Florida passed a data privacy law that becomes effective on July 1, 2024. The Florida Digital Bill of Rights (\u201cFDBR\u201d) affects “controllers” of personal data that have more than $1 billion in global revenues, so the law applies only to a small percentage of companies in Florida.<\/p>\n\n\n\n
The FDBR \u201cdata privacy and security law\u201d is codified under sections 501.701\u2013501.722 of the Florida Statutes<\/a>. The law targets Big Tech companies<\/a> and strengthens children’s protections.<\/p>\n\n\n\n The FDBR uses terms like \u201ccontroller\u201d and \u201cprocessor\u201d that resemble the terms in the European Union\u2019s GDPR<\/a> law. However, the FDBR covers a narrow scope of large size businesses in Florida. According to the definition in section 501.702, a \u201ccontroller\u201d must adhere to the FDBR if it:<\/p>\n\n\n\n In the FDBR, a \u201cprocessor\u201d is a person who processes personal data for a controller. A processor must follow the controller’s instructions and assist with complying with the controller\u2019s duties, such as:<\/p>\n\n\n\n Under section 501.712, the FDBR provides a contract framework for controllers and processors to govern data processing procedures. The contract must include:<\/p>\n\n\n\n Contracts may not have a provision that waives the rights of consumers. A data processing agreement is void and unenforceable if it limits any consumer rights or is contrary to public policy.<\/p>\n\n\n\n Section 501.705 provides consumer rights with the processing of their personal data. A controller must comply with an \u201cauthenticated consumer request\u201d to allow consumers to exercise their rights. The seven consumer rights are:<\/p>\n\n\n\n A controller or processor may not use devices to collect data for surveillance. Consumers must expressly authorize the use of features such as voice recognition, facial recognition, a video recording, an audio recording, or any other electronic, visual, thermal, or olfactory feature. However, Florida consumers will need to opt out of the collection of their sensitive data. The FDBR provides a list of sensitive data, which includes personal data that reveals an individual\u2019s location, racial or ethnic origin, sexual orientation, religious beliefs, mental or physical health diagnosis, genetic or biometric data, citizenship or immigration status, or data collected from a known child.<\/p>\n\n\n\n Under section 501.711, the FDBR requires controllers to provide \u201ca reasonably accessible and clear\u201d privacy notice to consumers that is \u201cupdated at least annually.\u201d The notice must describe the categories and the purposes of the data processing. Also, the notice needs to explain if the controller shares any personal data with third parties.<\/p>\n\n\n\n The privacy notice<\/a> needs to explain how consumers can exercise their rights. Under section 501.706, a controller must respond to consumer requests \u201cwithout undue delay” no later than 45 days after receipt. A 15-day extension may be available under certain circumstances.<\/p>\n\n\n\n If a controller refuses to complete a consumer’s request, the FDBR requires the controller to have a process for an appeal. The Privacy Notice must provide an explanation of the appeal process. When a consumer submits an appeal, the controller has 60 days to respond. <\/p>\n\n\n\n The privacy notice must disclose the selling of consumer data. The FDBR defines the \u201csale of personal data\u201d as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” If a controller sells sensitive data or biometric data, the controller must provide a specific notice. If the controller sells personal data to third parties for targeted advertising, the controller \u201cmust clearly and conspicuously disclose that process” and explain how to opt out.<\/p>\n\n\n\n A controller may not process a consumer\u2019s sensitive data without obtaining the consumer\u2019s consent. If processing sensitive data of a known child, who is between 13 and 18 years of age, the controller must obtain affirmative authorization. A controller or processor that complies with the authenticated parental consent requirements of the Children\u2019s Online Privacy Protection Act<\/a> (COPPA) will be in compliance with the FDBR.