Florida Digital Bill of Rights: First Look & Summary

Have you heard the news? Florida recently passed the Florida Digital Bill of Rights (FDBR).

The FDBR is an interesting piece of legislation that uses unique definitions compared to other U.S. state laws covering data privacy.

I summarize everything you need to know about Florida’s new data privacy law below, including who it applies to, its key terms and definitions, and what data controllers must do before it enters into action in 2024.

Table of Contents

What Is the Florida Digital Bill of Rights (FDBR)?
FDBR Key Terms and Definitions
What Does the Florida Digital Bill of Rights Cover?
Requirements of the Florida Digital Bill of Rights
Florida’s Data Privacy Law vs. Other States: Similarities and Differences
How Will Consumers Be Impacted by the FDBR?
How Will Businesses Be Impacted by the FDBR?
Who Must Comply With Florida’s New Data Privacy Law?
How Can Businesses Prepare for the FDBR?
How Will the FDBR Be Enforced?
Fines and Penalties Under the Florida Digital Bill of Rights
How Will Termly Help With FDBR Compliance?
Summary

What Is the Florida Digital Bill of Rights (FDBR)?

The Florida Digital Bill of Rights is a law that explains what rights Florida residents have over the processing and use of their personal data by different entities.

Secondly, it describes guidelines for government employees concerning social media services and obligations for controllers who operate search engines.

Third, it outlines specific rules for protecting data regarding children under 18 in online spaces.

Finally, it describes the penalties for violating parts of the new Florida data privacy law.

FDBR Effective Date

Florida’s Digital Bill of Rights enters into force on July 1, 2024.

However, the provisions regarding government employees regarding social media platforms became effective in July 2023, as outlined in Section 1, Section 112.23.

FDBR Key Terms and Definitions

The Florida Digital Bill of Rights uses several unique definitions for terms we’ve seen in other US data protection laws and understanding the differences is vital for compliance purposes.

To help, I’ve included key terms below with definitions exactly as they appear in the FDBR:

Child: A consumer or consumers who are under 18 years of age.

Consent: When referring to a consumer, means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act.
- The term does not include any of the following:
  - (a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information.
  - (b) Hovering over, muting, pausing, or closing a given piece of content.
  - (c) Agreement obtained through the use of dark patterns.

Consumer: An individual who is a resident of or is domiciled in this state acting only in an individual or household context.
- The term does not include an individual acting in a commercial or employment context.

Controller: (a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
- 1. Is organized or operated for the profit or financial benefit of its shareholders or owners;
- 2. Conducts business in this state;
- 3. Collects personal data about consumers, or is the entity on behalf of which such information is collected;
- 4. Determines the purposes and means of processing personal data about consumers alone or jointly with others;
- 5. Makes in excess of $1 billion in global gross annual revenues; and
- 6. Satisfies at least one of the following:
  - a. Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
  - b. Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or
  - c. Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

(b) Or any entity that controls or is controlled by a controller. As used in this paragraph, the term “control” means:
- 1. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a controller;
- 2. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or
- 3. The power to exercise a controlling influence over the management of a company.

Dark pattern: A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes, but is not limited to, any practice the Federal Trade Commission refers to as a dark pattern.

Personal data: any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
- The term does not include deidentified data or publicly available information.

Personal information: Information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child. Or either of the following:
- a. An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual:
  - (I) A social security number;
  - (II) A driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
  - (III) A financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual’s financial account;
  - (IV) Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
  - (V) An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual;
  - (VI) An individual’s biometric data as defined in Section 1495 501.702; or (VII) Any information regarding an individual’s geolocation.
- b. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.
- The term does not include information about an individual that has been made publicly available by a federal, state, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

Processing: Any operation or set of operations performed on personal information or on sets of personal information, regardless of whether by automated means.

Processor: A person who processes personal data on behalf of a controller.

Sensitive personal data: Any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
- The term does not include deidentified data or publicly available information.

What Does the Florida Digital Bill of Rights Cover?

The FDBR covers three distinct privacy-related issues concerning Florida residents and the state itself:

One section describes the rights consumers acting in a personal or household context have over how their personal data gets collected, processed, and used by controllers.
Another section prohibits government employees from using their position or state resources to remove content or accounts on social media platforms.
The third section explains and establishes protections regarding personal information for children online.

Interestingly, the FDBR uses different definitions for personal data and personal information (both appear in the key terms section above) as applicable to the different sections of the law:

Personal data refers to the information collected, processed, and used by controllers about Florida residents.

Personal information pertains to the safety guidelines in online spaces concerning children under the age of 18.

Requirements of the Florida Digital Bill of Rights

As a data privacy bill of rights, the Florida law has a lot of requirements, some of which apply directly to businesses that collect and use personal data from Florida consumers.

