Securiti Tops DSPM ratings by GigaOm

View

Florida’s Digital Bill of Rights (FDBR): Who Needs to Comply?

By Anas Baig | Reviewed By Adeel Hasan
Published June 21, 2023 / Updated June 28, 2024

I. Introduction

On June 6, 2023, Florida’s Governor Ron DeSantis signed Senate Bill 262 into law, which contains Florida’s Digital Bill of Rights (FDBR), making Florida the latest US state to have a comprehensive data privacy law. The law is set to take effect from July 1, 2024.

A billion-dollar gross revenue threshold makes the FDBR reach far more conservative than the other US state data privacy laws and makes it inapplicable to most of the small to medium-sized businesses operating in the state of Florida.

II. Who Needs to Comply with the FDBR

A. Material Scope

The law applies only to a person who:

  1. conducts business in Florida or produces a product or service used by the residents of Florida; and
  2. processes or engages in the sale of personal data.

A business, including a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity, is a ‘controller’ and subject to most of the obligations under the FDBR if it:

  • Is organized or operated for the profit or financial benefit of its shareholders or owners;
  • Conducts business in this state;
  • Collects personal data about consumers, or is the entity on behalf of which such information is collected;
  • Determines the purposes and means of processing personal data about consumers alone or jointly with others;
  • Makes more than $1 billion in global gross annual revenues; and
  • Meets at least one of the following:
    • Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;
    • Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. This excludes a motor vehicle or speaker or device associated with or connected to a vehicle that is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or
    • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

B. Exemptions

The law does not apply to:

  • a state agency or a political subdivision of Florida;
  • a financial institution subject to Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
  • a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (HHS), established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • a nonprofit organization;
  • a postsecondary educational institution; and
  • the processing of personal data:
    • By a person in the course of a purely personal or household activity; and
    • Solely for measuring or reporting advertising performance, reach or frequency.

The following information is also exempt from the application of the FDBR:

  • Medical data covered under any medical laws: Many forms of health information, records, data, and documents protected and covered under HIPAA or other federal or state medical/healthcare laws;
  • Personal data used for research: Identifiable private information collected, used, or shared in research conducted in accordance with applicable laws;
  • FCRA-covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting to the extent the activity is authorized and regulated by the federal Fair Credit Report Act (FCRA);
  • GLBA data: Financial data subject to Title V of the federal Gramm-Leach-Bliley Act;
  • Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
  • FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
  • FCA data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (FCA);
  • Employment data: Personal data maintained for employment records;
  • ADA data: Personal data collected, processed, sold, or disclosed in relation to price, route, or service as those terms are used in the Airline Deregulation Act (ADA), 49 U.S.C. ss. 40101 et seq., by entities subject to that act, to the extent the provisions of FDBR are preempted by 49 U.S.C. s. 41713;
  • Personal data used for payment: Personal data collected and transmitted which is necessary for the sole purpose of sharing such personal data with a financial service provider solely to facilitate short-term, transactional payment processing for the purchase of products or services; and
  • Personal data shared between a manufacturer and distributors: Personal data shared between a manufacturer of a tangible product and authorized third-party distributors or vendors of the product, as long as such personal data is used solely for advertising, marketing, or servicing the product that is acquired directly through such manufacturer and such authorized third-party distributors or vendors.

III. Definitions of key terms

A. Personal Data

Any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information.

B. Sensitive Data

A category of personal data which includes any of the following:

  • Personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual;
  • Personal data collected from a known child; and
  • Precise geolocation data.

C. Biometric Data

Data generated by automatic measurements of an individual’s biological characteristics, including the fingerprints, voiceprints, eye retinas or irises, or other unique biological patterns or characteristics used to identify a specific individual. The term does not include physical or digital photographs, video or audio recordings or data generated from video or audio recordings, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

When referring to a consumer, consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act. Consent does not include the following:

  • Acceptance of general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • Hovering over, muting, pausing, or closing a given piece of content; and
  • Agreement obtained through the use of dark patterns.

E. Consumer

An individual who is a resident of or is domiciled in Florida acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.

F. Child

Child or children means an individual younger than 18 years of age.

G. Dark Pattern

A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice and includes, but is not limited to, any practice the Federal Trade Commission refers to as a dark pattern.

H. Personal Information

Any information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.

