Florida’s law introduces novel provisions that depart from existing US state privacy laws, which businesses will need to carefully consider.
- On June 7, 2023, Florida’s governor signed the Digital Bill of Rights into law, set to go into effect on July 1, 2024.
- Unique to Florida, the law mainly targets very large enterprises, adopting a revenue threshold of at least $1 billion gross annual revenue for many of its requirements, and regulating companies engaged in specific enumerated digital lines of business.
- The law also imposes obligations on all for-profit businesses (regardless of revenue threshold) that do business in the state and “sell” the sensitive personal data of Florida consumers.
- The Florida Attorney General has exclusive enforcement authority, and penalties can reach up to $150,000 for certain violations, including failure to correct or delete a consumer’s personal data.
- Favorably, the law provides a discretionary 45-day right to cure.
With passage of Florida’s Digital Bill of Rights, along with the Texas Data Privacy & Security Act enacted on June 18, 2023, the patchwork of US general state data privacy laws continues to grow in size and complexity. To date, large businesses subject to the existing US privacy laws have been able to take some comfort in the fact that other new state privacy laws have largely been modeled on Virginia’s or Connecticut’s privacy laws (see, for example, our blog post on Indiana, Montana, and Tennessee).
Florida marks a significant departure from this trend. The law introduces new definitions and consumer rights, and the highest penalties of any existing US state privacy law, changes that will almost certainly require covered businesses to review their existing compliance programs prior to the July 2024 effective date.
The law also enacts Florida’s own version of an Age-Appropriate Design Code that addresses the handling of data belonging to consumers under the age of 18. The Age-Appropriate Design Code provisions are separate from the Digital Bill of Rights law and are not addressed in this post.
Overview of Requirements
For businesses that have already built in compliance measures for US state privacy laws coming into effect in 2023, we use Virginia’s law as a base for comparison. Similar to the existing state data privacy laws, the Florida law refers to “consumers,” defined as residents of the state, except those acting in a commercial or employment context (with the notable exception of California where all state residents are now in scope). Below, we use “consumers” and “individuals” interchangeably to refer to residents who fall within the scope of these laws.
1. Scope. The scope of the Florida law marks the first significant departure from Virginia and other US state privacy laws by limiting the principal compliance burden to “controllers” with $1 billion in minimum global revenue. Specifically, the Florida law narrowly defines “controllers” as for-profit entities that conduct business in Florida, make in excess of $1 billion in global gross annual revenue, and satisfy at least one of the following:
- derive 50% or more of their global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
- operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
- operate an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
That said, the law also imposes limited universal requirements on any for-profit business (regardless of satisfying the revenue threshold) that operates in Florida and collects personal data from Florida residents. These requirements are covered in the Universal Requirements on Florida Businesses section below.
2. Privacy Notice. The Florida law follows the same privacy notice disclosure requirements as the existing state data privacy laws; however, it also introduces two novel requirements on controllers:
- Search engine disclosures: The law requires controllers that operate a search engine to “make available, in an easily accessible location on the webpage, an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results.”
- Sale of sensitive/biometric data disclosures: The law also requires controllers that engage in the “sale” of sensitive personal data or biometric data to include the following disclosure in their privacy notice: “NOTICE: This website may sell your sensitive personal data.” Additionally, if controllers sell consumers’ biometric data, then they must also include the following disclosure: “NOTICE: This website may sell your biometric personal data.”
3. Individual Rights. Controllers must provide consumers with the same rights as under Virginia’s law, including the right to access, correct, delete, and opt out of the following activities: (i) sale of personal data, (ii) the processing of personal data for targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer. Florida also adopts the broader definition of “sale,” which includes “monetary and other valuable consideration,” like California, Colorado, Connecticut, and Montana. Additionally, the Florida law provides consumers with the right to opt out of:
- the collection or processing of their sensitive data; and
- the collection of personal data through voice or facial recognition features.
Notably, the law’s definition of “targeted advertising” significantly departs from existing US state data privacy laws by including personal data obtained from a consumer’s activities over time across either non-affiliated or affiliated websites and online applications. Under existing US state data privacy laws, the opt out has only applied to data collected from non-affiliated sources. As a result, covered businesses subject to existing US state privacy laws that engage in targeted advertising will now need to take into account the broader scope of the opt out.
