An Overview of Florida Data Privacy Law: Digital Bill of Rights (FDBR)

Raisul Islam
First published December 17th, 2025
Last updated January 21st, 2026
Understand Florida’s Digital Bill of Rights (FDBR): who it covers, consumer rights, penalties, and practical steps to stay privacy compliant

The Florida Digital Bill of Rights (FDBR) establishes strict fines for businesses that fail to comply. But what is FDBR, and how does it apply to your business?

What is the Florida Digital Bill of Rights?

The Florida Digital Bill of Rights is a data privacy law regulating how large businesses can process, maintain, and sell customers’ data. It can be compared to other state-wide data laws, such as California’s CCPA (although, as we’ll explore, FDBR is smaller in scope).

The bill is split into three distinct sections. These are:

  1. A section detailing the rights of consumers concerning how their personal data is collected, maintained, and used.
  2. A section preventing government employees from using their influence to remove posts on social media.
  3. A section that establishes protections for personal data relating to children.


Consumer rights established within FDBR

As mentioned, FDBR assigns certain rights to customers. These include:

  • The right to access – Customers can request access to the data an organisation holds about them.
  • The right to opt out – Customers can ask businesses not to sell or use their data for advertising purposes.
  • The right to deletion – Customers can request that their data be deleted.
  • The right to rectification – Customers can request that businesses correct their data if they believe it is incorrect.

To remain compliant, organisations that fall under the scope of FDBR must respect and honour these rights.

Does FDBR apply to me?

FDBR largely applies to larger organisations. According to the Florida data law, this includes any business that has an annual gross revenue exceeding $1 billion. Alongside this, organisations must fall into one of the following categories:

  • They must derive 50% of their global revenue from sales attributed to online advertisements.
  • They must utilise a consumer smart speaker that has an integrated virtual assistant that connects to a cloud computing device.
  • They must operate an app store or digital distribution platform that contains at least 250,000 apps.

In effect, this means that the majority of businesses will be unimpacted by most of FDBR’s provisions. This doesn’t mean, however, that your organisation can avoid the legislation entirely. The law still regulates the sale of personal information by for-profit businesses. This includes data such as information relating to children, health conditions, and sexual orientation.

Personal information vs personal data

FDBR refers to both personal information and personal data. While these might sound the same, the bill makes a clear differentiation.

According to the law, personal data is any information that is collected, processed, and used that relates to Florida residents. Personal information, on the other hand, is any information that relates specifically to children.

What are the penalties for violating FDBR?

As the Florida Digital Bill of Rights primarily targets large corporations, it outlines lofty fines for non-compliance. An organisation can be fined up to $50,000 for each violation that it commits. It should be noted, however, that this number may be tripled if the organisation knowingly violated children’s rights.

FDBR allows a 45-day ‘cure period’ for organisations. During this window, a business can rectify an infringement and avoid penalties. The cure period doesn’t apply to violations that involve children’s rights.

Main requirements of the FDBR

FDBR is a highly detailed piece of legislation. Let’s look at the parts of the Florida data law that apply directly to businesses.

Note: It’s important to remember that the majority of these provisions apply only to large corporations.

Processing requirements

According to FDBR, organisations must only process personal data for “adequate, relevant, and reasonably necessary” means. If your business processes personal data, it must make a credible case for doing so to its customers.

If you process data for purposes that aren’t deemed completely necessary, you must gain consent first. Similarly, if your processing involves sensitive personal information, you must also seek permission.

Regardless of the data you hold, you must have protections in place to prevent wrongdoing. The legislation expects businesses to take both physical and digital steps to protect data.

A physical step could be to use a biometric system to ensure only employees with authorised access can view data. Digital methods include end-to-end encryption and ensuring staff use strong passwords.

Selling biometric or personal data

FDBR also has provisions regulating the sale of biometric and personal data. If an organisation plans on selling either form of information, it must make it clear to consumers. This can be handled by posting the relevant message clearly on your company website:

  • NOTICE: This website may sell your sensitive personal data.
  • NOTICE: This website may sell your biometric personal data.

