On June 6, 2023, Gov. Ron DeSantis signed S.B. 262 into law, adding Florida to the list of states passing new privacy laws this year. While much of S.B. 262 will only impact companies with annual revenues of more than $1 billion, the law also contains provisions of broader applicability. This article summarizes S.B. 262’s most notable provisions, particularly the creation of a “Digital Bill of Rights.” Other than section 111.23, which prohibits governmental entities from communicating with social media platforms to request content moderation, the law takes effect on July 1, 2024.

Impact on Certain Businesses With Annual Gross Revenues of Over $1B and Businesses That Process Personal Information on Their Behalf

The Digital Bill of Rights imposes familiar rights and requirements on companies with annual gross revenues over $1 billion AND that (i) derive 50% or more of those revenues from the sale of online advertisements; (ii) operate a consumer smart speaker; or (iii) operate an app store or a digital distribution platform offering at least 250,000 different software applications (“controllers”). Those rights and requirements will, by virtue of the threshold noted above, only apply to very large companies, including privacy notices, data protection assessments, required contractual provisions between controllers and processors, rights to access, know, correct, and delete, and an expanded set of opt-out rights, including the right to opt out of (a) the collection and processing of sensitive or biometric data (e.g., data collected through voice and facial recognition technology) and (b) the use of their personal data for purposes of targeted advertising, data sales, and certain profiling. The Digital Bill of Rights also contains some familiar exemptions; for example, financial institutions, nonprofits, and covered entities or business associates subject to HIPAA are exempt from the law.

The Digital Bill of Rights also impacts businesses that process personal information on behalf of controllers (“processors”). For example, processors must execute a contract governing the processing to be performed on behalf of the controller, including a description of the parties’ legal obligations and a retention schedule for the deletion of nonexempt personal information. Other obligations imposed on processors more closely align with those set forth in other state privacy laws, including requiring the processor to adhere to the controller’s instructions and assist in responding to consumer rights requests.

The law does not create a private right of action but can be enforced by the Florida attorney general. 

Impact on Businesses Predominantly Accessed by Children

In addition to creating the Digital Bill of Rights, for providers of an online service, product, game, or feature likely to be predominantly accessed by individuals under 18 (“online platforms”), S.B. 262 generally:

• Prohibits processing personal information that “may result in substantial harm or privacy risk to children”;
• Limits profiling children unless certain conditions are met; and
• Restricts online platform’s collecting, selling, sharing, using, and retaining of children’s personal information, especially precise geolocation data.

Impact on Other Businesses

More broadly, S.B. 262 expands the Florida Data Breach Notification Statute’s definition of “personal information” to include Floridians’ biometric data or geolocation paired with an individual’s name or initials.

Takeaways and Next Steps

Based on the above, companies collecting or processing the personal information of Floridians should evaluate which of S.B. 262’s provisions apply to them, and how, and consider what adjustments may be advisable for compliance, such as changing practices related to children’s personal information, revising incident response plans to reflect the expanded definition of “personal information,” etc.