Understanding Florida Digital Bill of Rights

Effective July 1, 2024, the Florida Digital Bill of Rights (FDBR) was enacted in response to growing concern about personal information being misused or accessed without permission. It sets rules for the businesses and organizations, called "Controllers," that collect and use personal information, requiring them to limit how they collect, store, and use data so that consumers' privacy is respected. The law also gives consumers specific rights, such as the right to access, correct, or delete their data and to opt out of certain types of data processing. A controller that breaks these rules can face substantial civil penalties.

What is the Scope of Applicability for the Florida Digital Bill of Rights (FDBR)?

The FDBR applies to any controller or processor that:

  1. Conducts business in Florida or produces products or services used by residents of the state; and
  2. Processes or engages in the sale of personal data.

It does not apply to:

  1. State agencies or political subdivisions.
  2. Financial institutions covered by the Gramm-Leach-Bliley Act.
  3. Covered entities and business associates subject to the HIPAA privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services.
  4. Nonprofit organizations.
  5. Postsecondary education institutions.
  6. Processing of personal data for purely personal or household activities, or solely to measure or report advertising performance.

A controller or processor that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act (COPPA) is considered compliant with any obligation to obtain parental consent under the FDBR.

  • Consumers can exercise their rights at any time by requesting them from a controller.
  • Parents or guardians can exercise these rights on behalf of a child.

What is Personal Data?

"Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. Pseudonymous data counts as personal data when a controller or processor uses it together with additional information that reasonably links it to a specific person. The term does not include deidentified data or publicly available information.

Exempted Information:

The following information is exempt from the act:

  1. Protected health information under HIPAA.
  2. Health records.
  3. Patient identifying information protected under the federal substance use disorder confidentiality law (42 U.S.C. s. 290dd-2).
  4. Identifiable private information related to human subjects research.
  5. Documents created under the Health Care Quality Improvement Act.
  6. Patient safety work product under the Patient Safety and Quality Improvement Act.
  7. Health-related information deidentified in accordance with HIPAA's deidentification requirements.
  8. Information intermingled with exempt health care information, if maintained by a HIPAA covered entity or business associate.
  9. Information in a limited data set as specified by federal regulations.
  10. Information used only for public health activities and purposes as authorized by HIPAA.
  11. Personal data related to creditworthiness and regulated under the Fair Credit Reporting Act.
  12. Personal data regulated under the Driver's Privacy Protection Act.
  13. Data regulated by the Family Educational Rights and Privacy Act.
  14. Data regulated under the Farm Credit Act.
  15. Data processed in the context of an individual's employment or contracting with a controller or processor.
  16. Emergency contact information.
  17. Data necessary to administer benefits for an individual's employment or contract role.
  18. Data shared with financial service providers for short-term payment processing.
  19. Data related to airline services under the Airline Deregulation Act.
  20. Data shared between a manufacturer and its authorized third-party distributors for advertising, marketing, or servicing the product.

What Rights Do Consumers Have Under This Law?

On receiving an authenticated consumer request, the controller must honor the following rights:

  • Right to Access: Confirm whether the controller is processing the consumer's personal data and provide access to that data.
  • Right to Correction: Correct inaccuracies in the consumer's personal data, taking into account the nature of the data and the purposes of the processing.
  • Right to Deletion: Delete any or all personal data provided by or obtained about the consumer.
  • Right to Data Portability: Provide a copy of the consumer's personal data in a portable and, to the extent technically feasible, readily usable format.
  • Right to Opt-Out: Allow the consumer to opt out of:
    • Targeted advertising.
    • The sale of their personal data.
    • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Right to Opt-Out of Sensitive Data Collection: Opt out of the collection or processing of sensitive data, including precise geolocation data.
  • Right to Opt-Out of Voice/Facial Recognition: Opt out of the collection of personal data through voice recognition or facial recognition features.

Restrictions on Device Features:

A controller or processor may not use a device's voice recognition, facial recognition, audio recording, or video recording feature for surveillance while the feature is not in active use by the consumer, unless the consumer has expressly authorized it.

What Responsibilities Do Controllers and Processors Have?

