Understanding the Florida Digital Bill of Rights

• The Florida Digital Bill of Rights is a privacy law that gave data rights to Florida residents and applied new requirements to businesses that process consumer data.

• Signed by Florida Gov. Ron DeSantis on June 6, 2023, the Florida Digital Bill of Rights will go into effect on July 1, 2024.

• To comply with this new privacy law, businesses whose goods or services are used by Florida residents must respond to consumer privacy requests, implement data retention schedules, conduct data protection assessments, and more.

What is the Florida Digital Bill of Rights?

• Who's subject to the Florida Digital Bill of Rights?

• Florida Digital Bill of Rights vs. other state privacy laws

• Consumer rights provided by the FBDR

Florida Digital Bill of Rights compliance checklist

• Determine whether the FDBR applies to your business

• Create a data map

• Review and update privacy policies and notices

• Establish procedures for responding to consumer requests

• Implement data retention schedules and reasonable security measures

• Conduct data protection assessments

• For search engines, disclose algorithmic methodologies

On June 6, 2023, Governor Ron DeSantis signed the Florida Digital Bill of Rights (FDBR) into law. The law gave Florida residents more control over their personal data and created new data protection requirements for businesses. Most of the FDBR’s provisions go into effect on July 1, 2024.

Under this new privacy law, consumers have the right to access, correct, erase, and opt-out of the sale or sharing of their personal information (PI). There are also new restrictions on how businesses may process sensitive personal information (SPI), which includes data concerning a known minor and/or could identify a consumer’s: 

• Ethnic or racial background

• Health conditions

• Religious beliefs

• Sexual orientation

• Immigration or citizenship status

• Exact location

The Florida Digital Bill of Rights will be enforced by the Florida Department of Legal Affair, which can bring civil suits against alleged violators and levy fines of up to $50,000 per violation. 

If a company commits violations regarding the data of minors or fails to fulfill a consumer’s privacy request, that penalty can be tripled. The Department of Legal Affairs has discretion, but isn't required, to allow a 45 day cure period. 

The Florida Digital Bill of Rights differs from other state privacy laws in a few key ways. It restricts social media moderation by government personnel, adds biometric and location data to the list of personal information that triggers Florida’s breach notification, and requires disclosures about search engine methodology. 

Notably, it also has a higher revenue threshold than any other state law—effectively limiting the bill’s scope to large tech companies, search engines, and online advertisers. 

We’ll explore these differences in greater detail below, but first we’ll look at who falls under the FDBR’s scope. 

With a baseline threshold of $1 billion a year in gross revenue, the majority the Florida Digital Bill of Rights requirements only apply to large tech companies. If a business meets that revenue threshold, they must also: 

• Make 50% of annual revenue from selling online ads

• Manage an app store or other digital distribution platform that has 250,000+ downloadable apps OR

• Offer a smart device with an integrated virtual assistant or other voice command service i.e. Siri, Google Home, Alexa, etc. 

It’s also important to note that a company doesn’t have to be located in Florida or market its goods or services to Florida residents for the law to apply. Any business that meets the above criteria and whose goods or services are used by Florida residents falls under the FDBR’s purview. 

Though the bill’s scope covers a smaller swathe of companies compared to other state privacy laws, the obligations placed on those companies are not insignificant. Businesses under the Florida Digital Bill of Rights must, among other things: 

• Maintain fair information practices

• Uphold strict data retention schedules

• Provides clear disclosures when engaging in targeted advertising

• Implement robust security measures

• Conduct data protection assessments

• Disclose search engine methodology (if applicable) 

Though most requirements in the Florida Digital Bill of Rights apply only to the largest of companies, two provisions are applied more broadly. 

Under the Florida Information Protection Act (FIPA), any business that collects and stores personal information on Florida residents must take “reasonable measures” to ensure that data is protected and secure. And, in the event of a breach, they must follow certain reporting requirements. The Florida Digital Bill of Rights expands the definition of personal information outlined under FIPA to include location and biometric data. 

The Florida Digital Bill of Rights also places new restrictions on any business that collects or processes sensitive personal information—requiring that they obtain consent before collection or processing begins. Companies must also display a notice on their website that reads, “NOTICE: This website may sell your sensitive personal data."

The Florida Digital Bill of Rights has a few key differences from other US state privacy laws, including a higher revenue threshold, restrictions on government social media moderation and certain types of surveillance, requirements around search engine methodology disclosures, and an amended breach notice. 

Florida’s privacy law has a minimum revenue threshold of $1 billion per year. When compared to the California Privacy Rights Act (CPRA) and the Utah Consumer Privacy Act (UCPA), where the revenue threshold is $25 million, it’s clear the FDBR is mainly aimed at large tech companies. 

Diverging from all other current state privacy laws, the FDBR has a provision that limits government involvement online—banning government agencies and personnel from leveraging state resources to moderate social media content.

Moreover, government entities cannot form content moderation agreements with social media platforms, barring regular account maintenance or efforts to curb criminal activity or limit property damage, physical harm, or loss of life.

Under the Florida Digital Bill of Rights, devices equipped with voice or facial recognition, video, audio, or any other monitoring capabilities are banned from surveilling consumer’s without express permission.

Under Florida’s Data Breach Notification Statute, any business, individual, or organization that collects personal information and experiences a breach must notify the Department of Legal Affairs within 30 days—ideally sooner. 

The Florida Digital Bill of Rights expanded this breach notice trigger to include location and biometric data. 

