Overview
The Florida Digital Bill of Rights (FDBR), signed into law in June 2023 and effective July 1, 2024, establishes data privacy protections for Florida residents. The FDBR is notable for its relatively high applicability thresholds, which limit its scope primarily to larger businesses and technology companies. It also includes specific provisions around children's data protection and surveillance technology that distinguish it from other state privacy laws.
The FDBR reflects Florida's approach of targeting major technology platforms while reducing the compliance burden on smaller businesses. Its provisions around children's online safety align with a broader national trend toward stricter protections for minors' data.
Who Does It Apply To?
The FDBR applies to organizations that meet all of the following criteria:
- Conduct business in Florida or produce products or services targeted to Florida residents
- Are not a governmental entity, nonprofit, financial institution, or HIPAA-covered entity
- Have annual global gross revenues exceeding $1 billion
- Meet one or more of these additional conditions:
  - Derive 50% or more of global gross revenue from the sale of online advertisements
  - Operate a consumer smart speaker and voice command service with an integrated virtual assistant
  - Operate an app store or digital distribution platform with at least 250,000 different software applications
Because of the $1 billion revenue threshold, the FDBR applies primarily to large technology companies, social media platforms, and major digital service providers. However, smaller organizations should still be aware of its requirements as they may apply through vendor relationships or platform dependencies.
Key Requirements
Privacy Notice
Covered organizations must provide a clear and accessible privacy notice that includes:
- Categories of personal data processed
- Purpose of data processing
- How consumers can exercise their rights under the FDBR
- Categories of third parties with whom personal data is shared
- A description of the process for appealing a denied consumer rights request
Consent for Sensitive Data
Processing sensitive data requires the consumer's opt-in consent. Sensitive data under the FDBR includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation or sex life
- Citizenship or immigration status
- Genetic or biometric data used to identify an individual
- Personal data of a known child under 18
- Precise geolocation data
Children's Data Protections
The FDBR includes specific protections for children:
- Controllers may not process personal data of a known child for targeted advertising without consent
- Social media platforms must not use personal data of a known child under 18 for profiling purposes
- Online platforms accessible to children must provide mechanisms for parents to access and delete their child's data
Surveillance Restrictions
The FDBR prohibits the use of voice recognition or facial recognition data collected through consumer smart speakers or connected devices without explicit consent. This provision specifically targets smart home devices and voice-activated assistants.
Data Security
Organizations must implement reasonable security practices to protect personal data, including administrative, technical, and physical safeguards appropriate to the volume and sensitivity of the data processed.
Individual Rights
Florida residents have the following rights under the FDBR:
- Right to know: Confirm whether a controller is processing their personal data and access that data
- Right to correct: Request correction of inaccurate personal data
- Right to delete: Request deletion of personal data held by the controller
- Right to data portability: Obtain a copy of previously provided personal data in a portable, readily usable format
- Right to opt out: Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling
- Right to opt out of surveillance: Opt out of the collection of personal data through voice recognition, facial recognition, and other biometric technologies in consumer devices
Enforcement and Penalties
The Florida Attorney General has exclusive enforcement authority:
- Cure period: Controllers must be given a 45-day notice and opportunity to cure alleged violations before the Attorney General takes enforcement action
- Civil penalties: Violations can result in civil penalties of up to $50,000 per violation, with treble damages (up to $150,000) for violations involving children's data
- Injunctive relief: The Attorney General can seek court orders to halt ongoing violations
- No private right of action: Individual consumers cannot bring lawsuits under the FDBR. Enforcement is exclusively through the Attorney General's office.
The elevated penalties for violations involving children's data reflect the FDBR's particular emphasis on protecting minors in digital environments.
How Apidly Helps
Apidly supports FDBR compliance with targeted tools:
- Applicability assessment evaluates whether your organization meets the FDBR's revenue and operational thresholds, helping you determine your specific compliance obligations
- Children's data management identifies processing activities involving known children under 18 and ensures appropriate consent mechanisms and profiling restrictions are in place
- Surveillance technology audit reviews your use of voice recognition, facial recognition, and biometric technologies to ensure compliance with the FDBR's consent requirements
- Consumer rights workflows automate the handling of access, correction, deletion, portability, and opt-out requests, including the required appeals process for denied requests
- Privacy notice generation creates compliant privacy notices that include all FDBR-required disclosures and links to your rights request and appeals processes