Controller defined under FDBR

A "Controller" is a business or other entity that meets all of the following:

  1. Is organized or operated for the profit or financial benefit of its shareholders or owners.
  2. Conducts business in the state.
  3. Collects personal data about consumers, or is the entity on whose behalf that data is collected.
  4. Determines, alone or jointly with others, the purposes and means of processing personal data.
  5. Makes more than $1 billion in global gross annual revenue.
  6. Satisfies at least one of the following:
    • Derives 50% or more of its global gross annual revenue from the sale of online advertisements, including targeted advertising.
    • Operates a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service (motor vehicles and their systems are excluded).
    • Operates an app store or digital distribution platform offering at least 250,000 different software applications for download.

A "Controller" also includes any entity that controls, is controlled by, or is under common control with such a controller, where "control" means:

  1. Owning, or having the power to vote, more than 50% of the outstanding shares of any class of voting securities.
  2. Controlling in any manner the election of a majority of the directors or of individuals exercising similar functions.
  3. Having the power to exercise a controlling influence over the company's management.

Duties of Controller

Collection and Security of Personal Data:

  • Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.
  • Controllers must establish and maintain reasonable administrative, technical, and physical security practices to protect personal data, appropriate to the volume and nature of the data at issue.

Prohibited Actions:

  • Purpose Limitation: Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the purposes disclosed to the consumer, unless they obtain the consumer's consent.
  • Discrimination: Controllers may not process personal data in violation of state or federal anti-discrimination laws.
  • Consumer Rights: Controllers may not discriminate against a consumer for exercising their data rights, for example by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services. Controllers may offer a financial incentive for data processing if the consumer agrees to clearly disclosed terms, and the consumer may withdraw that consent at any time.
  • Sensitive Data: Controllers must obtain the consumer's consent before processing sensitive data. For a known child, consent must come from the child (if aged 13 to 18), and processing of a child under 13's sensitive data must comply with the Children's Online Privacy Protection Act.

Exceptions:

  • Controllers are not required to provide a product or service that requires personal data they do not collect or maintain. They may offer a different price, rate, level, quality, or selection of goods or services if the consumer has opted out of certain data processing, or if the offer is related to the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

Search Engine Transparency:

  • A controller that operates a search engine must publish, in an easily accessible location that does not require the consumer to log in or register, an up-to-date plain-language description of the main parameters that determine search result ranking and their relative importance. The description must convey how the ranking algorithm works but need not disclose trade secrets or any information that would cause consumer harm or enable deception or manipulation.

Duties of Processor

"Processor" means a person who processes personal data on behalf of a controller. A processor has the following duties:

Assistance to the Controller: Processors must assist controllers in responding to consumer rights requests, securing personal data, meeting breach notification obligations, and providing the information needed to conduct and document data protection assessments.

Contractual Obligations:

  • Processing Agreement: The contract between a controller and a processor must set out the processing instructions, the nature and purpose of the processing, the type of data to be processed, the duration of the processing, and the rights and obligations of both parties.
  • Confidentiality: The processor must ensure that each person processing the personal data is bound by a duty of confidentiality.
  • Data Handling: At the controller's direction, the processor must delete or return all personal data once the services are completed, unless retention is required by law.
  • Compliance: The processor must make available to the controller all information necessary to demonstrate compliance and must allow, and cooperate with, reasonable assessments by the controller or a designated assessor.
  • Subcontractors: If a processor engages a subcontractor, it must do so under a written contract that binds the subcontractor to the same data protection obligations that apply to the processor.

Independent Assessments: A processor may arrange for a qualified and independent assessor to evaluate its data protection policies and measures and must provide the resulting report to the controller upon request.

What Are the Penalties for Violating the Florida Digital Bill of Rights?

A violation of the act is an unfair and deceptive trade practice enforceable solely by the Department of Legal Affairs (the Florida Attorney General's office). The department may bring an action against violators and collect civil penalties of up to $50,000 per violation. Penalties may be tripled for violations involving a known child, for failing to delete or correct personal data after receiving an authenticated consumer request, and for continuing to sell or share a consumer's personal data after the consumer has opted out.