Florida Digital Bill of Rights
Florida becomes the ninth state to enact a privacy law, following California, Colorado, Virginia, and others. Joining Texas, Oregon, and Montana, the Florida Digital Bill of Rights (FDBR) is set to come into effect on July 1st, 2024. Though the law closely resembles the other newly enacted privacy laws, it puts forth some unique aspects that add layers of analysis to ensure compliance.
With lawmakers adjusting to the glut of lawsuits and breaches, here's what the law offers Florida residents and what it requires of businesses operating in the state.
Scope and Exemptions
Unlike the other state privacy laws, Florida's privacy law applies to a narrower set of businesses. A closer look at its applicability makes clear that the law targets tech giants and large advertising companies.
Once in effect, the FDBR will apply to any controller earning more than $1 billion in gross revenue and:
Making at least 50 percent of the revenue through targeted advertisements or online ad sales.
Operating a consumer smart speaker and voice command service with integrated virtual assistants connected through a cloud computing service and hands-free verbal activation.
Operating an app store that lets consumers download or install at least 250,000 different software applications.
The law defines a controller as any business operating in Florida that collects personal information about consumers, or an entity on whose behalf the information is collected, and that determines the means and purpose of processing the information collected. A consumer is an individual who is a resident of Florida and is not acting in an employment or commercial context.
Like other comprehensive privacy laws, this law exempts various entities regulated by federal law, including financial institutions and affiliates subject to the Gramm-Leach-Bliley Act and entities covered under the Health Insurance Portability and Accountability Act and the Fair Credit Reporting Act. Non-profit organizations and certain government entities are also exempt from the law.
Unlike the CCPA, the FDBR does not have a private right of action, and the Florida Department of Legal Affairs is granted the authority to enforce the law. A violation of the law can lead to penalties of up to $50,000 per violation, and a 45-day period can be provided to address the alleged violation before an action is initiated. The penalties are tripled in the case of certain violations involving a consumer under 18 years of age.
The FDBR provides different rights to its consumers, most of which are like those of the other states' privacy laws. Consumers within the scope of this law can enjoy the following rights:
Access – Including rights to confirm if a controller is processing their data.
Correction – Can correct any inaccuracies in their personal data.
Deletion – Delete any or all of the personal data obtained from or about the consumer.
Data Portability – Obtain a copy of their personal data that is collected, shared, or sold.
Opt-out – Can choose to opt out of targeted advertising, data sale, and profiling; the collection and processing of sensitive data; and personal data collection through voice and face recognition features.
Florida law prohibits controllers from collecting sensitive data without obtaining consumer consent. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, immigration status, genetic data or data from known children, or precise geo-location data.
Florida's privacy law sets forth different compliance obligations for businesses and applicable entities, including:
Consent – Obtain consent from the consumer for processing sensitive data and for sale; consent needs to be a clear affirmative act, informed and unambiguous.
Response – The controller must respond to verifiable consumer information requests within 45 days of receipt. The controller may extend the response period by 15 days if reasonably necessary.
Notice – Inform consumers of the categories of personal information collected and the purpose for collecting it, before or at the time of collection.
Discrimination – Do not discriminate against consumers exercising their rights by charging different prices for goods and services or denying goods and services to any consumer.
Businesses are also required to maintain appropriate security measures to protect consumer information and conduct DPAs (data protection assessments) of activities involving personal data processing.
Apart from these obligations on businesses, like most other state privacy laws in the US, Florida's state privacy law also limits the retention of personal data. Any controller or processor can retain a consumer's personal data until the initial purpose of data collection is met, the contract for which the personal data was obtained is terminated or expires, or two years after the consumer's last interaction with the controller or processor.
The FDBR also requires every data controller to post a privacy notice and update it annually. A controller operating a search engine is required to disclose the parameters that decide the prioritization and de-prioritization of the ranking results.
Multiple states in the US are moving toward state-wide privacy laws, requiring businesses to keep up to date with significant regulatory developments. Though Florida's privacy law would take effect almost a year from now, businesses falling under its scope must implement compliance measures and avoid violations.