On June 6th, 2023, Senator Ron Desantis signed Senate Bill (S.B.) 262, or the Florida Digital Bill of Rights (FDBR). The Florida Digital Bill of Rights (FDBR) joins a growing body of legislation that states and countries around the globe have implemented to protect consumers' personal data and privacy rights.
This article will take you through what the Florida Digital Bill of Rights (FDBR) is, who it applies to, how to comply with it, and what the penalties for non-compliance are. It will also cover the differences between and similarities to other online privacy laws.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is the Florida Digital Bill of Rights (FDBR)?
- 2. Who Does the Florida Digital Bill of Rights (FDBR) Apply to?
- 3. How to Comply With the Florida Digital Bill of Rights (FDBR)
- 3.1. Provide Methods for Consumer Requests
- 3.2. Respond to Consumer Requests
- 3.3. Maintain a Privacy Policy
- 3.3.1. The Kinds of Personal Data You Use
- 3.3.2. Why You Collect Personal Data
- 3.3.3. How Consumers Can Exercise Their Rights
- 3.3.4. What Personal Data You Share With Third Parties
- 3.3.5. What Third Parties You Share Personal Data With
- 3.4. Notify Consumers of the Sale or Sharing of Their Personal Data
- 3.5. Conduct Data Protection Assessments
- 3.6. Get Consent
- 4. Penalties for Noncompliance with the Florida Digital Bill of Rights (FDBR)
- 5. The Florida Digital Bill of Rights (FDBR) vs Other Privacy Laws
- 5.1. CCPA (CPRA)
- 5.2. GDPR
- 6. Summary
What is the Florida Digital Bill of Rights (FDBR)?
The Florida Digital Bill of Rights (FDBR) is a law that grants consumers certain rights over their online data and requires organizations that collect or process consumers' personal data to meet specific requirements or else face substantial fines. The law goes into effect July 1st, 2024.
The rights the Florida Digital Bill of Rights (FDBR) gives consumers include:
- The rights to confirm, access, edit, or delete their personal data
- The right to understand how search engines determine search results and rankings
- The right to opt out of the sale of their personal data
- The right to opt out of the use of their personal data for targeted advertising purposes
- The right to opt out of the collection of their personal data via voice or face recognition technology
- The right to opt out of the collection or processing of sensitive personal data
- The right to be free from discrimination for exercising their rights
- The rights of children to avoid having their personal data collected, sold, or shared
The Florida Digital Bill of Rights (FDBR) defines personal data as any information that can be used to identify an individual, and can include names and social security, driver's license, and bank account numbers.
Personal data also includes genetic or biometric (i.e., fingerprints, voiceprints, info from retinal scans) data and geographic location data.
Sensitive personal data is a special category of personal data that includes information about an individual's race or ethnicity, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status, and data used to identify a child.
The Florida Digital Bill of Rights (FDBR) requires data controllers (for-profit entities that make decisions about how the personal data they collect will be used) that fall under its jurisdiction to meet the following requirements:
- Only collect personal data that is relevant and necessary to the functioning of their organizations
- Communicate the purposes for which they collect personal data to consumers
- Keep the personal data they collect safe by implementing physical, technical, and administrative security measures
- Only provide financial incentives in exchange for personal data as long as the consumer consents to the arrangement and has the ability to withdraw their consent at any time
- Get consent from consumers before processing their sensitive personal data
The Florida Digital Bill of Rights (FDBR) also prohibits government employees from influencing social media platforms to moderate or remove content.
Additionally, applicable data controllers that operate search engines must maintain an easily accessible and clearly written description of how they determine search results rankings and whether political ideologies are prioritized in determining search results.
Who Does the Florida Digital Bill of Rights (FDBR) Apply to?
The Florida Digital Bill of Rights (FDBR) applies to data controllers that do business in the state of Florida, make over $1 billion in global gross annual revenue, and meet one of the following criteria:
- Get 50% or more of their global gross annual revenue from the sale of online advertisements, or
- Operate a consumer smart speaker or voice command component service with a virtual assistant connected to a cloud computing service that uses hands-free verbal activation, or
- Operate an app store or digital distribution platform that offers 250,000 or more apps
The law also applies to data processors and other third parties that process personal data on behalf of or receive personal data from data controllers.
