Florida Digital Bill of Rights: How to Prepare Your Business for FDBR Compliance?
2023 was a huge year for consumer privacy in the United States. Eight states have enacted comprehensive data privacy legislation this year alone, including Iowa, Oregon, Montana, Tennessee, Texas, Indiana, Delaware, and Florida.
This article will walk you through the essential steps to prepare your business for the Florida Digital Bill of Rights and ensure FDBR compliance when it becomes effective.
Let’s dive right in.
Key Takeaways
- The Florida Digital Bill of Rights governs how entities that operate in Florida or sell goods and services to Florida residents can process their consumers' personal data.
- The FDBR sets specific provisions for children’s data, for controllers that operate search engines, and for government entities and employees interacting with social media platforms.
- The law was signed on June 6th, 2023 and becomes effective on July 1st, 2024.
What is the Florida Digital Bill of Rights?
With the Florida Digital Bill of Rights (FDBR), signed on 6th June 2023, Florida joins a growing list of states with a data privacy law. However, while this law is similar to many in other states, it still has a few unique points that you must consider.
These differences include restrictions for government employees and entities using social media, provisions regarding entities operating search engines, and guidelines regarding children’s data.
The Bill was signed on 6th June 2023 by Governor Ron DeSantis and will come into effect on 1st July 2024.
The FDBR serves five primary purposes:
- Describe the rights consumers have over the processing of their personal data by businesses
- Set out the rules for protecting children’s data online
- Outline the responsibilities of controllers who operate search engines
- Specify the restrictions on government employees and entities dealing with social media platforms
- Establish the fines and penalties for violating the law
Who Does the Florida Digital Bill Apply To?
The Florida Digital Bill of Rights applies to businesses that operate in Florida and businesses that offer products and services to residents of Florida.
More specifically, a business must comply with the FDBR if it makes more than $1 billion in global gross annual revenue and at least one of the following is true:
- The business derives at least 50% of its global gross annual revenue from the sale of online ads (including providing targeted advertising or selling ads online)
- The business operates a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation
- The business operates an app store or digital distribution platform that offers at least 250,000 different apps for consumers to download and install
The law does not apply to:
- Any businesses with annual global revenue under $1 billion
- Nonprofits
- Government agencies
- Financial institutions
- Insurance companies
- Postsecondary education institutions
- Data already protected by federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA), Driver’s Privacy Protection Act (DPPA), Family Educational Rights and Privacy Act (FERPA), Gramm-Leach-Bliley Act (GLBA) and other federal laws
FDBR Key Terms & Definitions
The FDBR provides definitions for several vital terms in its text. Here are some key terms and how the law defines them:
- Consent:
A clear and affirmative act of signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.
- Controller:
A sole proprietor, partnership, limited liability company, corporation, association, or legal entity that meets all of the following requirements:
- Is organized or operated for the profit or financial benefit of its shareholders or owners;
- Conducts business in this state;
- Collects personal data about consumers or is the entity on behalf of which such information is collected;
- Determines the purposes and means of processing personal data about consumers alone or jointly with others;
- Makes in excess of $1 billion in global gross annual revenues
- Satisfies at least one of the following:
- Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online
- Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation.
- Operates an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
- Consumer:
An individual who is a resident of or is domiciled in this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
- Personal data:
Any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. This includes pseudonymous data when it is used together with other data that links it to an individual, but it does not include publicly available or de-identified information.
- Processing:
Operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data
- Processor
A person who processes personal data on behalf of a controller
- Sale of personal data:
Sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party
- Sensitive data:
A category of personal data which includes any of the following:
- Personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
- Genetic or biometric data processed for the purpose of uniquely identifying an individual.
- Personal data collected from a known child.
- Precise geolocation data.
- Targeted advertising:
Displaying to a consumer an advertisement selected based on personal data obtained from that consumer’s activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer’s preferences or interests
- Third party:
A person other than the consumer, the controller, the processor, or an affiliate of the controller or processor
Consumer Rights Under FDBR
Under the Florida Digital Bill, consumers have rights similar to those of other data privacy regulations, such as the Virginia Consumer Data Protection Act (VCDPA).
This includes:
- Right to Access: Subject to a few exceptions, consumers have the right to confirm whether a controller is processing their personal data and to access that data.
