Florida passed a data privacy law that becomes effective on July 1, 2024. The Florida Digital Bill of Rights (“FDBR”) affects “controllers” of personal data that have more than $1 billion in global revenues, so the law applies only to a small percentage of companies in Florida.
The FDBR uses terms like “controller” and “processor” that resemble the terms in the European Union’s GDPR. However, the FDBR covers only a narrow set of very large businesses operating in Florida. According to the definition in section 501.702, a “controller” must adhere to the FDBR if it:
- Makes in excess of $1 billion in global gross annual revenues
- Conducts business in Florida
- Operates to make a profit
- Collects personal data about consumers (or on behalf of an entity)
- Determines the purposes and means of processing personal data about consumers (alone or jointly with others)
- Satisfies at least one of the following:
  - Derives 50 percent (or more) of annual revenues globally from selling online advertisements
  - Operates “a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation”
  - Operates an app store that offers at least 250,000 different consumer software applications
In the FDBR, a “processor” is a person who processes personal data for a controller. A processor must follow the controller’s instructions and assist with complying with the controller’s duties, such as:
- Responding to consumer rights requests
- Complying with data breach notification requirements
- Providing information to the controller for data protection assessments
Under section 501.712, the FDBR provides a contract framework for controllers and processors to govern data processing procedures. The contract must include:
- Clear instructions for processing data
- The nature and purpose of processing
- The type of data that is subject to processing
- The duration of processing
- The rights and obligations of both parties
- A requirement that the processor ensures data confidentiality, implements data deletion, demonstrates processing compliance, cooperates with assessments, and obtains subcontractor agreements.
Contracts may not have a provision that waives the rights of consumers. A data processing agreement is void and unenforceable if it limits any consumer rights or is contrary to public policy.
Section 501.705 gives consumers rights over the processing of their personal data. A controller must comply with an “authenticated consumer request” to allow consumers to exercise their rights. The seven consumer rights are:
- Confirm processing and access personal data – “To confirm whether a controller is processing the consumer’s personal data and to access the personal data.”
- Correct personal data – “To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”
- Delete personal data – “To delete any or all personal data provided by or obtained about the consumer.”
- Obtain a copy of personal data – “To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format.”
- Opt out of processing personal data – “To opt out of the processing of the personal data for purposes of: 1. Targeted advertising; 2. The sale of personal data; or 3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer.”
- Opt out of collection of sensitive and geolocation data – “To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data.”
- Opt out of collection of voice and facial recognition – “To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.”
A controller or processor may not use devices to collect data for surveillance. Consumers must expressly authorize the use of features such as voice recognition, facial recognition, a video recording, an audio recording, or any other electronic, visual, thermal, or olfactory feature. However, Florida consumers will need to opt out of the collection of their sensitive data. The FDBR provides a list of sensitive data, which includes personal data that reveals an individual’s location, racial or ethnic origin, sexual orientation, religious beliefs, mental or physical health diagnosis, genetic or biometric data, citizenship or immigration status, or data collected from a known child.
Under section 501.711, the FDBR requires controllers to provide “a reasonably accessible and clear” privacy notice to consumers that is “updated at least annually.” The notice must describe the categories and the purposes of the data processing. Also, the notice needs to explain if the controller shares any personal data with third parties.
The privacy notice needs to explain how consumers can exercise their rights. Under section 501.706, a controller must respond to consumer requests “without undue delay” and no later than 45 days after receipt. A 15-day extension may be available under certain circumstances.
If a controller refuses to complete a consumer’s request, the FDBR requires the controller to have an appeal process. The privacy notice must explain the appeal process. When a consumer submits an appeal, the controller has 60 days to respond.
The privacy notice must disclose the selling of consumer data. The FDBR defines the “sale of personal data” as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” If a controller sells sensitive data or biometric data, the controller must provide a specific notice. If the controller sells personal data to third parties for targeted advertising, the controller “must clearly and conspicuously disclose that process” and explain how to opt out.
A controller may not process a consumer’s sensitive data without obtaining the consumer’s consent. If processing sensitive data of a known child between 13 and 18 years of age, the controller must obtain affirmative authorization. A controller or processor that complies with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) will be in compliance with the FDBR.