How to Comply With the Florida Digital Bill of Rights (FDBR)
There are a few essential steps that organizations need to take in order to comply with the Florida Digital Bill of Rights (FDBR). These steps include:
- Providing methods for consumers to submit requests
- Having a process in place for responding to consumer requests
- Maintaining a Privacy Policy
- Notifying consumers if you sell or share their sensitive or biometric personal data
- Conducting data protection assessments
- Getting consumers' consent before collecting or processing their personal data
Let's look at each in more detail.
Provide Methods for Consumer Requests
You will need to provide at least two methods for consumers to submit requests concerning their personal data. These methods need to be:
- Safe
- Reliable
- Easy to find and access
An effective way to meet the Florida Digital Bill of Rights' consumer request method requirements is to provide both a submission form and an email address through which consumers can make their requests.
Apple uses the Privacy Questions section of its Privacy Policy to describe how its privacy complaint process works and includes a link to its Privacy Enquiries page as well as a link to its Apple Support contact page:
Respond to Consumer Requests
You must respond to consumer requests concerning their personal data within 45 days of the date the request was received.
If you are unable to take the action requested by the consumer, then you must notify them of the reasons you are unable to fulfill their request within 45 days of receiving their request and provide them with steps on how they can appeal your decision.
You must inform consumers within 60 days of receiving their appeal what action (if any) you decide to take.
Section 501.707 of the text of the Florida Digital Bill of Rights (FDBR) describes the appeals process that you must abide by:
Depending on the complexity of the requests, you can extend the 45-day response time frame by 15 days, as long as you inform the consumer of the extension and the reasons for the delay in your response within 45 days of receipt of the initial request.
You must respond to a consumer request free of charge at least twice annually per consumer unless a consumer makes excessive, repeated, or unfounded requests, in which case you can charge an administrative fee.
If you obtain information about a consumer from third parties, you must delete that information upon consumer request and maintain a record of the deletion request, as well as opt the consumer out of any future processing of their personal data.
Maintain a Privacy Policy
The Florida Digital Bill of Rights (FDBR) requires applicable businesses to provide consumers with a clearly written, easily accessible, and annually updated privacy notice (such as a Privacy Policy) that contains clauses describing:
- The types of personal data you use and why
- Who you share it with
- How consumers can exercise their rights
The Kinds of Personal Data You Use
This clause describes the types of personal data you collect and process, including sensitive personal data.
The Collection of Personal Information clause in Alphabet's Privacy Policy lists the kinds of personal data it collects, including contact and identification info, vehicle details, warranty information, marketing information, and other information that is voluntarily provided by consumers:
Why You Collect Personal Data
This clause informs consumers about your reasons for collecting personal data. As a general rule, you should only collect personal data that is essential to the functioning of your organization.
Microsoft's Privacy Statement explains that it uses the data it collects to provide, improve, and customize its products, for product support, and for targeted advertising, analysis, and legal purposes:
How Consumers Can Exercise Their Rights
This clause describes how consumers can exercise their rights, including how they can appeal your decisions regarding their requests.
Amazon's Privacy Notice includes a link to its Data Privacy Queries page where users can exercise their rights:
When users visit Amazon's Data Privacy Queries page they are given the options to request their data via a link to Amazon's Request Your Personal Information page, submit a request to close their account and delete their data via a link to its Close Your Amazon Account page, email Amazon with questions about their requests, or visit its Contact page for any other questions:
What Personal Data You Share With Third Parties
You should let consumers know what personal data you share with third parties and for what reasons.
Broadcom's Privacy Policy explains the types of personal data it may share with third parties, including user names, user-generated content (UGC), and aggregate and de-identified data:
What Third Parties You Share Personal Data With
You should inform consumers about what third parties you share their personal information with.
Samsung's Privacy Policy includes a clause that informs consumers that it may share their personal data with its subsidiaries, affiliates, and service providers, as well as with law enforcement or government agencies when legally required:
Notify Consumers of the Sale or Sharing of Their Personal Data
To comply with the Florida Digital Bill of Rights (FDBR), you must post a notice on your website informing consumers if you sell sensitive personal data, or biometric personal data.
For example, you can include a simple but clear notice like this on your website and/or within your Privacy Policy to address the selling of sensitive personal data:
And the sale of biometric personal data can be addressed the same way:
Note that you can and should still include these types of data in your general clause that addresses the selling of personal information, but including an additional and more eye-catching notice helps you comply with Florida's Digital Bill of Rights (FDBR), and helps the information be more noticeable to your users.
If you sell personal data to third parties or use personal data for targeted advertising, you must notify consumers that you do so, and give them a means for opting out of the sale or sharing of their personal data.
