While Florida has joined the ever-growing list of states passing privacy legislation in 2023, Senate Bill 262, the Florida Digital Bill of Rights, differs significantly from other state laws in that most of its provisions only apply to a limited group of large technology companies.
Two provisions of Florida’s Digital Bill of Rights have broad impact. First, businesses that hold Floridians’ electronic data are already subject to the Florida Information Protection Act, which requires them to take “reasonable measures” to protect consumers’ personal information and inform them of data breaches. However, SB 262 expands the definition of personal information beyond things like licenses, Social Security numbers, and financial account information to include biometric and geolocation data. Additionally, it imposes restrictions on companies collecting “sensitive” data (including race, ethnicity, health information, children’s data, etc.) and bans its sale without prior consent.
However, the majority of provisions apply to a smaller set of data “controllers,” which appear to be aimed at FAANG-style technology companies. These provisions include:
• Consumer rights to access, correct, delete, and obtain copies of their data, and to opt out of certain types of data collection and usage
• Two or more means for consumers to exercise their rights
• Limited collection, use, and retention of data necessary to the purpose of processing
• Data protection assessments for processing involving personal data
• Reasonably accessible and clear privacy notices
• Clear, affirmative, informed consent to specific data collection, processing, and sales activities
If signed into law by Gov. Ron DeSantis, SB 262 will go into effect July 1, 2024.
The majority of the provisions of the Florida Digital Bill of Rights apply to a much smaller set of large organizations than other recent state privacy laws. For these provisions to apply, the “controllers” must earn over $1 billion in annual revenue and fit into one of the categories below:
• Make 50% of global revenue from the sale of online advertising
• Operate a smart-speaker and voice-command service with a virtual assistant connected to a cloud computing service that uses hands-free verbal activation
• Operate an app store or digital distribution platform with at least 250,000 consumer-facing downloadable apps

Florida’s Digital Bill of Rights aligns with other states with respect to sensitive information, which includes children (under 18), biometrics, and precise geolocation. Consent is also an important requirement, as well as notification, and restrictions over data selling. Consumer rights are comparable to those of California, but employees are not seen as “consumers” and do not share their rights. The Bill does not cover non-profits, institutions of higher education, financial institutions, and entities governed by HIPAA.
However, the bill doesn’t go far enough. It only applies to large controllers, which is quite disconcerting. To compensate, the definition of “processor” — unlike that of controllers — is not limited to businesses that generate more than a certain amount of revenue, but instead includes “a person who processes personal data on behalf of a controller.” This recognizes that SMBs are introducing vulnerabilities in the digital commerce ecosystem and must boost their privacy and security posture, but the bill leaves an imbalance in the Florida consumer rights arena, where controllers who don’t meet the specific thresholds won’t have to honor consumers’ rights equally. The burden of compliance seems to have shifted onto processors, who historically have fewer resources for compliance.
Controllers subject to the conditions in this bill (once signed into law) and all processors will still need to be concerned with consent management, demonstrating they protect sensitive personal information adequately, and proving they do not sell it without consent.