Florida has joined the growing list of states enacting comprehensive privacy laws. Governor Ron DeSantis (R) signed the Florida Digital Bill of Rights (“FDBR”) into law on June 6th.
How does it compare? The FDBR departs from most of the recently enacted comprehensive privacy laws and omits many of the compliance obligations imposed in other states. Its reach is far narrower than the laws enacted this year in states such as Indiana, Montana, and Tennessee. In particular, a billion-dollar gross revenue threshold keeps most small and medium-sized businesses operating in Florida outside the reach of the Florida Department of Legal Affairs.
To be characterized as a “controller” under the FDBR, and therefore subject to the bulk of its requirements and prohibitions, a business must generate more than $1 billion in global gross annual revenue and must also either (i) derive 50% or more of its global annual revenues from targeted advertising or the sale of ads online, (ii) operate a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud service and activated by hands-free verbal command, or (iii) operate an app store that offers at least 250,000 software applications for consumers to download. Companies fitting this mold that are not named Google, Apple, or Amazon are few and far between.
Smaller businesses with less gross revenue that act as data processors for covered controllers may still be affected by the FDBR. Processors are required to support a controller’s efforts to comply with the FDBR and to execute a contract with the controller that addresses data processing in prescribed ways. We expect a wide range of service providers will find themselves assisting larger clients subject to the FDBR with their compliance, and contract amendments will likely come their way.
The FDBR is embedded within a broader “technology transparency” statute, which also prohibits officers or salaried employees of governmental entities from using their position or government resources to communicate with social media platforms to request the removal of content or accounts. These provisions are designed to prevent governmental entities and their employees from developing working relationships with social media platforms for the purpose of content moderation.
In addition, the broader statute applies to online platforms that provide online services, games, or other features likely to be accessed by children, and significantly limits when those platforms can lawfully collect and process personal information of children under the age of 18.
The FDBR contains exemptions similar to those in other state privacy laws:
- Non-profit organizations;
- Certain government entities;
- Institutions of higher education;
- Financial institutions and affiliates, or data subject to the federal GLBA;
- Covered entities or business associates governed by certain rules under HIPAA; and
- Certain research data and information governed by laws such as HIPAA and FERPA.
Consumers who are residents of or domiciled in Florida will be able to exercise the following rights under the FDBR:
- Right to decide whether a controller may collect the consumer’s precise geolocation data or collect personal information through a voice recognition feature.
- Right to deletion of their personal data.
- Right to correction of their personal data.
- Right to opt out of the sale or sharing of personal information with third parties, and of the use of personal information for targeted advertising.
- Right to request a copy of the personal information that has been collected, sold, or shared.
- Right to request the categories of sources from which the consumer’s personal information was collected or disclosed to a processor.
- Right to disclosure of the third parties to which the consumer’s personal information was sold or shared.
Business Obligations to Consumers
Businesses subject to the FDBR will have new compliance obligations, including:
- Controllers that operate a search engine must provide consumers with a description of how the search algorithm prioritizes or deprioritizes political partisanship or ideology in its results. This obligation again suggests the FDBR is aimed at asserting some control over large technology companies. For example, Google could be required to describe, in an easily accessible location that does not require consumers to log in or register, the main parameters it uses to rank search results, including any prioritization or deprioritization of political partisanship or ideology.
- Respond to a verifiable consumer request within 45 days of receiving it.
- Provide the personal information requested in a portable and readily usable format.
- Provide required information to consumers free of charge, up to twice per year.
- Provide a clear and conspicuous link on the homepage, entitled “Do Not Sell or Share My Personal Information,” to enable a consumer to opt out of the sale or sharing of personal information.
Required Notices to Consumers
- Controllers that collect personal information must, at or before the point of collection, inform consumers of the categories of personal information to be collected and the purposes for which the information will be used.
- Controllers who engage in the sale of personal data that is sensitive data must provide a specific notice that states: “NOTICE: This website may sell your sensitive personal data.” Note that this differs from the CCPA “do not sell” language in that it is only a notice and not an opt-out from such sale.
Other Business Obligations
- Maintain reasonable security procedures and practices to protect the personal data they collect.
- Conduct and document data protection assessments of specified processing activities involving personal data. The assessments are subject to extensive content requirements, and a controller must produce an assessment upon request from the Department of Legal Affairs (the Florida Attorney General).
- Establish a process, within a specified timeframe, by which a consumer may appeal a controller’s refusal to act on a request regarding their data.
- Ensure de-identified data remains de-identified and segregated.
- Obtain consent before processing sensitive personal data from a consumer, or obtain affirmative authorization if the data is of a known child between 13 and 18 years of age.
The Do Not’s:
- Do not discriminate against a consumer for exercising any consumer rights, including denying goods or services or charging different prices or rates for goods or services.
- Do not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
Impacts on Data Processors (Vendors)
Vendors that act as data processors have direct obligations under the FDBR, including adhering to the controller’s instructions, assisting the controller with its own compliance obligations (including its data protection assessments), and flowing the same contractual obligations down to any subcontractors they engage.
The FDBR also contains specific requirements that must be included in data processing agreements between data controllers and data processors.
No Private Right of Action
The FDBR does not provide for a private right of action and is enforced exclusively by the Florida Department of Legal Affairs (the “Department”).
Fines and Penalties for Violations
Civil penalties may reach $50,000 per violation, and may be tripled for the following violations: (1) a violation involving a Florida consumer whom the controller has actual knowledge is 18 years of age or younger, (2) failure to delete or correct a consumer’s personal information after receiving a verifiable consumer request, or (3) continuing to sell or share a consumer’s personal information after the consumer has opted out.
The penalty per violation under the FDBR is remarkably high compared with other states’ comprehensive privacy laws. While the requirements imposed on businesses covered by the FDBR are less onerous than those in other states’ privacy laws, the potential fine for violating the FDBR could be much steeper.
Entities alleged to have violated the FDBR or the related technology transparency provisions may be granted a 45-day period to cure the alleged violation, at the Department’s discretion. If the alleged violation is cured within that period, the Department will not bring an action but may instead issue a letter of guidance stating that the entity will not be given another 45-day cure period for future violations. If the entity fails to cure the violation within the 45 calendar days, the Department may bring an action against the entity.
Effective Date for the FDBR
The prohibition on government officers and employees requesting content moderation by social media platforms takes effect almost immediately, on July 1, 2023. The FDBR’s privacy provisions take effect on July 1, 2024.