By Leslie Veloz
Florida’s SB 262 was signed into law Tuesday, June 6, 2023, making it the 10th comprehensive state privacy law enacted in the United States. SB 262 consists of several parts.
Section 1 restricts government-directed content moderation of social media platforms.
Section 2 contains novel requirements to protect children (under the age of 18) on certain online platforms similar to those provided under California’s Age-Appropriate Design Code (AADC).
The bulk of the Act, Sections 3 through 24, creates the Florida Digital Bill of Rights (FDBR), a Virginia-style comprehensive privacy law but with some important and unique differences - including thresholds that limit its applicability to only large businesses providing certain types of products or services.
Section 25 amends Florida's existing data security and breach notification law to add biometric and geolocation data to the definition of personal information.
This summary addresses the AADC-like provisions and the FDBR. It focuses on the scope and applicability of these provisions, the requirements unique to this Act, and the enforcement mechanism. These aspects of the Act will take effect on July 1, 2024. Companies should be aware of these requirements if they conduct business in Florida or offer products or services available to Florida consumers.
Key Differences Between Florida’s SB 262 Section 2 and California’s AADC
While California’s AADC and Florida’s SB 262 Section 2 are nearly identical concerning default privacy settings, notice requirements, and prohibitions on data collection and usage for children, there are a few notable differences, including:
The Florida law’s prohibition on harmful processing requires actual knowledge of or willful disregard of a child’s age.
Unlike the AADC, Florida’s law does not require a Data Protection Impact Assessment.
Florida’s law applies only to businesses with an “online platform,” while the AADC applies to all online services likely to be accessed by children that meet its threshold requirements.
Note also that the scope of businesses subject to Section 2 of the Florida law is much broader than Sections 3-24, the FDBR, as explained below.
While both laws prohibit age estimation from being used for any other purpose, Florida’s bill does not require age estimation - unlike the AADC.
The penalties for violating Florida’s law are 20 times those available under the AADC.
In the context of an enforcement action, Florida’s law explicitly puts the burden of proof on the online platform to demonstrate that the processing does not violate the law’s prohibitions.
Florida’s law allows the AG, at its discretion, to grant 45 days to cure the alleged violation. In contrast, the AADC may allow up to 90 days to cure a violation.
Key Differences Between FDBR and Other Comprehensive State Privacy Laws
The FDBR is an outlier amongst other U.S. privacy laws in some regards, including:
Due to threshold requirements, described below, only a narrow scope of large businesses providing certain types of products or services are regulated under the FDBR.
The FDBR diverges from other state comprehensive privacy laws by considering all persons under the age of 18 as “children” - making all personal data collected from a person known to be under the age of 18 “sensitive” personal data subject to consent requirements, and giving parents the ability to exercise rights (including data access) on behalf of Floridians up to the age of 18.
Controllers are obligated to obtain opt-in consent for (and subsequently allow the opt-out from) the collection, processing, and sale of sensitive data.
Companies that employ voice or facial recognition, video, audio, or other electronic, visual, thermal, or olfactory features are subject to heightened restrictions on the use of such functionality for “surveillance” (which is not defined).
In addition to a general privacy notice, controllers that “sell” sensitive data or biometric data are obligated to provide separate notices containing specific required language that begins with an all-caps “NOTICE.”
Controllers and processors must implement a retention period for consumer data no greater than two years beyond the last interaction with the consumer.
Search engines must provide a plain language description of the main parameters used to determine how results are provided to consumers.
Novel consumer opt-out rights, including the right to opt out of the collection or processing of sensitive personal information (which, when taking into account the opt-in consent requirements for such data, operates as a right to withdraw consent), as well as the right to opt out of the collection of personal data through visual, audio, thermal, and olfactory technology.
Applicability of the FDBR
A business acting as a controller (i.e., they determine the purposes for and means of processing personal data alone or jointly with others) or processor (i.e., they process data on behalf of a controller) will be bound by the FDBR if it:
is organized or operated for the profit or financial benefit of its shareholders or owners;
conducts business in Florida;
makes in excess of $1 billion in global gross annual revenues; and
satisfies one of the following:
derives 50% or more of its global gross annual revenues from the sale of online advertisements (including targeted advertisements),
operates a consumer smart speaker or voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation (not including features found in a motor vehicle), or
operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
A consumer is a Florida resident acting in an individual or household context. A consumer does not include individuals acting in a commercial or employment context.
