Florida Governor Ron DeSantis recently signed Senate Bill 262 into law, adopting the "Digital Bill of Rights" proposed by his office in February. Florida joins the rapidly increasing group of states, California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, Tennessee, Montana, and Texas (together, "US State Data Privacy Laws") with comprehensive data privacy laws. The Florida Digital Bill of Rights ("FDBR") is set to take effect on July 1, 2024. Unlike other US State Data Privacy Laws, the FDBR has higher jurisdictional thresholds, which will result in fewer entities being subject to the law. Additionally, the FDBR incorporates several unique provisions that provide expanded opt-out rights, protections for children online, and prohibitions on government officials moderating content.
To whom does the FDBR apply?
The FDBR imposes obligations on "controllers" (for profit legal entities that conduct business within the state of Florida, collects personal data from consumers, and determines the purposes or means of the processing of personal data) who have an annual global revenue of more than $1 billion and meet one of the following criteria:
- Derive 50 percent of its global gross annual revenue from the sale of advertisements online;
- Operate a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
- Operate an app store or digital distribution platform with at least 250,000 different software applications for consumers to download and install.
Compared to other state privacy laws, the applicability of the FDBR is significantly limited in scope due to its high jurisdictional thresholds. The law is clearly intended to regulate "Big Tech" companies. As such, the provisions in the FDBR will not be relevant to most businesses.
Under the FDBR, any controller collecting sensitive data must obtain consumer consent before selling the consumer's sensitive data. Sensitive data includes personal data that reveals an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data, personal data collected from a known child, and precise geolocation data.
In addition, the FDBR does not apply to state government entities, nonprofits, HIPAA-covered entities and business associates, higher educational institutions (public or private), utility service providers, and Gramm-Leach-Bliley Act-regulated entities and data. The FDBR also does not apply to certain classes of data, including health records and health related data, scientific research data, consumer credit-reporting data, personal motor vehicle records, insurance data, data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act, employment-related information; personal data collected and transmitted for the sole purpose of facilitating payment processing for the purchase of products or services.
What rights does the FDBR vest in consumers?
The FDBR grants Florida residents ("consumers") certain access and control rights concerning their personal data. Consumers may submit authenticated requests to a controller to:
- confirm whether the controller is processing their personal data and provide them access to their personal data;
- correct inaccuracies in their personal data;
- delete personal data provided by or obtained about them;
- obtain a copy of the consumer's personal data;
- opt out of the processing of their personal data for targeted advertising, the sale of their personal data, or profiling; and
- opt out of the collection or processing of sensitive data, including precise geolocation data.
Uniquely, the FDBR also permits consumers to opt out of the collection of personal data that is obtained through the use of voice recognition or facial recognition features.
Unlike other US State Data Privacy Laws, the FDBR permits controllers to deny a consumer's request for the business to correct their personal data if the business offers a self-service mechanism where a consumer can correct their own personal data. A controller must respond to consumer requests within 45 days, though that period may be extended for an additional 15 days if reasonably necessary, depending on the complexity and number of requests. Notably, the FDBR also grants consumers the right to appeal a controller's refusal to take action on requests to exercise their rights, to which the controller must reply within 60 days.
What obligations does the FDBR impose on controllers and processors?
The FDBR requires controllers to:
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to disclosed purposes for which such data is processed;
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
- provide consumers with an accessible and clear privacy notice, updated at least annually. The privacy notice should include the categories of personal data processed by the controller, including any sensitive data; purposes for processing personal data; categories of personal data shared with third parties; categories of third parties with whom the controller shares personal data; the consumer's rights and the manner in which consumers may exercise their rights, including to appeal; clear disclosures regarding whether the controller sells consumers' sensitive data or biometric data; and clear disclosures to consumers on how to opt out from the sale of their personal data to third parties and the processing of their personal data for targeted advertising;
- process consumers' personal data in a non-discriminatory manner, and refrain from discriminating against consumers who exercise the rights granted by the FDBR;
- obtain consumers' consent before processing sensitive data;
- conduct a data protection impact assessment on the processing of personal data for targeted advertising, the sale of personal data, profiling, processing of sensitive data, and any processing activities that involve personal data that present a heightened risk of harm to consumers;
- establish and follow a retention schedule that prevents the use or retention of personal data, unless exempted, beyond the fulfillment of the initial purpose for which the information was collected or obtained. Additionally, the retention period should not extend beyond the expiration or termination of the contract that facilitated the collection or obtaining of the information, or exceed two years after the consumer's last interaction with the controller or processor; and
- a controller that operates a search engine must provide an easily accessible description, without requiring consumer login or registration, of the main parameters used to determine search ranking, including the relative importance of those parameters.
