The new Florida Digital Bill of Rights (FDBR) makes The Sunshine State the latest to enact a comprehensive data privacy law. This new law may affect you if you conduct business with consumers in Florida and meet specific criteria. Parrish & Goodman, Attorneys at Law, can help you understand your rights and responsibilities under this new state law.
Understanding the Florida Digital Bill of Rights
The Florida Digital Bill of Rights (FDBR) is a comprehensive data privacy law that became enforceable on July 1, 2024. However, unlike similar laws in Tennessee, Texas, California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, and Montana, Florida’s law has higher jurisdictional thresholds.
This bill has three distinct sections (only one of which we will address here):
· Section 1 contains the most detailed provisions of the bill, providing extensive data privacy responsibilities for data controllers when processing consumers’ personal data.
· Section 2 imposes stricter requirements on data controllers to better safeguard children from online harm.
· Section 3 addresses the government’s oversight of social media platforms and imposes restrictions on content moderation.
Also, unlike other U.S. privacy laws, the FDBR seems to mainly target big tech entities like social media platforms, online retail giants, and search engines. Article 501.702 (9) of the FDBR indicates that the Law will apply to data controllers that collect and process consumers’ personal data. A data controller is defined as an entity that operates in Florida, collects or processes personal data, and operates for profit.
These data controllers must meet two criteria for this law to apply:
1. The organization’s gross annual revenue is more than $1 billion and;
2. The organization fulfills one of the following:
· It derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online; or,
· It operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected.
What If My Business Is Subject to the FDBR?
Florida businesses that are subject to the FDBR can find their new obligations in Article 501.71. Here are the basics:
1. Data minimization: Data controllers must “Limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.”
2. Purpose limitation: The secondary use of personal data collected by controllers is restricted. They are prohibited from processing personal data for a secondary purpose unless they obtain the consumer’s consent.
3. Data security: Data controllers must take appropriate administrative, technical, and physical data security measures to maintain the integrity, confidentiality, and accessibility of personal data collected directly or indirectly from consumers.
4. Obtain consent before processing sensitive data: Data controllers must obtain a consumer’s consent before collecting and processing sensitive personal data. 5. Create a Privacy Notice: Article 501.711 demands that data controllers display an accessible and clear privacy notice to consumers. 6. Data subject rights: Article 501.705 gives consumers the right to confirm whether their data is processed, obtain a copy of their data, correct any inaccuracies related to their data, and delete their data. For further reference, Article 501.703 lists the types of exempt organizations, and Article 501.704 lists the types of consumer data that are excluded.
Experienced Florida Business Lawyers
Our Florida Business Lawyers at Parrish & Goodman can work with you to protect your interests before legal challenges arise. Does the Florida Digital Bill of Rights impact your business? Do you need help clarifying its provisions and how they apply to you? Schedule a free consultation today to get the guidance you need. We look forward to working with you.