Florida Digital Bill of Rights

King & Spalding

On June 6, 2023, the Florida Digital Bill of Rights (“FDBR”) was signed into law,[1] and goes into effect on July 1, 2024[2] with some exceptions—the prohibition of government-directed content moderation of social media platforms[3] and the requirement for data controllers to conduct data protection assessments[4] went into effect on July 1, 2023.

Applicability and Exemptions

The FDBR applies to “controllers,” which are entities that meet either of two tests. The primary type of controller is defined as for-profit legal entities that conduct business in Florida, collect or direct another entity to collect consumers’ personal data, determine the purpose and means of processing consumer personal data (jointly or alone), and meet certain revenue requirements.[5] The revenue must amount to more than $1 billion USD and meet at least one of three additional requirements: (i) derive at least fifty percent of revenue from the sale of online advertisements, (ii) operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation, or (iii) operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.[6] Alternatively, the second test for a “controller” is any entity that controls or is controlled by a “controller.”[7] The test to determine control is (i) owning or having the power over at least fifty percent of voting shares in any class of shares, (ii) control “in any manner” over the election of a majority of directors (or those in similar roles), or (iii) having power to exercise a controlling influence over the management of a company.[8]

The FDBR allows for three types of exemptions: by entity type, by data subject, and by processing purpose. The exempt entities are nonprofit organizations, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”), “covered entities” under the Health Insurance Portability and Accountability Act (“HIPAA”), and government entities.[9] Relatedly, the data subject exemptions are: data covered under the GLBA, protected health information (“PHI”) under HIPAA[10] as well as other health-related data under federal or state laws,[11] employment-related data,[12] and data covered under other data protection laws, including the Fair Credit Reporting Act (“FCRA”),[13] the Family Educational Rights and Privacy Act (“FERPA”),[14] and the Driver’s Privacy Protection Act.[15] The processing exemptions are those generally included for typical legal and operational use cases, such as compliance with law or court order, law enforcement cooperation, to fulfill contractual or warranty obligations, and to perform operations reasonably based on consumer expectations of the good or service.[16]

Key Requirements and Consumer Rights

The FDBR requires all controllers to publish a privacy notice[17] and obtain consumer consent prior to processing sensitive data.[18] If the controller uses another controller or processor as part of its collection or processing of consumer data, then the primary controller must include certain contractual obligations, such as deleting or destroying the consumer personal data upon contract termination,[19] requiring confidentiality of consumer personal data,[20] and cooperating with data protection assessments.[21] The data protection assessment requirement—which went into effect in 2023—requires an assessment prior to certain processing activities that present a “heightened” risk-of-harm to consumers.[22] The FDBR lists certain processing activities as requiring an assessment: targeted advertising,[23] certain types of consumer profiling,[24] any processing of sensitive data,[25] and a catch-all for any other use cases with a “heightened” risk.[26]

Similar to other comprehensive state privacy laws, the FDBR grants Florida consumers certain rights, including the right to: (i) have personal data deleted,[27] (ii) opt out of having sensitive data collected or processed,[28] (iii) opt out of having personal data collected through facial or voice recognition,[29] (iv) opt out of sharing or selling personal data to third parties,[30] (v) confirm the processing of, and access to, their personal data,[31] (vi) request that the controller correct inaccuracies in their personal data,[32] and (vii) obtain a copy of their personal data in a portable and readily usable format.[33] The FDBR requires the controller to respond to such consumer requests within 45 days of receipt, stating either its compliance with the request or a justification for denial along with the process for appeal.[34] If the consumer appeals, the controller must provide notice to the consumer of either compliance with the request or the reason(s) for denial within 60 days of receipt of the appeal.[35]

Enforcement and Cure

The FDBR grants the Florida Office of the Attorney General (described as the “Department of Legal Affairs”) enforcement authority;[36] there is no statutory private right-of-action. Violations carry a civil penalty of up to $50,000 per violation;[37] however, the penalty may be tripled if there is a willful disregard of actual knowledge that the consumer is a minor,[38] a failure to delete or correct consumer personal data upon request,[39] or a failure to stop disclosing personal data to a third party after a consumer opts out.[40]

The FDBR allows the Office of the Attorney General to determine when it may permit a cure period (not to exceed 45 days),[41] but it is not required before enforcement action is taken.

The FDBR allows the Office of the Attorney General to develop rules and regulations,[42] which may follow in the coming months.

[1] “Governor Ron DeSantis Signs Legislation to Create a Digital Bill of Rights for Floridians,” (June 6, 2023) https://www.flgov.com/2023/06/06/governor-ron-desantis-signs-legislation-to-create-a-digital-bill-of-rights-for-floridians/

[2] Section 27; https://flsenate.gov/Session/Bill/2023/262/BillText/er/HTML

[3] Section 112.23

[4] Section 501.713

[5] Section 501.702(9)(a)

[6] Section 501.702(9)(a)(5)-(6)

[7] Section 501.702(9)(b)

[8] Section 501.702(9)(b)(1)-(3)

[9] Section 501.70

[10] Section 501.704(1)

[11] Section 501.704(2)-(11)

[12] Section 501.704(16)-(18)

[13] Section 501.704(12)

[14] Section 501.704(14)

[15] Section 501.704(13)

[16] Section 501.711

[17] Section 501.71

[18] Section 501.71(2)(d)

[19] Section 501.712(2)(f)(2)

[20] Section 501.712(2)(f)(1)

[21] Section 501.712(2)(f)(4)

[22] Section 501.713(1)(e)

[23] Section 501.713(1)(a)

[24] Section 501.713(1)(c)

[25] Section 501.713(1)(d)

[26] Section 501.713(1)(e)

[27] Section 501.705(2)(c)

[28] Section 501.705(2)(f)

[29] Section 501.705(2)(g)

[30] Section 501.705(2)(e)

[31] Section 501.705(2)(a)

[32] Section 501.705(2)(b)

[33] Section 501.705(2)(d)

[34] Section 501.706(2)-(3)

[35] Section 501.707(3)

[36] Section 501.72

[37] Section 501.72(1)

[38] Section 501.72(1)(a)

[39] Section 501.72(1)(b)

[40] Section 501.72(1)(c)

[41] Section 501.72(2)

[42] Section 501.72(5)

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
