Blog

Florida signs Digital Bill of Rights into law

The law allows consumers more visibility into their data that’s been collected by businesses


Alexis Kateifides
Program Director, OneTrust Center of Excellence
Last updated June 8, 2023

Male and female lawyers walk in front of the courthouse

Florida governor Ron DeSantis signed the Digital Bill of Rights into law on June 6, 2023, joining the wave of US states with comprehensive state privacy laws.

 

Which businesses does this law apply to?

The law applies to "controllers" which are defined as companies that sell to customers in the state of Florida, make in excess of $1 billion in global annual revenue and:

  1. Derive 50% or more of its revenue from targeted advertising worldwide
  2. Operate a consumer smart speaker and voice component service with an integrated virtual assistant connected to the cloud
  3. Operate an app store that offers at least 250,000 different software applications for consumers to download  

 

What are the key highlights of the law? 

Let’s take a look at how the Florida Digital Bill of Rights defines consent, sensitive data, the “sale” of personal data, consumer rights, and data protection impact assessments. 

Consent 

Florida’s law defines consent as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data”, similar to most other state laws. 

It explicitly mentions that the following methods of obtaining consent are not considered valid:

  1. Accepting a broad terms of use document that includes personal data processing along with other unrelated information
  2. Performing an action that is not clear and unambiguous, i.e. hovering over, pausing, closing, or muting any piece of content
  3. Agreements via dark patterns


Sensitive Personal Information (SPI)

SPI under Florida’s latest act includes the following categories of personal data:

  1. Racial or ethnic origin
  2. Religious beliefs
  3. Health data (mental and physical)
  4. Sexual orientation
  5. Citizenship status
  6. Genetic / Biometric data
  7. Children’s data
  8. Geolocation

Florida’s Act requires businesses to have consent in place in order to process sensitive data, via a separate opt-out mechanism. In the case of children between the ages of 13 and 18, an affirmative authorization needs to take place, i.e. an opt-in mechanism.


Consumer Rights

The Florida Digital Bill of Rights lays out the following consumer rights: 

  1. Right to access – Consumers are entitled to verify and access their data that is under processing by the data controller
  2. Right to correction – Consumers have the right to rectify any inaccuracies in their personal data
  3. Right to deletion – Consumers have the right to delete any personal data that relates to them
  4. Right to portability – Consumers have the right to obtain a copy of their data, in a portable format that is “readily usable”, allowing them to transfer this data to another controller without any issues
  5. Right to opt out of targeted advertising, behavioral profiling, and the sale of personal data
  6. Right to opt out of data collection via voice recognition features

Regarding rights request responses, controllers have a 45-day timeline to respond to any consumer requests – this can be extended for an extra 15 days if deemed “reasonably necessary”. In the case of an extension, controllers still need to inform consumers that the response deadline has been pushed out. 

Controllers are also required to answer requests at least twice a year from consumers, free of charge. The law states that if these requests are found to be “unfounded, excessive, or repetitive” then businesses can charge a “reasonable fee” in order to process these requests. 


Sale of Personal Data

The Florida Technology Transparency Act defines the sale of personal data as, “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by controller to a third party”. 

There are some caveats with this definition. It does not include the following:

  1. Information disclosed to a processor who processes data on the controller’s behalf
  2. Information disclosed to a third-party for providing a product/service to the consumer
  3. Information disclosed as a part to a third-party as part of a merger or an acquisition
  4. Information that the consumer has intentionally made available to the general public


Data Retention Schedules

Data controllers and processors are required to define retention schedules for the personal data that is collected or processed based on the nature and purpose of data collection. If no retention schedule is defined, then personal data must be deleted 2 years after the last customer interaction with the business.  


Privacy Notices and Disclosures

The law states that privacy notices must be updated on an annual basis and be “reasonably accessible and clear”. This notice must include the following: 

  1. The categories of personal data being processed (including any sensitive data)
  2. The purpose of processing this personal data 
  3. The mechanism for customers to exercise their rights (including the appeal process) 
  4. The categories of personal data being shared with third parties 
  5. The categories of third parties that personal data is being shared with
  6. A clear, separate section in the notice that calls out the sale of sensitive data, including biometric data, if the controller is involved in the sale of this information
  7. The process for which customers can opt out of targeted advertising and profiling


Data Protection Assessments (DPA)

Florida’s law requires data controllers to conduct DPAs in the following cases:

  1. If data is being processed for targeted advertising
  2. If personal data is being sold 
  3. If sensitive data is being processed
  4. If processing personal data has a “reasonable and foreseeable risk” of
  5. Treating customers unfairly, or engaging in deceptive practices
  6. Any sort of injury to customers including financial, physical, or reputational
  7. Any sort of intrusion on a customer’s privacy, to the extent that it would be considered “offensive to a reasonable person”

The law further states that these assessments must identify and weigh the benefits against the potential risks of the current data workflows with all stakeholders – the controller, processor, consumer, and other parties involved. 

 

What does this mean for your organization? 

Florida’s Digital Bill of Rights is currently set to go into effect on July 1, 2024. This means organizations that fall under its purview have less than a year to ensure that the appropriate compliance measures are in place across your data infrastructure and workflows. 

 

How can OneTrust help with compliance? 

OneTrust can help your organization introduce the right business workflows and data policies that help keep you compliant with all applicable privacy regulations. For more information on what you can do to stay on top of the US privacy landscape, take a look at how to operationalize privacy compliance, with OneTrust Privacy Management. Request a demo to see what works for your business today.   


You may also like

Webinar

GRC & Security Assurance

Empowering your cyber defense: Key insights into the latest NIST CSF update with PwC

Join this webinar with OneTrust and PwC and gain insights into the upcoming NIST CSF update and learn how to effectively deploy it across your organization.

November 09, 2023

Learn more

Webinar

Privacy Management

Managing data transfers within the UK & EU

Join our experts as we discuss ways to effectively manage data transfers between the UK & EU while staying compliant with the latest privacy regulations.

October 31, 2023

Learn more

Webinar

Third-Party Risk

5 Ways to save time when assessing third parties for privacy and security risks webinar

Join our webinar and learn how to save time and streamline third-party risk assessment throughout the TPRM lifecycle.

October 25, 2023

Learn more