The Florida Digital Bill of Rights (FDBR), also known as SB 262, has emerged as a significant piece of legislation for companies doing business within Florida’s borders.
Ushering in a new era of digital privacy standards—and with the importance of securing the personal data of consumers being more pressing than ever—Florida’s endeavor into this territory is both timely and crucial.
The Growing Trend of Data Privacy Legislation in the US
Florida’s FDBR isn’t an isolated endeavor. Between March and June 2023, states including Iowa, Indiana, Tennessee, Montana, Florida, and Texas took bold strides by passing their individual data privacy laws. Florida is the tenth state to adopt such a law and the fifth of six to do so in 2023, indicating a wave of change in the national perspective on data privacy.
However, unlike the previously established state laws, Florida’s FDBR introduces unique elements that primarily focus on child protection, social media, and the evolving realms of technology. Notably, the law appears to put tech giants in its crosshairs, reflecting a broader concern over their influence and data practices.
Exploring Florida's Digital Bill of Rights
Purpose and Scope
The FDBR safeguards the digital rights of over 21 million Floridians. It mandates specific responsibilities for companies operating in Florida, particularly those handling the personal information of the state’s residents. The legislation places heightened scrutiny on large tech corporations, newer consumer technologies, and the pervasive realm of social media.
Who is a "Consumer" in Florida?
Florida’s definition aligns with most states, identifying a consumer as any resident or person within the state acting outside of a commercial or employment context.
The Opt-Out Model
Similar to other American privacy regulations, the FDBR adopts an opt-out model. Unlike opt-in models, which require upfront consent from users before collecting or processing data, the opt-out approach requires businesses to inform consumers of their data practices and allow them to decline participation.
Specifically, organizations must disclose:
Furthermore, businesses must obtain upfront consent for specific data categories (notably sensitive data or information related to minors).
A striking distinction in Florida's law lies in its broadened definition of "child." Unlike most states that set the age threshold at 13, Florida amplifies its protection to include individuals below the age of 18.
Dissecting Definitions in the FDBR
Personal Information vs. Personal Data
The law provides distinct definitions for these terms. Notably, “personal data” encompasses information linked to a child, including unique identifiers like biometric data.
Additionally, the act offers a more intricate definition of personal data than most U.S. privacy laws, as it stresses the importance of pseudonymous data—particularly when combined with other information to identify an individual.
Extension and Expansion of Florida Information Protection Act (FIPA)
Since 2014, Florida has had the FIPA covering data like Social Security numbers, financial details, and contact information. FDBR broadens this definition, reflecting the evolving technological landscape by including data like biometric and geolocation information.
Consent in Florida's Digital World
Following in the footsteps of the EU’s GDPR, Florida provides a rigorous definition of consent, emphasizing it must be “freely given, specific, informed, and unambiguous.”
Moreover, the FDBR aligns with other state laws like Montana’s Consumer Data Privacy Act, ensuring that consent is not surreptitiously acquired through deceptive designs or ‘dark patterns.’
When it Comes to Data
The FDBR provides a comprehensive classification of data types, ranging from sensitive data to data controllers and processors. Significantly, the definition of “controller” in Florida’s law is more exhaustive than most: It incorporates numerous requirements, with compliance thresholds being a prominent aspect.
Scope of the FDBR
Who Must Comply?
The law is particularly stringent for businesses operating within Florida or targeting its residents.
Unique to Florida, companies need to meet a revenue threshold of over US $1 billion, drastically higher than in other states such as California, where the threshold stands at US $25 million. This high threshold implies that Florida is primarily focusing on the tech behemoths: only a mere fraction of businesses currently operating in Florida exceeds this revenue marker, which narrows the compliance net.
Moreover, specific criteria seem to target tech giants known for online ad sales, smart speakers, and app stores—like Apple and Google.
Exemptions and Exclusions
Like other data privacy acts, Florida’s FDBR respects federal laws such as HIPAA, COPPA, and the Fair Credit Reporting Act. Various exemptions are provided, including HR data, health records, research data, and data under federal purview.
Entities such as state agencies, financial institutions, insurance companies, postsecondary education institutions, and nonprofit organizations also enjoy exemption status.
Florida’s Digital Bill of Rights marks a significant leap in the ongoing efforts to protect consumer data. While its focus on large tech entities and child protection sets it apart, it embodies the broader movement to establish robust digital privacy frameworks across the United States.
As the effective date of July 1, 2024 approaches, organizations must gear up to align with FDBR’s stipulations and ensure that the digital rights of Floridians are properly upheld.