On June 6, 2023, Florida Governor Ron DeSantis signed the Florida Digital Bill of Rights (FDBR) into law, making Florida the tenth US state to introduce a comprehensive data privacy law regime. If you target consumers in Florida and meet certain applicability thresholds, the new law may apply to you.


Are you interested in learning about Florida’s new data privacy law and what obligations you may be subject to? Read more to find out.






What is the Florida Digital Bill of Rights?


The Florida Digital Bill of Rights (“FDBR”) is a comprehensive data privacy law that will take effect on July 1, 2024. The Bill consists of three separate sections. Section 1, the most detailed part of the Bill, sets out comprehensive data privacy obligations on data controllers that process consumers' personal data. Section 2 of the Bill aims to protect children from harm in online spaces by imposing more stringent requirements on data controllers. Section 3 of the Bill addresses the government’s control over social media platforms and places limitations on content moderation.


In this article, we focus on section 1 of the FDBR, namely the data privacy provisions. 


Does the Florida Digital Bill of Rights apply to you?


Although it includes similar obligations to its California and Utah counterparts such as data subject rights and privacy notice requirements, the FDBR is quite different from the rest of the US privacy laws: It is mainly aimed at big tech platforms such as search engines and social media platforms. This is due to the applicability criteria set by the Law. 


Article 501.702 (9) of the FDBR states that the Law will apply to data controllers that collect and process consumers' personal data. A data controller is defined as an entity that operates in Florida, collects or processes personal data, and operates for profit.


The Law will apply to such a data controller if the following two criteria are met: 


Criterion 1: An organization’s gross annual revenue is more than $1 billion; and

Criterion 2: An organization fulfills one of the following:


“Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;




Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected.”


- Florida Digital Bill of Rights (source: Florida Senate)


Considering that the new Law will only apply if a commercial organization’s revenue exceeds $1 billion, most small and medium-sized businesses will not be subject to the FDBR’s requirements. Only the big-tech companies such as large search engines, social media platforms, and online retail giants will likely be. 


What are the exemptions from the scope of the Florida Digital Bill of Rights?


The new Law exempts certain categories of consumers' personal data and certain entities from its scope of applicability. 


What personal information is exempt from the scope of applicability?

Article 501.704 of the FDBR lists the categories of consumers' personal data that are outside the scope of the FDBR. For instance, protected health information under HIPAA, health records, data processed in a commercial or employment context, and data processed for credit-worthiness purposes are excluded from the FDBR.


What entities are exempt from the FDBR?

Article 501.703 of the FDBR lists the categories of organizations outside the scope of the Law. For example, state agencies, financial organizations subject to the Gramm-Leach-Bliley Act, and nonprofit organizations are excluded from the scope of the FDBR. 


What are the main obligations of data controllers under the Florida Digital Bill of Rights?


Article 501.71 of the FDBR lists the obligations a data controller must fulfill when processing a consumer's personal data. The main obligations are as follows: 


Data minimization: The FDBR requires data controllers to “Limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.” (source: Florida Senate)


Purpose limitation: The FDBR imposes restrictions on the secondary use of personal data collected by controllers by requiring them to not process personal data for a secondary purpose incompatible with the original purpose. However, the data controller may still use personal data collected for secondary purposes if they obtain the consumer’s prior consent. 


Data security: Data controllers are required to establish and implement appropriate administrative, technical, and physical data security measures to maintain the integrity, confidentiality, and accessibility of personal data collected directly or indirectly from consumers.


Obtain consent before processing sensitive data: A data controller must obtain a consumer’s prior consent before collecting and processing sensitive personal data, including data revealing ethnic and racial origin, biometric personal data, genetic data, and precise geolocation data.


Create a Privacy Notice: Article 501.711 of the FDBR imposes on the data controller the obligation to display a privacy notice to consumers. This notice must be easily accessible and clear. Therefore, having a link to a privacy notice on a website will likely satisfy this requirement. 


Regarding the content, the privacy notice must address the types of personal data collected by the data controller, the purposes for which it is used, and the categories of third parties with which the controller shares personal data. Furthermore, it should also address how consumers can exercise their data subject rights.


Data subject rights: Under article 501.705 of the FDBR, consumers can exercise their data subject rights. The Law gives consumers the right to confirm whether their data is processed, obtain a copy of their data, correct any inaccuracies related to their data, and delete their data.


Under the Law, data controllers are obligated to respond to data subject requests within 45 days following the receipt of the request. However, if the request is complex, data controllers may extend this deadline by 15 days.


How Didomi can help you comply with the Florida Digital Bill of Rights


If you are processing Florida consumers' personal data and you satisfy the applicability criteria for Florida’s FDBR, you will have to comply with various obligations, such as obtaining consent before processing sensitive data and displaying an easily accessible privacy notice. 


This is where Didomi can help with our Global Privacy UX Solutions, which range from a Consent Management Platform (CMP) to Preference Management, DSAR, and more.


Get in touch with our team to discuss your privacy challenges and find out how our solutions can help you turn data privacy into a business opportunity.


Frequently Asked Questions (FAQ)


Who enforces the Florida Digital Bill of Rights?

If a data controller fails to comply with Florida’s FDBR, the State Department of Legal Affairs may impose a penalty of up to $50,000 per violation.


Can individuals bring a private right of action?

Individuals are not provided with the right to bring an action against data controllers.


When will the FDBR become effective? 

The FDBR will come into force on July 1, 2024. 


What is the deadline for responding to data subject requests? 

Data controllers shall respond to data subject requests within 45 days following the receipt of the request. 


What is sensitive personal data under the FDBR?

Sensitive personal data includes genetic or biometric data and data revealing racial or ethnic origin.