Clifford Chance

On June 6, 2023, Florida became the tenth state in the U.S. to enact comprehensive data privacy legislation with Florida Governor, Ron DeSantis, signing Florida Senate Bill 262 (the Florida Digital Bill of Rights or FLDBOR). The FLDBOR will come into effect on July 1, 2024. The FLDBOR joins other U.S. state data privacy laws that are either in effect or will soon come into force (together with the FLDBOR, the "State Data Privacy Laws"). This article summarizes key provisions of the FLDBOR.

Scope and Applicability

The FLDBOR applies to any person that:

• conducts business in Florida or produces products or services "used" by Florida residents 
• processes or engages in the "sale" of personal data. 

In contrast to most other State Data Privacy Laws, the FLDBOR does not include a data processing or revenue threshold for applicability purposes (except as described below) and applies to persons that produce products or services "used" by residents of Florida (which is likely broader than entities that "target" products or services at a state's consumers under other State Data Privacy Laws).

However, the FLDBOR is similar to most other State Data Privacy Laws with respect to certain exclusions and exemptions. For example, the FLDBOR only applies to personal data collected from "an individual who is a resident of or is domiciled in [the] state" and, and like most other State Data Privacy Laws other than the California Consumer Privacy Act and California Privacy Rights Act, expressly excludes personal data collected or processed in a commercial or employment context (e.g., business-to-business activities). The FLDBOR also includes typical exemptions in line with other State Data Privacy Laws, such as for state subdivisions or entities, nonprofit organizations, institutions of higher education, and any information or data regulated by certain other privacy laws, including the Health Insurance Portability and Accountability Act of and the Gramm-Leach-Bliley Act.

Controller and Processor Regime

The FLDBOR, like certain other State Data Privacy Laws, contains the regulatory framework of the European Union's General Data Protection Regulation, which distinguishes roles and responsibilities between controllers and processors.  In contrast to most other State Data Privacy Laws, the FLDBOR significantly limits the definition of "controller" through revenue thresholds and product or service requirements. A "controller" is an entity that:

• is organized or operated for the profit or financial benefit of its shareholders or owners
• conducts business in the state
• collects personal data about consumers, or is the entity on behalf of which such information is collected
• determines the purposes and means of processing personal data about consumers alone or jointly with others
• makes in excess of $1 billion in global gross annual revenues
• satisfies at least one of the following: (a) derives fifty percent (50%) or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising; (b) operates a consumer smart speaker and voice command service with integrated virtual assistant connected to a cloud computing services that uses hands-free verbal activation; or (c) operates an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

The FLDBOR defines "processor" as a person who processes personal data on behalf of a controller. Practically speaking, these definitions mean that the FLDBOR is narrower than most other State Data Privacy Laws and will likely only apply to "Big Tech" companies and their service providers.

The FLDBOR requires controllers to provide consumers with a reasonably accessible and clear privacy notice, which, among other things, discloses:

• the categories of personal data processed by the controller
• the purpose of such processing
• how consumers may exercise their privacy rights. The privacy notice must be updated at least annually, a requirement analogous to that under the California Consumer Privacy Act and California Privacy Rights Act.

Controllers may only process personal data to the extent such processing is "reasonably necessary and proportionate" and "adequate, relevant, and limited to what is necessary" for the certain specified purposes, including the purposes disclosed to consumers. Controllers are required implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and reduce reasonably foreseeable risks of harm to consumers.

Similar to certain other State Data Privacy Laws, the FLDBOR requires that controllers conduct and document data protection assessments in connection with certain processing activities, such as processing personal data for targeted advertising or certain profiling purposes, selling personal data, processing sensitive data, or any other processing activity that presents a heightened risk of harm to consumers. A data protection assessment must identify and weigh the benefits of the processing activity with potential risks to consumers (as mitigated by the safeguards employed by the controller related to such risks). Data protection assessment obligations under the FLDBOR apply to activities generated on or after July 1, 2023. Controllers may use data protection assessments created pursuant to other laws with similar requirements, including other relevant State Date Privacy Laws, for FLDBOR compliance purposes.

Like most other State Data Privacy Laws, the FLDBOR requires controllers and processors to enter into a written contract, which governs the processor's data processing procedures performed on behalf of the controller. These contractual provisions must clearly set out instructions for the processing of applicable data, describe the type of data subject to and the duration, nature, and purpose of such processing, and specify the rights and obligations of each party. Processors must be subject to a duty of confidentiality with respect to the applicable data and enter into subcontracts with sub-processors to ensure similar protections. Processors also must adopt reasonable administrative, technical, and physical safeguards to protect personal data and reduce reasonably foreseeable risks of harm to consumers. Processors are required to assist controllers with complying with applicable obligations: (a) under the FLDBOR (e.g., responding to consumer rights requests and completing data protection assessments); and (b) related to the security of personal data processing and notification of security breaches under Florida Statutes § 501.171.

Consumer Rights and Requests

The FLDBOR provides a variety of individual consumer rights that align with other State Data Privacy Laws. The rights under the FLDBOR provide consumers with a right to access, obtain a copy of, delete, correct inaccuracies in their personal data, and to opt-out of the selling and/or sharing of personal data for targeted advertising. The FLDBOR also grants a unique right to consumers for opting out of the collection of personal data specifically from voice or facial recognition technologies.

The FLDBOR permits parents and guardians to exercise rights on behalf of their children. In contrast to most other State Data Privacy Laws, the FLDBOR defines "child" as any consumer under the age of eighteen (18). While the FLDBOR requires controllers to comply with Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (COPPA) for the processing data of children under the age of thirteen (13), controllers must also obtain "affirmative authorization" to process personal data collected from children between thirteen (13) and eighteen (18) years old. 

The FLDBOR grants consumers certain rights with respect to other "sensitive data." The FLDBOR's definition of "sensitive data" is similar to those in most other State Data Privacy Laws, which encompass a consumer's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data. Like other State Data Privacy Laws, such as the Virginia Consumer Data Protection Act, the FLDBOR provides an "opt-in" regime, where controllers may not process a consumer's sensitive data "without obtaining the consumer's consent." However, the FLDBOR also provides consumers with an express "opt-out" right in connection with collection and/or processing of any sensitive data.

Right to Appeal

Under the FLDBOR, a controller must respond to a consumer's request to exercise their right within forty-five (45) days of receipt of such request. A controller can extend the response period by an additional fifteen (15) days when reasonably necessary and in consideration of the complexity and number of consumer requests within the initial forty-five (45) day period by providing notice and an explanation to the consumer. The FLDBOR also expressly requires that controllers also provide (a potentially separate and distinct) notice to the consumer within sixty (60) days of receipt of the consumer's request that the controller has complied with the relevant requirements of the FLDBOR. Like other State Data Privacy Laws, if the controller denies the consumer of their request, the controller must offer a right of appeal that is conspicuously available and similar to the process for submitting consumer request. Within sixty (60) days of receipt of an appeal request, a controller must inform the consumer of any action taken or not taken in response to the appeal. In contrast to most other State Data Privacy Laws, the FLDBOR does not expressly require controllers to provide the consumer with a mechanism to contact a regulatory authority (e.g., Attorney General) if the appeal is denied.

Selling Personal Data

The FLDBOR defines the "sale of personal data" as "the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by a controller to a third party." The FLDBOR also provides exceptions to the "sale of personal data" in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal data:

• to a processor that processes personal data on behalf of the controller 
• to a third party for purposes of providing a product or service requested by the consumer
• that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience 
• to a third party as an asset that is part of a merger or an acquisition.

As noted above, controllers must provide consumers with the ability to opt-out of the selling of their personal data, but the FLDBOR does not provide any additional guidance on how controllers must offer and process such consumer opt-out requests from a technical perspective. However, to the extent that a controller "sells" sensitive data or biometric data, the FLDBOR also requires an express disclosure in privacy notices that states: "NOTICE: This website may sell your sensitive personal data" or "NOTICE: This website may sell your biometric personal data", respectively.

