Florida: FDBR - FAQs
The Florida Digital Bill of Rights (FDBR) was introduced to the Florida State Senate on March 3, 2023. After passing both Houses of the Florida State Congress, the FDBR was signed by the Governor on June 6, 2023.
The FDBR will enter into effect on July 1, 2024.
Scope, applicability, and key definitions
Who does the FDBR apply to?
The FDBR applies to a person who:
- conducts business in Florida or produces a product or service used by residents of Florida; and
- processes or engages in the sale of personal data.
Importantly, however, the FDBR defines 'controller' as a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that, among other things, makes in excess of $1 billion in global gross annual revenues.
However, the FDBR does not apply to the processing of personal data by a person in the course of a purely personal or household activity, or solely for measuring or reporting advertising performance, reach, or frequency.
Are certain data exempted from the application of the FDBR?
Yes, the FDBR does not apply to the types of personal data listed below:
- protected health information under the Health Insurance Portability and Accountability Act (HIPAA);
- health records;
- patient identifying information for purposes of Title 42 of the U.S. Code, as part of the Public Health Service Act;
- information and documents created for purposes of the Health Care Quality Improvement Act of 1986;
- personal data relating to consumers' credit information or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, or user of such a consumer report, if such an activity is regulated by and authorized under the Fair Credit Reporting Act (FCRA);
- personal data regulated by the Family Educational Rights and Privacy Act 1974 (FERPA);
- data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
- data processed or maintained as the emergency contact information of an individual used for emergency contact purposes; and
- personal data processed by a person in the course of a purely personal or household activity or solely for measuring or reporting advertising performance, reach, or frequency.
How does the FDBR define 'consumer'?
The FDBR defines a 'consumer' as an individual who is a Florida resident and is acting only for an individual or household purpose. The definition does not include an individual acting in a commercial or employment context.
How does the FDBR define 'consent'?
The FDBR defines 'consent' as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data. The term includes a written statement, including by electronic means, or any other unambiguous affirmative act. The term does not include any of the following:
- hovering over, muting, pausing, or closing a given piece of content; or
- agreement obtained using dark patterns.
How does the FDBR define a 'controller'?
The FDBR defines a 'controller' as a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
- is organized or operated for the profit or financial benefit of its shareholders or owners;
- conducts business in Florida;
- collects personal data about consumers, or is the entity on behalf of which such information is collected;
- determines the purposes and means of processing personal data about consumers alone or jointly with others;
- makes more than $1 billion in global gross annual revenues; and
- satisfies at least one of the following:
  - derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
  - operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle manufacturer or a subsidiary or affiliate thereof; or
  - operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
Alternatively, 'controller' can mean any entity that controls or is controlled by a controller. The term 'control' is defined as:
- ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a controller;
- control over the election of a majority of the directors, or of individuals exercising similar functions; or
- the power to exercise a controlling influence over the management of a company.
How does the FDBR define a 'processor'?
The FDBR defines 'processor' as a person that processes personal data on behalf of a controller.
A determination as to whether a person is acting as a controller or processor is a fact-based determination that depends on the context in which personal data is to be processed. A processor that continues to follow a controller's instructions with respect to the specific processing of personal data remains in the role of a processor.
How does the FDBR define 'personal data'?
The FDBR defines 'personal data' as information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. However, personal data does not include de-identified data, aggregate data, or publicly available information.
How does the FDBR define 'sensitive data'?
The FDBR defines 'sensitive data' as personal data related to:
- racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual;
- personal data collected from a known child; and
- precise geolocation data.
How does the FDBR define 'processing'?
The FDBR defines 'processing' as any operation or set of operations performed, by manual or automated means, on personal data or on sets of personal data, including the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
How does the FDBR define 'sale' of personal data?
The FDBR defines the sale of personal data as the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by a controller to a third party. However, the definition does not include:
- the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- the disclosure of information that the consumer intentionally made available to the public via a mass media channel, and did not restrict to a specific audience; or
- the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.
Key provisions and requirements
Does the FDBR provide for consumer rights?
Yes, the FDBR provides several consumer rights, including the right to:
- confirm whether or not the controller is processing the consumer's personal data and to access such personal data;
- delete or correct their personal data;
- obtain a copy of their personal data, in a portable, and readily usable format if the data is available in a digital format;
- opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling;
- opt out of the collection or processing of sensitive data, including precise geolocation data; and
- opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
Are there obligations in relation to sensitive data?
