June 6, 2023, marked a significant milestone as Governor Ron DeSantis of Florida officially endorsed Senate Bill 262, ushering in Florida’s Digital Bill of Rights (FDBR). With this enactment, Florida joins the ranks of U.S. states that have established comprehensive data privacy legislation. The FDBR is slated to become enforceable starting July 1, 2024.
Distinguished by a billion-dollar gross revenue threshold, the FDBR stands as a more measured approach compared to other existing data privacy laws in U.S. states. This particular provision renders it inapplicable to a majority of the small to medium-sized enterprises that operate within the confines of Florida.
What is FDBR?
On June 6, 2023, the Florida Digital Bill of Rights (FDBR) was enacted into law, marking Florida as the tenth state to implement a consumer data privacy law. This aligns the state with others like California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, and Montana. Set to come into effect on July 1, 2024, the FDBR largely follows the consumer privacy legislation framework known as the “Virginia model.” However, there are distinct provisions within the new Florida law that set it apart.
FDBR affords consumers various essential rights, encompassing:
- The right to verify, access, modify, or erase their personal data.
- The right to comprehend how search engines formulate search results and rankings.
- The right to decline the sale of their personal data.
- The right to opt out of their personal data’s utilization for targeted advertising purposes.
- The right to decline the collection of their personal data through voice or facial recognition technology.
- The right to reject the collection or processing of sensitive personal data.
- The right to be shielded from discrimination when exercising their rights.
- The right of minors to prevent the collection, sale, or sharing of their personal data.
In the context of the Florida Digital Bill of Rights, personal data is defined as any information capable of identifying an individual. This includes particulars such as names, social security numbers, driver’s license details, and bank account numbers.
Is FDBR applicable to me & my business?
FDBR will apply to persons that:
- Conduct business in Florida or produce a product or service used by the residents of Florida; and
- Process or engage in the sale of personal data.
FDBR will apply to businesses, including sole proprietorships, partnerships, limited liability companies, corporations, associations, or legal entities. A business is a ‘controller’ and will be subject to most of the obligations under the FDBR if it:
- Is organized or operated for the profit or financial benefit of its shareholders or owners;
- Conducts business in this state;
- Collects personal data about consumers, or is the entity on behalf of which such information is collected;
- Determines the purposes and means of processing personal data about consumers alone or jointly with others;
- Makes more than $1 billion in global gross annual revenues; and
- Meets at least one of the following:
  - Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
  - Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. This excludes a motor vehicle or speaker or device associated with or connected to a vehicle that is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or
  - Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
Is My Business Exempt From FDBR?
Your organization is exempt from the FDBR if it falls into any of the following categories:
- A state agency or any political subdivision within the state of Florida.
- A financial institution that is subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.).
- A covered entity or a business associate regulated by the privacy, security, and breach notification rules outlined by the United States Department of Health and Human Services (HHS). These rules are established under both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
- A nonprofit organization.
- A postsecondary educational institution.
Additionally, the FDBR exemption extends to the processing of personal data under the following circumstances:
- When conducted by an individual as part of purely personal or household activities.
- Solely for the purpose of measuring or reporting advertising performance, reach, or frequency.
Data used by your business is exempt from the FDBR if it is information that is already subject to the following regulations:
- Medical data covered under any medical laws.
- Personal data used for research.
- Fair Credit Reporting Act (FCRA) covered data.
- Gramm-Leach-Bliley Act (GLBA) data.
- Driver’s Privacy Protection Act of 1994 data.
- Family Educational Rights and Privacy Act (FERPA) data.
How Can I Ensure My FDBR Compliance?
The FDBR imposes specific obligations on enterprises engaged in the collection, processing, or sale of personal data belonging to residents of Utah. To ensure readiness for compliance with the FDBR, refer to the following checklist:
- Assess whether your business falls under the purview of the UCPA.
- Extend notice and the option to opt out of sensitive data processing to individuals.
- Help consumers exercise their rights, including access, deletion, portability, and opt-out preferences.
- Furnish a conspicuously clear notification regarding the sale of personal data and processing for targeted advertising purposes, accompanied by opt-out instructions.
- Establish and enact appropriate security measures to safeguard personal data.
Considering The Future
The FDBR is scheduled to come into effect in July 2024. The complementary legislation associated with the FDBR, which prohibits government-directed moderation of social media platforms, will be enacted on July 1, 2023. Consequently, businesses falling under the scope of the FDBR must take immediate action to formulate strategies and implement protocols, positioning themselves in the most robust compliance stance possible. Companies subject to the FDBR are advised to contemplate the following measures:
- Conduct a comprehensive privacy gap assessment, encompassing an evaluation of websites and online services accessed by minors.
- Ascertain whether voice-activated assistants capture voice or audio data when not actively in use by consumers, and assess the potential legal implications if such data is collected.
- Evaluate the business’s requirements for retaining personal data and establish and implement a structured data retention timetable.
- Establish mechanisms for reporting.
- Develop appropriate privacy policies, privacy notices, and data protection impact assessments.
- Provide training to personnel on the necessary procedures to respond to data subject requests.
- Institute a well-defined appeals process.
How Can GetTerms Assist You
If your business falls under the Florida Digital Bill of Rights (FDBR), it is essential to start your compliance preparations well in advance of July 1, 2024, when the law comes into effect. These preparations should include an examination of your third-party contracts, the creation of an appropriate privacy notice, an assessment of your security protocols, and more.
GetTerms offers many features to help you efficiently address numerous items on your checklist, including tailoring your legal policy documentation and generating cookie consent banners. Please take advantage of GetTerms’ services today to ensure ongoing compliance with the FDBR and other pertinent privacy regulations.