FDBR differs from other states' consumer data privacy laws in certain areas including scope of entities covered, required disclosures, and voice and facial recognition technology
The Florida Digital Bill of Rights (FDBR) was signed into law by Governor Ron DeSantis on June 6, 2023, making Florida the tenth state to enact a consumer data privacy law along with California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana. The FDBR, which goes into effect on July 1, 2024, generally adheres to the "Virginia model" of consumer privacy legislation. Nevertheless, there are a number of unique provisions that will make the new Florida law an outlier.
How the FDBR is Different from Other State Consumer Data Privacy Laws
- Narrow Scope: The law does not apply to businesses with less than $1 billion in gross annual revenue, meaning that the FDBR will cover only a relatively small number of very large entities. Other thresholds further limit the law's coverage to those that derive half their revenue from digital ad sales, operate certain app stores or digital distribution platforms, or offer certain smart home speakers with a virtual assistant.
- Data Sale Disclaimer: A controller that "sells" sensitive personal data must provide consumers with "a reasonably accessible and clear privacy notice, updated at least annually": "NOTICE: We may sell your sensitive personal data." Similarly, if a controller sells biometric personal data, it must provide the following notice: "NOTICE: We may sell your biometric personal data." These notices must be posted in the same location and in the same manner as a covered company's privacy notice.
- Opt-Out Rights for Voice and Facial Recognition Technology. The FDBR expressly grants Florida consumers the right to opt out of the collection of personal data through voice and facial recognition technology by controllers.
- Restrictions on "Surveillance." The FDBR prohibits controllers and processors from collecting data when voice-activated devices are not in active use by a consumer, unless expressly authorized by the consumer. The surveillance data collection prohibition extends to audio and video recording features, or "any other electronic, visual, thermal, or olfactory feature that collects data…for the purpose of surveillance." The term surveillance is not defined in the law, and thus controllers will need to be careful when crafting any opt-in for consumer authorization.
- Restrictions on Government Moderation of Social Media Platforms. Accompanying legislation to the FDBR prohibits a governmental entity from contacting a social media platform in order to request removal of content or accounts from the platform. Government entities also are prohibited from initiating or maintaining any agreements or working relationships with a social media platform for the purpose of moderating content. The FDBR provides exceptions to these prohibitions allowing governmental entities to:
  - Engage in routine account management of the governmental entity's account, including, but not limited to, the removal or revision of the governmental entity's content or account or identification of accounts falsely posing as a governmental entity, officer, or salaried employee;
  - Attempt to remove content or accounts that pertain to the commission of a crime or violation of Florida's public records law; or
  - Engage in an investigation or inquiry related to an effort to prevent imminent bodily harm, loss of life, or property damage.
- Restrictions on Websites and Online Services Accessible by Children. Accompanying legislation to the FDBR places restrictions on online platforms providing services, products, games and/or features "likely to be predominantly accessed by children," and specifically prohibits:
  - Processing a child's personal information if the online platform has actual knowledge or willfully disregards that the processing will result in "substantial harm or privacy risk to children;"
  - Profiling a child unless the online platform uses safeguards to protect children and either the profiling is necessary to provide the service or there is a compelling reason that the profiling does not pose a substantial harm or privacy risk to children;
  - Using a child's personal information for any reason other than the reason for which the personal information was collected;
  - Collecting, selling, sharing, or retaining any personal information that is not necessary to provide the digital service, product, or feature that is knowingly utilized by children;
  - Collecting, selling, or sharing a child's precise geolocation data;
  - Using "dark patterns" to lead, or encourage, a child to take certain actions; and
  - Using any personal information collected to estimate a child's age or age range.
- Mandatory Disclosures for Search Engines. The FDBR requires search engines to provide easily accessible descriptions of the main parameters used to determine the rankings of search results, "including the prioritization or deprioritization of political partisanship or political ideology in search results." In addition, search engines must disclose the relative importance and influence of the main parameters on the search results.
