On May 9, 2023, the Florida legislature passed the Florida Digital Bill of Rights (FDBR), which adds a new twist to the growing body of state consumer privacy laws. The bill now heads to Governor Ron DeSantis’ desk, and it is anticipated that he will sign the bill into law. While the FDBR is modeled on consumer privacy laws like those in Virginia, a number of unique aspects of the bill make it an outlier, including the scope of companies that will be regulated under the FDBR. Assuming that the bill is signed into law, it will go into effect on December 31, 2023.
Below we provide an overview of some of the key aspects of Florida’s new consumer privacy law.
To Whom Does the FDBR Apply?
Most of the FDBR applies to businesses that meet the following requirements:
(1) Is organized or operated for the profit or financial benefit of its shareholders or owners;
(2) Conducts business in Florida;
(3) Collects personal data about Florida consumers, or is the entity on behalf of which such information is collected;
(4) Determines the purposes and means of processing personal data about Florida consumers alone or jointly with others;
(5) Makes in excess of $1 billion in global gross annual revenues; and
(6) Satisfies at least one of the following:
(a) Derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
(b) Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle that is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or
(c) Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
On its face, as a result of the $1 billion revenue threshold and the requirements in section (6) above, the FDBR likely will apply to only the largest of tech companies.
However, as discussed below, one part of the FDBR applies to businesses that meet the requirements of (1), (2) and (3) above. Those companies are prohibited from selling sensitive data without the prior consent of the individual to whom the data relates.
Who Is a “Consumer”?
In the FDBR, a “consumer” is an individual who is a resident of or is domiciled in Florida and acting only in an individual or household context. This means that employees and B2B contacts are expressly excluded from the definition of “consumer.”
What Is “Personal Data”?
“Personal data” in the FDBR is “any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.”
This definition of “personal data” largely tracks the definitions in other state consumer privacy laws like those in Virginia or Connecticut.
Who Can Enforce?
The Florida Department of Legal Affairs has exclusive enforcement authority, and there is an express provision disclaiming any private right of action. Before initiating any enforcement proceeding, the Florida Attorney General has the discretion to give a 45-day cure period. However, if the violation relates to the information of a known child, there is no cure period permitted.
The Florida Attorney General can seek damages of up to $50,000 per violation, making it unquestionably the most punitive of the state consumer privacy laws to date.
Who Is Exempt?
The exemptions to the FDBR closely mimic those of other state privacy laws. For example, the FDBR exempts personal information covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act and a litany of other federal laws.
In addition, the FDBR does not apply to government entities, nonprofit organizations or higher education institutions.
The FDBR also exempts the use of personal data for certain specific purposes, such as compliance with the law, preventing fraud or injury to others and defending legal claims, just as in other state consumer privacy laws.
What Obligations Are Imposed?
Under the FDBR, controllers must:
Limit the purpose of processing personal information to that which is reasonably necessary and proportional;
Take steps to implement reasonable safeguards for the personal information within their control;
Refrain from discriminating against consumers for exercising their rights and from processing personal information in violation of federal laws that prohibit discrimination;
Be transparent in their reasonably accessible, clear and meaningful privacy notice; and
Ensure contracts control relationships with their processors (note: the law itself details the minimum necessary provisions of these contracts).
What Consumer Rights Are Created by the FDBR?
Controllers must provide a set of consumer rights that is broader than the standard state consumer privacy suite of rights, including:
Access rights, including a right to confirm whether the controller is processing any data at all;
Correction rights, accounting for the nature of the data;
Deletion rights (with respect to the data provided by or about the consumer);
Data portability rights;
Opt-out rights related to the sale of personal information, targeted marketing and profiling (automated decision-making that could have significant legal effects such as related to housing, drinking water, credit, etc.);
Opt-out of the collection of sensitive data;
Opt-out of the collection of personal data through voice recognition features; and
Sensitive Personal Information
Under the FDBR, “sensitive data” is personal data that includes information such as racial/ethnic origin, religious beliefs, mental or physical health diagnosis, information about a person’s sex life, sexual orientation, citizenship or immigration status, genetic or biometric information used to uniquely identify an individual, personal data collected from a known child (under the age of 18) and precise geolocation (location within a radius of 1,750 feet). A unique aspect of this definition is that a “known child” is an individual under the age of 18, making it an outlier under state consumer privacy laws.
Under the FDBR, a controller may not process (including collection) sensitive data without obtaining the consumer’s consent or, in the case of a child, complying with COPPA.
In addition, and as noted above, any for-profit business operating in Florida and collecting consumer data may not sell sensitive data absent consent from the data subject.
Response to Consumer Inquiries
The FDBR also contains a wrinkle with respect to responding to consumer data requests. Under the FDBR, controllers must respond to a consumer personal data request within forty-five (45) days of receipt of the request, with a fifteen (15) day extension available. If a consumer appeals a controller’s decision to deny a request, the appeal response must be delivered within sixty (60) days. Interestingly, however, there is no requirement to inform a consumer of their ability to escalate to the Florida Attorney General.
Data Protection Impact Assessments
As with other state consumer privacy laws, under the FDBR, controllers will need to document impact assessments before they engage in a number of different processing activities, including: (i) processing for targeted advertising; (ii) sale of personal data; (iii) processing of personal data for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harms; (iv) processing sensitive data; and (v) a catch-all category of any processing that presents a heightened risk of harm to consumers.
The FDBR allows for the use of impact assessments done under other state laws to count towards the requirements of the FDBR.
What Are the Unique Aspects of the FDBR?
Just when we were starting to get some uniformity, the FDBR very much breaks that mold. In addition to the differences discussed above with respect to the scope of businesses regulated under the FDBR, opt-outs from voice recognition and the scope of the definition of “known child” (i.e., under 18), the FDBR has several other unique provisions, including:
If a business maintains a self-service mechanism that allows consumers to correct their own information, that business can deny a correction request and direct the consumer to the self-service mechanism.
Search engines are required to provide a “plain language” description of the “main parameters” used to determine how results are provided to consumers.
If a business sells consumer data, there may be two different “NOTICE” provisions on their website: (i) a notice that sensitive data may be sold and (ii) a notice that biometric personal data may be sold.
There is a two-year retention period placed on consumer data, albeit subject to a number of exceptions, including, e.g., preservation for legal requirements, internal uses and continuing to provide goods and services to the consumer.
When Does the FDBR Take Effect?
The FDBR comes into effect on December 31, 2023.
Creating a successful and effective, comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal information subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws reflect one another.
If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders.