On June 6, 2023, Florida’s Governor Ron DeSantis signed Senate Bill 262 into law, which contains Florida’s Digital Bill of Rights (FDBR), making Florida the latest US state to have a comprehensive data privacy law. The law is set to take effect from July 1, 2024.
A billion-dollar gross revenue threshold makes the FDBR's reach far narrower than that of the other US state data privacy laws and makes it inapplicable to most small and medium-sized businesses operating in the state of Florida.
The law applies only to a person who:
A business, including a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity, is a ‘controller’ and subject to most of the obligations under the FDBR if it:
The law does not apply to:
The following information is also exempt from the application of the FDBR:
Any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information.
A category of personal data which includes any of the following:
Data generated by automatic measurements of an individual’s biological characteristics, including the fingerprints, voiceprints, eye retinas or irises, or other unique biological patterns or characteristics used to identify a specific individual. The term does not include physical or digital photographs, video or audio recordings or data generated from video or audio recordings, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
When referring to a consumer, consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act. Consent does not include the following:
An individual who is a resident of or is domiciled in Florida acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
Child or children means an individual younger than 18 years of age.
A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes, but is not limited to, any practice the Federal Trade Commission refers to as a dark pattern.
Any information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.
Technology and systems that use algorithms to sift through and index vast third-party websites and content on the Internet in response to search queries entered by a user. The term does not include the license of search functionality for the purpose of enabling the licensee to operate a third-party search engine service in circumstances where the licensee does not have legal or operational control of the search algorithm, the index from which results are generated, or the ranking order in which the results are provided.
The function of a device that enables the collection, recording, storage, analysis, transmission, interpretation, or other use of spoken words or other sounds.
A controller must limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed, as disclosed to the consumer.
To protect the confidentiality, integrity, and accessibility of personal data, the controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.
Controllers must not process the consumers' personal data in violation of the state or federal laws that prohibit unlawful discrimination against the consumers.
Further, the controllers must not discriminate against a consumer for exercising any of their rights, including being denied products or services, being charged a different price or rate for the same goods or services, or being provided with inferior goods or services. If the consumer gives the controller prior consent that specifically outlines the key conditions of the financial incentive program, and as long as the incentive practices are not unfair, unreasonable, coercive, or usurious in nature, the controller may offer financial incentives, including payments to consumers as compensation, for the processing of personal data.
Without the consumer's consent, controllers are not allowed to process a consumer's personal data for a reason that is neither reasonably necessary nor compatible with the purpose for which the data was originally collected.
Additionally, a controller cannot process sensitive data about a consumer without the consumer's consent. The federal Children's Online Privacy Protection Act (COPPA) must be followed when processing sensitive data of a known child.
Controllers must establish two or more methods to enable the consumers to submit a request to exercise their consumer rights under the FDBR. Such methods must be secure, reliable, and clearly and conspicuously accessible and must take into account the following:
Controllers must provide consumers with a reasonably accessible and clear privacy notice, updated at least annually, that includes all of the following information:
When engaging in the sale of sensitive personal data:
If a controller engages in the sale of personal data that is sensitive data, the controller must provide the following notice:
“NOTICE: This website may sell your sensitive personal data.”
When engaging in the sale of personal data that is biometric data:
If a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice:
“NOTICE: This website may sell your biometric personal data.”
When processing personal data for targeted advertising or selling it to third parties, a controller must make that processing transparent to consumers and make it easy for them to exercise their right to opt-out. Without informing the consumer, a controller cannot obtain more categories of personal information or use the information for new uses.
Controllers operating a search engine must make available, in an easily accessible location on the web page, which does not require a consumer to log in or register to read, an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results. Algorithms are not required to be disclosed, nor is any other information that, with reasonable certainty, would enable deception of or harm to consumers through the manipulation of search results.
Controllers must carry out and record a data protection assessment (DPA) for each of the following personal data processing activities generated on or after July 1, 2023:
A DPA must do all of the following:
A DPA carried out by the controller to comply with other regulations may also be used for the purposes of the FDBR if it has a reasonably comparable scope and effect to a DPA conducted under the provisions of the FDBR. A controller may also address a comparable set of processing operations that include similar activities within a single DPA.