I. Search Engine

Technology and systems that use algorithms to sift through and index vast third-party websites and content on the Internet in response to search queries entered by a user. The term does not include the license of search functionality for the purpose of enabling the licensee to operate a third-party search engine service in circumstances where the licensee does not have legal or operational control of the search algorithm, the index from which results are generated, or the ranking order in which the results are provided.

J. Voice Recognition Feature

The function of a device that enables the collection, recording, storage, analysis, transmission, interpretation, or other use of spoken words or other sounds.

IV. Obligations for Organizations Under FDBR

A. Data Minimization and Purpose Limitation

A controller must limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed, as disclosed to the consumer.

B. Security Measures

To protect the confidentiality, integrity, and accessibility of personal data, the controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.

C. Non-Discrimination Requirements

Controllers must not process the consumers' personal data in violation of the state or federal laws that prohibit unlawful discrimination against the consumers.

Further, the controllers must not discriminate against a consumer for exercising any of their rights, including being denied products or services, being charged a different price or rate for the same goods or services, or being provided with inferior goods or services. If the consumer gives the controller prior consent that specifically outlines the key conditions of the financial incentive program, and as long as the incentive practices are not unfair, unreasonable, coercive, or usurious in nature, the controller may offer financial incentives, including payments to consumers as compensation, for the processing of personal data.

Without the consumer's consent, controllers are not allowed to process a consumer's personal data for a reason that is neither reasonably necessary nor compatible with the purpose for which the data was originally collected.

Additionally, a controller cannot process sensitive data about a consumer without the consumer's consent. The federal Children's Online Privacy Protection Act (COPPA) must be followed when processing sensitive data of a known child.

E. Methods for Submission of DSR Requests

Controllers must establish two or more methods to enable the consumers to submit a request to exercise their consumer rights under the FDBR. Such methods must be secure, reliable, and clearly and conspicuously accessible and must take into account the following:

  • the ways in which the consumers normally interact with the controller;
  • the necessity for secure and reliable communications of those requests; and
  • the ability of the controller to authenticate the identity of the consumer making the request.

F. Privacy Notice Requirements

Controllers must provide consumers with a reasonably accessible and clear privacy notice, updated at least annually, that includes all of the following information:

  1. The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;
  2. The purpose of processing personal data;
  3. How consumers may exercise their rights, including the process by which they may appeal a controller’s decision concerning the consumer’s request;
  4. If applicable, the categories of personal data that the controller shares with third parties;
  5. If applicable, the categories of third parties with whom the controller shares personal data; and
  6. A description of the methods specified by which consumers can submit requests to exercise their consumer rights.

When engaging in the sale of sensitive personal data:

If a controller engages in the sale of personal data that is sensitive data, the controller must provide the following notice:

“NOTICE: This website may sell your sensitive personal data."

When engaging in the sale of personal data that is biometric data:

If a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice:

“NOTICE: This website may sell your biometric personal data."

When processing personal data for targeted advertising or selling it to third parties, a controller must make that processing transparent to consumers and make it easy for them to exercise their right to opt-out. Without informing the consumer, a controller cannot obtain more categories of personal information or use the information for new uses.

G. Requirements for Controllers Operating Search Engines

Controllers operating a search engine must make available, in an easily accessible location on the web page, which does not require a consumer to log in or register to read, an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results. Algorithms are not required to be disclosed, nor is any other information that, with reasonable certainty, would enable deception of or harm to consumers through the manipulation of search results.

H. Data Protection Impact Assessment

Controllers must carry out and record a data protection assessment (DPA) for each of the following personal data processing activities generated on or after July 1, 2023:

  • Processing personal data for the purposes of targeted advertising;
  • Sale of personal data;
  • Processing of personal data to profile consumers, especially if the profiling presents a reasonably foreseeable risk of:
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial, physical, or reputational injury to consumers;
    • Physical or other intrusions upon the solitude or seclusion, or the private affairs or concerns, of consumers; or
    • Other substantial injury to consumers;
  • Processing sensitive data; and
  • Any other processing of personal data that presents a heightened risk of harm to consumers.

A DPA must do all of the following:

  • Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce such risks;
  • Factor into the assessment the following:
    • The use of deidentified data;
    • The reasonable expectations of consumers;
    • The context of the processing; and
    • The relationship between the controller and the consumer whose personal data will be processed.

A DPA carried out by the controller to comply with other regulations may also be used for the purposes of FDBR if the DPA has a reasonably comparable scope and effect to a DPA conducted under the provisions of FDBR and the controller may address a comparable set of processing operations which include similar activities within a single DPA.

