This alert has been amended to highlight the FDBR's impact on Big Tech companies.
On June 6, 2023, Florida's Governor, Ron DeSantis, signed SB 262, which contains the Florida Digital Bill of Rights (“FDBR”), making Florida the fifth state in the past few months to enact a new privacy law. For the most part, these laws have followed a consistent framework and applied similarly to companies. However, Florida took a different approach. Instead of a comprehensive privacy law aimed at a wide number of businesses, the scope of the FDBR is distinctly narrower than the other state laws because most of its provisions will only apply to large technology companies. As a result, companies should carefully analyze the applicability of the FDBR to their respective operations. The FDBR will take effect on July 1, 2024, giving subject companies a little over a year to comply.
Most of the provisions of the FDBR apply to a uniquely defined “controller,” meaning a company that meets the following criteria, or that controls or is controlled by a company that meets the following criteria:
- operates for profit;
- conducts business in Florida;
- collects personal data about consumers (defined below) or is the entity on behalf of which such information is collected;
- determines the purposes and means of processing personal data about consumers alone or jointly with others;
- makes in excess of $1 billion in global gross annual revenues; and
- satisfies at least one of the following:
  - (i) derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
  - (ii) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
  - (iii) operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
The FDBR's definition of “controller” does not include small and medium-sized businesses but rather covers big, technology-driven companies, like Google, Meta, Apple, and Amazon.
Additionally, like the other states' comprehensive privacy laws, the FDBR contains exemptions for certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA, non-profit organizations, and postsecondary education institutions. Further, the FDBR also exempts certain types of information, such as protected health information under HIPAA, personal data regulated by the Family Educational Rights and Privacy Act, and data processed or maintained in the course of employment.
Consistent with the other states' comprehensive privacy laws (except for California's law), the FDBR defines “consumer” to mean an individual who is a Florida resident acting only in an individual or household context, and excludes an individual acting in a commercial or employment context. Therefore, employee personal information and business contact personal information fall outside the scope of the FDBR. Of note, the FDBR defines “child” as a consumer who is under 18 years of age – another distinction from the other state comprehensive privacy laws since they define a child as being under 13 years of age.
With respect to such consumers, the FDBR regulates their “personal data,” defined broadly to mean any information which is linked or reasonably linkable to an identified or identifiable individual. Personal data also includes a special category of data known as “sensitive data,” which it defines as (i) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying an individual; (iii) personal data collected from a known child (i.e., a consumer under 18); or (iv) precise geolocation data. The FDBR's definition of “sensitive data” is similar to the definitions used in other states' comprehensive privacy laws, except for California's law (which uses a broader definition).
Additionally, the FDBR broadly defines the “sale of personal data” as the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. This definition differs from other state privacy laws that require monetary consideration only for a sale of personal data. The FDBR also provides broad exceptions to the definition of “sale” that are becoming standard among state privacy laws and should cover many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller or to a third party for the purpose of providing a product or service requested by a consumer. However, the FDBR does not exempt disclosures to an affiliate of the controller from the definition of “sale,” which is unlike other states' comprehensive privacy laws and may impact a controller's operations.
In addition to having a unique scope, the FDBR also contains certain unique compliance requirements. For example, a controller that operates a search engine must make available a description of the main parameters that are the most significant in determining ranking, and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology, in search results. Also, the FDBR requires controllers that sell sensitive personal data to provide the following statement on their website: “NOTICE: This website may sell your sensitive personal data.” Similarly, if a controller sells biometric data, it must provide the following statement on their website: “NOTICE: This website may sell your biometric data.”
In addition to its unique compliance requirements, the FDBR also contains compliance obligations found in all the other states' comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into agreements with processors that handle the controller's personal data. Further, like the privacy laws in Colorado, Connecticut, Virginia, Indiana, Tennessee, and Montana, the FDBR requires controllers to undertake data protection assessments of processing personal data for purposes of targeted advertising, the sale of personal data, profiling (in certain instances), and the processing of sensitive data. Of note, the FDBR provides that data protection assessments must apply to processing activities created or generated after July 1, 2023, which is a year before the law will become operative. Companies subject to the FDBR should immediately consider whether their activities require a data protection assessment.
Consumer Rights and Requests
Like all of the other states' comprehensive privacy laws, the FDBR grants certain rights to individuals regarding their own personal data. While some of these rights overlap with those in such other laws, others are unique to the FDBR and, again, cover technology companies. Specifically, the FDBR grants consumers the right to make requests to (1) access their personal data; (2) correct their personal data; (3) delete their personal data; (4) obtain a copy of their personal data; (5) opt out of the processing of their personal data for targeted advertising, the sale of personal data, and certain types of profiling; (6) opt out of the collection or processing of sensitive data; and (7) opt out of the collection of personal data through the operation of a voice recognition or facial recognition feature.
Further, a consumer must provide express authorization in order for devices that have a voice or facial recognition feature, a video or audio recording feature, or any other electronic, visual, thermal, or olfactory feature that collects data to use those features for the purpose of surveillance by the controller, processor, or affiliate of a controller or processor when such features are not in active use by the consumer. Additionally, with respect to sensitive data, the FDBR requires controllers to obtain prior consent from consumers (or their parents/legal guardians if the consumers are under age 13).
A controller has 45 days to respond to a consumer request, which may be extended once by an additional 15 days when reasonably necessary upon considering the complexity and number of the consumer's requests, provided that the controller informs the consumer of the extension within the initial 45-day period. Most of the other states' comprehensive privacy laws allow for a 45-day extension, so this shorter timeframe will be important for controllers to keep in mind. Additionally, the FDBR requires a controller to provide consumers with an appeals process if it denies a consumer's request, and a controller has 60 days to respond to an appeal, which is similar to some comprehensive privacy laws.
Enforcement & Penalties
Importantly, the FDBR does not have a private right of action for individuals. Rather, like the other states' comprehensive privacy laws, the FDBR is enforced exclusively by the Florida Attorney General via the Department of Legal Affairs. The FDBR provides for an optional cure period whereby the Florida Attorney General may grant a company 45 days to cure an alleged violation prior to initiating an action for a violation of the FDBR. This possibility of cure will be important for companies because the FDBR carries potentially steep penalties. It permits the Florida Attorney General to collect a civil penalty of up to $50,000 per violation, and penalties may be tripled for a violation involving a known child (i.e., a consumer under the age of 18), failure to delete or correct a consumer's personal data after receiving an authenticated request to do so if no exception applies, or continuing to sell or share a consumer's personal data after they opt out from such selling or sharing.
While passage of the FDBR is most significant for the relatively limited number of companies that constitute controllers, it is also significant because it adds to the patchwork structure of the state privacy law movement in the U.S. This may create a stronger push for a federal comprehensive privacy law, especially now that large technology companies that often engage in lobbying efforts are being targeted by the FDBR. Additionally, the FDBR provides that the Florida Department of Legal Affairs will adopt regulations to implement the FDBR, so there will be more regulation to come under this law.