Targeted Advertising

The FLDBOR defines "targeted advertising" as "displaying to a consumer an advertisement selected based on personal data obtained from that consumer's activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer's preferences or interests." As such, the FLDBOR definition of "targeted advertising" is likely broader than those seen in most other State Data Privacy Laws since it includes personal data collected across controller's "affiliated" websites and applications. However, like most other State Data Privacy Laws, the FLDBOR expressly excludes certain activities from the definition of "targeted advertising," such as advertisements:

• based on the context of a consumer's current search query on the controller's own website or online application
• directed to a consumer search query on the controller's own website or online application in response to the consumer's request for information or feedback. 

The FLDBOR also imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.

Deidentified Data, Pseudonymous Data, and Aggregate Customer Information

The FLDBOR defines "deidentified data" as data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual, and such data is expressly excluded from the definition of "personal data." Similar to certain other State Data Privacy Laws, the FLDBOR requires that controllers in possession of deidentified data:

• take reasonable measures to ensure that such data cannot be associated with an individua
• maintain and use such data in deidentified form
• contractually obligate any recipient of such data to comply with the applicable FLDBOR requirements
• implement business processes to prevent the inadvertent release of deidentified data. 
• Additionally, in contrast to requirements under some other State Data Privacy Laws, such as the Virginia Consumer Data Protection Act, Utah Consumer Privacy Act, and Connecticut Data Privacy Act, controllers are not required to "publicly commit" not to re-identify any deidentified data.

The FLDBOR defines "pseudonymous data" as personal data that cannot be attributed to a specific individual without the use of additional information. The FLDBOR also uniquely defines "aggregate customer information" which encompasses information that relates to a group or category of consumers, from which the identity of an individual consumer has been removed and that is not reasonably capable of being associated or linked to any consumer, household, or device (excluding information about a group that facilitates targeted advertising or "personal information that has been deidentified"). Certain consumer rights (e.g., right to access, delete, opt-out, etc.) under the FLDBOR do not apply to pseudonymous data or aggregate customer information if the controller is able to demonstrate that any information necessary to identify the consumer is kept separate and subject to effective technical and organizational controls to prevent the controller from accessing the information.

The FLDBOR requires controllers that disclose pseudonymous data, deidentified data, and/or aggregate consumer information to exercise reasonable oversight to monitor compliance with any contractual commitments related to such data and to take appropriate actions to address any breaches of such contractual commitments.

Enforcement and Penalties

In contrast to the California Consumer Privacy Act and California Privacy Rights Act, the FLDBOR does not provide consumers with a private right of action and is not enforced by a dedicated privacy agency. Rather, the FLDBOR is enforced by the Florida Department of Legal Affairs (which includes the Florida Attorney General) which can bring action against violators for an unfair or deceptive act or practice, but only on behalf of a Florida consumer. Under the FLDBOR, the Florida Department of Legal Affairs may provide written notice of an alleged violation and grant a forty-five (45) day period to cure such alleged violation and issue a letter of guidance. In determining whether to grant a cure period, the Florida Department of Legal Affairs may consider factors such as the number and frequency of violations, the substantial likelihood of injury to the public, and the safety of persons or property.

If a violation remains uncured (or if a cure period is not granted), the Florida Department of Legal Affairs may initiate an action against the violator and recover up to $50,000 in civil penalties per violation. The FLDBOR also provides that such civil penalty amounts may be trebled if the violation involves:

• a consumer that is a known child
• a failure to delete or correct a consumer's personal data after receiving an authenticated consumer request (unless a statutory exception applies)
• the continued selling or sharing (note that "sharing" is not expressly defined under the FLDBOR, but likely relates to "targeted advertising" processing activities) the consumer's personal data after the consumer exercises their opt-out right.