- Mandatory Data Retention Schedule. In contrast to other state consumer data privacy laws that reference data retention generally, the FDBR mandates that controllers and processors create and adhere to a specific data retention schedule that would prohibit the use and retention of personal data that is not subject to an exemption. The retention period would end after:
  - Satisfaction of the initial purpose for which such information was collected or obtained;
  - Expiration or termination of the contract pursuant to which the information was collected or obtained; or
  - Two years after the consumer's last interaction with the controller or processor.
- New Notices Regarding Sales of Sensitive and Biometric Data. Controllers must post conspicuous notices if they "sell" sensitive or biometric data.
As noted above, the FDBR applies to a considerably narrower range of entities than other state privacy laws as it applies only to controllers that generate more than $1 billion in gross annual revenue and that:
- Derive at least 50 percent of their revenue from the sale of digital advertisements;
- Operate an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install; or
- Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation (but not including in-car smart speaker and voice command component services operated by vehicle manufacturers).
Like most state data privacy laws, the FDBR contains entity-level, data-specific, and employment-related exemptions.
Exempt entities include:
- government entities;
- nonprofit organizations;
- higher education institutions;
- financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); and
- "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA).
Exempt data includes:
- protected health information under HIPAA;
- data subject to the GLBA;
- certain other health- and patient-related information under federal regulations and state laws;
- certain employment-related data; and
- information governed by and/or processed in accordance with other privacy laws, including the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Driver's Privacy Protection Act, and several others.
The FDBR does not restrict a controller or processor from collecting, using, or retaining personal data to:
- Comply with federal, state, or municipal ordinances or regulations;
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons, by federal, state, municipal, or other governmental authorities;
- Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably, and in good faith, believes may violate federal, state, or municipal ordinances or regulations;
- Investigate, establish, exercise, prepare for, or defend legal claims;
- Provide a product or service specifically requested by a consumer;
- Fulfill the terms of a written warranty;
- Conduct internal research to develop, improve, or repair products, services, or technology;
- Effectuate a product recall;
- Identify and repair technical errors that impair existing or intended product functionality;
- Perform internal operations that are reasonably based on consumer expectations or the consumer relationship;
- Process personal data in the course of a purely personal or household activity; or
- Process personal data solely for measuring or reporting advertising performance, reach, or frequency.
The FDBR prohibits controllers from processing sensitive data without obtaining consumer consent. The FDBR defines "sensitive data" as personal data revealing the following information about an individual:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical health diagnosis;
- Sexual orientation;
- Citizenship or immigration status;
- Genetic or biometric data processed for the purpose of uniquely identifying an individual;
- Personal data collected from a known child; and
- Precise geolocation data.
Any for-profit entity that conducts business in Florida and collects personal data is required to obtain consumer consent prior to selling the consumer's sensitive personal data.
The FDBR requires controllers to publish privacy notices describing:
- the categories of personal data that are processed;
- the purpose of processing;
- how consumers may exercise their data rights;
- how consumers may appeal a controller's refusal to take action on data rights requests;
- the categories of personal data shared with third parties; and
- the categories of third parties with which personal data is shared.
Definition of "Consent"
The FDBR defines consent as a clear affirmative act signifying a consumer's specific, informed and unambiguous agreement to process data relating to the consumer.
Definition of "Sale"
The Florida law follows privacy laws in California and elsewhere by adopting a broad definition of "sale," which includes the sharing, disclosure, or transfer of personal data for "monetary or other valuable consideration" (emphasis added).
The definition of a "sale" under the FDBR and other state privacy laws is important because the scope of this term determines under what circumstances a consumer can opt out of the disclosure of their personal data.
In practical terms, the FDBR's broader definition of "sale" may, among other things, provide consumers with the ability to opt out of third-party marketing and other disclosures of personal information that do not strictly involve monetary consideration.
Consistent with all other state privacy laws, the FDBR's definition of a "sale" excludes any disclosure to an affiliate of the controller, the controller's processor, for the purpose of providing a requested product or service, in a merger or acquisition of the controller's business or assets, or of information that the consumer intentionally made public via mass media.
As with other state privacy laws, the FDBR provides consumers the right to confirm the processing of, and access to, their personal data; request that a controller correct inaccuracies in the consumer's personal data; delete personal data about the consumer; and obtain a copy of the data in a portable and readily usable format.