To help you make sense of those relevant portions of the FDBR, I’ve outlined the guidelines in this next section.

Controller Requirements for Processing Personal Data

According to Section 13. Section 501.71 of the law, controllers must limit the processing of personal data to what is “adequate, relevant, and reasonably necessary” based on the purposes they present to consumers.

Controllers must also maintain technical and physical measures to protect the integrity and confidentiality of the information.

To process data beyond what is necessary or any sensitive personal information, you need consumer consent.

Additionally, if you plan to sell biometric or sensitive personal data, you must provide a visible disclosure on your website using the following phrasing, as described in Section 14. Section 501.711 Part (2):

NOTICE: This website may sell your sensitive personal data
NOTICE: This website may sell your biometric personal data

Data Protection Assessments

Controllers must perform and document Data Protection Assessments (DPA) to perform certain data processing activities, as described in Section 16. Section 501.713 of the FDBR.

You’re required to perform a DPA to process information for the following purposes:

Targeted advertising
The sale of personal data
Processing data for the purposes of profiling if it presents a reasonably foreseeable risk to the consumer
Processing sensitive data
Processing activities that involve personal data that presents a heightened risk of harm to the consumer

The controller’s data protection assessment must do all of the following:

Identify and weigh the direct and indirect benefits to the controller, consumer, and other stakeholders against the potential risks to consumer rights, as mitigated by safeguards.
Factor in the use of deidentified data, the consumer’s reasonable expectations, the processing context, and the relationship between the controller and the consumer.

You can use a single assessment to address a comparable set of operations or activities if the assumed risk to the consumer is similar in scope.

Controllers can also use an assessment conducted to comply with another law or regulation comparable to the guidelines written in the FDBR.

Contractual Obligations Regarding Third-Party Processors

The FDBR outlines contractual requirements between controllers and processors in Section 15. Section 501.712 Part (2).

Specifically, it states that a contract must exist between controllers and processors outlining all of the following:

Clear instructions for the processing of the data
The nature and purpose for the processing
The type of data subject to processing
The duration of the processing
The rights and obligations of both parties involved
A requirement that the processor will ensure that each person processing the data is subject to a duty of confidentiality regarding the information
A requirement that the processor will delete or return all information at the end of the contract as directed by the controller unless the law requires retention
A requirement that the processor will make all information in their possession available, at the controller’s reasonable request, to demonstrate the processor is complying with this portion of the FDBR
A requirement that the processor will allow and cooperate with a reasonable assessment by the controller or a designated assessor
A requirement that any subcontractors must follow a contract with the same provisions

A processor can arrange a qualified independent assessor to assess their policies and technical or organizational measures to support these requirements.

The processor must make the report available to the controller upon request.

Guidelines Surrounding Children’s Data

Online services that provide games, products, services, or features likely to be accessed primarily by children must follow specific guidelines under the FDBR.

Specifically, as explained in Section 2. Section 501.1735, these platforms may not:

Process any child’s personal information if the platform has actual knowledge (or willfully disregards) that the processing may result in substantial harm or privacy risk to the child.
Profile a child unless the online platform demonstrates it has appropriate safeguards in place and the profiling is necessary to provide the service.

However, platforms that can prove or demonstrate a compelling reason that the profiling doesn’t pose any substantial risk of harm or privacy risk may carry on with this type of processing.

Additionally, entities cannot:

Collect, sell, share, or retain personal data that is unnecessary to provide an online service unless they prove it does not pose substantial harm or privacy risk to the child.
Use the personal information for any reason other than the original reason it was collected unless they prove it does not pose substantial harm or privacy risk to the child.
Collect, sell, or share any precise geolocation data of the child unless strictly necessary for the service to function.
Collect any precise geolocation data about the child without providing an obvious sign that the data is being collected.
Use dark patterns to mislead the child in a direction they wouldn’t otherwise take.
Use the personal information to estimate the age or age range for any other purpose or retain that data longer than necessary.

Social Media Restrictions for Government Employees

Under Section 1. Section 112.23 Part (2) and (3) of the Florida Digital Bill of Rights, government entities, officers, or salaried employees may not communicate with social media platforms regarding specific concerns.

Specifically, government entities cannot request the removal of content or accounts or initiate agreements for the purposes of content moderation.

They also cannot initiate or maintain working relationships with a social media platform for content moderation.

However, these sections don’t apply when the government entity or officer is acting on any of the following:

Routine account management of the government entity’s account, including removing or revising their content or account.
Removing content pertaining to committing a crime or violating Florida’s public law.
Removing an account pertaining to committing a crime or violating Florida’s public law.
Investigations related to efforts to prevent bodily harm, loss of life, or property damage.

