Have you heard the news? Florida recently passed the Florida Digital Bill of Rights (FDBR).
The FDBR is an interesting piece of legislation that uses unique definitions compared to other U.S. state laws covering data privacy.
I summarize everything you need to know about Florida’s new data privacy law below, including who it applies to, its key terms and definitions, and what data controllers must do before it takes effect in 2024.
- What Is the Florida Digital Bill of Rights (FDBR)?
- FDBR Key Terms and Definitions
- What Does the Florida Digital Bill of Rights Cover?
- Requirements of the Florida Digital Bill of Rights
- Florida’s Data Privacy Law vs. Other States: Similarities and Differences
- How Will Consumers Be Impacted by the FDBR?
- How Will Businesses Be Impacted by the FDBR?
- Who Must Comply With Florida’s New Data Privacy Law?
- How Can Businesses Prepare for the FDBR?
- How Will the FDBR Be Enforced?
- Fines and Penalties Under the Florida Digital Bill of Rights
- How Will Termly Help With FDBR Compliance?
What Is the Florida Digital Bill of Rights (FDBR)?
The Florida Digital Bill of Rights is a law that does four things. First, it defines the rights Florida residents have over the processing and use of their personal data by covered entities.
Second, it restricts how government employees may deal with social media platforms and imposes obligations on controllers that operate search engines.
Third, it sets specific rules for protecting the personal information of children under 18 online.
Finally, it sets out the penalties for violating the new Florida data privacy law.
FDBR Effective Date
Florida’s Digital Bill of Rights enters into force on July 1, 2024.
However, the provisions restricting government employees’ dealings with social media platforms (Section 1 of the bill, which creates Section 112.23 of the Florida Statutes) took effect in July 2023.
FDBR Key Terms and Definitions
The Florida Digital Bill of Rights defines several familiar terms differently from other U.S. data protection laws, and understanding those differences is vital for compliance.
To help, I’ve included key terms below with definitions exactly as they appear in the FDBR:
What Does the Florida Digital Bill of Rights Cover?
The FDBR covers three distinct privacy-related issues concerning Florida residents and the state itself:
- One section describes the rights that consumers acting in an individual or household context have over how controllers collect, process, and use their personal data.
- Another section prohibits government employees from using their position or state resources to have content or accounts removed from social media platforms.
- The third section establishes protections for children’s personal information online.
Notably, the FDBR uses two different terms, personal data and personal information (both appear in the key terms section above), for the different sections of the law:
- Personal data is the term used in the consumer-rights provisions for the information controllers collect, process, and use about Florida residents.
- Personal information is the term used in the children’s online-protection provisions, which cover children under the age of 18.
Requirements of the Florida Digital Bill of Rights
As a data privacy bill of rights, the Florida law imposes many requirements, some of which apply directly to businesses that collect and use personal data from Florida consumers.
To help you make sense of the relevant portions of the FDBR, I’ve outlined those requirements in this section.
Controller Requirements for Processing Personal Data
According to Section 13. Section 501.71 of the law, controllers must limit the processing of personal data to what is “adequate, relevant, and reasonably necessary” for the purposes they disclose to consumers.
Controllers must also maintain reasonable administrative, technical, and physical measures to protect the confidentiality and integrity of the data.
Processing personal data for purposes beyond those disclosed, or processing any sensitive data, requires the consumer’s consent.
Additionally, if you sell sensitive data or biometric data, you must display the applicable notice on your website using exactly the following wording, as required by Section 14. Section 501.711 Part (2):
- NOTICE: This website may sell your sensitive personal data
- NOTICE: This website may sell your biometric personal data
Data Protection Assessments
Controllers must conduct and document a Data Protection Assessment (DPA) before carrying out certain data processing activities, as described in Section 16. Section 501.713 of the FDBR.
A DPA is required for each of the following processing activities:
- Targeted advertising
- The sale of personal data
- Processing data for the purposes of profiling if it presents a reasonably foreseeable risk to the consumer
- Processing sensitive data
- Processing activities that involve personal data that presents a heightened risk of harm to the consumer
The controller’s data protection assessment must do all of the following:
- Identify and weigh the direct and indirect benefits to the controller, consumer, and other stakeholders against the potential risks to consumer rights, as mitigated by safeguards.
- Factor in the use of deidentified data, the consumer’s reasonable expectations, the processing context, and the relationship between the controller and the consumer.
A single assessment may cover a comparable set of processing operations if they present a similar risk to consumers.
Controllers may also rely on an assessment conducted for another law or regulation, provided it is comparable in scope and effect to the assessment the FDBR requires.
Contractual Obligations Regarding Third-Party Processors
The FDBR outlines contractual requirements between controllers and processors in Section 15. Section 501.712 Part (2).