- Right to Correct Inaccurate Data: The controller must comply with an authenticated consumer request to correct inaccuracies in the consumer’s personal data.
- Right to Delete: Consumers also have the right to request that the controller delete their personal data (with some exceptions).
- Right to Data Portability: Consumers can request a copy of the personal data they previously provided to the controller in a portable and readily usable format.
- Right to Opt-Out of Data Processing: At any time, consumers can opt out of the processing of their personal data for:
- Targeted advertising
- Sale of personal data
- Profiling
- Right Not to Be Discriminated Against: Finally, the FDBR prohibits controllers from unlawfully discriminating against consumers, including for exercising their privacy rights.
Florida Digital Bill Requirements
The FDBR has several essential requirements that you need to understand to comply with it:
Controller Requirements
Under the Florida Digital Bill of Rights, the controller must limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” for the specific purposes for which it is processed, and must not process the data for purposes that are neither reasonably necessary for nor compatible with those disclosed purposes.
The controller must also safeguard the confidentiality and integrity of consumers’ personal data using reasonable administrative, technical, and physical security practices.
Controllers are also obligated to conduct a Data Protection Impact Assessment (DPIA) for the following activities:
- Targeted advertising
- Sale of personal data
- Profiling, where it presents a reasonably foreseeable risk to the consumer
- Processing of sensitive data
- Any other processing that presents a heightened risk of harm to the consumer
The DPIA must:
- Identify and weigh the benefits of the processing to the consumer, the controller, the processor, other stakeholders, and the public against the potential risks to the consumer’s rights, taking into account any safeguards the controller can apply to mitigate those risks.
- Consider the context of the processing, the relationship between the consumer and the controller, and the consumer’s reasonable expectations.
Processor Requirements
The controller and processor must have a contract that includes:
- Clear data processing instructions
- Nature and purpose of processing
- Types of data being processed
- Length of processing
- Controller and processor rights and obligations
Specifically, the processor must:
- Make available to the controller, at its reasonable request, all information needed to demonstrate the processor’s compliance
- Ensure that every person processing the data is bound by a duty of confidentiality, and protect the data’s confidentiality and integrity
- Delete or return all personal data at the end of the engagement with the controller, unless the law requires it to be retained
- Allow and cooperate with reasonable assessments by the controller or an assessor the controller designates
Consent Requirements
Like most other state privacy laws, Florida’s law follows an opt-out model: controllers and processors do not need to obtain consent before collecting and processing personal data. The exceptions are children’s data and sensitive data, which require consent.
For data collected from a known child, the Florida Digital Bill requires the controller to obtain verifiable consent from the child’s parent or legal guardian, in line with the federal Children’s Online Privacy Protection Act (COPPA).
Finally, controllers must provide a privacy notice telling consumers what data they process and why, and informing them of their right to opt out of sales, targeted advertising, profiling, and the collection of sensitive data.
Children’s Data Requirements
An online platform that provides a service, product, or feature likely to be predominantly accessed by children may not:
- Process a child’s personal information when it knows, or willfully disregards, that the processing may result in substantial harm or privacy risk to the child
- Profile a child, unless the profiling is necessary to provide the service the child is actively using and the platform has reasonable safeguards in place to protect the child
- Collect, sell, share, or retain any personal information that is not necessary to provide the service the child is actively using
- Use the personal information for any purpose other than the one for which it was collected
- Collect, sell, or share a child’s precise geolocation data, except where necessary to provide the service
- Collect a child’s precise geolocation data without providing an obvious sign to the child that it is being collected
- Use dark patterns to lead or encourage a child to provide personal information beyond what is reasonably expected, to forgo privacy protections, or to take actions the child would not otherwise take
- Use personal information collected to estimate a child’s age or age range for any other purpose, or retain it longer than necessary for that purpose
Restrictions for Government Employees Using Social Media
The Florida Digital Bill of Rights prohibits government entities, agencies, and employees from using their position to communicate with social media platforms such as Facebook, X, Instagram, and others to request the removal of content or accounts, and from initiating or maintaining agreements or working relationships with those platforms for the purpose of content moderation.
