Senior Content Marketing Manager II
June 16, 2023â˘10 min read
What is the Florida Digital Bill of Rights?
Florida Digital Bill of Rights compliance checklist
On June 6, 2023, Governor Ron DeSantis signed the Florida Digital Bill of Rights (FDBR) into law. The law gave Florida residents more control over their personal data and created new data protection requirements for businesses. Most of the FDBRâs provisions go into effect on July 1, 2024.
Under this new privacy law, consumers have the right to access, correct, erase, and opt-out of the sale or sharing of their personal information (PI). There are also new restrictions on how businesses may process sensitive personal information (SPI), which includes data concerning a known minor and/or could identify a consumerâs:Â
The Florida Digital Bill of Rights will be enforced by the Florida Department of Legal Affair, which can bring civil suits against alleged violators and levy fines of up to $50,000 per violation.Â
If a company commits violations regarding the data of minors or fails to fulfill a consumerâs privacy request, that penalty can be tripled. The Department of Legal Affairs has discretion, but isn't required, to allow a 45 day cure period.Â
The Florida Digital Bill of Rights differs from other state privacy laws in a few key ways. It restricts social media moderation by government personnel, adds biometric and location data to the list of personal information that triggers Floridaâs breach notification, and requires disclosures about search engine methodology.Â
Notably, it also has a higher revenue threshold than any other state lawâeffectively limiting the billâs scope to large tech companies, search engines, and online advertisers.Â
Weâll explore these differences in greater detail below, but first weâll look at who falls under the FDBRâs scope.Â
With a baseline threshold of $1 billion a year in gross revenue, the majority the Florida Digital Bill of Rights requirements only apply to large tech companies. If a business meets that revenue threshold, they must also:Â
Itâs also important to note that a company doesnât have to be located in Florida or market its goods or services to Florida residents for the law to apply. Any business that meets the above criteria and whose goods or services are used by Florida residents falls under the FDBRâs purview.Â
Though the billâs scope covers a smaller swathe of companies compared to other state privacy laws, the obligations placed on those companies are not insignificant. Businesses under the Florida Digital Bill of Rights must, among other things:Â
Though most requirements in the Florida Digital Bill of Rights apply only to the largest of companies, two provisions are applied more broadly.Â
Under the Florida Information Protection Act (FIPA), any business that collects and stores personal information on Florida residents must take âreasonable measuresâ to ensure that data is protected and secure. And, in the event of a breach, they must follow certain reporting requirements. The Florida Digital Bill of Rights expands the definition of personal information outlined under FIPA to include location and biometric data.Â
The Florida Digital Bill of Rights also places new restrictions on any business that collects or processes sensitive personal informationârequiring that they obtain consent before collection or processing begins. Companies must also display a notice on their website that reads, âNOTICE: This website may sell your sensitive personal data."
The Florida Digital Bill of Rights has a few key differences from other US state privacy laws, including a higher revenue threshold, restrictions on government social media moderation and certain types of surveillance, requirements around search engine methodology disclosures, and an amended breach notice.Â
Floridaâs privacy law has a minimum revenue threshold of $1 billion per year. When compared to the California Privacy Rights Act (CPRA) and the Utah Consumer Privacy Act (UCPA), where the revenue threshold is $25 million, itâs clear the FDBR is mainly aimed at large tech companies.Â
Diverging from all other current state privacy laws, the FDBR has a provision that limits government involvement onlineâbanning government agencies and personnel from leveraging state resources to moderate social media content.
Moreover, government entities cannot form content moderation agreements with social media platforms, barring regular account maintenance or efforts to curb criminal activity or limit property damage, physical harm, or loss of life.
Under the Florida Digital Bill of Rights, devices equipped with voice or facial recognition, video, audio, or any other monitoring capabilities are banned from surveilling consumerâs without express permission.
Under Floridaâs Data Breach Notification Statute, any business, individual, or organization that collects personal information and experiences a breach must notify the Department of Legal Affairs within 30 daysâideally sooner.Â
The Florida Digital Bill of Rights expanded this breach notice trigger to include location and biometric data.Â
In an unprecedented provision, the Florida Digital Bill of Rights requires that search engine operators provide an:
âan up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining the ranking and the relative importance of those main parameters.â
It also requires that these disclosures offer information on how political ideology and partisanship is handled within search results.Â
The bill defines search engines as:
âtechnology and systems that use algorithms to sift through and index vast third-party websites and content on the Internet in response to search queries entered by a user.âÂ
Third parties who license the engine, but canât control its algorithm, index, or ranking order are excluded.
Under the Florida Digital Bill of Rights, consumers have the right to:
Floridaâs law is somewhat unique in its consideration of facial and voice recognition technologyâlimiting its use in many cases and codifying consumersâ right to opt-out.Â
With the Florida Digital Bill of Rights going into effect on July 1, 2024, businesses under its purview should start working towards compliance now. Weâve outlined a basic checklist for compliance below.Â
Remember, the Florida Digital Bill of Rights applies to businesses whose goods or services are used by Florida residents and that have an annual revenue of $1 billion or more.Â
If a business meets that base threshold, they must also:
If your company does not meet these requirements, Floridaâs privacy law does not apply.
To kickoff compliance with the Florida Digital Bill of Rights, youâll need to conduct a gap analysis and compare your current data processing practices with the lawâs requirements. But to conduct a gap analysis, youâll need a clear look into how your company processes personal dataâthis is where data mapping comes in.
Though data mapping isnât explicitly required under any state privacy law, creating a data map will give you a comprehensive view of:
At a high level, you data map should include:Â
Manually building a data map is possible, but can be time consumingâespecially if your company regularly adds new data systems. Many privacy program managers start out by building their data map in a spreadsheet, but an automated tool like Transcend Data Mapping will speed the process up significantly.
Businesses under the FDBR must, in a public facing privacy policy:Â
If a business is selling or sharing sensitive personal information or biometric data, they must include a link on their website that reads, âNOTICE: This website may sell your sensitive personal dataâ or âNOTICE: This website may sell your biometric personal data.â
Under the Florida Digital Bill of Rights, consumers have the right to access, correct, and erase their personal information. This means that your company needs to establish a mechanism that makes fulfilling these rights possible.Â
Similar to data mapping, itâs possible to complete this process manually. However, thatâs not the ideal workflow as itâs time consuming and difficult to scale.Â
To manually fulfill an access request, for example, someone on your team would need to identify every data system that stores consumer data, locate all the information relevant to the person making the request, and then send everything back to that person in a format thatâs easy to understand.Â
That process is feasible when you only receive a few requests per month, but as request volumes increase it quickly becomes unsustainable. Automated solutions like Transcend Privacy Requests can help.Â
The Florida Digital Bill of Rights requires that companies limit data collection to whatâs necessary to fulfill their stated purpose of processing and implement:Â
âreasonable administrative, technical and physical data security practices.â
They must also maintain data retention schedules that:Â
Floridaâs privacy law requires that data controllers conduct data protection assessments (DPA) for data processing related to:Â
The requirement to conduct DPAâs is not necessarily meant to limit data processing outright. Rather, the process should help your organization weigh the benefits of these processing activities against the risks to consumers.Â
The FDBR requires that search engines provide, in an easily accessible format:
âan up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining the ranking and the relative importance of those main parameters.â
Put simply, search engines must disclose how they rank the content that shows up in search results. In this disclosure, they also need to describe:
âthe prioritization or deprioritization of political partisanship or political ideology in search results.â
This requirement is unique to the Florida Digital Bill of Rights, so it will be interesting to see how search engines implement this mandate in practice.
If your company has been impacted by the Florida Digital Bill of Rights, Transcend can help. We're the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.
Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.
Senior Content Marketing Manager II