A controller in possession of de-identified data must do all of the following:
A processor is required to comply with a controller's instructions and assist the controller in fulfilling its responsibilities, which include:
A contract between the controller and the processor must govern the processor's processing of personal data on behalf of the controller. The contract must include all of the following information:
Consumers have the right to access their personal data.
Consumers have the right to confirm whether a controller is processing their personal data.
Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data.
Consumers have the right to delete any or all personal data provided by or obtained about them.
Consumers have the right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format.
Consumers have the right to opt out of the processing of their personal data for purposes of:
Consumers have the right to opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data.
Consumers have the right to opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.
How to exercise consumer rights:
Consumers have the right to exercise their rights at any time by making a request in writing to the controller that specifically lists the rights they want to exercise. A parent or legal guardian of the child may exercise these rights on the child's behalf concerning the processing of the personal data of a known child.
Controller’s response to data subject rights:
The controller must fulfill any request made by a consumer to exercise their rights. A controller must reply to a consumer request promptly, and no later than 45 days after the date the request was received. The controller may extend the response period once by an additional 15 days when reasonably necessary, taking into account the complexity and volume of the consumer's requests, provided that it notifies the consumer of the extension, along with the justification for it, within the initial 45-day response period.
If a controller declines to act on a consumer's request, the controller must promptly notify the consumer of the reason(s) why and give instructions on how to appeal the decision. This notification must occur no later than 45 days after the date the request was received.
To verify the consumer and the consumer's request, a controller must reasonably attempt to request that the consumer give any additional information that is required. A controller can decline a consumer's request and require that the consumer update his or her own personal data through a self-service mechanism if the controller keeps such a system in place to allow a consumer to correct particular personal data. The notice that the controller has complied with the consumer's request must be given to the consumer within 60 days of receiving the request.
A controller must respond to a consumer request for information or action without charge at least twice per year for each consumer. Consumers may be charged a fair fee to offset the administrative costs of complying with clearly unjustified, excessive, or recurrent requests, or the controller may choose not to act on the request altogether. The obligation of proving that a request is plainly baseless, disproportionate, or recurrent rests with the controller.
When a consumer receives a decision from a controller, the controller must provide a procedure for the consumer to appeal the controller's refusal to act on the request within a reasonable amount of time. The procedure for filing an appeal must be readily accessible, similar to the procedure for taking steps to exercise consumer rights. Within 60 days of the appeal's receipt, the controller must provide written notice to the consumer of any action taken or not taken in response to the appeal, along with a documented justification for the decision.
The obligations imposed under FDBR do not restrict a controller’s or a processor's ability to:
The requirements imposed on controllers and processors under the FDBR may not restrict a controller’s or processor’s ability to collect, use, or retain data to do any of the following:
Similarly, any obligations placed on a controller or a processor under FDBR do not apply if:
The Florida Department of Legal Affairs (DLA) is the regulatory authority responsible for enforcing the law.
If the DLA has reason to believe that a person is in violation of the FDBR, the department may notify the person of the violation and may bring an action against such person for an unfair or deceptive act or practice.
After the DLA has notified a person in writing of an alleged violation, the DLA may grant a 45-day period to cure the alleged violation; however, no cure period is granted for the violations involving a Florida consumer who is a known child. If the alleged violation is cured to the satisfaction of the DLA and proof of such cure is provided to the DLA, the DLA may not bring an action for the alleged violation but, at its discretion, may issue a letter of guidance that indicates that the person will not be offered a 45-day cure period for any future violations. However, if the person fails to cure the alleged violation within 45 calendar days, the department may bring an action on behalf of a consumer against such person for the alleged violation.
A violation of the FDBR is an unfair and deceptive trade practice actionable solely by the DLA. The DLA may collect a civil penalty of up to $50,000 for each violation of the provisions of the FDBR. Civil penalties may be tripled for any of the following violations:
Organizations can operationalize the FDBR by:
Securiti’s Unified Data Controls framework enables organizations to comply with Florida’s Digital Bill of Rights (FDBR) by securing the organization’s data, maximizing data value, and fulfilling the organization’s obligations around data security, data privacy, data governance, and compliance.
It helps organizations overcome the challenges of hyperscale data environments by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling them to comply swiftly with privacy, security, governance, and compliance requirements.