Hot on the trail of the latest state privacy laws to come into effect, Florida has jumped on board to keep the momentum going. On June 6, 2023, Florida Senate Bill 262 (“SB 262,”) was signed into law, meaning a new set of data privacy requirements will become effective soon. SB 262 has already enacted some changes related to state moderation of social media platforms, but data privacy laws relevant for businesses (including what will be known as the “Florida Digital Bill of Rights”) are set to become effective July 1, 2024. SB 262 provides residents of Florida with rights regarding their personal information similar to many other state laws — in fact, SB 262 is a good indicator of the current trends and priorities of data privacy in the United States. However, a narrow scope keeps this new law focused on “big tech” companies.
What’s in the Florida Digital Bill of Rights?
SB 262 provides Floridians with the right to confirm if, and what, specific pieces of their personal information are collected sold or disclosed by a covered company (defined as “controllers”), and to access, correct, delete, and receive a copy of their (or their under-18 child’s) personal information from a controller. Additionally, Floridians will have the right to opt out of certain collection, use, or sale of their personal information, such as opting out of use of their personal information for targeted advertising and certain profiling, as well as the sale of their personal information and the collection of certain “sensitive” and “biometric personal data.” In some cases, SB 262 requires controllers to receive a consumer’s authorization before even collecting their data.
SB 262 notably targets technology and features of products used “for surveillance.” Under the explicit rights of consumers, SB 262 prohibits a device with “a voice recognition feature, facial recognition features, voice recording feature, audio record feature, or any other electronic, visual, thermal, or olfactory feature” from using said features for surveillance purposes when not in active use, unless expressly authorized. This specific language appears to target popular virtual assistance technology, such as Amazon Alexa, Google Home, and other similar devices and services. This targeting, plus the narrow application of SB 262, has led some commentators to suggest that SB 262 is specifically targeting “big tech.” SB 262 defines a “controller” narrowly, covering for-profit or business entities that conduct business in Florida, collect and control processing of personal data, make over $1 billion in global gross annual revenue, and either (i) generate at least half of their global gross annual revenue from online advertisements, (ii) operate a consumer “smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation”, or (iii) operate an app store or a digital distribution platform with at least 250,000 different “software applications for consumers to download and install.”
Ramifications Beyond Big Tech
However, while it may seem as though the high threshold to be categorized as a “controller” eliminates any risk for most businesses, it is important to keep in mind that SB 262 also specifically protects children, which it defines as “consumers who are under 18 years of age,” from “online platforms”, like social media and online gaming platforms. The laws of SB 262 apply to online platforms regardless of a platform’s categorization as a controller. These protections, which are similar to state and federal laws protecting the privacy and data of children, prohibit using “dark patterns” that are designed to “subvert” or impair a child’s autonomy or decision-making and from collecting “precise” geolocation of children, defined as within a radius of 1,750 feet. SB 262 includes reference to any practice the Federal Trade Commission refers to as a dark pattern. Similar to the recently passed California Age Appropriate Design Code Act, SB 262 prohibits online platforms that are likely to be “predominately accessed by children” from processing a child’s personal information if the platform has “actual knowledge of or willfully disregards that the processing may result in substantial harm or privacy risk to children.”
Excluding its limited applicability, SB 262 is a good barometer for the current trends in data privacy, as well as a good reminder of the evolving understanding of what constitutes an individual’s personal data. Although SB 262’s restrictions and requirements regarding “biometric” data aren’t unique — several other states also cover an individual’s physical, biological, or behavioral characteristics under their data privacy acts — it is a timely reminder that data protections are expanding. Recently, Worldcoin, a new cryptocurrency that uses biometric data to confirm users’ identities, was announced. It is worth noting that SB 262 also includes the specific examples of “eye retinas or irises” in the definition of “biometric data.” We should be reminded that in many cases, a consumer’s data isn’t limited to their name, addresses or government-issued identification numbers, but also includes the physical features and behaviors that can identify them. And, data privacy isn’t limited only to the four corners of a web browser. Businesses, particularly those collecting, analyzing, and transferring consumer data would do well to understand and integrate this shift into their policies and processes.
As more and more states adopt data privacy acts, it is critical that business that collect, use, or disclose any consumer data, particularly businesses that offer services across multiple states, analyze how their processes and policies may violate different state laws. Taking the time now to review, adjust and adapt to trends and the direction of consumer data protection in the United States will help your business avoid last-minute or expensive changes, fees or corrective actions.