Conduct Data Protection Assessments
A data protection assessment is an audit of your organization's data collection and processing activities that helps to identify and mitigate areas of enhanced risk.
The Florida Digital Bill of Rights (FDBR) requires applicable businesses to conduct and keep a record of data protection assessments for each of the following activities:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling if the profiling may result in unfair treatment of, injury to, or invasion of consumers' privacy
- Processing sensitive personal data
- Any data processing activities that could result in an increased risk of harm to consumers
Get Consent
You should always get consent from consumers before collecting or processing their sensitive personal data.
If you use devices that collect personal data through voice or facial recognition technology or through audio or video recordings, you cannot use those features for surveilling consumers when they are not actively using your product or service, unless the consumer consents to their use.
Penalties for Noncompliance with the Florida Digital Bill of Rights (FDBR)
The Department of Legal Affairs is the agency responsible for enforcing the Florida Digital Bill of Rights. If you are found guilty of violating the Florida Digital Bill of Rights (FDBR), you may be given 45 days to cure the violation.
The Department of Legal Affairs can fine you up to $50,000 per violation. Fines can be tripled if the violation involves a child, if you fail to delete or correct a consumer's personal data after receiving a consumer request or a request from a data controller, or if you continue to sell or share a consumer's personal information after they have opted out of those processing activities.
The Florida Digital Bill of Rights (FDBR) vs Other Privacy Laws
While the Florida Digital Bill of Rights shares many similarities with other state and global privacy legislation, there are a few key areas in which it stands out.
The Florida Digital Bill of Rights (FDBR) has unique requirements for search engines and applies to a more narrowly defined selection of entities than comparable privacy laws.
CCPA (CPRA)
The California Consumer Privacy Act (CCPA) is California's primary data protection law that applies to any for-profit entities that do business in the state of California and meet the following criteria:
- Have a gross revenue of $25 million or more
- Buy, sell, or share personal data belonging to 100,000 or more California residents, households, or devices
- Get 50% or more of their revenue from selling or sharing California residents' personal information
GDPR
The European Union's (EU) General Data Protection Regulation (GDPR) applies to the following entities:
- Organizations based within the EU that process personal data for any reason
- Organizations based outside of the EU that provide goods or services to residents of the EU
As you can see, the CCPA/CPRA and the GDPR apply to a much broader range of entities than Florida's Digital Bill of Rights (FDBR), which is designed to target Big Tech.
However, all three laws grant consumers the rights to access, edit, or delete their personal data and to opt out of the sale or sharing of their personal data.
Here's a chart that breaks it down in a clear way:
Special Requirements for Search Engines | Restriction of Online Censorship | Consumer Rights to Access, Edit, or Delete Personal Data | Consumer Right to Opt Out of the Sale or Sharing of Personal Data | |
Florida Digital Bill of Rights (FDBR) | ✓ | ✓ | ✓ | ✓ |
CCPA/CPRA | ✓ | ✓ | ||
GDPR | ✓ | ✓ |
Summary
Florida's Digital Bill of Rights (FDBR) goes into effect July 1st, 2024. The law gives consumers certain rights concerning their personal data, including:
- The rights to confirm, access, edit, or delete their personal data
- The right to know how search engine results are influenced
- The right to opt out of the sale of their personal data, the use of their personal data for targeted advertising, the collection of their personal data via voice or face recognition software, and the collection or processing of their sensitive personal data
- The right to be free from discrimination for exercising their rights
Florida's Digital Bill of Rights (FDBR) also requires applicable organizations to abide by its rules, including:
- Only collecting personal data that is relevant and necessary for the purposes which consumers have agreed to
- Keeping personal data secure
- Getting consent from consumers before collecting or processing their personal data
- Providing at least two methods for consumers to make requests concerning their data
- Having a clearly written and regularly updated Privacy Policy
- Notifying consumers if they sell or share their sensitive or biometric personal data
- Conducting data protection assessments for certain data processing activities
The fines for noncompliance with the Florida Digital Bill of Rights (FDBR) can range from up to $50,000 per violation to three times that amount for specific violations.
The Florida Digital Bill of Rights (FDBR) is similar to other data protection laws, including the CCPA/CPRA and the GDPR, in that they all afford consumers the rights to access, edit, or delete their personal information and opt out of the sale or sharing of their personal data.
However, the Florida Digital Bill of Rights (FDBR) targets Big Tech in a way that other privacy laws don't with its search engine specific rules and narrowed definition of what entities count as data controllers.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.