Florida Digital Bill of Rights (FDBR): A quick guide and infographic
What is the Florida Digital Bill of Rights?
The Florida Digital Bill of Rights (FDBR) is comprehensive legislation aimed at providing Florida residents with greater control over their personal data. It introduces key obligations for businesses, including obtaining consent for processing sensitive data, providing clear privacy notices, and conducting data protection assessments. The FDBR was signed into law on June 6, 2023, and will take effect on July 1, 2024.
What is the FDBR effective date?
The FDBR will take effect on July 1, 2024.
Who does the FDBR apply to?
The FDBR applies to businesses defined as "controllers" that:
- Sell to customers in Florida and generate over $1 billion in global annual revenue.
- Derive 50% or more of their revenue from targeted advertising worldwide.
- Operate consumer smart speakers and voice component services with integrated virtual assistants.
- Operate app stores offering at least 250,000 software applications.
What are the FDBR exemptions?
The FDBR includes specific exemptions for certain types of data and entities, so not all data processing activities are subject to the same requirements. The FDBR exempts entities including:
- State agencies or political subdivisions of the state;
- Financial institutions subject to the GLBA;
- Covered entities or business associates under HIPAA;
- Non-profit organizations; and
- Postsecondary education institutions.
What types of data are covered under the FDBR?
The FDBR covers personal data, including:
- Sensitive personal information: racial/ethnic origin, religious beliefs, health data, sexual orientation, citizenship status, genetic/biometric data, children's data, and geolocation data.
Consumer rights under the FDBR
The FDBR grants consumers the following rights:
- Confirmation: Right to confirm whether their personal data is being processed.
- Access: Right to access their personal data processed by the business.
- Correction: Right to rectify inaccuracies.
- Deletion: Right to request data deletion.
- Portability: Right to obtain data in a portable format.
- Opt-Out: Right to opt out of targeted advertising, profiling, data sales, and the collection and processing of sensitive data.
- Opt-Out of Voice Recognition: Right to opt out of data collection via voice recognition features.
Key compliance areas of the FDBR
To comply with the FDBR, businesses must focus on several key areas:
- Data security: Implement measures to protect data from unauthorized access.
- Data minimization: Collect only necessary data.
- Transparency: Provide clear privacy notices.
- Vendor management: Execute vendor contracts and ensure that vendors assist the business in meeting its obligations under the FDBR.
Privacy notices
Businesses must disclose:
- Categories and purposes of data processing.
- Consumer rights and how to exercise them.
- Data shared with third parties.
- The categories of third parties with whom data is shared.
Additionally, if a business engages in the sale of sensitive personal data, it must include a notice stating: "NOTICE: This website may sell your sensitive personal data." For the sale of biometric data, a notice stating "NOTICE: This website may sell your biometric personal data" is required.
Data protection assessments
Organizations must conduct assessments for activities involving:
- Targeted advertising.
- Data sales.
- Profiling with significant risks.
- Processing sensitive data.
These assessments balance the benefits and risks of data processing.
Noncompliance under the FDBR
Noncompliance can result in significant consequences, including:
- Fines: Up to $50,000 per violation.
- Legal actions: The Florida Attorney General can adopt rules to implement the FDBR, initiate investigations, and take legal action against violators.
Enforcements and penalties
The FDBR is enforced by the Florida Attorney General's Office. Enforcement actions can include:
- Investigations: Based on consumer complaints or evidence of noncompliance.
- Penalties: Imposing fines and requiring corrective actions.
- Court orders: Mandating changes to business practices for compliance.
Organizations found in violation have a 45-day cure period to remedy issues. Failure to do so can result in civil penalties of up to $50,000 per violation.