In an unprecedented provision, the Florida Digital Bill of Rights requires that search engine operators provide an:

“an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining the ranking and the relative importance of those main parameters.”

It also requires that these disclosures offer information on how political ideology and partisanship is handled within search results. 

The bill defines search engines as:

“technology and systems that use algorithms to sift through and index vast third-party websites and content on the Internet in response to search queries entered by a user.” 

Third parties who license the engine, but can’t control its algorithm, index, or ranking order are excluded.

Under the Florida Digital Bill of Rights, consumers have the right to:

• Confirm whether a controller is processing personal data

• Access personal data

• Delete personal data

• Correct personal data

• Obtain a copy of their personal data

• Opt out of the processing of the sale or sharing of their personal data for the purpose of targeted advertising

• Opt out of certain types of automated profiling

• Opt out of the collection or processing of sensitive data

• Opt out of data collection via voice or facial recognition technology

Florida’s law is somewhat unique in its consideration of facial and voice recognition technology—limiting its use in many cases and codifying consumers’ right to opt-out. 

With the Florida Digital Bill of Rights going into effect on July 1, 2024, businesses under its purview should start working towards compliance now. We’ve outlined a basic checklist for compliance below. 

Remember, the Florida Digital Bill of Rights applies to businesses whose goods or services are used by Florida residents and that have an annual revenue of $1 billion or more. 

If a business meets that base threshold, they must also:

• Derive 50% of annual revenue from selling online ads

• Manage an app store or other digital distribution platform with at least 250,000 apps that consumers can download and install OR

• Offer a smart device with an integrated virtual assistant or other voice command service i.e. Siri, Google Home, Alexa, etc. 

If your company does not meet these requirements, Florida’s privacy law does not apply.

To kickoff compliance with the Florida Digital Bill of Rights, you’ll need to conduct a gap analysis and compare your current data processing practices with the law’s requirements. But to conduct a gap analysis, you’ll need a clear look into how your company processes personal data—this is where data mapping comes in.

Though data mapping isn’t explicitly required under any state privacy law, creating a data map will give you a comprehensive view of:

• The personal data your company collects and stores

• Where that data is located

• How long it’s being retained

• Where/when it’s being shared with third parties

At a high level, you data map should include: 

• What categories of personal information (PI) you’re processing

• Whether you process sensitive personal information

• Where and how PI is being processed

• Purposes of processing

Manually building a data map is possible, but can be time consuming—especially if your company regularly adds new data systems. Many privacy program managers start out by building their data map in a spreadsheet, but an automated tool like Transcend Data Mapping will speed the process up significantly.

Businesses under the FDBR must, in a public facing privacy policy: 

• Disclose their data processing activities, including whether or not data is being shared with third-parties

• Outline a consumer’s rights under the law, and

• Provide instructions on how to fulfill those rights

If a business is selling or sharing sensitive personal information or biometric data, they must include a link on their website that reads, “NOTICE: This website may sell your sensitive personal data” or “NOTICE: This website may sell your biometric personal data.”

Under the Florida Digital Bill of Rights, consumers have the right to access, correct, and erase their personal information. This means that your company needs to establish a mechanism that makes fulfilling these rights possible. 

Similar to data mapping, it’s possible to complete this process manually. However, that’s not the ideal workflow as it’s time consuming and difficult to scale. 

To manually fulfill an access request, for example, someone on your team would need to identify every data system that stores consumer data, locate all the information relevant to the person making the request, and then send everything back to that person in a format that’s easy to understand. 

That process is feasible when you only receive a few requests per month, but as request volumes increase it quickly becomes unsustainable. Automated solutions like Transcend Privacy Requests can help. 

The Florida Digital Bill of Rights requires that companies limit data collection to what’s necessary to fulfill their stated purpose of processing and implement: 

“reasonable administrative, technical and physical data security practices.”

They must also maintain data retention schedules that: 

• Ensure data is deleted after its purpose of processing has been fulfilled

• The initial contract has expired, or

• A consumer hasn’t interacted with the business in over two years

Florida’s privacy law requires that data controllers conduct data protection assessments (DPA) for data processing related to: 

• Targeted advertising

• The sale or sharing personal information

• Certain types of automated profiling

• Sensitive personal information

• Activities that pose a heightened risk to consumers

The requirement to conduct DPA’s is not necessarily meant to limit data processing outright. Rather, the process should help your organization weigh the benefits of these processing activities against the risks to consumers. 

The FDBR requires that search engines provide, in an easily accessible format:

“an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining the ranking and the relative importance of those main parameters.”

Put simply, search engines must disclose how they rank the content that shows up in search results. In this disclosure, they also need to describe:

“the prioritization or deprioritization of political partisanship or political ideology in search results.”

This requirement is unique to the Florida Digital Bill of Rights, so it will be interesting to see how search engines implement this mandate in practice.

If your company has been impacted by the Florida Digital Bill of Rights, Transcend can help. We're the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.

• Florida’s Take on Comprehensive Consumer Privacy Law: Moore & Van Allen

• Florida Data Breach Notification Statute Summary

• When Cybersecurity Goes Wrong: Breach Notice Obligations Under the Florida Information Protection Act

• Newly-Passed Florida Privacy Law Bill

• The ranging impacts of Florida's Digital Bill of Rights

• Florida Legislature Passes Privacy Law

• Florida Added to Growing List of New Comprehensive Consumer Privacy Laws

• Florida Senate Bill 262

• Florida Governor Signs Data Privacy Law Focused on Children, Search Engines and Billion Dollar Businesses