Privacy & Information Security Law Blog

On May 4, 2023, the Florida Senate and House of Representatives voted in favor of sending the Florida Digital Bill of Rights (“FDBR”) and other amendments related to government moderation of social media and protection of children in online spaces (S.B. 262) to Governor Ron DeSantis for signature. Unlike the other comprehensive state privacy laws that have been enacted, the FDBR applies to a much narrower subset of entities.

FDBR

Applicability

If enacted, the FDBR would apply to a “controller,” meaning an entity that conducts business in Florida, collects personal data about consumers, makes in excess of $1 billion in global gross annual reviews and satisfies at least one of the following: (1) derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online; (2) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or (3) operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install. “Consumer” means an individual resident or domiciled in Florida and does not include an individual acting in a commercial or employment context.

Controller Obligations

The FDBR would require controllers to: (1) provide a privacy notice with certain specified content; (2) establish a secure and reliable means for consumers to exercise their privacy rights under the law; (3) obtain a consumer’s consent to process sensitive data; (4) enter into contracts with its processors; and (5) conduct and document data protection assessments.

The FDBR also uniquely would require a controller that operates a search engine to make available on its website “an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results.” Controllers would not be required to disclose algorithms or any other information that, “with reasonable certainty, would enable deception of or harm to consumers through the manipulation of search results.”

Consumer Rights

The FDBR would provide consumers the right to (1) confirm whether a controller is processing the consumer’s personal data and to access the personal data; (2) correct inaccuracies in the consumer’s personal data; (3) delete any or all personal data provided by or obtained about the consumer; (4) obtain a copy of the consumer’s personal data; (5) opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer; (6) opt out of the collection or processing of sensitive data; and (7) opt out of the collection of personal data collected through the operation of a voice recognition or facial  recognition feature.

Enforcement

The FDBR would provide for enforcement by the Florida Department of Legal Affairs, civil penalties of up to $50,000 per violation, and tripled penalties for certain violations, such as those involving a known child.

The FDBR would:

• Not contain a private right of action;
• Provide for the Department to adopt implementing rules; and
• Permit but not require the Department to provide a 45-day period to cure an alleged violation.

Effective Date

The FDBR would go into effect on July 1, 2024.

Related Statutory Amendments in S.B. 262

In addition to the FDBR, S.B. 262 also contains provisions relating to government moderation of social media and protection of children in online spaces.

Government Moderation of Social Media

S.B. 262 would prohibit a governmental entity from communicating with a social media platform to request that it remove content or accounts from the platform, and from initiating or maintaining any agreements or working relationships with a social media platform for the purpose of content moderation (subject to certain exceptions).

Protection of Children in Online Spaces

S.B. 262 would impose restrictions on an online platform that provides an online service, product, game or feature “likely to be predominantly access by children” relating to:

• Processing the personal information of a child;
• Profiling a child;
• Collecting, selling, sharing or retaining any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged;
• Using the personal information of a child for any reason other than the reason for which the personal information was collected;
• Collecting, selling, or sharing any precise geolocation data of children;
• Using dark patterns to lead or encourage children to take certain actions; and
• Using any personal information collected to estimate age or age range.

For violations of these provisions, S.B. 262 would provide for the same enforcement provisions as those in the FDBR, including exclusive enforcement by the Florida Department of Legal Affairs, civil penalties of up to $50,000 per violation, tripled penalties for certain violations, and a permitted 45-day cure period.

Update: On June 6, 2023, Florida State Governor Ron DeSantis signed S.B. 262 into law, making Florida the tenth state to enact a comprehensive privacy law.