I. Deidentified or Pseudonymous Data Requirements

A controller in possession of de-identified data must do all of the following:

  • take reasonable steps to ensure that the data cannot be used to identify a specific individual;
  • maintain and use the data in a de-identified form and must not attempt to re-identify the data, except that the controller may attempt to re-identify the data solely for the purpose of determining whether its de-identification processes satisfy the requirements of the FDBR;
  • contractually obligate any recipient of the de-identified data to comply with the provisions of the FDBR; and
  • implement business processes to prevent the inadvertent release of deidentified data.

V. Data Processor Responsibilities

A. Assistance to Controller

A processor is required to comply with a controller's instructions and assist the controller in fulfilling its responsibilities, which include:

  • assisting the controller in responding to consumer rights requests;
  • assisting the controller in complying with the requirement pertaining to the security of processing personal data and the notification of a system security breach by taking into account the nature of processing and the information at the processor's disposal; and
  • providing the controller the data necessary to conduct and document data protection assessments.

B. Processing under Contract

The processor must be required to process the personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor. The contract must include all of the following information:

  • clear instructions for processing data;
  • the nature and purpose of processing;
  • the type of data subject to processing;
  • the duration of the processing;
  • the rights and obligations of both the parties; and
  • a requirement that the processor shall:
    • ensure the confidentiality of the personal data;
    • delete or return the personal data to the collector on the direction of the controller, unless retention of personal data is required by the law;
    • upon reasonable request from the controller, make available all the information in possession necessary to demonstrate compliance with its obligations;
    • allow the controller to conduct an assessment, or arrange for a qualified and independent assessor to conduct an assessment, of the processor's policies and technical and organizational measures in support of the processor's obligations; and
    • engage any subcontractor or agent through a written instrument requiring them to fulfill obligations towards the personal data.

VI. Data Subject Rights

A. Right to Access

Consumers have the right to access their personal data.

B. Right to Confirm

Consumers have the right to confirm whether a controller is processing their personal data.

C. Right to Correct Inaccuracies

Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data.

D. Right to Delete

Consumers have the right to delete any or all personal data provided by or obtained about them.

E. Right to Obtain a Copy

Consumers have the right to obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format.

F. Right to Opt-Out of the Processing

Consumers have the right to opt-out of the processing of their personal data for purposes of:

  • Targeted advertising;
  • The sale of personal data; or
  • Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

G. Right to Opt-Out of the Collection of Sensitive Data

Consumers have the right to opt-out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data.

H. Right to Opt-Out of the Collection of Personal Data

Consumers have the right to opt-out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.

How to exercise consumer rights:

Consumers have the right to exercise their rights at any time by making a request in writing to the controller that specifically lists the rights they want to exercise. A parent or legal guardian of the child may exercise these rights on the child's behalf concerning the processing of the personal data of a known child.

Controller’s response to data subject rights:

The controller must fulfill any request made by a consumer to exercise their rights. A controller must reply to a consumer request promptly but no later than 45 days after the date the request was received. As long as the controller notifies the consumer of the extension within the initial 45-day response period, along with the justification for the extension, the controller may extend the response period once by an additional 15 days when it is deemed reasonably necessary, taking into account the complexity and volume of the consumer's requests.

If a controller declines to act on a consumer's request, the controller must promptly notify the consumer of the reason(s) why and give instructions on how to appeal the decision. This notification must occur no later than 45 days after the date the request was received.

To verify the consumer and the consumer's request, a controller must reasonably attempt to request that the consumer give any additional information that is required. A controller can decline a consumer's request and require that the consumer update his or her own personal data through a self-service mechanism if the controller keeps such a system in place to allow a consumer to correct particular personal data. The notice that the controller has complied with the consumer's request must be given to the consumer within 60 days of receiving the request.

A controller must respond to a consumer request for information or action without charge at least twice per year for each consumer. Consumers may be charged a fair fee to offset the administrative costs of complying with clearly unjustified, excessive, or recurrent requests, or the controller may choose not to act on the request altogether. The obligation of proving that a request is plainly baseless, disproportionate, or recurrent rests with the controller.

Appeal process:

When a consumer receives a decision from a controller, the controller must provide a procedure for the consumer to appeal the controller's refusal to act on the request within a reasonable amount of time. The procedure for filing an appeal must be readily accessible, similar to the procedure for taking steps to exercise consumer rights. Within 60 days of the appeal's receipt, the controller must provide written notice to the consumer of any action taken or not taken in response to the appeal, along with a documented justification for the decision.