These restrictions do not apply if:
- The employee is managing or administering a government entity’s own account
- The communication concerns removing content or accounts that involve the commission of a crime or a violation of Florida law
- The communication is part of an investigation or an effort to prevent imminent loss of life, bodily harm, or damage to property
Guidelines for Controllers Owning Search Engines
The Florida Digital Bill also sets specific rules for controllers that operate search engines.
Specifically, the controller must describe the main parameters it uses, individually or collectively, to determine search rankings and their relative importance, including whether it prioritizes results based on political partisanship or political ideology.
This description must be kept up to date and be available in an easily accessible location that does not require a log-in or user registration.
Controllers are not required to disclose trade secrets, including algorithms, if the disclosure would enable manipulation of search results or otherwise harm or deceive consumers.
How to Prepare for the FDBR?
The Florida Digital Bill becomes effective on July 1, 2024. Here are a few things you should do to prepare your business for FDBR compliance:
- Update your privacy policy to meet the law’s notice requirements, with the help of Captain Compliance.
- Conduct a Data Protection Impact Assessment where your processing poses a heightened risk to consumers’ privacy and safety, with Captain Compliance.
- Follow all of the law’s obligations concerning children’s data.
- Provide a clear notice before processing sensitive data, including biometric data, and honor consumers’ opt-out rights.
What Happens if You Violate the Florida Digital Bill of Rights?
The Florida Digital Bill of Rights does not include a private right of action. Consumers can report violations to the Florida Attorney General, whose Department of Legal Affairs has exclusive enforcement authority under the law.
Upon receiving a consumer complaint, the Attorney General may send the business a written notice listing the alleged violations.
The Department may then grant the business a 45-day cure period to correct the violations and avoid penalties. Granting a cure period is at the Department’s discretion, it is not available where the violation involves a known child, and the Department may shorten or withhold it depending on the number and severity of the violations.
If the business cures the violations within that period, the Attorney General will issue a letter of guidance reminding the company that it will not receive a cure period for future violations.
If the violations are not cured within the 45-day period, the business is subject to a civil penalty of up to $50,000 per violation.
This sum can be tripled in some cases:
- The violation includes a known child.
- After receiving the consumer’s request to opt out, the controller continues to sell or share the consumer’s personal data.
- After getting their request, the controller does not delete the consumer’s personal data.
Frequently Asked Questions (FAQs)
Does Florida Have a Bill of Rights?
Florida Governor Ron DeSantis signed the Florida Digital Bill of Rights (FDBR) on 6th June 2023. The law comes into effect on 1st July 2024, the same date on which the Texas and Oregon consumer data privacy laws take effect.
What Is the Social Media Ban Bill in Florida?
On 25th March 2024, Florida Governor Ron DeSantis signed a bill (HB 3) that prohibits children under 14 years of age from holding social media accounts in the state, while 14- and 15-year-olds may do so with a parent’s or guardian’s consent.
Under HB 3, social media platforms must also terminate existing accounts of users under 14. Platforms that fail to comply face civil penalties of up to $50,000 per violation, and an affected minor may sue for up to $10,000 in damages.
What Is the Cure Period for the Florida Digital Bill of Rights?
The cure period during which a business can correct violations under the Florida Digital Bill of Rights is 45 days. However, the Attorney General’s Department of Legal Affairs (DLA), which enforces the law, has discretion over whether to grant a cure period and may change it depending on the number and severity of the violations.
The 45-day cure period also does not apply to violations involving a known child, and a business that has already been given a cure period does not receive another for future violations.
What is the Florida Information Protection Act?
The Florida Information Protection Act (FIPA) is a state breach-notification and data-security law signed on 20th June 2014 and effective from 1st July the same year.
Its primary purpose is to protect the personal information (PI) of Florida residents; it applies to businesses that own, maintain, or license PI about individuals who reside in the state, and requires them to secure that data and notify affected individuals and the Department of Legal Affairs after a breach.
How Can Captain Compliance Help You?
Staying up-to-date with data privacy regulations can take time and effort. In 2023 alone, eight states (Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, and Delaware) passed a new consumer data privacy law.
If your business operates in Florida or sells products and services to Florida residents, and it meets the FDBR’s revenue and activity thresholds, you must comply with the Florida Digital Bill of Rights. At the time of writing, you have only a few months to prepare.
Get in touch with Captain Compliance, and we’ll make sure your company is ready for FDBR.