Florida - Sectoral Privacy Overview

June 2024

1. Right To Privacy/Constitutional Protection

1.1. Constitutional Right of Privacy

The Constitution of the State of Florida (the Constitution) recognizes an individual's right of privacy under Article I, §23, which provides that every natural person has the right to be let alone and free from governmental intrusion into the person's private life except as otherwise provided in the Constitution. This Section must not be construed to limit the public's right of access to public records and meetings as provided by law.

It is important to note, however, that this right of privacy specifically protects against 'governmental intrusion,' not any or all intrusions. Floridians must look to other areas of the law, some of which are highlighted below, for privacy protections against other actors and forms of intrusion.

1.2. Statutory Right to Privacy

1.3. Common Law Right to Privacy

Florida courts generally recognize three theories or categories of privacy torts, originally set forth by Prosser in the Law of Torts (Fourth Edition, 1971), including:

  • intrusion, namely invading physical solitude or seclusion;
  • public disclosure of private facts; and
  • appropriation, namely commercial exploitation of the property value of one's name (see Loft v. Fuller, 408 So. 2d 619, 622 (District Court of Appeal of Florida, Fourth District 1981)).

Note that courts previously recognized a fourth category, false light in the public eye, but this was done away with in 2008 (see Jews for Jesus, Inc. v. Rapp, 997 So. 2d 1098, 1114 (Fla. 2008)).

Intrusion

'Intrusion' is defined by Florida law as 'physically or electronically intruding into one's private quarters' (Oppenheim v. I.C. Sys., Inc., 695 F.Supp.2d 1303, 1308 (M.D. Fla. 2010) (quoting Allstate Ins. Co. v. Ginsberg, 863 So.2d 156, 162 (Fla. 2003))). The tort focuses on 'the right of a private person to be free from public gaze' and requires that 'the intrusion […] be highly offensive to a reasonable person' (Oppenheim at 1309 (quoting Ginsberg, 863 So.2d at 162 (Fla. 2003))).

Public disclosure of private facts

The tort of public disclosure of private facts has four elements:

  1. the publication;
  2. of private facts;
  3. that are offensive; and
  4. are not of public concern (Cape Publ'n, Inc. v. Hitchner, 549 So. 2d 1374, 1377 (Fla. 1989)).

However, this 'right of privacy does not forbid the publication of information that is of public benefit, and the right does not exist as to persons and events in which the public has a rightful interest' (Cape Publ'n, Inc. at 1378 (quoting Harms v. Miami Daily News, Inc., 127 So.2d 715, 717 (Fla. 3d DCA 1971))). As such, the 'newsworthiness' defense can be a substantial obstacle for potential plaintiffs.

Misappropriation

The tort of misappropriation (i.e. 'the unauthorized use of a person's name or likeness to obtain some benefit') is very similar to the statutory right to publicity under Fla. Stat. §540.08, discussed below in section 2.1. (Oppenheim v. IC System, Inc., 695 F.Supp.2d at 1309 (M.D. Fla. 2010)). Furthermore, a 'plaintiff may assert common law and statutory claims for misappropriation in the same action' (Coton v. Televised Visual X-Ography, Inc., 740 F.Supp.2d 1299, 1313 (M.D. Fla. 2010)).

2. Key Privacy Laws

2.1. Senate Bill 262

On June 6, 2023, Florida became the tenth state in the US to enact a comprehensive privacy law, namely the Florida Digital Bill of Rights (FDBR). The FDBR has three distinct parts. It creates Chapter 501, Part V of the Florida Statutes, providing a unified scheme that allows Florida's consumers to control the digital flow of their personal data and gives consumers certain rights over their data privacy. It also creates §112.23 of the Florida Statutes, which prohibits employees of a governmental entity from using their position or any state resources to communicate with social media platforms to request the removal of content or accounts. Additionally, it creates §501.1735 of the Florida Statutes to establish protection for children in online spaces.

The FDBR provides Florida residents with certain rights with respect to their personal data and imposes significant obligations on the large companies to which the law applies. The FDBR redesignates current portions of Chapter 501, Florida Statutes and creates a new Part V of Chapter 501, consisting of F.S. §§501.701-501.721, entitled 'Data Privacy and Security.'

The provisions of the FDBR will take effect on July 1, 2024. Notably, the FDBR supersedes all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or other local agency regarding consumer personal data.

Scope

The FDBR applies to 'controllers', which are defined as businesses that collect Florida consumers' personal data, make in excess of $1 billion in global gross annual revenue, and meet one of the following three thresholds (§501.703(1) of the FDBR):

  • derives 50% or more of its global gross annual revenues from the online sale of advertisements, including from providing targeted advertising or the sale of ads online;
  • operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
  • operates an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

However, the FDBR does not apply to state agencies, political subdivisions of the state, financial institutions subject to the Gramm-Leach-Bliley Act of 1999, covered entities or business associates governed by the Privacy and Security Rules established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), or Florida postsecondary education institutions. Additionally, the FDBR does not apply to the processing of personal data by a person in the course of a purely personal or household activity solely for measuring or reporting advertising performance, reach, or frequency. Finally, the FDBR does not apply to employee data or business data (§501.703(2) of the FDBR).

Enforcement

Similar to other state comprehensive privacy laws, there is no general private right of action. Instead, the FDBR will be enforced by the Florida Department of Legal Affairs (the Department). In addition to other remedies, the Department can assess a civil penalty of up to $50,000 per violation, which can be trebled for certain violations, such as violations related to the personal data of a known child or failing to delete information on a proper consumer request. The FDBR permits, but does not require, the Department to allow a business a 45-day cure period.

Data subject rights

The FDBR provides consumers the right to (§501.711 of the FDBR):

  • confirm and access their personal data;
  • delete, correct, or obtain a copy of that personal data;
  • opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer;
  • opt out of the collection or processing of sensitive data, including precise geolocation data; and
  • opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.

Key Definitions

Child: Means an individual younger than 18 years of age (§501.702(6) of the FDBR).

Consent: Means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. It does not include acceptance of general or broad terms of use or similar documents; hovering over, muting, pausing, or closing of a given piece of content; or an agreement obtained through dark patterns (§501.702(7) of the FDBR).

Consumer: Means an individual who is a resident of Florida or is domiciled in Florida acting in an individual or household context. It does not include individuals acting in a commercial or employment context (§501.702(8) of the FDBR).

Dark Pattern: Means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision making, or choice. The term includes any practice that the Federal Trade Commission (FTC) refers to as a dark pattern (§501.702(11) of the FDBR).

Decision that produces a legal or similarly significant effect concerning a consumer: Means a decision made by a controller that results in the provision or denial by the controller of any of the following (§501.702(12) of the FDBR):

  • financial and lending services;
  • housing, insurance, or health care services;
  • education enrollment;
  • employment opportunities;
  • criminal justice; or
  • access to basic necessities, such as food and water.

Personal data: Means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information (§501.702(19) of the FDBR).

Profiling: Means any form of solely automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements (§501.702(25) of the FDBR).

Sale of personal data: Means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include (§501.702(29) of the FDBR):

  • the disclosure of personal data to a processor who processes the personal data on the controller’s behalf;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • the disclosure of information that the consumer:
    • intentionally made available to the general public through a mass media channel; and
    • did not restrict to a specific audience; or
  • the disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.

Sensitive data: Means a category of personal data that includes any of the following (§501.702(31) of the FDBR):

  • personal data revealing an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • genetic or biometric data processed for the purpose of uniquely identifying an individual;
  • personal data collected from a known child; and
  • precise geolocation data.

Targeted advertising: Means displaying to a consumer an advertisement selected based on personal data obtained from that consumer's activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer’s preferences or interests. The term does not include an advertisement that is (§501.702(33) of the FDBR):

  • based on the context of a consumer's current search query on the controller's own website or online application; or
  • directed to a consumer search query on the controller's own website or online application in response to the consumer's request for information or feedback.

Controller obligations

A controller under the FDBR must:

  • establish two or more methods to enable consumers to submit requests to exercise their rights under the FDBR. The methods must be secure, reliable, and clearly and conspicuously accessible;
  • authenticate and respond to consumer requests and must provide an appeal process for any requests that are unfulfilled;
  • limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed and as disclosed to the consumer;
  • establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue;
  • provide consumers with a reasonably accessible and clear privacy notice, updated at least annually;
  • enter into contracts with its processors with the requirements described below;
  • take certain measures with respect to deidentified data, pseudonymous data, and aggregate consumer information;
  • conduct and document data protection assessments; and
  • where operating a search engine, make available, in an easily accessible location on the webpage that does not require a consumer to log in or register to read, an up-to-date plain language description of the main parameters that are used to determine rankings of results, including the prioritization or deprioritization of political partisanship or ideologies.

Controller prohibitions

Controllers under the FDBR must not:

  • process personal data for a purpose that is neither reasonably necessary nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, unless the consumer provides consent;
  • process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers;
  • discriminate against a consumer for exercising their rights under the FDBR; or
  • sell sensitive personal data of a consumer without obtaining the consumer's consent.

Responding to Consumer Requests

A controller shall provide information or take action in response to a consumer request free of charge at least twice per year per consumer. If a request is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may deny the request. The controller bears the burden of demonstrating that a request is manifestly unfounded, excessive, or repetitive (§501.706(5) of the FDBR).

A controller shall comply with consumer requests without undue delay, and no later than 45 days after receiving the request. A controller may extend the response period by an additional 15 days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial 45-day period and provides the reason for the extension (§501.706(2) of the FDBR).

If a controller cannot take action regarding the consumer's request, the controller must inform the consumer within 45 days of receiving the request. The controller must also provide the consumer with the justification for the inability to take action and must provide instructions on how the consumer can appeal the decision (§501.706(3) of the FDBR).

A controller is not required to comply with a consumer request if the controller cannot authenticate the request. However, the controller must make a reasonable effort to request that the consumer provide additional information reasonably necessary to authenticate the request (§501.706(3) of the FDBR). If a controller maintains a self-service mechanism that allows a consumer to correct certain personal data, the controller may deny the consumer's request and require the consumer to correct his or her own personal data through that mechanism (§501.706(3) of the FDBR).

If a controller receives a deletion request from a consumer about whom the controller has obtained personal data from a source other than the consumer, the controller will be in compliance with the request if it (§501.706(6) of the FDBR):

  • deletes the personal data, retaining a record of the deletion request and the minimum data necessary to ensure that the consumer's personal data remains deleted from the business's records, and does not use the retained data for any other purpose under this part; or
  • opts the consumer out of the processing of that personal data.

A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer receives the controller's decision. The appeal process must be conspicuously available and similar to the process for initiating a request to exercise the consumer's rights. A controller must inform the consumer in writing of any action taken or not taken in response to an appeal within 60 days of receiving the appeal, including a written explanation for the decision (§501.707 of the FDBR).

Any contractual provision that waives or limits in any way a consumer right provided in the FDBR is contrary to public policy and is void and unenforceable (§501.708 of the FDBR).

Privacy notices

A controller must provide consumers with a reasonably accessible and clear privacy notice, updated at least annually, that includes (§501.711(1) of the FDBR):

  • the categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;
  • the purpose of processing personal data;
  • how consumers may exercise their rights, including the process by which a consumer may appeal a decision;
  • the categories of personal data that the controller shares with third parties (if applicable);
  • the categories of third parties with whom the controller shares personal data (if applicable); and
  • a description of the methods by which consumers can submit requests to exercise their consumer rights.

A controller that engages in the sale of sensitive personal data must provide a notice that states: 'NOTICE: This website may sell your sensitive personal data.' Similarly, a controller that engages in the sale of biometric data must provide a notice stating: 'NOTICE: This website may sell your biometric personal data.' Both notices must be provided in the same manner as the privacy notice described above (§§501.711(2) and (3) of the FDBR).

With regard to the sale of personal data to third parties by the controller or the processing of personal data for targeted advertising, the controller must clearly and conspicuously disclose that processing and the manner in which a consumer may exercise the right to opt out (§501.711(4) of the FDBR).

Data Processors

Data processors must adhere to the instructions of the controller and shall assist the controller in complying with the requirements of the FDBR (§501.712(1) of the FDBR). The controller and processor must also enter into a contract that governs the processor's data processing procedures and must include (§501.712(1) of the FDBR):

  • clear instructions for processing data;
  • the nature and purpose of processing;
  • the type of data subject to processing;
  • the duration of processing;
  • the rights and obligations of both parties;
  • a requirement that the processor ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • a requirement that the processor delete or return all personal data to the controller as requested after the provision of the service is completed unless retention of the personal data is required by law;
  • a requirement that the processor make available to the controller, upon reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with this part;
  • a requirement that the processor allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and
  • a requirement that the processor engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

If the processor engages an independent assessor to conduct an assessment of the processor's policies and technical and organizational measures under the FDBR, the processor shall provide the assessor's report to the controller upon request.

Data Protection Assessments

The FDBR follows the trend of requiring controllers to conduct and document data protection assessments ('DPAs'). DPAs are required for (§501.713(1) of the FDBR):

  • the processing of personal data for targeted advertising;
  • the sale of personal data;
  • the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • financial, physical, or reputational injury to consumers;
    • physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
    • other substantial injuries to consumers;
  • the processing of sensitive data; and
  • any processing activities involving personal data which present a heightened risk of harm to consumers.

DPAs must cover processing activities generated on or after July 1, 2023 (§501.713(6) of the FDBR).

The DPA must (§501.713(2) of the FDBR):

  • identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce such risks; and
  • factor into the assessment:
    • the use of deidentified data;
    • the reasonable expectations of consumers;
    • the context of the processing; and
    • the relationship between the controller and the consumer whose personal data will be processed.

If a controller must disclose its DPA to the Florida Attorney General (AG) under the FDBR, such disclosure will not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment (§501.713(3) of the FDBR). A single data protection assessment may address a comparable set of processing operations which include similar activities (§501.713(4) of the FDBR). A data protection assessment conducted by a controller for the purpose of compliance with any other law or regulation may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect (§501.713(5) of the FDBR).

Government-Directed Content Moderation of Social Media Platforms (F.S. §112.23)

The FDBR also created Florida Statutes §112.23. This provision applies to each governmental entity, which is defined broadly as 'any officer or employee of a state, county, district, authority, municipality, department, agency, division, board, bureau, commission, or other separate unit of government created or established by law, and includes any other public or private entity acting on behalf of such governmental entity.' §112.23 enters into effect on July 1, 2023. Notably, §112.23 prohibits governmental entities from:

  • communicating with social media platforms to request the removal of content or accounts; and
  • initiating or maintaining any agreements or working relationships with social media platforms for the purpose of content moderation.

Violations of the FDBR constitute the commission of a crime or violation of Florida's public records law.

The prohibitions do not apply in the following instances:

  • routine account management;
  • attempts to remove content or accounts that pertain to the commission of a crime or violation of Florida's public records law; or
  • investigations or inquiries related to an effort to prevent imminent bodily harm, loss of life, or property damage.

Protection of Children in Online Spaces (F.S. 501.1735)

The FDBR amends Part II of Chapter 501 (Deceptive and Unfair Trade Practices) to provide protection for children who use online platforms and games. Such provisions enter into effect on July 1, 2024.

Prohibitions

The FDBR prohibits online platforms that provide an online service, product, game, or feature, that is likely to be predominantly used by children from (§501.1735(2) of the FDBR):

  • processing the child's data if the platform has actual knowledge of, or willfully disregards, that the processing may result in substantial harm or privacy risk to children;
  • profiling a child unless both of the following criteria are met:
    • the online platform can demonstrate it has appropriate safeguards in place to protect children; and
    • the profiling is necessary to provide the service, product, or feature, or the online platform can demonstrate a compelling reason that profiling does not pose a substantial harm or privacy risk to children;
  • collecting, selling, sharing, or retaining any personal information that is not necessary to provide the online service, product, or feature with which a child is actively and knowingly engaged, unless the online platform can demonstrate a compelling reason that collecting, selling, sharing, or retaining the personal information does not pose a substantial harm or privacy risk to children;
  • using personal information of a child for any reason other than the reason for which the personal information was collected, unless the online platform can demonstrate a compelling reason that the use of the personal information does not pose a substantial harm or privacy risk to children;
  • collecting, selling, or sharing any precise geolocation data of children unless such collection is strictly necessary for the online platform to provide the service, product, or feature, and only for the limited time that the collection of such data is necessary;
  • using dark patterns to:
    • lead or encourage children to provide personal information beyond the personal information that would otherwise be reasonably expected to be provided for that online service, product, game, or feature;
    • forego privacy protections; or
    • take any action that the online platform has actual knowledge of, or willfully disregards, may result in substantial harm or privacy risk to children; and
  • using any personal information collected to estimate age or age range for any other purpose, or retaining that personal information longer than necessary to estimate age. The age estimate must be proportionate to the risks and data practice of an online service, product, or feature.

If an online platform processes the personal information of children as part of providing its online services, products, games, or features to children, the online platform bears the burden of demonstrating that its processes do not violate the prohibitions enumerated above (§501.1735(3) of the FDBR).

The FDBR does not include a private cause of action. Any violation of §501.1735 is an unfair and deceptive trade practice actionable under Part II of Chapter 501 solely by the Department of Legal Affairs against the online platform. Remedies include standard remedies under Part II of Chapter 501 (which include attorneys' fees), along with a civil penalty of up to $50,000 per violation. Civil penalties may be tripled for any violation involving a Florida child whom the online platform has actual knowledge is under 18 years of age. Actions may be brought only on behalf of a Florida child (§501.1735(4) of the FDBR).

The FDBR specifically includes a broadly encompassing jurisdictional provision. An online platform is subject to the jurisdiction of Florida courts if it operates an online service, product, game, or feature likely to be predominantly accessed by children and accessible by Florida children located in Florida (§501.1735(5) of the FDBR).

Right to Cure

There is no automatic right to cure, but the Department, in its sole discretion, may grant a 45-day cure period after notifying an online platform in writing of an alleged violation. If a cure period is granted and the online platform cures the alleged violation to the satisfaction of the Department, the Department may not bring an action for the alleged violation but may issue a letter of guidance indicating that the online platform will not be offered a 45-day cure period for future violations. If the online platform does not cure the violation within the 45-day cure period, the Department may bring an action against the online platform (§501.72(2) of the FDBR).

House Bill 3

On March 25, 2024, Florida passed House Bill 3, which establishes three new statutory sections. The new sections include §501.1736, which addresses social media use for minors, and §§501.1737 and 501.1738, which together address age verification for online access to materials harmful to minors. These sections, which take effect January 1, 2025, contain some privacy and information management requirements.

Social Media Use for Minors

§501.1736 addresses social media use for minors. A social media platform is one that meets all of the following criteria (Fla. Stat. §501.1736(1)(e)):

  • the platform allows users to upload content or view other users' content or activity;
  • 10% or more of daily active users under age 16 have spent 2 hours per day or more on the platform during the past 12 months;
  • the platform uses algorithms that analyze user data to choose content for users; and
  • the platform has one or more addictive features listed in the section (e.g., infinite scrolling, metrics that show numbers of reactions or reposts, push notifications).

The section requires social media platforms to prohibit minors under 14 years of age, as well as those who are 14 or 15 years of age and whose parent or guardian has not provided consent, from entering into a contract with the platform to be an account holder. Social media platforms must terminate accounts held by individuals younger than 14 years of age, as well as accounts held by individuals who are 14 or 15 years of age and whose parent or guardian has not provided consent, among other provisions. When terminating accounts, the social media platform must also '[p]ermanently delete all personal information held by the social media platform relating to the terminated account, unless there are legal requirements to maintain such information' (Fla. Stat. §501.1736(2), (3)).

Knowing or reckless violations by social media platforms are considered unfair and deceptive trade practices actionable by the Department of Legal Affairs. Remedies may include standard remedies available under Part II of Chapter 501, as well as civil penalties of up to $50,000 per violation, reasonable attorney fees, and court costs. Punitive damages may be assessed when there is a 'consistent pattern of knowing or reckless conduct' (Fla. Stat. §501.1736(5)).

Social media platforms are also liable to the minor account holder for knowing or reckless violations, including up to $10,000 in damages, plus court costs and reasonable attorney fees (Fla. Stat. §501.1736(6)). Other remedies may be available as well (Fla. Stat. §501.1736(9)).

Age Verification

§501.1737 requires commercial entities that knowingly and intentionally publish or distribute material harmful to minors on a website or application to use age verification to confirm that the person attempting to access the material is 18 years of age or older and to prevent access by younger individuals. The entity must offer both anonymous age verification and standard age verification, and the person attempting to access the material may choose which method to use. The requirements do not apply to certain news or public interest broadcasts, reports, or events. They also do not apply to internet service providers, search engines, or cloud service providers that merely provide access or connection, if the content is outside their control and they were not responsible for creating it (Fla. Stat. §501.1737(2), (4)).

§501.1738 defines and sets requirements for anonymous age verification. Anonymous age verification is 'a commercially reasonable method' that a government agency or business uses to verify age. It must be conducted by a nongovernmental, independent third party organized under U.S. law that has its principal place of business in a U.S. state and is not owned or controlled by a foreign government, a foreign company, or any other entity formed in a foreign country (Fla. Stat. §501.1738(1)).

The third party conducting anonymous age verification (Fla. Stat. §501.1738(2)): 

  • may not retain personal identifying information used to verify age once the account holder's age has been verified; 
  • may not use personal identifying information used to verify age for any other purpose; 
  • must keep anonymous the personal identifying information used to verify age and may not share or otherwise communicate the information; and 
  • must protect personal identifying information used to verify age from 'unauthorized or illegal access, destruction, use, modification, or disclosure through reasonable security procedures and practices appropriate to the nature of the personal information.' 

Violations of either section by commercial entities are considered unfair and deceptive trade practices actionable by the Department of Legal Affairs. Remedies may include standard remedies available under Part II of Chapter 501, as well as civil penalties ranging up to $50,000 per violation, reasonable attorney fees, and court costs. Punitive damages may be assessed when there is a 'consistent pattern of conduct.' Third parties that perform age verification in violation of §501.1738 are likewise considered to have committed unfair and deceptive trade practices actionable by the Department of Legal Affairs and subject to the same potential remedies, except punitive damages (Fla. Stat. §501.1737(5)(a), (b)). 

In addition, commercial entities that fail to prohibit access or fail to prohibit a minor from future access to harmful material after a report of unauthorized or unlawful access are liable to the minor for such access. Remedies may include up to $10,000 in damages, plus court costs and reasonable attorney fees. (Fla. Stat. §501.1737(5)(c)). Other remedies may be available as well (Fla. Stat. §501.1737(7)). 

2.2. Statutory Right to Privacy/Publicity

Florida has codified its statutory right of publicity, which has been treated as a property right, at Fla. Stat. §540.08. Specifically, under Fla. Stat. §540.08, no person shall publish, print, display, or otherwise publicly use for purposes of trade or for any commercial or advertising purpose the name, portrait, photograph, or other likeness of any natural person without the express written or oral consent to such use given by:

  • such person;
  • any other person, firm or corporation authorized in writing by such person to license the commercial use of her or his name or likeness; or
  • if such person is deceased, any person, firm or corporation authorized in writing to license the commercial use of her or his name or likeness, or if no person, firm or corporation is so authorized, then by any one from among a class composed of her or his surviving spouse and surviving children.

Note that consent is not required for a deceased person if at least 40 years have passed from the date of the person's death (Fla. Stat. §540.08(5)). Likewise, exceptions apply for news media, including newspapers, magazines, broadcasts and news reports, and publications connected with resale or distribution where consent was given with initial sale or distribution (Fla. Stat. §540.08(4)).

A person whose likeness is used without consent may bring an action to enjoin such unauthorized publication, printing, display or other public use, and recover damages for any loss or injury sustained by reason thereof, including an amount that would have been a reasonable royalty, and punitive or exemplary damages (Fla. Stat. §540.08(2)). These remedies are intended to be 'in addition to and not in limitation of' those provided under the common law protections against invasions of privacy (Fla. Stat. §540.08(7)).

2.3. Confidentiality of Public Records

Generally, under Florida law, all state, county, and municipal records are open for personal inspection and copying by any person, and providing access to public records is a duty of each agency (§119.01(1) of Chapter 119 of Title X of the Fla. Stat.). Public records include 'all documents, papers, letters, maps, books, tapes, photographs, films, sound recordings, data processing software, or other material, regardless of the physical form, characteristics, or means of transmission, made or received pursuant to law or ordinance or in connection with the transaction of official business by any agency' (Fla. Stat. §119.011(12)). However, Chapter 119 of Title X of the Fla. Stat. provides several exemptions to disclosure under Fla. Stat. §119.01(1). For example, Fla. Stat. §119.071(5) exempts certain personal information from disclosure, including social security numbers, bank account numbers and debit, charge, and credit card numbers, medical history records and information related to health or property insurance, and biometric identification information. Other exemptions under Fla. Stat. §119.071 include certain agency actions (administration, investigations), information (security and fire safety), and agency and military personnel information. Additional exemptions can be found in various Florida statutes, including, for example, §395.0162 of Chapter 395 of Title XXIX of the Fla. Stat. (hospital inspection reports), §456.057 of Chapter 456 of Title XXXII of the Fla. Stat. (patient records), §624.23 of Chapter 624 of Title XXXVII of the Fla. Stat. (personal and financial health information), §394.47892 of Chapter 394 of Title XXIX of the Fla. Stat. (mental health court program records), §394.47891 of Chapter 394 of Title XXIX of the Fla. Stat. (veterans treatment court program records), §406.135 of Chapter 406 of Title XXIX of the Fla. Stat. (autopsy images and recordings and certain autopsy reports), and, as discussed below, §501.171(11) of Chapter 501 of Title XXXIII of the Fla. Stat. (records relating to data breach notifications).

In addition, Senate Bill 1648—a companion bill to Senate Bill 262, which implemented the FDBR—provides certain exemptions from public records requirements for information related to potential violations of two parts of the FDBR: Part V of Chapter 501 (addressing consumer control over the digital flow of their personal data and data privacy rights) and Section 501.1735 (addressing the protection of children in online spaces). Senate Bill 1648 takes effect the same day as Senate Bill 262, July 1, 2024. Under House Bill 1491, there will also be public records exemptions for alleged violations of the new sections addressing social media use for minors (§501.1736) and age verification for online access to materials harmful to minors (§501.1737 and §501.1738); these exemptions take effect the same day as the new sections, January 1, 2025. 

3. Health Data 

Florida has several laws related to the privacy and confidentiality of patient health information. Below are examples of these laws, but this list is not exhaustive. The Florida Administrative Code also provides guidance on health data privacy.

3.1. General Confidentiality of Patient Records

Under Florida law, patient health records may not be furnished to, and the medical condition of a patient may not be discussed with, any person other than the patient, the patient's legal representative, or other health care practitioners and providers involved in the patient's care or treatment, except upon written authorization from the patient (Fla. Stat. §456.057(7)(a)). Moreover, Fla. Stat. §395.3025(4) reaffirms that patient records are confidential and must not be disclosed without the consent of the patient or his or her legal representative. In the following instances, however, such information may be disclosed without a patient's written authorization (Fla. Stat. §456.057(7)(a)):

  • to any person, firm, or corporation that has procured or furnished such care or treatment with the patient's consent;
  • when compulsory physical examination is made pursuant to Rule 1.360 of the Florida Rules of Civil Procedure, in which case copies of the medical records must be furnished to both the defendant and the plaintiff;
  • in any civil or criminal action, unless otherwise prohibited by law, upon the issuance of a subpoena from a court of competent jurisdiction and proper notice to the patient or the patient's legal representative by the party seeking such records;
  • for statistical and scientific research, provided the information is abstracted in a way as to protect the identity of the patient or provided written permission is received from the patient or the patient's legal representative;
  • to a regional poison control center for purposes of treating a poison episode under evaluation, case management of poison cases, or compliance with data collection and reporting requirements of Fla. Stat. §395.1027 and the professional organization that certifies poison control centers in accordance with federal law; and
  • to the Florida Department of Children and Families, its agent, or its contracted entity, for the purpose of investigations of or services for cases of abuse, neglect, or exploitation of children or vulnerable adults.

See also the exceptions listed at Fla. Stat. §395.3025(4)(a) to (l).

3.2. Mental Health Treatment Records

Chapter 394 of Title XXIX of the Fla. Stat. sets forth laws related to mental health, and Fla. Stat. §394.4615(1) requires that such clinical records be kept confidential, providing that, unless waived by express and informed consent by the patient or the patient's guardian, the confidential status of the clinical record must not be lost by either authorized or unauthorized disclosure to any person, organization, or agency. A patient's mental health clinical record may be released in certain circumstances, including the following (Fla. Stat. §394.4615(2)(a) to (d)):

  • The patient or the patient's guardian authorizes the release. The guardian or guardian advocate must be provided access to the appropriate clinical records of the patient. The patient or the patient's guardian or guardian advocate may authorize the release of information and clinical records to appropriate persons to ensure the continuity of the patient's health care or mental health care.
  • The patient is represented by counsel and the records are needed by the patient's counsel for adequate representation.
  • The court orders such release. In determining whether there is good cause for disclosure, the court must weigh the need for the information to be disclosed against the possible harm of disclosure to the person to whom such information pertains.
  • The patient is committed to, or is to be returned to, the Florida Department of Corrections from the Department of Children and Families, and the Department of Corrections requests such records. These records must be furnished without charge to the Department of Corrections.

See also Fla. Stat. §394.4615(3) and (4).

Furthermore, under Fla. Stat. §456.059, communications between a patient and a psychiatrist must be held confidential and may not be disclosed except upon the request of the patient or the patient's legal representative. However, if a patient communicates a 'specific threat' to cause serious bodily harm or death to a 'readily available person,' and the treating psychiatrist believes the patient has the ability and intent to actually carry out the threat, then the psychiatrist may disclose such communications as necessary to warn potential victims and alert law enforcement.

4. Financial Data

Florida law dictates that books and records pertaining to trust accounts, and the deposit accounts and loans of depositors, borrowers, members, and stockholders of any financial institution must be kept confidential by the financial institution and its directors, officers, and employees and may not be released except upon express authorization of the account holder as to her or his own accounts, loans, or voting rights (§655.059 of Chapter 655 of Title XXXVIII of the Fla. Stat.).

In certain circumstances, however, information relating to any loan made by a financial institution may be released without the borrower's authorization in a manner prescribed by the board of directors for the purpose of meeting the needs of commerce and for fair and accurate credit information, and to verify or corroborate the existence or amount of a customer's or member's account when such information is reasonably provided to meet the needs of commerce and to ensure accurate credit information (Fla. Stat. §655.059(2)(b)). Likewise, a financial institution, affiliate, and its subsidiaries, and any holding company of the financial institution or subsidiary of such holding company, may furnish to one another information relating to their customers or members, subject to the requirement that each corporation receiving information that is confidential maintain the confidentiality of such information and not provide or disclose such information to any unaffiliated person or entity (Fla. Stat. §655.059(2)(b)).

Furthermore, the books and records of a financial institution are confidential and must be made available for inspection and examination only in certain limited circumstances (Fla. Stat. §655.059(1)). However, each depositor, borrower, member, or stockholder has the right to inspect such books and records of a financial institution as they pertain to her or his loans or accounts (Fla. Stat. §655.059(2)(a)).

A willful violation of Fla. Stat. §655.059 involving unlawful disclosure of confidential information is a third-degree felony (Fla. Stat. §655.059(2)(c)).

Note, the Florida Insurance Code, codified under Chapter 624 of Title XXXVII of the Fla. Stat., provides additional privacy protections, as does Chapter 69O-128 of the Florida Administrative Code.

5. Employment Data

Florida statutory law does not explicitly protect employment data. However, under the exemptions from Florida's general public records law provided in Fla. Stat. §119.071, discussed in section 2.3. above, certain individuals' employment information may be exempt from disclosure, such as that of agency employees, US attorneys and judges, and servicemembers (see Fla. Stat. §119.071(4) and (5)(i)).

Some protections for personnel files, however, may be afforded via common law. Specifically, in Walker v. Ruot, 111 So. 3d 294 (Fla. Dist. Ct. App. 2013), the court stated that '[p]ersonnel files undoubtedly contain private information', and acknowledged that disclosure of this private information would be 'highly intrusive' to an employee's privacy interest (Walker at 295-96). Unfortunately, the court was considering this privacy interest in the context of litigation discovery, so the decision may not have wide applicability beyond that context; the court highlighted that '[w]hen privacy rights are implicated, discovery should be narrowly tailored to provide access to discoverable information while safeguarding privacy rights.'

6. Online Privacy

See the section on key privacy laws above for information on the FDBR.

7. Unsolicited Commercial Communications

7.1. Email Marketing

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the CAN-SPAM Act), which is a federal law, establishes requirements for commercial messages sent to recipients in the US. The CAN-SPAM Act expressly supersedes state laws or regulations that expressly regulate the use of electronic mail to send commercial messages, except to the extent that such laws or regulations prohibit false or deceptive actions.

Additionally, Chapter 668 of Title XXXIX of the Fla. Stat. protects against unsolicited commercial electronic mail messages, which are defined as 'any commercial electronic mail message that is not a transactional or relationship message and is sent to a recipient without the recipient's affirmative or implied consent' (Fla. Stat. §668.602(14)). An 'electronic mail message' is 'an electronic message or computer file that is transmitted between two or more telecommunications devices, computers, or computer networks, regardless of whether the network is a local, regional, or global network, or electronic devices capable of receiving electronic messages, regardless of whether the message is converted to a hard copy format after receipt, viewed upon transmission, or stored for later retrieval' (Fla. Stat. §668.602(7)). A 'commercial electronic mail message' is 'an electronic mail message sent to promote the sale or lease of, or investment in, property, goods, or services related to any trade or commerce. This includes any electronic mail message that may interfere with any trade or commerce, including messages that contain computer viruses' (Fla. Stat. §668.602(3)).

Fla. Stat. §668.603 specifically dictates that a person may not:

  • initiate or assist in the transmission of an unsolicited commercial electronic mail message from a computer located in Florida or to an electronic mail address that is held by a resident of Florida which:
    • uses a third party's internet domain without permission of the third party;
    • contains falsified or missing routing information or otherwise misrepresents, falsifies, or obscures any information in identifying the point of origin or the transmission path of the unsolicited commercial electronic mail message;
    • contains false or misleading information in the subject line; or
    • contains false or deceptive information in the body of the message which is designed and intended to cause damage to the receiving device of an addressee or of another recipient of the message.

Under Fla. Stat. §668.6075, a violation of Fla. Stat. §668.603 is considered 'an unfair and deceptive trade practice' as defined in Part II of Chapter 501 of Title XXXIII of the Fla. Stat. Additionally, anyone who violates Fla. Stat. §668.603 commits a first-degree misdemeanor and may be subject to imprisonment for up to one year and a fine of no more than $1,000 (Fla. Stat. §668.608(1)). This violation may be upgraded to a third-degree felony, with commensurate imprisonment and fines, depending on the volume of the email messages sent or the revenue generated from such messages (Fla. Stat. §668.608(2)).

7.2. Telephone Marketing

Under the Florida Telemarketing Act, codified under Part IV of Chapter 501 of Title XXXIII of the Fla. Stat., all non-exempt businesses engaged in the sale of consumer goods or services by telephone must be licensed by the Florida Department of Agriculture and Consumer Services (FDACS), along with the salespeople of that business.

A 'commercial telephone solicitation' includes the following (Fla. Stat. §501.603(1)):

  • an unsolicited telephone call to a person initiated by a commercial telephone seller or salesperson, or an automated dialing machine used in accordance with the provisions of Fla. Stat. §501.059(8) for the purpose of inducing the person to purchase or invest in consumer goods or services;
  • other communication with a person where:
    • a gift, award, or prize is offered; or
    • a telephone call response is invited; and
    • the salesperson intends to complete a sale or enter into an agreement to purchase or invest in consumer goods or services during the course of the telephone call; or
  • other communication with a person which represents a price, quality, or availability of consumer goods or services and which invites a response by a telephone or which is followed by a call to the person by a salesperson.

A person who violates the requirements of the Florida Telemarketing Act is liable for a Class III civil penalty under §570.971 of Chapter 570 of Title XXXV of the Fla. Stat. for each violation (Fla. Stat. §501.619). The FDACS will also be entitled to reasonable attorney's fees and costs from any non-prevailing parties involved in a civil action or investigation (Fla. Stat. §501.621).

8. Privacy Policies 

See the section on key privacy laws for information on the FDBR, as well as laws addressing social media use for minors and age verification.

9. Data Disposal/Cybersecurity/Data Security

Codified under §501.171 of Chapter 501 of Title XXXIII of the Fla. Stat. is Florida's Information Protection Act of 2014 (FIPA), which expressly requires covered entities, government agencies, and third-party agents to properly dispose of records containing personal information, to implement reasonable security measures, and to provide notification of data breaches.

A 'covered entity' means a sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information. For the data breach notification provisions (§501.171(3) to (6) of FIPA), 'covered entity' includes governmental entities.

Under FIPA, 'personal information' means either:

  • an individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:
    • a social security number;
    • a driver license or identification card number, passport number, military identification number, or other similar number issued on a government document used to verify identity;
    • a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to permit access to an individual's financial account;
    • any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
    • an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual; or
  • a username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

9.1. Disposal of Records

Under §501.171(8) of FIPA, covered entities and their third-party agents are required to take 'all reasonable measures' to ensure proper disposal of records that no longer need to be retained. Acceptable disposal measures include shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

9.2. Data Security Requirements

Under §501.171(2) of FIPA, covered entities, governmental agencies, and third-party agents are required to take reasonable security measures to protect and secure data in electronic form containing personal information.

9.3. Breach Notification Requirements

Florida's data breach notification law is provided under §501.171(3) to (6) of FIPA.

'Breach of security' or 'breach' means the unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the covered entity does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.

There are three instances where an entity must provide notice to others of a data security incident, as outlined below.

Notice to the Florida AG

A covered entity must provide notice to the AG of any breach affecting 500 or more individuals in Florida. The notice must be provided 'as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred.' A covered entity may receive 15 additional days if the covered entity provides a notification in writing to the AG within 30 days that good cause exists for the delay. Any notification of a need for additional time must include:

  • a synopsis of the events surrounding the breach at the time the notice is provided;
  • the number of individuals in Florida who were or potentially were impacted by the breach;
  • information on any services related to the breach being offered or scheduled to be offered, without charge, by the covered entity to individuals, along with instructions on how to use such services;
  • a copy of the breach notification letter sent to individuals, or an explanation of other actions taken to notify individuals; and
  • the name, address, telephone number, and email address of the employee or agent of the covered entity from whom additional information may be obtained.

Upon further request, the covered entity must also provide:

  • a police report, incident report, or computer forensics report;
  • a copy of the policies in place regarding breaches; and
  • steps taken to rectify the breach.

A covered entity may provide supplemental or additional information to the AG at any time.

If the covered entity is part of the Florida judicial branch, the Executive Office of the Governor, the Department of Financial Services, or the FDACS, in lieu of providing written notice to the AG, the entity may post the information set forth above on an agency-managed website.

Notice to individuals

A covered entity must give notice to each individual in Florida whose personal information was, or the covered entity reasonably believes to have been, accessed as a result of the breach.

Timing of notice

Notice to individuals must be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the covered entity to determine the scope of the breach of security, to identify individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than 30 days after the determination of a breach or reason to believe a breach occurred unless subject to an authorized delay (as described above).

Law enforcement delay

If a federal, state, or local law enforcement agency determines that notice to individuals would interfere with a criminal investigation, the notice must be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request to a specified date if further delay is necessary.

Good faith determination that breach will not result in harm or identity theft

Notice to affected individuals is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least five years. The covered entity must provide the written determination to the AG within 30 days after making this determination.

Acceptable notification methods

The notice to an affected individual must be by one of the following methods:

  • written notice sent to the mailing address of the individual in the records of the covered entity; or
  • email notice sent to the email address of the individual in the records of the covered entity.

Content requirements

The notice to an individual with respect to a breach of security must include, at a minimum:

  • the date, estimated date, or estimated date range of the breach of security;
  • a description of the personal information that was accessed or reasonably believed to have been accessed as a part of the breach of security; and
  • information that the individual can use to contact the covered entity to inquire about the breach of security and the personal information that the covered entity maintained about the individual.

Substitute notice

A covered entity required to provide notice to an individual may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $250,000, because the affected individuals exceed 500,000 persons, or because the covered entity does not have an email address or mailing address for the affected individuals. Such substitute notice must include the following:

  • a conspicuous notice on the internet website of the covered entity if the covered entity maintains a website; and
  • notice in print and to broadcast media, including major media in urban and rural areas where the affected individuals reside.

Interplay with federal privacy laws and regulations

Notice provided pursuant to rules, regulations, procedures, or guidelines established by the covered entity's primary or functional federal regulator is deemed to be in compliance with the notice requirement in this subsection if the covered entity notifies affected individuals in accordance with the rules, regulations, procedures, or guidelines established by the primary or functional federal regulator in the event of a breach of security.

9.4. Enforcement

FIPA does not establish a private right of action. A violation of FIPA must be treated as an unfair or deceptive trade practice in any action brought by the AG pursuant to §501.207 of Chapter 501 of Title XXXIII of the Fla. Stat. against a covered entity or third-party agent. Pursuant to Fla. Stat. §501.207, the AG may seek injunctive relief, actual damages, and other appropriate legal or equitable relief.

In addition, a covered entity that violates its requirements to notify the AG or impacted individuals will be liable for a civil penalty not to exceed $500,000, as follows:

  • in the amount of $1,000 for each day up to the first 30 days following a violation and, thereafter, $50,000 for each subsequent 30-day period or portion thereof for up to 180 days; and
  • if the violation continues for more than 180 days, in an amount not to exceed $500,000.

The civil penalties for failure to notify apply per breach and not per individual affected by the breach. All penalties collected pursuant to this subsection will be deposited into the General Revenue Fund.
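The FIPA definition of 'personal information', the 30-day notice deadlines and the 500-individual AG threshold, and the late-notice penalty schedule set out above, encoded as an added example that is not part of this guidance note or the statute. The field labels, function names and the breach scenario are assumptions constructed for illustration; a law enforcement delay request is not modelled.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data elements that make a record FIPA 'personal information' when combined with a
# first name (or first initial) and last name. Field labels are assumed for this example.
NAME_LINKED_ELEMENTS = (
    "ssn",
    "government_id_number",      # driver license, passport, military ID, or similar
    "financial_account_number",  # counts only with the code/password needed to use it
    "medical_information",
    "health_insurance_id",
)


def is_fipa_personal_information(fields: set) -> bool:
    """True if a record holding these (non-empty) fields is FIPA personal information."""
    has_name = "last_name" in fields and ("first_name" in fields or "first_initial" in fields)
    if has_name:
        for element in NAME_LINKED_ELEMENTS:
            if element not in fields:
                continue
            if element == "financial_account_number" and "account_access_code" not in fields:
                continue  # a bare account/card number without its access code is not enough
            return True
    # Second prong: an online credential pair; no name is required.
    has_login = "username" in fields or "email" in fields
    has_secret = "password" in fields or "security_question_answer" in fields
    return has_login and has_secret


@dataclass
class BreachPlan:
    ag_notice_required: bool
    ag_notice_deadline: date                # 30 days after the determination
    ag_extended_deadline: date              # +15 days if good cause is shown in writing
    individual_notice_required: bool
    individual_notice_deadline: date        # also 30 days, absent an authorized delay
    determination_due_to_ag: Optional[date]  # written no-harm finding, if relied on


def plan_breach_response(determination: date, florida_individuals: int,
                         no_harm_determined: bool = False) -> BreachPlan:
    """Derive the FIPA notice obligations from the determination date and head count."""
    deadline = determination + timedelta(days=30)
    return BreachPlan(
        ag_notice_required=florida_individuals >= 500,
        ag_notice_deadline=deadline,
        ag_extended_deadline=deadline + timedelta(days=15),
        # A documented good-faith 'no identity theft or financial harm' finding removes
        # the duty to notify individuals, but must itself reach the AG within 30 days.
        individual_notice_required=not no_harm_determined,
        individual_notice_deadline=deadline,
        determination_due_to_ag=deadline if no_harm_determined else None,
    )


def late_notice_penalty(days_late: int) -> int:
    """Maximum civil penalty for a late notice, assessed per breach, not per individual."""
    if days_late <= 0:
        return 0
    if days_late <= 30:
        return 1_000 * days_late
    if days_late <= 180:
        # $50,000 for each subsequent 30-day period 'or portion thereof': round up.
        periods = math.ceil((days_late - 30) / 30)
        return 30_000 + 50_000 * periods
    return 500_000  # beyond 180 days the statute only fixes a $500,000 ceiling


if __name__ == "__main__":
    # Constructed scenario: name + SSN records of 1,200 Florida residents, breach
    # determined on 1 July 2024, AG notice sent 45 days after the deadline.
    fields = {"first_name", "last_name", "ssn", "email"}
    print("FIPA personal information:", is_fipa_personal_information(fields))
    plan = plan_breach_response(date(2024, 7, 1), florida_individuals=1_200)
    print("AG notice required:", plan.ag_notice_required, "by", plan.ag_notice_deadline)
    print("Penalty exposure for 45 days late: $", late_notice_penalty(45))
```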

9.5. Public Records Exemption

Like most US states, Florida has open records laws that permit individuals to inspect and examine public records (e.g. Fla. Stat. §119.07(1) and §24(a) of Article I of the Constitution). However, all information received by the AG pursuant to a notification required under FIPA or received by the AG pursuant to an investigation by the AG or a law enforcement agency, is confidential and exempt from Fla. Stat. §119.07(1) and §24(a) of Article I of the Constitution, until such time as the investigation is completed or ceases to be active.

Exceptions

During an active investigation, confidential information may be disclosed by the AG:

  • in the furtherance of its official duties and responsibilities;
  • for print, publication, or broadcast if the department determines that such release would assist in notifying the public or locating or identifying a person that the AG believes to be a victim of a data breach or improper disposal of customer records (unless it is a record that must maintain confidentiality as defined below); or
  • to another governmental entity in the furtherance of its official duties and responsibilities.

Records that maintain confidentiality

Upon completion of an investigation or once an investigation ceases to be active, the following information received by the AG must remain confidential and exempt from Fla. Stat. §119.07(1) and §24(a) of Article I of the Constitution:

  • all information to which another public records exemption applies;
  • personal information;
  • a computer forensic report;
  • information that would otherwise reveal weaknesses in a covered entity's data security; and
  • information that would disclose a covered entity's proprietary information.

'Proprietary information' means information that:

  • is owned or controlled by the covered entity;
  • is intended to be private and is treated by the covered entity as private because disclosure would harm the covered entity or its business operations;
  • has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public;
  • is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by the AG; and
  • specifically includes:
    • trade secrets as defined in Fla. Stat. §688.02; and
    • competitive interests, the disclosure of which would impair the competitive business of the covered entity who is the subject of the information.

10. Other Specific Jurisdictional Requirements

Not applicable.