Requirements for third-party processors

If a company works with a third party to handle data processing, it must create a contract that outlines key information. This should include:

  • Information outlining how processing should take place.
  • The rights and responsibilities of all parties involved.
  • The duration for which the processor will hold the data.
  • The forms of data that will be processed.
  • The purpose of the processing.
  • A clause that binds any subcontractors to the contract.
  • A clause obligating the processor to delete data once a contract has expired (unless retention is required by law).
  • A clause that requires the contractor to make necessary information available to prove compliance with FDBR (if requested by the data controller).

Data relating to children

As mentioned, the FDBR outlines several requirements for businesses that process children’s data. According to the bill, companies cannot:

  • Gather, share, or sell the personal information of children, unless it is necessary to provide a certain service. If a company sells information, it must prove that it poses no harm to children.
  • Gather any direct geolocation data without providing notice.
  • Gather, share or sell geolocation data unless essential for a service to operate.
  • Use personal data for any purpose other than initially stated. If an organisation does use data for additional purposes, it must prove that it poses no risk to children.
  • Use dark patterns to mislead children.
  • Attempt to determine a user’s age using personal data.
  • Hold on to data for longer than necessary.

Data protection assessments

The FDBR requires businesses to conduct a Data Protection Impact Assessment (DPIA) in certain circumstances. This is a form of assessment that identifies and reduces any risks linked with data processing.

An organisation will need to assess whether it uses data for any of the following purposes:

  • Selling personal information.
  • Processing sensitive information.
  • Collecting personal data that has the potential to harm a customer.
  • Carrying out profiling that could present a risk to a customer.

Carrying out a DPIA

If your organisation needs to carry out a data protection assessment, be sure to include the steps listed below.

  • Describe the data processing – Describe the sorts of data you collect, the purpose of the collection, and any important contextual information related to your assessment.
  • Consult individuals – Document the views of your audience in relation to data privacy. Outline any concerns or issues they might have.
  • Risk identification – When assessing risks, consider the effect of data processing on the consumer. In particular, think about the impact on customers’ rights and whether it could harm them in any way.
  • Risk mitigation – It’s important to outline methods for minimising any of the risks you’ve identified. For example, you might choose to avoid collecting certain forms of data or reduce the retention period of certain types of information.

Requirements for companies that own search engines

The Florida Digital Bill of Rights also contains provisions that regulate search engine operators. It means that companies such as Google are now required to list their methods for ranking websites on the search results page.

The bill asks that companies include details about the “prioritisation or deprioritization of political partisanship or political ideology in search results.” It doesn’t require companies to disclose their use of algorithms.

Companies are expected to keep this information in a clear, easily accessible space. Users shouldn’t be required to sign in to access documentation.

What about other data privacy laws?

Unless you’re within the top 1% of businesses, it’s unlikely that FDBR applies to you. That doesn’t mean, however, that you’ll be excluded from other worldwide data privacy laws.

If you process data from customers in a certain market, you must comply with its data laws. Many of these laws have a greater scope than the Florida data law. The EU’s GDPR, for instance, requires businesses to gather consent before collecting a user’s data.

To protect your business from worldwide data privacy laws, you can take the following steps:

  • Seek expert advice – Many data privacy regulations are extremely detailed, and what’s more, they’re updated regularly. Expert advice can help you avoid painful legal fees.
  • Use a consent management platform (CMP) – While explicit user consent isn’t required in all jurisdictions, a CMP boosts transparency and helps with compliance.
  • Train your staff – Ensuring data privacy is only possible when there is strong awareness throughout your organisation. Educate your staff about handling data and the laws they should be aware of.

Review your approach to data privacy

The Florida Digital Bill of Rights may not apply to your business, but as we’ve explored, you may still be covered by other legislation. To ensure compliance and boost transparency, it’s worth running a thorough review of your data privacy approach.

If you want to learn more, you can read our blog on preventing costly data privacy class actions.