VII. Limitations

The obligations imposed under FDBR do not restrict a controller’s or a processor's ability to:

  • Comply with federal, state, or local laws, rules, or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Investigate, establish, exercise, prepare for, or defend legal claims;
  • Provide a product/service specifically requested by a consumer, perform a contract, fulfill the terms of a written warranty, or take steps at the request of the consumer before entering into a contract;
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual and in which the processing cannot be manifestly based on another legal basis;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity;
  • Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security;
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines if:
    • Deletion of the information is likely to provide substantial benefits to the controller;
    • The expected benefits of the research outweigh the privacy risks;
    • The controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including risks associated with reidentification;
  • Assist another controller, processor, or third party with their obligations under the FDBR;
  • Provide personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of Florida as part of a privileged communication;
  • Disclose personal data disclosed when a consumer uses or directs the controller to intentionally disclose information to a third party or uses the controller to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party, by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party; and
  • Transfer personal data to a third party as an asset that is part of a merger, an acquisition, a bankruptcy, or other transaction in which the third party assumes control of all or part of the controller, provided that the information is used or shared in a manner consistent with this part. If a third party materially alters how it uses or shares the personal data of a consumer in a manner that is materially inconsistent with the commitments or promises made at the time of collection, it must provide prior notice of the new or changed practice to the consumer. The notice must be sufficiently prominent and robust to ensure that consumers can easily exercise choices consistent with the FDBR.

The requirements imposed on controllers and processors under this part may not restrict a controller’s or processor’s ability to collect, use, or retain data to do any of the following:

  • Conduct internal research to develop, improve, or repair products, services, or technology.
  • Effect a product recall.
  • Identify and repair technical errors that impair existing or intended functionality.
  • Perform internal operations that are:
    • Reasonably aligned with the expectations of the consumer;
    • Reasonably anticipated based on the consumer’s existing relationship with the controller;
    • Otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Similarly, any obligations placed on a controller or a processor under FDBR do not apply if:

  • compliance by the controller or processor would adversely affect the rights or freedoms of a person, including the right to free speech; and
  • compliance by the controller, processor, or third party requires them to disclose a trade secret.

VIII. Regulatory Authority

The Florida Department of Legal Affairs (DLA) is the regulatory authority responsible for enforcing the law.

If the DLA has reason to believe that a person is in violation of the FDBR, the department may notify the person of the violation and may bring an action against such person for an unfair or deceptive act or practice.

After the DLA has notified a person in writing of an alleged violation, the DLA may grant a 45-day period to cure the alleged violation; however, no cure period is granted for the violations involving a Florida consumer who is a known child. If the alleged violation is cured to the satisfaction of the DLA and proof of such cure is provided to the DLA, the DLA may not bring an action for the alleged violation but, at its discretion, may issue a letter of guidance that indicates that the person will not be offered a 45-day cure period for any future violations. However, if the person fails to cure the alleged violation within 45 calendar days, the department may bring an action on behalf of a consumer against such person for the alleged violation.

IX. Penalties for Non-compliance

A violation of the FDBR is an unfair and deceptive trade practice actionable solely by the DLA. The DLA may collect a civil penalty of up to $50,000 for each violation of the provisions of the FDBR. Civil penalties may be tripled for any of the following violations:

  1. A violation involving a Florida consumer who is a known child. A controller that willfully disregards the consumer’s age is deemed to have actual knowledge of the consumer’s age.
  2. Failure to delete or correct the consumer’s personal data after receiving an authenticated consumer request or directions from a controller to delete or correct such personal data, unless an exception applies to the requirements to delete or correct such personal data.
  3. Continuing to sell or share the consumer’s personal data after the consumer chooses to opt-out.

X. How an Organization Can Operationalize the FDBR

Organizations can operationalize the FDBR by:

  • Establishing policies and procedures for processing data in compliance with the requirements of the FDBR;
  • Developing clear and accessible privacy notices in compliance with the requirements of the FDBR;
  • Obtaining informed consent from individuals before processing their sensitive personal data;
  • Developing a robust framework for receiving and processing data requests and complaints from consumers; and
  • Training employees who handle the consumers’ data on the organization's policies and procedures, as well as the requirements of the FDBR.

XI. How Can Securiti Help

Securiti’s Data Command Center framework enables organizations to comply with Florida’s Digital Bill of Rights (FDBR) by securing the organization’s data and maximizing data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.

Share

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

What's
New