Yes, when processing or selling sensitive personal data, the FDBR requires controllers to:
- obtain the data subject's consent;
- provide consumers with an accessible and clear privacy notice that contains information on the categories of any sensitive data processed by the controller;
- provide a notice on their website that states:
  - 'NOTICE: This website may sell your sensitive personal data,' if the controller engages in the sale of sensitive personal data;
  - 'NOTICE: This website may sell your biometric personal data,' where a controller engages in the sale of biometric data; and
- conduct and document a Data Protection Impact Assessment (DPIA) for processing activities involving sensitive data.
In relation to minors' personal information, the controller must obtain the child's consent in the case of processing or selling the sensitive data of a child between 13 and 18 years of age, or in accordance with the Children's Online Privacy Protection Act (COPPA) if the child is below the age of 13.
What are the main obligations for data controllers?
The FDBR requires data controllers to adhere to the following requirements:
- only collect personal data that is adequate, relevant, and necessary for the purposes for which it is processed, as disclosed to the consumer;
- establish and maintain administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data;
- conduct DPIAs for specific processing activities;
- provide consumers with an accessible and clear privacy notice that details:
  - the categories of personal or sensitive data processed by the controller;
  - the purpose of processing personal data;
  - how consumers may request the deletion of their personal data and how they can opt out of the processing of their personal data;
  - the categories of personal data that the controller shares with third parties;
  - the categories of third parties with whom the controller shares personal data; and
  - how consumers can submit requests to exercise their consumer rights.
Additionally, controllers who operate search engines must disclose on their webpage the main parameters that are used to rank search results, including the prioritization or de-prioritization of political partisanship or political ideology in search results.
Under the FDBR, controllers are prohibited from:
- processing personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers;
- discriminating against consumers for exercising their consumer rights, including by providing goods or services of a different price, rate, level, or quality; and
- processing personal data for a purpose that is neither necessary nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, without the consumer's consent.
What are the main obligations for data processors?
The FDBR requires processors to follow the instructions of controllers and to assist controllers in their duties, in order to:
- fulfill the controller's obligation to respond to consumer rights requests;
- meet the controller's obligations in relation to the security of processing the personal data and the notification of a security breach of the processor; and
- provide necessary information to enable the controller to document and conduct DPIAs.
Are vendor privacy relationships regulated under the FDBR?
Yes, the FDBR provides that controller/processor relationships must be governed by a binding contract. In this regard, the Bill specifies that such a contract must set forth, among other things:
- the instructions for processing personal data, including the nature and purpose of processing;
- the type of data subject to processing and the duration of processing;
- the rights and duties of both parties; and
- requirements regarding:
  - the duty of confidentiality when processing personal data;
  - deletion or return of personal data to the controller at the end of the provision of services;
  - controller assessments;
  - making available to the controller information necessary to demonstrate compliance with the provisions of the FDBR; and
  - engaging a subprocessor.
Are DPIAs regulated under the FDBR?
Yes, controllers must conduct and document DPIAs for the following processing activities involving personal data:
- the processing of personal data for targeted advertising;
- the sale of personal data;
- the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:
  - unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - financial, physical, or reputational injury to consumers;
  - a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
  - other substantial injury to consumers;
- the processing of sensitive data; and
- any processing activities involving personal data that present a heightened risk of harm to consumers.
According to the FDBR, a DPIA must:
- identify and weigh the benefits and the risks to the rights of the consumer associated with the processing, as well as measures that can be employed by the controller to mitigate such risks; and
- factor into the assessment the use of deidentified data, the expectations of consumers, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed.
This requirement is applicable to processing activities created or generated on or after July 1, 2023.
Who is empowered to enforce violations of the FDBR?
The Attorney General (AG) has exclusive authority to enforce the provisions of the FDBR. Where the AG believes that a person is in violation of the FDBR, it can bring an action against such person for unfair or deceptive acts or practices.
What penalties are controllers and processors facing under the FDBR?
The AG may bring an action in the name of the state, and in addition to other remedies may impose a civil penalty of up to $50,000 for a violation of the FDBR. Importantly, the FDBR clarifies that it does not establish a private right of action.
What is the legislative status of the FDBR?
The FDBR was signed by the Florida Governor on June 6, 2023.
When will the FDBR come into force?
The FDBR will come into effect on July 1, 2024.
Mike Kariuki, Privacy Analyst