Personal data is any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. Personal data does not include de-identified information if there are measures to prevent re-identification, the controller publicly commits to not re-identify, and it contracts with all recipients to require the same.
Exemptions. Compared to the other state comprehensive privacy laws, the FDBR has a longer list of exemptions for personal data processing covered by other laws, including the Driver’s Privacy Protection Act of 1994, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act of 1996 (HIPAA), Health Care Quality Improvement Act of 1986, Family Educational Rights and Privacy Act of 1974, Children’s Online Privacy Protection Act of 1998, Farm Credit Act of 1971, Patient Safety and Quality Improvement Act of 2005, or Fair Credit Reporting Act. The FDBR also does not apply to certain air carriers or information used or de-identified in accordance with the HIPAA Privacy Rule. Employment and emergency contact data is also excluded from the FDBR.
Consumer Rights Under the FDBR
Companies acting as controllers must honor the following consumer rights:
Confirmation of whether a consumer’s personal data is being processed, and access to the personal data processed, including in a portable format;
Correction of inaccurate personal data;
Deletion of personal data provided by or obtained about the consumer;
Opt-in consent for the collection or processing of sensitive data including precise geolocation data (and a subsequent opt-out right that, in effect, acts as a withdrawal of consent);
Opt-out of targeted advertising based on data collected over time and across online services;
Opt-out of sale of personal data provided for monetary or other valuable consideration (opt-in if it involves sensitive data);
Opt-out of profiling for decisions about financial services, housing, insurance, education, criminal justice, employment, healthcare, or essential goods or services;
Opt-out of the collection of personal data through voice or facial recognition, video, or audio recording, or any other electronic, visual, thermal, or olfactory feature; and
Appeal of any denial of consumer rights.
While most of the rights listed above align with some or all of the other state privacy laws, the last opt-out right is unique to Florida.
Controllers must clearly and conspicuously establish two or more methods for consumers to exercise these rights on their website. Controllers must respond to consumer requests within 45 days of receiving the request. However, the controller may extend the response period once by an additional 15 days. If a controller cannot act on the request, the controller must justify why and provide instructions on how to appeal the decision to the consumer. Additionally, within 60 days of receiving a request, a controller must inform the consumer whether they’ve complied.
Controller Obligations Under the FDBR
Like all other comprehensive privacy laws, the FDBR allows a controller to process personal data only as necessary, reasonable, and proportionate to the purpose disclosed to the consumer. In addition, controllers have several other obligations:
Transparency. Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice containing certain information on the controller’s practices and the consumer’s rights. This policy must be updated at least annually.
Heightened notice for sale of sensitive personal data. Controllers must provide consumers with additional explicit notice if they sell sensitive personal data. Separate notice is also required if the controller sells biometric data.
Consent. In addition to needing consumer consent to process children’s data and sensitive data, controllers must obtain consent to process personal data for purposes not already disclosed to the consumer. All consent must be affirmative, freely given, specific, informed, and unambiguous.
Data Protection Assessments. Businesses must conduct and document a data protection assessment for processing personal or sensitive data for purposes of targeted advertising or profiling, the sale of personal data, and any other processing activities that present a heightened risk of harm to consumers.
Security. Controllers must also secure personal data during storage and use from unauthorized acquisition.
FDBR Enforcement and Rulemaking
The FDBR is enforced exclusively by the Attorney General (AG or the Department of Legal Affairs). There is no private right of action. Controllers have a 45-day right to cure violations. The state may seek an injunction under the FDBR, or damages by treating the violation as a per se deceptive trade practice. In the latter case, a defendant faces civil penalties of up to $50,000 per violation, which may be tripled for specific violations outlined in the bill.
The Attorney General has permissive rulemaking authority. So, as with California and Colorado, it will be important to closely monitor the rulemaking process as requirements are clarified and supplemented.
Leslie Veloz is an Associate at Hintze Law PLLC focused on the intersection of privacy, security, and data ethics.
Hintze Law PLLC is a Chambers-ranked, boutique privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.