On June 6, 2023, Florida State Governor Ron DeSantis signed the Florida Digital Bill of Rights (FDBR, S.B. 262) into law, making Florida the tenth state to enact a comprehensive privacy law. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies to a much narrower subset of entities. The FDBR would go into effect on July 1, 2024. All commercial entities that store electronic data regarding Floridians are already subject to Section 501.171 of the Florida Information Protection Act (FIPA), which requires "covered entities" to take "reasonable measures" to protect and secure data containing personal information, and in the event of a data breach, follow reporting requirements. FDBR would expand FIPA's definition of personal information beyond things like Social Security numbers, government IDs and financial account information to include biometric and geolocation data.
If enacted, the FDBR would apply to a “controller,” meaning an entity that conducts business in Florida, collects personal data about consumers, makes in excess of $1 billion in global gross annual revenues and satisfies at least one of the following: (1) derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online; (2) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or (3) operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install. “Consumer” means an individual resident or domiciled in Florida and does not include an individual acting in a commercial or employment context.
The FDBR would require controllers to: (1) provide a privacy notice with certain specified content; (2) establish a secure and reliable means for consumers to exercise their privacy rights under the law; (3) obtain a consumer’s consent to process sensitive data; (4) enter into contracts with its processors; and (5) conduct and document data protection assessments.
The FDBR also uniquely would require a controller that operates a search engine to make available on its website “an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results.” Controllers would not be required to disclose algorithms or any other information that, “with reasonable certainty, would enable deception of or harm to consumers through the manipulation of search results.”
The FDBR would provide consumers the right to (1) confirm whether a controller is processing the consumer’s personal data and to access the personal data; (2) correct inaccuracies in the consumer’s personal data; (3) delete any or all personal data provided by or obtained about the consumer; (4) obtain a copy of the consumer’s personal data; (5) opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer; (6) opt out of the collection or processing of sensitive data; and (7) opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
The FDBR would provide for enforcement by the Florida Department of Legal Affairs, civil penalties of up to $50,000 per violation, and tripled penalties for certain violations, such as those involving a known child.
The FDBR would:
Not contain a private right of action;
Provide for the Department to adopt implementing rules; and
Permit but not require the Department to provide a 45-day period to cure an alleged violation.
Government Moderation of Social Media
S.B. 262 would prohibit a governmental entity from communicating with a social media platform to request that it remove content or accounts from the platform, and from initiating or maintaining any agreements or working relationships with a social media platform for the purpose of content moderation (subject to certain exceptions). In addition to the FDBR, S.B. 262 also contains provisions relating to government moderation of social media and protection of children in online spaces.
Protection of Children in Online Spaces
S.B. 262 would impose restrictions on an online platform that provides an online service, product, game or feature “likely to be predominantly accessed by children” relating to:
Processing the personal information of a child;
Profiling a child;
Collecting, selling, sharing or retaining any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged;
Using the personal information of a child for any reason other than the reason for which the personal information was collected;
Collecting, selling, or sharing any precise geolocation data of children;
Using dark patterns to lead or encourage children to take certain actions; and
Using any personal information collected to estimate age or age range.
For violations of these provisions, S.B. 262 would provide for the same enforcement provisions as those in the FDBR, including exclusive enforcement by the Florida Department of Legal Affairs, civil penalties of up to $50,000 per violation, tripled penalties for certain violations, and a permitted 45-day cure period.
Data Breach Notifications
The FDBR amends the state's data breach notification law. Florida's data breach statute previously identified the following categories of data as personal information that, if compromised, could potentially trigger a data breach notification requirement: government identifiers (e.g., Social Security number, a driver license or identification card number, a passport number, military identification number); certain financial account numbers and access codes; medical data and health insurance policy numbers; and certain usernames or e-mail addresses in conjunction with their passwords.
The FDBR expanded this list of protected personal data to include an individual's biometric data and any information regarding an individual's geolocation, when connected to an individual's name.
Data Protection Assessments
As discussed above, FIPA already requires companies to "take reasonable measures to protect and secure data … containing personal information," and S.B. 262 would require controllers to develop and implement reasonable data security practices.
The bill adds the requirement to conduct and document data protection assessments for certain processing activities involving personal data. Activities that require an assessment include sensitive data processing and processing activities for data sales, targeted advertising and profiling that "presents reasonably foreseeable or heightened risk of harm to consumers."
Controllers are required to address and consider a number of factors impacting risks associated with data collection and processing, and reasonable expectations of consumers, but S.B. 262 does not state how often such assessments must be conducted, or whether or how long the assessment must be preserved. However, the bill provides the Florida attorney general with the authority to request such assessments.