Florida Enacts Comprehensive Privacy Law

Florida has become the latest state – approximately ten – to enact a comprehensive privacy law.  On June 6, 2023, Governor DeSantis recently signed SB 262 which includes some new privacy provisions.  Florida also recently passed a child privacy law that is notably similar to California’s Age Appropriation Act that becomes effective July 1, 2024.

The Florida Digital Bill of Rights Law

Covered entities (“controllers”) include those that earn $1 billion in global gross annual revenues and either (i) receive 50% of gross annual revenue from online ad sales; (ii) operate a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud-connected service and hands-free verbal activation; or (iii) operate an app store or digital distribution platform that has at least 250,000 apps available for download.

Note, however, that non-covered entities that serve as data processors for covered entities may potentially be impacted.  More specifically, such processors are required to support a covered entities’ compliance efforts and to maintain responsible contracts that include provisions governing data processing.  In fact, the new law sets forth specific requirements that must be included in such data processing agreements.

Not unlike other states, the Florida Digital Bill of Rights Law has numerous exemptions and applies to consumer information.  Exemptions include entities covered by HIPAA (and business associates), financial institutions and affiliates (subject to GLBA), non-profits, certain government entities, and higher education institutions.  There are also specific data exemptions.

Conversely, unique features of the new Florida law include permitting consumers to opt-out of the collection of personal data from facial recognition technology features.  Additionally, controllers are required to publish a plain language description of how search results are ranked (e.g., political partisanship or ideology) and how the algorithm prioritizes same.  Covered entities are also required to establish data retention schedules or dispose of consumer data two years following the last interaction with a consumer.

Covered entities will also be required to respond to consumer requests for information within 45 days of receiving a verifiable consumer request, provide data in a portable and usable format (free of charge up to two times per year), and provide a clear and conspicuous link on the homepage, entitled “Do Not Sell or Share My Personal Information,” to allow consumers to opt- out of the sale or sharing of personal information.

Covered entities are required to maintain an online privacy policy that includes, without limitation, notice of Florida-specific consumer privacy rights; the types and categories of personal information being collected, sold or shared; notice of a consumer’s right to request deletion or correction of personal information; and a consumer’s right to opt-out of the sale or sharing of personal information to third-parties.  Additionally, covered entities must inform consumers of the categories of personal information to be collected and how it will be used.

Importantly, covered entities that sell sensitive personal data are required to specifically notify consumers by stating: “NOTICE: This website may sell your sensitive personal data.”

Violations can result in penalties as high as $50,000 and the Florida Attorney General is vested with discretion relating to the provision of a 45-day cure period for violators.  The AG has also been tasked with adopting rules surrounding, without limitation, enforcement and data security.  Civil penalties may be tripled under enumerated circumstances.

The fee per violation of the FDBR is remarkably high as compared to other states with comprehensive privacy laws. While businesses covered by the FDBR have requirements that are less onerous than those set forth in data privacy laws in other states, the potential fine for violating the FDBR could be much steeper.

Entities that violate the FDBR or related Technology Transparency statutes may be granted a 45-day period to cure the alleged violation, with discretion given to the Department. If the alleged violation is cured within this time period, the Department will not bring an action against the entity, but instead may issue a letter of guidance stating that the entity will not be given another 45-day cure period should future violations occur. If the entity fails to cure the violation within the 45 calendar days, the Department may bring an action against them.

There is no private right of action.  The new law will be enforced by the Florida Department of Legal Affairs.

However, residents of those domiciled in Florida will have data access rights, and the right to request correction and deletion.  They will also be able to  decide whether or not a controller may collect precise geolocation data or personal information through a voice recognition feature, opt-out of the selling or sharing of personal information to third parties, and the use of personal information for targeted advertising.  Such consumers will also be able to request the identities of third-parties to whom their personal information was sold or shared.

The new Florida law does not contain many of the compliance obligations that other state privacy laws mandate, including Indiana, Montana and Tennessee.

The prohibition on officers or salaried employees of governmental entities is effective on July 1, 2023.  The remainder of the new privacy legislation becomes effective July 1, 2024.

Florida’s Children’s Privacy Law

SB 262 also includes a new that applies to operators of social media platforms accessed by Florida children.  As noted above, restrictions are similar to California’s Age Appropriation Act, although the California law is not strictly limited to and encompasses providers of online products and services to children.

In short, the new law restricts the processing of children’s data if substantial harm will result.  Children may not be profiled by social media platforms with demonstrating necessity.  A child’s information may only be used for collection purposes.

Richard B. Newman is an FTC defense attorney at Hinch Newman LLP. Follow FTC defense lawyer on National Law Review.