A controller is required to respond to a consumer request within 45 days of receipt. The controller may extend the response by 15 days, if reasonably necessary (a notably shorter extension period than those provided in other state laws). If a controller cannot take action regarding the consumer's request, the controller must inform the consumer without undue delay and provide a justification for the inability to take action on the request. In addition, the FDBR requires controllers to establish a conspicuously available appeal process regarding a consumer's request and provide instructions for appealing their decisions.
The FDBR uses a controller-processor framework and requires that controllers and processors—those that process personal data on a controller's behalf—enter into agreements that include standard terms found under other state privacy laws, including those requiring confidentiality of personal information, deletion or return of personal data upon termination of the agreement, and cooperation with reasonable assessments by the controller.
Data Protection Impact Assessments
Similar to the consumer data privacy laws in Virginia, Connecticut, Colorado, Montana, and elsewhere, the FDBR requires controllers to conduct a data protection assessment, before the processing begins, for each processing activity that presents a heightened risk of harm. Such activities include:
- Processing personal data for targeted advertising;
- Sales of personal data;
- Processing sensitive data;
- Processing of personal information for profiling, if the profiling presents certain specified risks; and
- Any other processing activities that "present a heightened risk of harm to consumers."
Disclosing a data protection assessment upon request from the Florida Attorney General would not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.
The FDBR requires that data protection impact assessments be conducted for processing activities "created or generated" after July 1, 2023.
Enforcement – Private Right of Action?
The FDBR does not provide a private right of action to consumers for violations of the FDBR. Instead, the FDBR grants the Department of Legal Affairs (i.e., the Office of the Attorney General) exclusive authority to enforce the FDBR. Civil penalties of up to $50,000 per violation may be imposed in the event a covered business fails to remedy the violation within the statutory cure period (see below). The penalties may be trebled if:
- A controller willfully disregards a consumer's age when the consumer is a child and the controller is deemed to have actual knowledge of the consumer's age;
- A covered entity fails to delete or correct a consumer's personal data after receiving an authenticated consumer request or directions from a controller to delete or correct the consumer's personal data, unless an exception applies; or
- A covered entity continues to sell or share a consumer's personal data after the consumer exercises their opt-out right.
The Department of Legal Affairs also has the discretionary authority to collaborate and cooperate with federal and state enforcement authorities concerning consumer data privacy issues and investigations if the state or federal enforcement authorities adhere to confidentiality restrictions "as stringent as" the restrictions of the FDBR.
Like Colorado and California, Florida grants both mandatory and discretionary rulemaking authority to the attorney general (via the Department of Legal Affairs). Florida's attorney general may adopt rules implementing the provisions of the FDBR related to the prohibition on processing children's data, but must adopt rules establishing standards for authenticated consumer requests, enforcement, data security, and authorized persons who may act on a consumer's behalf.
In contrast to other state privacy laws, such as in Tennessee, Montana, and elsewhere, the FDBR establishes a discretionary cure period of 45 days that the Attorney General may provide before initiating an enforcement action. Only a few state privacy laws contain mandatory cure periods that must be provided to covered businesses. In Florida, the attorney general is empowered to decide whether or not a covered business will be afforded the 45-day cure period.
The FDBR will go into effect in July 2024 (like the Texas Data Privacy and Security Act, once it is signed by the Texas governor), which is sooner than multiple states that enacted consumer data privacy laws earlier this year. Additionally, the accompanying legislation to the FDBR prohibiting government-directed moderation of social media platforms goes into effect on July 1, 2023. This means businesses subject to the FDBR need to take action now to develop policies and implement protocols to put them in the strongest compliance posture possible. Businesses subject to the FDBR should consider taking the following actions:
- Conduct a privacy gap assessment, including an examination of websites and online services accessed by children;
- Determine whether voice-activated assistants collect voice or audio when not in use by consumers and consider the legal implications, if so;
- Analyze the business's needs for maintaining personal data and develop and implement a data retention schedule;
- Establish reporting mechanisms;
- Prepare appropriate privacy policies, privacy notices, and data protection impact assessments;
- Train personnel on the steps needed to respond to data subject requests; and
- Establish an appeal procedure.