Florida just signed a new comprehensive consumer data protection law. The Florida Digital Bill of Rights (FDBR) will go into effect on July 1, 2024. Learn everything you need to know about FDBR and how Ethyca can help you comply with privacy in The Sunshine State.
Florida is another U.S. state that passed a comprehensive consumer data privacy bill this year. The Florida Digital Bill of Rights (FDBR), or SB 262, was signed into law on June 6th and is scheduled to go into effect on July 1, 2024. Businesses subject to FDBR have about a year to prepare for compliance.
What’s unique about FDBR is its focus on curbing the powers of Big Tech companies. The new law gives Florida consumers the ability to control how Big Tech companies handle their personal data, and strictly limits large companies’ data collecting and processing practices.
Since FDBR has such a narrow scope, not all companies will be subject to Florida’s privacy law. However, it’s still important to be aware of different states’ privacy regulations. Let’s go over what businesses need to know and do to comply in The Sunshine State.
Florida’s privacy law applies to businesses (controllers) that operate in Florida or target products or services to Floridian consumers, make in excess of $1 billion in global gross annual revenues, and;
The Florida Digital Bill of Rights has the highest revenue threshold to determine applicability among all state privacy laws to date. California’s CPRA and Utah’s UCPA come in second with a revenue threshold for businesses making $25 million in global annual revenue.
With such a high revenue threshold to determine applicability, fewer businesses may be subject to Florida’s privacy law. However, if your business fulfills all of the criteria above, you can use the steps in this article to prepare for FDBR compliance.
If your business is subject to Florida’s privacy law, you’ll need to enable Floridian consumers to exercise their data subject and consent rights. You’ll also need to know how the law is enforced and the consequences of privacy violations. This section will cover these things in more detail.
FDBR grants Florida consumers data subject rights, or the ability to control how Big Tech companies process their personal data. These rights include:
Like in Iowa, Indiana, Montana, Tennessee, and Texas, Floridians do not have a private right of action. Florida residents do have the ability to correct their data like in Indiana, Montana, Tennessee, and Texas, whereas Iowans do not.
Florida residents also have specific opt-out and opt-in consent rights that businesses must enable.
For opt-out consent, consumers are allowed to opt out of the processing of personal data for:
One of the unique provisions of Florida’s privacy law is the right for consumers to opt out of voice and facial recognition. FDBR is the only state privacy law that includes this right, keeping in line with its reputation of clamping down on Big Tech companies.
Additionally, FDBR takes a unique consent approach when it comes to processing sensitive data. Florida consumers are given the option to both opt out of and opt into the processing of sensitive data. It’s still unclear how this will work in practice, but Ethyca will keep you updated.
FDBR defines “sensitive data” as personal data revealing an individual’s:
Another point to consider is Florida’s definition of a child. FDBR defines a child as anyone under the age of 18. Most state privacy laws follow the Children’s Online Privacy Protection Act’s (COPPA) definition of a child, which is anyone under the age of 13. This change reflects the wider protections Florida’s privacy law gives children against Big Tech companies.
Companies must respond to consumers’ data subject and consent requests within 45 days and can extend for an additional 15 days. The Attorney General has exclusive authority to enforce FDBR and can issue notices of privacy violations or start civil investigations.
Once notified, businesses have a 45-day cure period to correct violations or face a civil penalty of up to $50,000 per violation. Civil penalties can even triple depending on the privacy violation, such as:
This is the highest civil penalty set by a U.S. state privacy law to date. To avoid large fines from Florida’s regulators, ensure that your business adheres to the consumer and consent rights listed above, and the organizational requirements covered below.
Now that you know what data subject and consent rights Floridians have, as well as the consequences of privacy violations, let’s go over the additional business obligations required under FDBR.
Florida’s privacy law explicitly states that businesses must limit the collection of personal data to only what’s “adequate, relevant, and reasonably necessary.” This means your business should only collect data that is necessary to fulfill a specific business purpose.
This practice is also known as data minimization. Rather than simply collecting less data, data minimization forces businesses to be more deliberate about collecting only the data they need. The less data your organization collects, the less risk of potential data misuse.
The idea of purpose limitation is similar: businesses should only process users’ personal data for a specific business purpose. Implementing data minimization and purpose limitation is a fundamental step toward running a privacy-respecting business, and practicing both data management strategies will make it easier to fulfill users’ subject rights requests.