Provisions for Controllers That Own Search Engines

The FDBR outlines guidelines that controllers who operate search engines must follow in Section 13. Section 501.71 Part (4).

Those controllers must make available an up-to-date description of the most significant parameters used to determine the search engine rankings and their relative importance.

It should include details about the “prioritization or deprioritization of political partisanship or political ideology in search results.”

The description must be available in an easily accessible location without requiring a log-in or any user registration.

However, these controllers are not required to disclose algorithms or any other information that might enable deception or harm to consumers through the manipulation of search results.

Florida’s Data Privacy Law vs. Other States: Similarities and Differences

The FDBR outlines consumer rights and some privacy obligations that mirror other U.S. privacy laws, but it’s very different in scope and scale than the other legislation that exists, like the:

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
Colorado Privacy Act (CPA) — currently in force
Connecticut Data Privacy Act (CTDPA) — currently in force
Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
Tennessee Information Protection Act (TIPA) — effective July 1, 2025
Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
Utah Consumer Privacy Act (UCPA) — currently in force
Virginia Consumer Data Protection Act (VCDPA) — currently in force

The primary differences of the FDBR include its very limited scope, which targets larger enterprise-level entities that control browsers and/or search engines.

It doesn’t apply to small to medium-sized businesses, data brokers, and other online entities that typically collect, process, and use consumer personal data.

However, you can compare aspects of the law to these other state laws in the table below.

State Law	Opt-in consent for certain types of data processing	Opt-out consent for certain types of data processing	Must present users with a privacy policy (or notice)	Requires Data Protection Assessments	Outlines Contractual Obligation with Third-Party Processors	Allows for civil lawsuits or private right of action	Must honor Global Privacy Controls/browser privacy settings
FDBR		✓	✓	✓	✓
CCPA/CPRA	✓	✓	✓	✓	✓	✓	✓
CPA		✓	✓	✓	✓		✓
CTDPA		✓	✓	✓	✓		✓
DPDPA	✓	✓	✓	✓	✓		✓
Indiana CDPA		✓	✓	✓	✓
Iowa CDPA		✓	✓		✓
MCDPA		✓	✓	✓	✓		✓
OCPA		✓	✓	✓	✓		✓
TIPA	✓	✓	✓	✓	✓
TDPSA		✓	✓	✓	✓		✓
UCPA		✓	✓		✓
VCDPA		✓	✓	✓	✓

How Will Consumers Be Impacted by the FDBR?

The FDBR impacts consumers by granting them rights and control over how their personal information gets collected, processed, and used by qualifying data controllers.

Specifically, Section 8. Section 501.705 describes most of the consumer rights, which include all of the following:

Confirm if a controller is processing their personal data and have access to it
Correct inaccuracies in their personal data
Delete any or all of the personal data provided by or obtained about the consumer
Obtain a copy of their data in a portable format and, where available, in a digital format
Opt-out of targeted advertising
Opt-out of the sale of their personal data
Opt-out of profiling
Opt-out of the collection of sensitive personal data, including precise geolocation and the processing of sensitive data
Opt-out of the collection of personal data through a voice or facial-recognition feature

Additionally, devices that have any of the following features that collect data cannot be used for surveillance when the features aren’t activated by the consumer without authorization:

Voice recognition
Facial recognition
Video recording
Audio recording
Any other electronic features
Any other visual features
Thermal features
Olfactory features

Who Does the FDBR Apply To?

The FDBR only covers the personal data of Florida residents acting as individuals or on behalf of a household according to Section 5. Section 501.702 of the law.

It excludes anyone in the state acting for employment or commercial purposes.

How Will Businesses Be Impacted by the FDBR?

The FDBR impacts businesses in several ways beyond the contractual obligations, data protection impact assessments, and search engine obligations previously mentioned.

It also impacts your privacy and cookie policies, which I discuss in detail in the next section.

How Will the FDBR Affect My Privacy Policy?

Entities that qualify as controllers should plan to update their privacy policy to meet the requirements described by the Florida Digital Bill of Rights.

According to Section 14. Section 501.711, qualifying controllers must present consumers with a “reasonably accessible” and “clear” privacy notice that outlines all of the following:

The categories of personal information and sensitive personal information processed by the controller
Your purpose for processing the data
How consumers can exercise their rights granted by the FDBR, including how they can appeal a controller’s decisions based on their requests
The categories of personal data a controller shares with third parties, if any
The categories of third parties that the controller shares data with, if any
A description of the methods (as specified in Section 501.709 of the FDBR) of how consumers can submit requests to exercise their rights under the law

How Will the FDBR Affect My Cookie Policy?

The FDBR may impact qualifying data controllers’ cookie policies, particularly if you use internet cookies for targeted advertising or sell the information derived from cookies.

