
Florida’s enforcement action against Roku marks the first test of the Florida Digital Bill of Rights (FDBR) and could reshape how streaming platforms, smart TVs, and other voice-enabled devices handle sensitive data. With growing regulatory attention to child-directed content and data monetization, organizations must be prepared for scrutiny under evolving state privacy laws.
On October 14, 2025, the Florida Attorney General filed a lawsuit against Roku, Inc. and its subsidiary, alleging the unlawful collection and sale of children’s personal data, including geolocation, voice recordings, and TV viewing habits. The lawsuit claims Roku failed to comply with requirements under Florida’s Digital Bill of Rights (FDBR) and the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), including obligations around age verification, disclosure of data sales, and limits on re-identification of de-identified information.
The AG’s complaint centers on the platform’s child-oriented features, including a “Kids & Family” category, children’s screensavers, and third-party apps, asserting that these elements should have triggered proactive age verification and privacy safeguards. Florida alleges that Roku knowingly profited from the use and sale of sensitive children’s data without proper consent or transparency.
Though the FDBR applies to a limited class of entities—those with over $1 billion in annual global revenue and offering smart speakers, voice assistants, or digital advertising—the case sets a precedent that could influence regulatory strategies in other states and prompt broader compliance reviews across industries with voice-enabled or child-directed content.
Expert Analysis
Florida’s enforcement action against Roku under the new Digital Bill of Rights makes one thing clear: states are ready to crack down on how companies collect, share, and reidentify consumer, especially children’s, data. It’s the first case under Florida’s law and sets a precedent for how regulators will expect companies to prove compliance in real time.
To stay ahead, organizations need a centralized, multichannel consent and age-assurance system that acts as a single source of truth; automated updates that push consent and opt-out signals to every downstream platform and data partner; and audit-ready logs that show exactly when and how those signals were honored. Without this level of coordination, it’s nearly impossible to stop unlawful data use or to prove you did the right thing when regulators come calling.
Fahad Diwan, JD, FIP, CIPP/M, CIPP/C, Director of Product, Privacy, Exterro
Establish a centralized consent management system that tracks user permissions at a granular level—by data type, purpose, and audience. This ensures compliance with diverse state laws and provides clear audit trails in case of regulatory inquiries.