Florida: Digital Bill of Rights - privacy concerns and key differences for businesses to consider
On June 6, 2023, the Governor signed S.B. 262, the Florida Digital Bill of Rights (FDBR) into law, with an effective date of July 1, 2024. Kyle R. Dull, Senior Associate at Squire Patton Boggs (US) LLP, provides a detailed overview of the contents of the FDBR and what businesses may need to consider in order to remain compliant.
Although the FDBR provides consumers rights similar to the rights in other state consumer privacy laws already in effect, it differs in important and significant ways. The FDBR includes familiar concepts such as personal data, controllers, processors, dark patterns, biometric data, targeted advertising, and data processing principles, among others. But, in some instances, Florida employs unique definitions of these terms. Consumers have the right to confirm processing of their personal data, access, correct, and delete their personal data. The FDBR also provides consumers with various opt-out rights and an opt-in right for the sale of sensitive personal data, which applies to all businesses and not just those that meet the controller threshold requirements.
Narrow definition of controllers
Unlike most of the other state consumer privacy laws, the FDBR defines the term 'controller' more narrowly and targets larger companies: a 'controller' must have $1 billion in global gross revenue and must also meet one of the following requirements:
- 50% of global gross revenue comes from the sale of advertisements online;
- it operates a consumer smart speaker and voice command service; or
- it operates an app store or digital distribution platform with at least 250,000 different software applications.
As a result, most of the FDBR's controller obligations only apply to larger technology companies. Although the FDBR is clearly focused on the top tech and data companies, the definitions of 'processor' and 'third party' do not have these same limitations, so there are still implications for businesses that process data on behalf of controllers, as well as those who receive data in a third-party capacity. Thankfully, for compliance purposes, these processor requirements largely follow the other state consumer privacy laws and mandate such things as specific contractual requirements and an obligation to assist controllers in their compliance with this law. However, as discussed below, the FDBR also places a specific sensitive personal data opt-in obligation on businesses that would otherwise not be subject to the FDBR as controllers.
A 'consumer' is defined as an individual acting in an individual or household context, who is a resident of or is domiciled in Florida. The definition specifically excludes individuals 'acting in a commercial or employment context.' Thus, the FDBR's definition of a consumer aligns with how the term is used in non-California consumer privacy laws. Further, Florida consumers are granted the right to request that a controller confirm the processing of personal data and access the personal data, correct inaccuracies in the personal data, delete personal data, obtain a portable copy of the personal data, and various opt-out rights, as noted below.
However, the scope of some of the rights differs in Florida when compared to other states. The right to delete personal information is a broad right, as it includes 'personal data provided by or obtained about the consumer.' In contrast, the California Consumer Privacy Act (CCPA) has a more limited right to delete, and provides consumers the right to request deletion of 'any personal information about the consumer which the business has collected from the consumer.' [Emphasis added].
The FDBR also outlines a verification requirement for consumer rights requests. Controllers must comply with 'authenticated consumer requests,' which roughly means that the controller has verified 'that the consumer who is entitled to exercise the consumer's rights [under the FDBR] is the same consumer exercising those consumer rights with respect to the personal data at issue.' The FDBR does not provide more detail but, as noted below, the Attorney General (AG) is directed to implement rules addressing authentication. Authenticated consumer requests, which include the opt-out rights addressed below, must be responded to without undue delay, and no later than 45 days after the date of the request, although a controller may extend the response deadline by an additional 15 days if the consumer is informed of the extension during the first 45-day period. The CCPA allows businesses up to 90 days to respond to a verifiable consumer request because its extension right is for another 45-day period. Thus, controllers have a significantly shorter period of time to respond to requests from Florida consumers as compared to the other state consumer privacy laws. Florida consumers have the right to appeal the controller's refusal to take action on a consumer rights request, and controllers must respond to the appeal within 60 days of receipt.
Consumers have the right to opt out of: (i) targeted advertising; (ii) the sale of personal data; (iii) profiling; (iv) the collection or processing of sensitive data; and (v) the collection of personal data through a voice recognition or facial recognition feature. As noted below, however, all businesses (not just those that meet the definition of a controller) must obtain a consumer's consent prior to the sale of their sensitive personal data.
Some of these opt-out rights are unique, so controllers will need to adjust their current consumer rights request programs to process requests for these new consumer rights. In order to make an opt-out rights request, a consumer must make an authenticated consumer request. As noted above, 'authenticate' is vaguely defined by the FDBR. It will be important to watch the rulemaking from the AG's Office to see whether it adopts less stringent authentication requirements for opt-out rights as compared to other rights, such as the rights to correct or delete.