Specifically, it states that a contract must exist between controllers and processors outlining all of the following:
A processor may engage a qualified, independent assessor to evaluate its policies and its technical and organizational measures in support of these obligations.
The processor must make the resulting report available to the controller upon request.
Guidelines Surrounding Children’s Data
Online platforms that provide games, products, services, or features likely to be accessed primarily by children must follow specific rules under the FDBR.
Specifically, as set out in Section 2. Section 501.1735, these platforms may not:
- Process a child’s personal information if the platform has actual knowledge, or willfully disregards, that the processing may result in substantial harm or privacy risk to the child.
- Profile a child unless the platform can demonstrate that it has appropriate safeguards in place and either the profiling is necessary to provide the service or there is a compelling reason that the profiling does not pose a substantial risk of harm or privacy risk to the child.
Additionally, these platforms may not:
- Collect, sell, share, or retain personal information that is not necessary to provide the online service, unless they can demonstrate that doing so poses no substantial harm or privacy risk to the child.
- Use personal information for any purpose other than the one for which it was collected, unless they can demonstrate that doing so poses no substantial harm or privacy risk to the child.
- Collect, sell, or share a child’s precise geolocation data unless it is strictly necessary for the service to function.
- Collect a child’s precise geolocation data without providing an obvious signal to the child that the data is being collected.
- Use dark patterns to lead or encourage a child to take an action they would not otherwise take.
- Use personal information collected to estimate a child’s age or age range for any other purpose, or retain it longer than necessary for that estimate.
Social Media Restrictions for Government Employees
Under Section 1. Section 112.23 Parts (2) and (3) of the Florida Digital Bill of Rights, government entities, officers, and salaried employees, acting in their official capacity, may not take certain actions involving social media platforms.
Specifically, they may not request that a platform remove content or accounts, and they may not initiate or maintain agreements or working relationships with a platform for the purpose of content moderation.
These restrictions don’t apply to any of the following:
- Routine management of the government entity’s own account, including removing or revising its own content or account.
- Requesting removal of content that pertains to the commission of a crime or a violation of Florida’s public law.
- Requesting removal of an account that pertains to the commission of a crime or a violation of Florida’s public law.
- Investigations or efforts to prevent imminent bodily harm, loss of life, or property damage.
Provisions for Controllers That Own Search Engines
The FDBR outlines guidelines that controllers who operate search engines must follow in Section 13. Section 501.71 Part (4).
Those controllers must publish an up-to-date description of the main parameters that determine search result rankings and the relative importance of those parameters.
The description must address the “prioritization or deprioritization of political partisanship or political ideology in search results.”
It must be available in an easily accessible location that does not require a log-in or any user registration.
However, these controllers are not required to disclose algorithms or any other information that would enable the deception of, or harm to, consumers through the manipulation of search results.
Florida’s Data Privacy Law vs. Other States: Similarities and Differences
The FDBR grants consumer rights and imposes privacy obligations that mirror other U.S. state privacy laws, but it is very different in scope and scale from that other legislation, which includes the:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
- Oregon Data Privacy Act (ODPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2025
- Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
- Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
The primary difference is the FDBR’s very narrow scope: it targets a small set of very large technology companies, namely those with more than $1 billion in annual revenue that are in the online advertising, smart speaker, or app store business (the exact thresholds are covered below).
It does not apply to small and medium-sized businesses, data brokers, or other online entities that collect, process, and use consumer personal data but fall below those thresholds.
However, you can compare aspects of the law to these other state laws in the table below.
How Will Consumers Be Impacted by the FDBR?
The FDBR impacts consumers by granting them rights over how qualifying data controllers collect, process, and use their personal data.
Most of these consumer rights appear in Section 8. Section 501.705, and they include the right to:
- Confirm if a controller is processing their personal data and have access to it
- Correct inaccuracies in their personal data
- Delete any or all of the personal data provided by or obtained about the consumer
- Obtain a copy of their data in a portable format and, where available, in a digital format
- Opt out of targeted advertising
- Opt out of the sale of their personal data
- Opt out of profiling
- Opt out of the collection of sensitive data, including precise geolocation data, and the processing of sensitive data
- Opt out of the collection of personal data through a voice recognition or facial recognition feature
Additionally, a controller or processor may not use any of the following features of a device in the consumer’s possession for surveillance while the consumer is not actively using that feature, unless the consumer gives express authorization:
- Voice recognition
- Facial recognition
- Video recording
- Audio recording
- Any other electronic features
- Any other visual features
- Thermal features
- Olfactory features
Who Does the FDBR Apply To?
Under Section 5. Section 501.702, the FDBR covers only the personal data of Florida residents acting in an individual or household context.
It does not cover individuals acting in a commercial or employment context.