Additionally, FDBR mandates that businesses create a strict data retention schedule. To comply with Florida’s privacy law, be sure to identify what data your business needs to collect, for what reason, and for how long, and dispose of it in a timely and secure manner.
If your business operates a search engine, you must publish a description of how the results are ranked on the website. This includes how results are prioritized or deprioritized and the political ideology used in determining the results.
Publishing these guidelines will help Florida regulators ensure that the algorithms used in search engines do not harm consumers.
Businesses subject to Florida’s privacy law must publish a clear and accessible Privacy Notice on their website. Privacy Notices should include:
Additionally under FDBR, if your business sells sensitive or biometric data, it must publish explicit notices. Examples from the bill include “NOTICE: This website may sell your sensitive personal data” or “NOTICE: This website may sell your biometric personal data.”
Work with your legal team to ensure that all of the necessary information listed above is included in your business’ Privacy Notice.
Florida’s privacy law also requires businesses to enter into data processing contracts with processors, or entities that “process personal data on behalf of a controller.” Examples of this include third-party SaaS vendors that process and store data for your business.
These contracts should legally obligate the processor to follow the controller’s instructions and to help the controller comply with the law and demonstrate compliance to regulators, for example by supporting data subject requests or data protection assessments.
Data processing contracts should also specify the purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both controllers and processors.
If your business works with processors or subcontractors that process data on your behalf, be sure to enter into a legally binding data processing contract with each of them.
As with most state privacy laws, FDBR requires businesses to perform data protection assessments (DPAs). DPAs are meant to help businesses carefully assess the risks of processing data on the consumer and the business itself.
These assessments should weigh the business benefits against the potential risks of the following activities:
The Attorney General can request a DPA to determine whether a company is compliant with FDBR or not. To ensure that your business is ready for Florida regulators, work with your legal team to conduct and document DPAs for the above processing activities.
Businesses that process de-identified and pseudonymous data must:
If your business processes de-identified and pseudonymous data, make sure the required controls and safeguards are put in place by July 1, 2024.
Although not all of FDBR’s provisions apply to small businesses, Florida’s privacy law still mandates that small businesses, as defined by the United States Small Business Administration, may not sell consumers’ sensitive data without obtaining their consent.
Making sure your business complies with all U.S. state privacy laws can feel overwhelming. Luckily, Ethyca makes it easy with the Fides privacy intelligence platform. With Fides, your business will be able to automate privacy obligations for all U.S. state privacy laws.
Read on to learn how.
Different U.S. state privacy laws have different consent requirements your business needs to fulfill. With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.
Your business will be able to set multiple opt-out links on your website footer, customize a Privacy Center for easy consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with different state privacy laws at the same time.
Using Fides, users can submit requests through a Privacy Center on your website and verify their identity via a code sent through SMS or email. With Fides’ simple and intuitive Admin UI, your business will be able to quickly process and record users’ consent preferences as proof of compliance for state regulators.
All privacy regulations require businesses to fulfill user subject requests, or data subject requests (DSRs). This process can often be manual, costly, labor-intensive, and cause lots of friction for legal, compliance, and engineering teams.
The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end with Fides. Users can submit their DSRs via the same Privacy Center they would use to submit their consent preferences.
After DSRs are submitted, you can approve or deny them with the same Admin UI. Users will then receive an email containing a link to the data they requested in a machine-readable format, or a confirmation that their data has been corrected or deleted.
Fides will also maintain a log of the requests your business has received and processed. That way, if regulators come knocking, you can prove that your business’ privacy practices are compliant.
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all of your business’ internal and third-party databases and systems. Once connected, Fides will be able to produce a data map, or a real-time visualization of your organization’s data flows.
Unlike tracking data through manual spreadsheets that are immediately out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is, where it goes, and where it’s stored.
In fact, connecting to all of your systems is how Fides can automate consent management and data subject requests in the first place. Using the Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.
Florida follows many other state privacy laws that were created in 2023. U.S. privacy is a patchwork of state-by-state laws, and more are constantly on the way. Your business needs to keep an eye out on all the privacy regulations emerging at the state level.
Thankfully, you don’t have to do it alone. Ethyca is here to help your business fulfill its privacy obligations every step of the way. If you have any questions about new or existing privacy laws, schedule a free 15-minute consultation today to get privacy intelligence and expertise.