The FDBR also imposes requirements on "processors" (a person or entity who processes personal data on behalf of a controller). Processors must cooperate with the controller to comply with its obligations under the statute, including its obligations regarding consumer rights requests and security of data processing. The FDBR also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions set forth under the FDBR.
Protection of Children in Online Spaces
Under the statute, "online platforms" (a social media platform, online game, or online gaming platform) that are predominantly accessed by children, are prohibited from processing the personal information of children, defined as consumers under the age of 18, if the online platform has actual knowledge or willfully disregards that such processing poses a substantial risk or harm to their privacy. A substantial risk to children encompasses substantial physical injury, economic injury, offensive intrusion into the child's privacy and includes mental health disorders (e.g., self-harm, suicide, eating disorders, substance abuse disorders), addictive behaviors, online bullying and harassment, sexual exploitation, and promotion or marketing of tobacco products, gambling, alcohol, or narcotic drugs.
Additionally, to profile a child, online platforms must demonstrate, first, the presence of adequate safeguards, and second that the profiling is necessary to provide the service or product contemplated, or a compelling reason that such profiling does not pose a substantial harm or privacy risk to children.
Moreover, the collecting, selling, sharing or retaining of personal information beyond what is necessary for the requested service is prohibited, unless the platform can prove a compelling reason that such actions do not pose a substantial risk to children. Furthermore, the collection, selling, or sharing of precise geolocation data, is only permitted when it is strictly necessary for providing the requested service and retained only for the limited time to provide the service. Online platforms are also barred from using manipulative "dark patterns" (defined as a user interface intentionally crafted or manipulated to significantly undermine user autonomy, decision-making or choice) to induce children to provide excessive personal information or forgo privacy protections. Notably, personal information must not be used to estimate age or be retained longer than necessary for age estimation purposes, and any age estimate must align with the risks and data practices of the online service.
Government-directed content moderation of social media platform
The statute also introduces a unique provision aimed at curbing government influence online which became effective on July 1, 2023. Government employees and entities are prohibited from directly contacting a social media platform to request the removal of content or accounts. Government employees are also prohibited from establishing agreements or working relationships with social media platforms for the purpose of content moderation. However, such restrictions do not apply if the governmental entity or its officer or employee is engaged in routine account management, such as managing their own content or identifying accounts impersonating the government. Additionally, they are allowed to remove content or accounts related to the commission of a crime or violation of the state's public records law, as well as in cases where there is a need to prevent imminent harm to individuals or property.
Key Aspects of the FDBR
- Definition of a Controller. Unlike other US State Data Privacy Laws, the definition of a controller under the FDBR is quite limited and notably only applies to entities with global annual revenue of more than one billion dollars and meet one of the additional requirements described above.
- Processing Agreement Required between Controllers and Processors. Like certain other US State Data Privacy Laws, the FDBR requires controllers to enter into contracts with data processors governing the processor's data processing procedures. Contracts under the FDBR must set forth clear instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the parties' rights and obligations. The contracts also must include a duty of confidentiality and must require processors' subcontractors to sign contracts with the same requirements. The FDBR also requires processors to delete or return personal data upon the controller's request.
- Enforcement and Cure Period. The FDBR does not create a private right of action. Rather it grants the state Department of Legal Affairs the exclusive authority to enforce FDBR. FDBR authorizes civil penalties of up to $50,000 per violation. Of note, damages may be trebled if an online platform has actual knowledge it is violating the rights afforded to children under the statute. In addition, the FDBR includes a 45-day cure period that the Department of Legal Affairs may provide before initiating an enforcement action, except for violations involving a known child.
The FDBR is quite distinguishable in substance from other US State Data Privacy Laws. Although, many businesses will not fall within its jurisdiction, those that do should begin assessing its compliance obligations, especially in interactions with children. Additionally, businesses that collect sensitive data should not overlook their independent compliance obligations with FDBR.