On July 1, 2024, Senate Bill 262, commonly known as the Florida Digital Bill of Rights (FDBR), went into effect. This consumer data privacy law, located at Fla. Stat. § 501.701 et seq., grants Florida residents important rights regarding their data, including the right to opt out of certain advertising, sales, data collection, biometric recognition, and data-driven profiling. At The Lomnitzer Firm P.A., our cyber law attorneys help individuals, families, and companies understand the scope of this law, consider its limitations, and evaluate its impact in Florida’s evolving digital environment.
The FDBR generally affects people or businesses that process or sell personal data. Ultimately, however, it applies only to a limited number of very large entities: those with gross annual revenue of more than $1 billion. Furthermore, affected businesses must meet at least one of the following criteria:
The FDBR also contains various exemptions that are based on entity, data, and employment.
Affected entities must provide two or more ways for consumers to make requests regarding their personal data rights, which must be secure, reliable, and clearly and conspicuously accessible. These entities must take certain actions upon a consumer’s request, including correcting and deleting data, as well as providing certain opt-outs. When an affected entity receives this type of request, it shall respond or inform the consumer that it cannot take the requested action no later than 45 days after receipt of the request, with one 15-day extension of that deadline. If the entity complies with the request, it must give notice of doing so within 60 days of receipt of the request.
Entities subject to the FDBR must limit the personal data they collect to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer. These entities must also implement and maintain reasonable and appropriate data security practices.
Entities also may not collect consumers’ personal data in a way that:
The FDBR also outlines certain required disclosures for entities that operate search engines, as well as required privacy notices that must be updated annually. Surveillance without consumer authorization when consumers are not actively using voice-activated devices is also prohibited.
Legislation enacted alongside the FDBR prohibits governmental entities from contacting social media platforms to request the removal of content or accounts. However, the FDBR provides some exceptions to contact with social media platforms, such as routinely maintaining governmental entity accounts.
Entities may not process sensitive data, such as data related to race, mental health, immigration status, or religious beliefs, without consumer consent. As a result, any for-profit entity that collects personal data must obtain consent before selling sensitive personal data. The FDBR specifically defines consent as a clear affirmative act signaling specific, informed, and unambiguous agreement; consent cannot be part of a broader general terms-of-use acceptance.
Likewise, the FDBR specifically defines a sale as the sharing, disclosure, or transfer of personal data for monetary or other valuable consideration. This definition is crucial, as it determines the circumstances under which a consumer can opt out of the disclosure of their personal data.
The FDBR provides no private right of action for consumers. The Office of the Attorney General has the exclusive legal authority to enforce the FDBR and pursue those who violate it. Each violation may result in civil penalties of up to $50,000, which may triple in certain egregious circumstances. The Attorney General may adopt new rules to implement certain aspects of the FDBR.
The FDBR provides a completely discretionary cure period of 45 days before the Attorney General’s office initiates an enforcement action.
The FDBR applies only to very large entities with gross annual revenue exceeding $1 billion. In addition, these entities must meet at least one of the following criteria:
Certain organizations are exempt, including government entities, nonprofits, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and HIPAA-covered entities.
Consumers can request that covered entities:
Entities must respond within 45 days (with one possible 15-day extension) and provide notice of compliance within 60 days. Consumers may make requests twice per year at no cost, and entities must offer at least two secure and accessible methods for submitting requests.
Entities may not process or sell sensitive personal data without the consumer’s explicit consent. Sensitive data includes:
Consent must be a clear, affirmative act and cannot be bundled into general terms of use. The FDBR also defines a “sale” broadly as any sharing, disclosure, or transfer of personal data for monetary or other valuable consideration, giving consumers the right to opt out of such disclosures.
Florida’s Digital Bill of Rights marks a significant shift in how others may use online data. At The Lomnitzer Firm P.A., our Broward cyber law attorneys are dedicated to helping clients navigate this evolving landscape, evaluate their options, and take decisive steps to secure their data in Florida’s new digital era. Call our office today at (800) 853‑9692 or reach out to us online.