How Will Businesses Be Impacted by the FDBR?
The FDBR impacts businesses in several ways beyond the contractual obligations, data protection assessments, and search engine obligations discussed above.
It also affects your privacy and cookie policies, which I discuss below.
According to Section 14. Section 501.711, qualifying controllers must provide consumers with a “reasonably accessible” and “clear” privacy notice that includes all of the following:
- The categories of personal information and sensitive personal information processed by the controller
- The purposes for which the controller processes the data
- How consumers can exercise their rights granted by the FDBR, including how they can appeal a controller’s decisions based on their requests
- The categories of personal data a controller shares with third parties, if any
- The categories of third parties that the controller shares data with, if any
- A description of the methods (as specified in Section 501.709 of the FDBR) of how consumers can submit requests to exercise their rights under the law
The FDBR may also affect qualifying controllers’ cookie policies, particularly if you use cookies for targeted advertising or sell the information derived from them.
As explained in Section 8. Section 501.705 of the law, Floridians have the right to opt out of the sale of their personal data and targeted ads.
Who Must Comply With Florida’s New Data Privacy Law?
The Florida Digital Bill of Rights differs from the other U.S. state privacy laws in that it targets enterprise-level entities rather than data brokers and small and medium-sized businesses.
According to Section 6. Section 501.703, it applies to entities that do business in Florida or provide goods or services to state residents and that meet the definition of controller in Section 5. Section 501.702 (see the key terms and definitions section above).
To qualify, you must be a for-profit entity with more than $1 billion in gross annual revenue that meets at least one of the following additional conditions:
- Derive 50% or more of your revenue from selling ads online.
- Operate a consumer smart speaker and voice-command service with an integrated virtual assistant (voice-command systems built into motor vehicles are excluded).
- Operate an app store or digital platform that offers at least 250,000 different software applications.
Additionally, Section 5. Section 501.702 extends the definition of controller to any affiliate that controls, or is controlled by, such a controller.
By control, the law specifically means:
- Owning more than 50% of the outstanding shares of any class of voting securities
- Controlling the election of a majority of the directors
- Having the power to exercise a controlling influence over the management of the company
Your business is subject to the FDBR’s controller obligations only if it meets these thresholds.
Who Is Exempt From the FDBR?
According to Section 6. Section 501.703 Part (2), the following entities and activities are exempt from the FDBR:
- State agencies and political subdivisions of the state
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act
- Nonprofit organizations
- Postsecondary educational institutions
- Processing of personal data for a purely personal or household activity
- Processing of personal data solely to measure or report advertising performance, reach, or frequency
How Can Businesses Prepare for the FDBR?
Entities that qualify as data controllers under the FDBR should take a few crucial steps before the law takes effect:
- If you sell biometric or sensitive data, include the proper notice on your website.
- Ensure any contract you enter with third-party processors follows the guidelines expressed in the FDBR.
- If you carry out processing activities that present a heightened risk to consumers, conduct and document the required Data Protection Assessments.
- If your company operates a search engine, publish the required disclosure of your search ranking parameters.
- If your services are likely to be accessed primarily by children, follow all of the law’s obligations concerning children’s personal information.
How Will the FDBR Be Enforced?
The Florida Attorney General has exclusive authority to enforce the Florida Digital Bill of Rights. A violation is treated as an unfair or deceptive act or practice, and the Attorney General may bring an action against any person believed to have violated the law.
Fines and Penalties Under the Florida Digital Bill of Rights
The Florida Attorney General may seek civil penalties of up to $50,000 per violation of the FDBR, as set out in Section 23. Section 501.72 Part (1) of the law.
However, the FDBR does not create a private right of action, so Florida consumers cannot sue under it directly.
How Will Termly Help With FDBR Compliance?
Termly helps businesses comply with laws like the Florida Digital Bill of Rights by providing policy generators and a consent management platform (CMP) backed by our legal team and data privacy experts.
Below is a screenshot of one of the questions it asks.
We also offer a CMP with a cookie consent banner you can configure to meet the opt-out requirements described by laws like the FDBR.
See an example of it below.
While the Florida Digital Bill of Rights has a unique, limited scope compared to the other U.S. state privacy laws, this law will likely make waves once it enters into force in 2024.
If you qualify as a controller under the FDBR, you should plan to:
- Use contracts with third-party processors that meet the FDBR’s contractual requirements.
- Conduct Data Protection Assessments before processing any data that may present a heightened risk to consumers.
- Add Data Subject Access Request forms to your website so users can easily exercise their privacy rights.
- Follow all of the law’s rules on children’s data, especially if people under 18 primarily use your services.
- If you operate a search engine, follow the law’s new disclosure requirements.
- If you are a government entity affected by this law, follow all of the new restrictions on dealings with social media platforms.