<\/p>\n\n\n\n In the FDBR, consent from a consumer \u201cmeans a clear affirmative act signifying a consumer\u2019s freely given, specific, informed, and unambiguous agreement to process personal data.” Consent “includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act.\u201d Consent does not include:<\/p>\n\n\n\n A controller that operates a search engine must provide an up-to-date description of how it determines the search results. The description needs to have plain language and be easily accessible with no requirement to register or log in. The controller should explain the main parameters that are the most significant to determine ranking, such as \u201cthe prioritization or deprioritization of political partisanship or political ideology in search results.\u201d<\/p>\n\n\n\n A controller must conduct and document a data protection assessment for certain processing activities involving personal data for:<\/p>\n\n\n\n The FDBR includes various exemptions, such as certain kinds of entities, types of information, and data processing activities.<\/p>\n\n\n\n Specific entities are exempt under section 501.703. The exemptions include state agencies, nonprofit organizations, and postsecondary education institutions. Entities that are subject to the GLBA<\/a> and HIPAA<\/a> are also exempt.<\/p>\n\n\n\n The FDBR provides 21 information exemptions in section 501.704. These exemptions include health records, consumer reports, employment data, and emergency contact information.<\/p>\n\n\n\n Section <\/strong>501.716 provides exemptions for a controller\u2019s uses of personal data. These data processing exemptions include:<\/p>\n\n\n\n Section 501.722 provides a public records exemption for DLA investigations. When the DLA receives a violation notification, all information will be kept confidential until the DLA completes the investigation. During an investigation, the DLA may disclose information to further its official duties and responsibilities. Upon completion of an investigation, the following information will remain confidential:<\/p>\n\n\n\n A violation of the FDBR is an unfair and deceptive trade practice actionable solely by the Department of Legal Affairs (\u201cDLA\u201d). The FDBR does not establish a private cause of action for individuals.<\/p>\n\n\n\n The DLA may collect a civil penalty of up to $50,000 per violation. Civil penalties may be tripled if the violation involves:<\/p>\n\n\n\n In some cases, the DLA may allow a cure for a violation. After the DLA notifies a person in writing, the DLA may grant a 45-day period to cure the alleged violation and issue a letter of guidance.<\/p>\n\n\n\n The FDBR allows the DLA to collaborate and cooperate with other enforcement authorities, such as the Federal Government or other state governments. The DLA will issue a public report on its website by February 1 of each year that describes any actions taken to enforce the data privacy law.<\/p>\n\n\n\n Privacy advocates warn that the FDBR fails to address important privacy issues, such as the use of pseudonymous identifiers like cookies<\/a>. The advocates point out<\/a> that the exclusion makes the right to opt out of targeted advertising \u201clargely meaningless\u201d to Florida consumers. The advocates urge the legislature to expand the scope of the FDBR because it leaves the personal data of Floridians \u201cunprotected in a wide variety of contexts.\u201d In the meantime, Floridians can take steps<\/a> to protect themselves from online profiling, such as managing their web browser cookie settings and installing an ad blocker.<\/p>\n\n\n\n Image by CoolVid-Shows<\/a> from Pixabay<\/a><\/em>.<\/p>\n","protected":false},"excerpt":{"rendered":" Florida passed a data privacy law that becomes effective on July 1, 2024. The Florida Digital Bill of Rights (\u201cFDBR\u201d) affects “controllers” of personal data that have more than $1 billion in global revenues, so […]<\/p>\n","protected":false},"author":1,"featured_media":1207,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[78],"tags":[79,66,123,12],"yoast_head":"\nController Defined<\/h3>\n\n\n\n
\n
\n
Processor Duties<\/h3>\n\n\n\n
\n
Contract Framework<\/h3>\n\n\n\n
\n
Consumer Rights<\/h3>\n\n\n\n
\n
Surveillance<\/h3>\n\n\n\n
Privacy Notice<\/h3>\n\n\n\n
Consent<\/h3>\n\n\n\n
\n
Search Engines<\/h3>\n\n\n\n
Assessments<\/h3>\n\n\n\n
\n
\n
Exemptions<\/h3>\n\n\n\n
\n
Public Records<\/h3>\n\n\n\n
\n
Enforcement<\/h3>\n\n\n\n
\n
Limited Scope<\/h3>\n\n\n\n