Lastly, the Florida law also departs on the timing requirements to comply with a consumer right request, by narrowing the total response time to 60 days (45 days plus an additional 15 days if reasonably necessary) compared to 90 days (45 days plus an additional 45 days if reasonably necessary) in other US state privacy laws. Therefore, businesses subject to existing US state data privacy laws will also need to evaluate their compliance programs to ensure this narrowed time requirement is feasible.
4. Appeals Process. The Florida law requires that a controller establish a process for individuals to appeal a rights request decision not to take action, similar to the majority of existing and forthcoming US state data privacy laws. Businesses have 60 days to respond to the appeal request, informing the individual of the reasons for the decision. If the appeal is denied, the business must also provide the individual with a method to contact the state Attorney General to submit a complaint.
5. Consent. The Florida law closely tracks the consent requirements of existing state privacy laws, including requiring controllers to obtain consent prior to processing sensitive data. However, while the requirements are familiar, the law considers personal data belonging to a known child as “sensitive data.” Under the expanded definition of child, this means any personal data belonging to a consumer known to be under the age of 18 is considered “sensitive data.” The law also borrows from the California Consumer Privacy Act (CCPA) by requiring controllers to obtain consent prior to entering a consumer into a financial incentive program. Businesses are further required to provide a mechanism for consumers to revoke such consent at any time.
6. Contractual Requirements. The Florida law imposes specific contractual requirements for agreements between controllers and processors. These requirements mirror those in Virginia and other states.
7. Data Protection Impact Assessments. Similar to Virginia and other states, the Florida law requires businesses to conduct a data protection impact assessment (DPIA) for each of the following activities: (i) processing sensitive personal data; (ii) the sale of personal data; (iii) processing personal data for targeted advertising; (iv) profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer; and (v) processing activities involving personal data that present a heightened risk of harm to consumers. However, as noted above, while the triggers remain the same, businesses looking to leverage existing DPIAs to comply with this requirement should keep in mind that the Florida law treats personal data collected from a known child as “sensitive data.” As a result, processing personal data belonging to a known “child” under the age of 18 would trigger a DPIA.
Universal Requirements on Florida Businesses
Unique to Florida, the law also imposes the following requirements on all for-profit entities that operate in Florida and collect personal data from Florida residents, regardless of their revenue. Any entity that violates these requirements will be subject to the penalties listed in the Enforcement section below.
- Consent: Similar to the requirements imposed on controllers, no entity shall engage in the sale of a consumer’s sensitive personal data without first obtaining the consumer’s consent. If the sensitive data belongs to a known child between the ages of 13 and 18, the entity must obtain “affirmative authorization,” and if the child is under 13, the entity must comply with the Children’s Online Privacy Protection Act (COPPA).
- Privacy Notice: Entities engaged in the “sale” of sensitive personal data must include the following disclosure in their privacy notice: “NOTICE: This website may sell your sensitive personal data.”
Enforcement
The law grants the Florida Attorney General exclusive authority to enforce the law, and authorizes by far the highest civil penalties of any US state privacy law: up to $50,000 per violation, which may be trebled for violations relating to a known child, failing to delete or correct a consumer’s personal data, or continuing to sell or share the consumer’s personal data after the consumer chooses to opt out. The law also provides for a discretionary cure period of up to 45 days, but states that the cure period does not apply to violations relating to a known child.
The passage of the Florida law illustrates the constantly evolving US privacy landscape that is hurtling towards a 50-state patchwork. While many existing US state laws have followed the mold of Virginia’s law, the Florida and Texas laws adopt notable departures from Virginia and other US state privacy laws, thereby imposing increasingly complex compliance burdens on businesses. Most of the law’s requirements apply to a narrower subset of entities than the other US state privacy laws, but businesses subject to the law will need to evaluate their data privacy compliance programs in light of some of the Florida law’s diverging provisions. Additionally, as the law broadens some rights under the existing US state privacy laws, businesses will need to evaluate their user rights mechanisms to ensure compliance.