Florida has joined the growing number of states enacting comprehensive consumer privacy legislation. On June 6, 2023, Governor Ron DeSantis signed the Florida Digital Bill of Rights (FDBR) into law, and it became effective on July 1, 2024. The law introduces new rights for Florida consumers and establishes obligations for certain companies that collect or process personal data.

Unlike many other state privacy laws, the FDBR is intentionally narrow in scope. It primarily applies to a limited group of very large technology and digital platform companies that meet significant revenue thresholds. For companies within its reach, the law introduces new expectations around responding to consumer privacy requests, maintaining clear and transparent disclosures, and supporting responsible data governance practices.

Key Takeaways

• Limited Scope: The FDBR primarily targets large technology companies with more than $1 billion in global annual revenue and significant digital platform operations.
• Applicability Beyond Florida: Businesses located outside Florida may still be subject to the law if they conduct business in the state or process the personal data of Florida residents.
• Expanded Consumer Rights: Florida consumers have the right to access, correct, delete, and obtain copies of their personal data, as well as opt out of targeted advertising, the sale of personal data, and certain profiling activities.
• Restrictions on Emerging Technologies: Consumers may opt out of the collection of certain data, including precise geolocation data and data collected through voice or facial recognition technologies.
• Transparency Requirements: Covered companies must maintain a clear and reasonably accessible privacy notice, updated at least annually, explaining their data practices and consumer rights.
• Heightened Protections: The law imposes additional requirements for sensitive personal data and includes additional safeguards for platforms likely to be accessed by children.

Scope and Applicability

The FDBR applies to companies that collect, process, or sell the personal data of Florida residents. A business does not need to be physically located in Florida to be subject to the law. Companies operating outside the state may still fall within the statute’s scope if they conduct business in Florida, target Florida residents, or process the personal data of Florida users.

The law applies only to entities that qualify as “controllers,” generally defined as a for-profit entity that:

• Conducts business in Florida or targets Florida residents
• Determine the purposes and means of processing personal data
• Generates more than $1 billion in global annual revenue

In addition, the entity must satisfy at least one of the following criteria:

• Derive 50 percent or more of its global gross revenue from the sale of online advertising, including targeted advertising
• Operates a consumer smart speaker or voice command service connected to a cloud computing platform and activated through hands-free voice commands
• Operates an app store or digital distribution platform offering at least 250,000 software applications for consumer download

Because of these high thresholds, the FDBR will not apply to most small and mid-sized businesses.

Consumer Rights

The FDBR grants Florida residents several rights related to their personal data. Controllers must be prepared to receive and respond to consumer requests exercising those rights.

Consumers have the right to:

• Confirm whether a company is processing their personal data
• Access personal data collected about them
• Correct inaccurate personal data
• Request deletion of personal data
• Receive a portable copy of their personal data

Consumers may also opt out of certain data uses, including:

• Targeted advertising
• The sale of personal data
• Certain forms of profiling that produce significant effects

The statute also provides Florida consumers the right to opt out of the collection of certain types of data, including:

• Precise geolocation data
• Data collected through voice recognition technologies
• Data collected through facial recognition technologies

These provisions reflect Florida’s emphasis on transparency and consumer control over modern data collection practices.

Additional Compliance Obligations

Controllers subject to the FDBR must meet several transparency and operational requirements.

Privacy Notices

Controllers are required to provide a clear and reasonably accessible privacy notice that explains:

• The categories of personal data collected
• The purposes for which the data is used
• The categories of personal data shared with third parties
• The rights available to consumers under the law

The privacy notice must be reviewed and updated at least annually.

Sensitive Data Protections

The statute imposes additional requirements for the processing of sensitive personal data, including certain health-related information.

Protections for Children

Online platforms likely to be accessed by children must comply with additional safeguards and restrictions, reflecting the law’s emphasis on protecting minors in digital environments.

Practical Steps Toward Compliance

Organizations that may fall within the scope of the FDBR should consider taking several steps to evaluate and prepare for compliance.

1. Assess Applicability: Review whether the organization meets the revenue threshold and qualifying criteria.
2. Conduct Data Mapping and Review Practices: Identify what personal data is collected from Florida residents, how the data is used, and whether it is shared or sold to third parties.
3. Implement Consumer Request Procedures: Develop processes to receive, verify, and respond to consumer requests involving access, correction, deletion, and opt-outs.
4. Update Privacy Policies and Disclosures: Ensure privacy notices accurately describe data practices and clearly explain consumer rights under the FDBR.
5. Strengthen Data Governance Controls: Implement internal policies governing the handling of sensitive personal data and the use of technologies such as geolocation tracking, voice recognition, and facial recognition.

Conclusion

The Florida Digital Bill of Rights represents a significant development in the state’s consumer privacy framework. While the statute applies to a relatively narrow group of large technology companies, those within the scope must implement processes to address consumer privacy rights, maintain transparent privacy practices, and ensure responsible data governance.

Companies that may be subject to the FDBR should take a close look at their current privacy frameworks and consider whether additional policies, procedures, or disclosures are warranted.

If you have questions regarding the FDBR or would like assistance assessing your organization’s compliance obligations, please contact any of our data privacy and security attorneys.