Florida Governor Ron DeSantis signed into law Senate Bill 262, known as the “Florida Digital Bill of Rights” (“FDBR”), on June 6, 2023.
The FDBR will go into effect on July 1, 2024, which means businesses subject to it will have just over a year to prepare for compliance. The law significantly expands the definition of “personal information” in Florida’s existing Information Protection Act, Chapter 501.171, to include (i) “biometric data,” which includes fingerprints, voiceprints, retina scans and other unique biological patterns used to identify specific individuals, and (ii) information regarding an individual’s geolocation.
Aside from this major change which will apply generally to most companies that collect consumer data, the remaining provisions of the FDBR, Fla. Stat. 501.701, et. seq., will only apply to a limited number of companies that do business in Florida. The FDBR takes aim squarely at Big Tech companies, such as Apple, Amazon and Google who act as “controllers” of data from consumers. The FDBR defines a “controller” as an entity that conducts business in Florida, collects personal data about consumers, makes over $1 billion in global gross annual revenues, and meets at least one of the following: (1) derives 50 percent or more of its global gross annual revenues from selling advertisements online, including providing targeted advertising or selling ads online, (2) operates a smart speaker and voice command component service, with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation (i.e., Siri and Alexa), or (3) operates an app store, or digital distribution platform, that offers at least 250,000 different software applications for consumers to download and install.
Companies that fit this “controller” bill are required to, among other things, establish secure and reliable means for consumers to exercise their privacy rights under the laws, obtain consumer consent to process “sensitive data,” and to conduct and document data protection assessments. The FDBR now defines “sensitive data” as any data that reveals an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, biometric data such as fingerprints and retina scans, personal data collected from children and precise geolocation data.
The FDBR affords Florida consumers considerably more protection than existing Florida data protection statutes. Consumers now have the ability to confirm whether controllers are processing their personal data and to access that data, correct inaccuracies in their data, ask controllers to delete all their data, and opt out of the sale of their data, or the processing of personal data, for purposes of sending targeted advertising. Consumers also have the ability to opt out of the collection of personal data through operation of a voice recognition or facial recognition feature.
Florida’s Department of Legal Affairs has jurisdiction over enforcement, and is permitted, but not required, to afford offending companies a 45-day safe harbor period to cure violations. While the FDBR does not afford consumers a private right of action for violations, the fines that the government can impose are hefty—up to $50,000 per violation, with tripled penalties for certain violations, including those that involve known children.
While the FDBR will likely only apply narrowly to “Big Tech” companies, because of the new categories of “personal information” that Florida law protects, all companies that collect consumer data in Florida should review the type of data they collect from consumers, how they collect that data, and what they do to protect that data once collected.