On June 6, DeSantis signed Senate Bill 262 to create the Florida Digital Bill of Rights (FDBR). The law is scheduled to go into effect on July 1, 2024. Although the FDBR resembles other newly enacted state privacy laws, it has several unique aspects that add additional levels of analysis to determining multi-state privacy compliance.
To qualify as a data controller under the FDBR, an organization must have $1 billion in global gross revenue and satisfy one of the following:
- Derive 50 percent of its global gross revenue from the sale of advertisements online.
- Operate a consumer smart speaker and voice command service.
- Operate an app store or digital distribution platform with at least 250,000 different software applications.
Based on these requirements, it is clear that the FDBR is targeting large technology and advertising companies. However, the terms “processor” and “third-party” do not include these same threshold criteria as a data controller, so there are still compliance implications for businesses that process data on behalf of data controllers, as well as those who receive personal data in a third-party capacity but do not otherwise satisfy the data controller threshold.
Like other data privacy laws, the FDBR provides exemptions to various entities regulated by federal law (e.g., the Health Information Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act). It does not apply to individuals who are acting in a commercial or employment capacity.
The FDBR provides consumers residing in Florida with the following data privacy rights:
- Access rights, including a right to confirm whether the controller is processing any data at all.
- Correction rights.
- Deletion rights concerning the data provided by or about the consumer
- Data portability rights.
- Opt-out rights related to the sale of personal information targeted marketing and profiling
- Opt-out rights related to the collection of sensitive data
- Opt-out rights for the collection of personal data through voice recognition features
The FDBR sets forth specific processes for how data controllers must receive, process, and respond to individuals who exercise their privacy rights, including establishing a privacy rights appeals process.
The FDBR provides that a data controller must obtain a consumer’s consent before they:
- Use the consumer’s personal data for a purpose that is neither reasonably necessary nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer.
- Process sensitive personal data of a consumer.
- Enroll the consumer in certain financial incentive programs.
Like other privacy laws, the FDBR specifically prohibits using “dark patterns.” Though the FDBR does not define dark patterns, it does state that consent cannot be obtained through acceptance of general or broad terms of use or by hovering over, muting, pausing, or closing a given piece of content.
The FDBR creates obligations for organizations that are not otherwise deemed data controllers. Specifically, all for-profit entities that conduct business in Florida and collect personal data are prohibited from selling a consumer’s sensitive data without first obtaining the consumer’s consent.
In addition to the typical obligations on controllers and processors seen in other states’ laws, the FDBR limits the retention of personal data. Controllers or processors may only retain personal data until the initial purpose for the collection is satisfied, the contract for which the data was collected or obtained is expired or terminated, or two years after the consumer’s last interaction with the regulated business.
The FDBR requires a data controller to post a privacy notice, which must be updated annually. In addition to the notices regarding the website selling sensitive or biometric data, if the controller operates a search engine, it is also required to disclose the parameters in ranking results. Specifically, the search engines must disclose the prioritization or de-prioritization of partisan or political ideology in search results.
Enforcement
Data controllers must undertake data impact assessments before engaging in certain processing activities. The Florida attorney general is granted the authority to request such assessments at any time.
The FDBR grants the state Department of Legal Affairs exclusive authority to enforce the FDBR, and a violation of the FDBR is deemed an unfair and deceptive trade practice. The FDBR authorizes civil penalties of up to $50,000 per violation but does not create a private right of action. The FDBR includes a 45-day cure period that the Department of Legal Affairs may provide before initiating an enforcement action.
Data Breach Notifications
The FDBR amends the state’s data breach notification law. Florida’s data breach statute previously identified the following categories of data as personal information that, if compromised, could potentially trigger a data breach notification:
Requirements:
- Government identifiers (e.g., Social Security number, a driver’s license or identification card number, a passport number, military identification number);
- Certain financial account numbers and access codes;
- Medical data and health insurance policy numbers;
- Certain usernames or e-mail addresses in conjunction with their passwords.
The FDBR expanded this list of protected personal data to include an individual’s biometric data and any information regarding an individual’s geolocation when connected to an individual’s name.
This amendment is especially important for organizations that use cookies, pixels, and tags on their website to identify an individual, such as through their social media account, and track their location, as such data may be subject to data breach notification requirements. The FDBR’s definition of geolocation does not correspond to the definition of “precise geolocation data” used elsewhere in the law and is likely broader in scope.
