6-Step FDBR Compliance Requirements Checklist

By: Josh Langeland, CIPM | Updated on: June 12, 2024


The Florida Digital Bill of Rights (FDBR) takes effect on July 1, 2024.

If your business is subject to the consumer privacy protections in this upcoming law, follow this six-step checklist to simplify compliance.

Table of Contents
  1. FDBR Compliance Checklist: Step-by-Step
  2. FDBR Requirements FAQ
  3. Summary

FDBR Compliance Checklist: Step-by-Step

I compiled these six steps to help remove confusion about complying with the Florida Digital Bill of Rights (FDBR).


Part 1: Perform a Privacy Audit

To comply with the FDBR, start with a privacy audit (also called a data inventory) so you know what personal information you collect, how you collect it, and your purpose for processing it. The inventory is the foundation for every later step: you cannot write an accurate privacy policy, honor an opt-out, or answer a deletion request for data you have not mapped.

Part 2: Privacy Notification Requirements

The FDBR requires covered businesses to present Florida users with a privacy policy outlining the following information:

  • What categories of personal information you collect
  • Your purpose for processing it
  • How consumers can exercise their rights and appeal your decision
  • What categories of data you share with third parties, if any
  • What categories of third parties you share data with, if any

If you sell biometric or sensitive personal data, you must post the following disclosures prominently on your website:

  • NOTICE: This website may sell your sensitive personal data
  • NOTICE: This website may sell your biometric personal data

The privacy policy must be updated at least annually.

Part 3: Consent Management for Specific Data Processing

You must give Florida users a consent banner or similar mechanism that lets them easily exercise their rights to opt out of:

  • Profiling
  • Targeted advertising
  • The sale of their personal data
  • The collection and processing of sensitive personal data, including precise geolocation
  • The collection of personal data through a voice or facial recognition feature

Part 4: Contractual Obligations for Sharing or Selling Personal Data

If you’re a data controller working with third-party data processors, the FDBR requires a contract, signed by both parties, that covers the following:

  • Describe the instructions for the data processing, its nature, and its purpose.
  • List the type of data being processed and the duration of the processing.
  • Outline the rights and obligations of both parties.
  • Impose a duty of confidentiality on everyone who handles the personal data.
  • Require the processor to delete or return all data at the end of the contract unless retention of the personal data is required by law.
  • Require the processor to demonstrate compliance with the FDBR.
  • Require the processor to cooperate with reasonable assessments by the controller.

Part 5: Consumer Rights and Verifiable Consumer Requests

According to the FDBR, you must present your users with one or more ways to exercise their rights to do any of the following:

  • Confirm whether you’re processing their data.
  • Access their data.
  • Correct inaccuracies in their data.
  • Obtain a portable copy of their data where feasible.
  • Delete their data.
  • Opt out of having their data sold or processed for targeted advertising.
  • Opt out of profiling.
  • Opt out of the collection of sensitive data.
  • Opt out of the collection of personal data through voice or facial recognition features.

Methods you might implement include:

  • Post a Data Subject Access Request (DSAR) form on your website.
  • Provide an email address where users can submit requests.
  • Publish a cookie policy if you deploy cookies that collect sensitive data, data that you sell, or data used for targeted advertising.
  • Use a consent banner so consumers can follow through on opt-out rights.
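The consent banner in Part 3 and the opt-out methods in Part 5 both come down to the same mechanism: record the Florida user's choice per purpose, persist it, and gate every third-party tag on that record before it loads. The following is an added example, not Termly's code and not from the original article; the cookie name, the compact cookie encoding, the tag catalogue, and the purpose identifiers (taken from the page's opt-out list) are all assumptions. The security-relevant details are that the stored value is validated on the way back in, so a tampered or stale cookie degrades to "no choice recorded" rather than to "everything allowed", and that a tag serving several purposes loads only if the user has not opted out of any of them.

```javascript
// Added example (not Termly's or the article's code): a DOM-free preference
// store that records a Florida user's FDBR opt-outs per purpose and decides
// which third-party tags may load. Cookie name, encoding, and tag catalogue
// are assumptions made for illustration.

// Purpose identifiers derived from the page's opt-out list.
const FDBR_PURPOSES = Object.freeze([
  'profiling',
  'targeted_advertising',
  'sale',
  'sensitive_data',
  'voice_facial_recognition',
]);

const COOKIE_VERSION = 1; // bump when the encoding changes so old values are rejected

// Fresh record: no opt-out recorded for any purpose.
function newPreferences(now = Date.now()) {
  const optedOut = {};
  for (const p of FDBR_PURPOSES) optedOut[p] = false;
  return { v: COOKIE_VERSION, updated: now, optedOut };
}

// Record an opt-out for one or more purposes. Unknown purposes are rejected
// rather than silently stored, so a typo in a banner button cannot create a
// preference that the gating code never checks.
function optOut(prefs, purposes, now = Date.now()) {
  const next = { ...prefs, updated: now, optedOut: { ...prefs.optedOut } };
  for (const p of purposes) {
    if (!FDBR_PURPOSES.includes(p)) throw new RangeError(`unknown purpose: ${p}`);
    next.optedOut[p] = true;
  }
  return next;
}

// A purpose is allowed only if it is known and the user has not opted out.
function isAllowed(prefs, purpose) {
  if (!FDBR_PURPOSES.includes(purpose)) return false;
  return prefs.optedOut[purpose] === false;
}

// Serialize to a compact cookie value: "v=1;u=<epoch ms>;o=sale,profiling".
function serializePreferences(prefs) {
  const out = FDBR_PURPOSES.filter((p) => prefs.optedOut[p]);
  return `v=${prefs.v};u=${prefs.updated};o=${out.join(',')}`;
}

// Parse the cookie value back. Anything malformed, of the wrong version, or
// naming an unknown purpose yields null so the caller treats the user as
// having no recorded choices (and re-shows the banner) instead of trusting it.
function parsePreferences(value) {
  if (typeof value !== 'string') return null;
  const fields = new Map();
  for (const part of value.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) return null; // missing "=" or empty key
    fields.set(part.slice(0, eq), part.slice(eq + 1));
  }
  if (Number(fields.get('v')) !== COOKIE_VERSION) return null;
  const updated = Number(fields.get('u'));
  if (!Number.isInteger(updated) || updated <= 0) return null;
  const o = fields.get('o');
  if (o === undefined) return null;
  const prefs = newPreferences(updated);
  for (const p of o === '' ? [] : o.split(',')) {
    if (!FDBR_PURPOSES.includes(p)) return null;
    prefs.optedOut[p] = true;
  }
  return prefs;
}

// Constructed tag catalogue: each third-party tag declares every purpose it
// serves. A tag loads only if the user has not opted out of ANY of them.
const TAG_CATALOGUE = Object.freeze([
  { id: 'ads-pixel', purposes: ['targeted_advertising', 'sale'] },
  { id: 'behaviour-analytics', purposes: ['profiling'] },
  { id: 'geo-personalisation', purposes: ['sensitive_data', 'profiling'] },
  { id: 'voice-search', purposes: ['voice_facial_recognition'] },
]);

function tagsAllowedToLoad(prefs, catalogue = TAG_CATALOGUE) {
  return catalogue
    .filter((tag) => tag.purposes.every((p) => isAllowed(prefs, p)))
    .map((tag) => tag.id);
}

// Walk-through with constructed timestamps: the user opts out of sale and
// sensitive-data processing, the choice round-trips through the cookie, and
// only tags that touch neither purpose remain loadable.
function demo() {
  let prefs = newPreferences(1718150400000);
  prefs = optOut(prefs, ['sale', 'sensitive_data'], 1718150460000);
  const cookie = serializePreferences(prefs);
  const restored = parsePreferences(cookie);
  return { cookie, allowed: tagsAllowedToLoad(restored) };
}
```

In a real deployment the banner's buttons call `optOut`, the result is written to a cookie (or server-side profile keyed to the session), and the page's tag loader calls `tagsAllowedToLoad` before injecting any script tag. Keeping the gating logic in one place, with deny-on-unknown behaviour, is what makes the opt-out auditable.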

Part 6: Security Procedures and Practices

The FDBR requires data controllers to implement reasonable security measures that protect the confidentiality, integrity, and accessibility of the personal data they collect.

You must have physical, administrative, and technical measures in place.

Some standard data security techniques include:

  • Pseudonymizing or de-identifying the data wherever the purpose does not require identifiable records
  • Encrypting the data in transit and at rest
  • Access controls that limit who can read or change personal data to those who need it
  • Maintaining a tested data backup and recovery plan

FDBR Requirements FAQ

Below, read through some frequently asked questions about Florida’s new data privacy law.

Does the FDBR apply to my business?

The FDBR applies to your business if you meet all of the following thresholds:

  • You conduct business in Florida or target products or services to Florida residents, and
  • You’re for-profit and make more than $1 billion in global gross annual revenue, and
  • You meet at least one of these conditions:
      • You derive 50% or more of your revenue from selling online ads, or
      • You operate a smart speaker or voice command component service (those connected to vehicles are exempt), or
      • You operate an app store or digital distribution platform with at least 250,000 different software applications.

When does the FDBR take effect?

The FDBR takes effect on July 1, 2024.

Who enforces the FDBR?

The Florida Attorney General has exclusive authority to enforce the FDBR.

What are the penalties for violating the FDBR?

Civil penalties for violating the consumer protections in the FDBR can reach as high as $50,000 per violation.

Can Termly help with FDBR compliance?

Termly offers a Privacy Policy Generator and a consent management platform (CMP) that businesses can use to help with compliance under the FDBR.

Our CMP also features a free Data Subject Access Request (DSAR) form that lets your users securely submit verifiable requests to exercise their rights.

Summary

If your business must comply with the FDBR, use our six-step checklist to help simplify your compliance journey:

  • Perform a data inventory to know all personal data you collect, why, and how it’s used.
  • Present your users with a compliant privacy policy that meets all notification requirements outlined by the law.
  • Use a consent banner to allow Florida users to follow through on their opt-out rights.
  • Use and sign compliant contracts with any third-party data processors you work with.
  • Provide one or more ways for Florida users to submit verifiable consumer requests to act on their privacy rights.
  • Establish adequate safeguards to protect the personal data you collect.

To help simplify compliance with laws like the FDBR, try using solutions like our privacy policy generator and CMP.


Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park.