Of note, for controllers, the definition of targeted advertising includes some first-party targeting, which has typically been excluded from other consumer privacy laws. In Florida, 'targeted advertising' is more broadly defined as, 'displaying to a consumer an advertisement selected based on personal data obtained from that consumer's activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer's preferences or interests.' [Emphasis added]. Excluded from the definition is 'an advertisement that is:
- Based on the context of a consumer's current search query on the controller's own website or online application; or
- Directed to a consumer search query on the controller's own website or online application in response to the consumer's request for information or feedback.'
Typically, other states have excluded affiliated websites and applications from the definition of targeted advertising. Like the other state consumer privacy laws, the FDBR requires controllers to permit consumers to opt out of the processing of personal data for targeted advertising. But, because Florida's broad definition of targeted advertising includes affiliated websites, its opt-out right covers practices previously excluded under other state laws.
Special rights for sensitive data and biometric data
All businesses, regardless of whether they meet the controller revenue and processing thresholds, must obtain consent from a consumer prior to selling that consumer's sensitive personal data. Sensitive data is defined as '(a) Personal data revealing an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status[;] (b) Genetic or biometric data processed for the purpose of uniquely identifying an individual[;] (c) Personal data collected from a known child[; or] (d) Precise geolocation data.' Precise geolocation data is limited to a radius of 1,750 feet. Businesses will have to consider when and how they obtain consent to the sale, or simply abandon selling sensitive data about Florida consumers altogether.
In addition, a controller, which meets the revenue and processing thresholds and sells biometric data, must include a specific disclosure in its privacy notice, 'NOTICE: This website may sell your biometric personal data.'
Data Protection Assessments
Data Protection Assessments (DPAs) are also required for processing activities generated on or after July 1, 2023, including targeted advertising, the sale of personal data, profiling in certain circumstances, the processing of sensitive data, and any processing which 'present[s] a heightened risk of harm to consumers.' The Florida AG may request a copy of the DPA. Because some of the other state consumer privacy laws, as well as other privacy laws like the General Data Protection Regulation (GDPR), require similar assessments to be conducted, a business may use such existing assessments to comply with the FDBR 'if the assessment has a reasonably comparable scope and effect.'
General processing principles
The FDBR also outlines general processing principles which a controller must follow. If the personal data is processed for purposes otherwise exempt by §501.717(1) of the Florida Statutes, the controller must adopt 'reasonable administrative, technical, and physical measures to protect its confidentiality, integrity, and accessibility and to reduce reasonably foreseeable risks of harm to consumers…'. Controllers and processors are required to adopt a retention schedule that satisfies specific requirements, subject to certain exemptions. The retention schedule must prohibit the use or retention of personal data: (i) after the initial purpose for the collection of personal data has been satisfied; (ii) 'after expiration or termination of the contract pursuant to which the information was collected or obtained;' or (iii) two years after the last interaction with the consumer.
The FDBR does not contain a private right of action and specifically states that it is only actionable by the Florida AG. The AG must bring the action on behalf of a Florida consumer and may obtain a civil penalty of up to $50,000 per violation, which may be tripled in certain circumstances. There is a 45-day cure period, but it is at the discretion of the AG. The FDBR sets out specific elements for the AG to consider in determining whether to grant the cure period, including the number of violations, the substantial likelihood of injury to the public, and the safety of persons or property.
The AG is required to adopt rules to implement the FDBR, including establishing 'standards for authenticated consumer requests, enforcement, data security, and authorized persons who may act on a consumer's behalf.' These are all important topics where California and Colorado have issued detailed rules. The effective date of the FDBR is July 1, 2024, which is not significantly far away when you consider the sometimes-arduous rulemaking process that must be followed by agencies. It will be important to monitor these rulemaking developments to see if Florida follows in Colorado's footsteps with robust and detailed rules implementing the law and to see if Florida is able to issue its rules prior to the FDBR's effective date.
Other security concerns
Although not specifically part of the FDBR, S.B. 262 also amended the definition of personal information, as used in Florida's data breach statute, §501.171 of the Florida Statutes, to include both biometric information and information regarding a person's geolocation (if in combination with the individual's first name or first initial and last name). This is an important development for all businesses to consider in reviewing their breach notification obligations.
The FDBR is largely targeted at businesses with over $1 billion in revenue, which sets it apart from the other state consumer privacy laws. However, the FDBR includes some unique requirements that applicable controllers must consider, including a very broad definition of targeted advertising, as well as some unique rights with response times that differ from other state laws. Importantly, the FDBR requires all businesses, not just those that meet the definition of a controller, to obtain a consumer's opt-in consent to the sale of sensitive personal data prior to selling that data. And there are more privacy developments to come. The AG is required to issue rules to implement the FDBR. Businesses should follow the rulemaking process to ensure that the proposed rules do not impose compliance burdens that conflict with the various requirements in other state consumer privacy laws.
Kyle Dull, Senior Associate
Squire Patton Boggs (US) LLP, Miami