In the FDBR, consent from a consumer “means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data.” Consent “includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act.” Consent does not include:
- Unintentional interaction – “Hovering over, muting, pausing, or closing a given piece of content.”
- Dark patterns – “Agreement obtained by using dark patterns.” The FDBR defines a dark pattern as “a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision making, or choice.” Dark patterns trick users into giving consent to having their data used in ways that they didn’t anticipate.
A controller that operates a search engine must provide an up-to-date description of how it determines the search results. The description needs to have plain language and be easily accessible with no requirement to register or log in. The controller should explain the main parameters that are the most significant to determine ranking, such as “the prioritization or deprioritization of political partisanship or political ideology in search results.”
A controller must conduct and document a data protection assessment for certain processing activities involving personal data for:
- The purposes of targeted advertising
- The sale of personal data
- The purposes of profiling if there is a reasonably foreseeable risk of harm
A data protection assessment must identify and weigh the benefits against the potential risks to the rights of the consumer associated with the processing. The assessment must factor in:
- The use of deidentified data
- The reasonable expectations of consumers
- The context of the processing
- The relationship between the controller and the consumer
The FDBR includes various exemptions, such as certain kinds of entities, types of information, and data processing activities.
Specific entities are exempt under section 501.703. The exemptions include state agencies, nonprofit organizations, and postsecondary education institutions. Entities that are subject to the GLBA and HIPAA are also exempt.
The FDBR provides 21 information exemptions in section 501.704. These exemptions include health records, consumer reports, employment data, and emergency contact information.
Section 501.716 provides exemptions for a controller’s uses of personal data. These data processing exemptions include:
- Complying with federal or state laws, rules, or regulations
- Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities
- Defending legal claims
- Providing a product or service requested by a consumer
- Performing a contract to which the consumer is a party
- Fulfilling the terms of a written warranty
- Taking immediate steps to protect the life or physical safety of an individual
- Protecting against or responding to security incidents, identity theft, deceptive activities, or any illegal activity
- Preserving the integrity of systems to investigate, report, or prosecute those responsible for security breaches
- Engaging in public or peer-reviewed scientific or statistical research in the public interest that is approved, monitored, and governed by an institutional review board or similar independent oversight entity
Section 501.722 provides a public records exemption for investigations by the Department of Legal Affairs (“DLA”). When the DLA receives a violation notification, all information will be kept confidential until the DLA completes the investigation. During an investigation, the DLA may disclose information to further its official duties and responsibilities. Upon completion of an investigation, the following information will remain confidential:
- Personal information
- Information with another public records exemption
- A computer forensic report
- Information that would reveal weaknesses in the data security of a controller, processor, or third party
- Information that would disclose the proprietary information of a controller, processor, or third party
A violation of the FDBR is an unfair and deceptive trade practice actionable solely by the Department of Legal Affairs (“DLA”). The FDBR does not establish a private cause of action for individuals.
The DLA may collect a civil penalty of up to $50,000 per violation. Civil penalties may be tripled if the violation involves:
- Disregarding the age of a known child who is a Florida consumer (a controller that willfully disregards a child’s age is deemed to have actual knowledge).
- Failing to delete or correct a consumer’s personal data after receiving an authenticated consumer request (or directions from a controller).
- Ignoring a consumer’s opt out request (continuing to sell or share the consumer’s personal data).
In some cases, the DLA may allow a cure for a violation. After the DLA notifies a person in writing, the DLA may grant a 45-day period to cure the alleged violation and issue a letter of guidance.
The FDBR allows the DLA to collaborate and cooperate with other enforcement authorities, such as the federal government or other state governments. The DLA will issue a public report on its website by February 1 of each year that describes any actions taken to enforce the data privacy law.
Privacy advocates warn that the FDBR fails to address important privacy issues, such as the use of pseudonymous identifiers like cookies. The advocates point out that the exclusion makes the right to opt out of targeted advertising “largely meaningless” to Florida consumers. The advocates urge the legislature to expand the scope of the FDBR because it leaves the personal data of Floridians “unprotected in a wide variety of contexts.” In the meantime, Floridians can take steps to protect themselves from online profiling, such as managing their web browser cookie settings and installing an ad blocker.