As explained in Section 8. Section 501.705 of the law, Floridians have the right to opt out of the sale of their personal data and targeted ads.

So, you must update your cookie policy to describe if you use any cookies for these purposes and how consumers can follow through on their opt-out rights.

Who Must Comply With Florida’s New Data Privacy Law?

The Florida Digital Bill of Rights isn’t like the other U.S. state laws, as it appears to target enterprise-level entities more than data brokers and small to medium-sized businesses.

According to Section 6. Section 501.703, it applies to entities that do business in Florida or provide goods and services to state residents who also meet Section 5. Section 501.702’s definition of controller (which appears in the key terms and definitions section above).

You must be for-profit, make an excess of $1 billion in gross annual revenue, and meet one of the following additional conditions:

Derive 50% or more of your revenue from selling ads online.
Operate a smart speaker or voice command component service (but those connected to vehicles are exempt).
Operate an app store or digital platform that offers at least 250,000 different software applications.

Additionally, Section 5 Section 501.702 states that anyone controlled by or who controls a controller also falls under the definition.

By control, the law specifically means:

Owning more than 50% of the outstanding shares of any class of voting
Having control over the election of the majority of the directors
Having the power to exercise influence over the management of the company.

You’re only subject to following the FDBR if your business meets these requirements.

Who Is Exempt From the FDBR?

According to Section 6. Section 501.703 Part (2), the following entities are exempt and do not need to follow the FDBR:

State agencies or political subdivisions of the state
Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
Covered entity or business associate governed by the privacy, security, and breach notifications issued by the United States Department of Health and Human Services, the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act
Nonprofit organizations
Postsecondary education institutions
Processing of personal data for a purely personal or household activity
Processing of personal data solely for measuring or reporting advertising performance, reach, or frequency

How Can Businesses Prepare for the FDBR?

Entities that qualify as data controllers under the FDBR should plan to take a few crucial steps to get ready for the implementation of this law:

Update your privacy policy to include all details specified, including the description of consumer rights.
If you sell biometric or sensitive data, include the proper notice on your website.
Ensure any contract you enter with third-party processors follows the guidelines expressed in the FDBR.
If you perform processing activities that pose a high risk to consumers, execute and document the proper Data Privacy Assessments.
If your company operates a search engine, implement a visible disclosure on your website about your link ranking parameters.
For entities that create services primarily used by children, you must follow all obligations expressed by the law.

How Will the FDBR Be Enforced?

The Attorney General has the exclusive authority to enforce violations of the Florida Digital Bill of Rights and can bring action against any person they believe violates the law for unfair or deceptive acts or practices.

Fines and Penalties Under the Florida Digital Bill of Rights

The Florida Attorney General can implement civil penalties of up to $50,000 for violations of the FDBR, as explained in Section 23. Section 501.72 Part (1) of the law.

However, Florida consumers don’t have a private right to legal action under this law.

How Will Termly Help With FDBR Compliance?

Termly helps businesses comply with laws like the Florida Digital Bill of Rights by providing policy generators and a consent management platform (CMP) backed by our legal team and data privacy experts.

Our Privacy Policy Generator follows several U.S. laws already in action, and we regularly update it to keep up with new and changing legislation from around the world.

Using it couldn’t be more simple — it asks fundamental questions about your business and personal data processing activities, then makes a unique privacy policy based on your answers.

Below is a screenshot of one of the questions it asks.

Termly-Privacy-Policy-Generator

Generate a Free Privacy Policy

We also offer a CMP with a cookie consent banner you can configure to meet the opt-out requirements described by laws like the FDBR.

See an example of it below.

Summary

While the Florida Digital Bill of Rights has a unique, limited scope compared to the other U.S. state privacy laws, this law will likely make waves once it enters into force in 2024.

If you qualify as a controller under the FDBR, you should plan to:

Update your privacy policy to meet all requirements outlined by the FDBR.
Ensure your cookie policy is up-to-date and accurate.
Use compliant contracts with any third-party processors in line with the FDBR guidelines.
Perform data processing assessments before processing any information that may pose a higher risk to consumers.
Add Data Subject Access Request forms to your website so users can easily follow through on their privacy rights.
Ensure you follow all guidelines surrounding children’s data, especially if people under 18 primarily use your services.
If you own a search engine, follow the law’s new disclosure requirements.
Government entities affected by this law must follow all new obligations regarding social media platforms and requests.

Why not make things easier for your business? Use our Privacy Policy Generator or CMP and get a headstart on your privacy compliance process today.

More about the author

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

Cookie Walls: Are They GDPR Compliant?

Personal vs. Sensitive Personal Information

Privacy Policy for Hotel Websites

Privacy Policy for Gym Websites

Privacy Policy for Real Estate Websites