The world is rapidly evolving, and our digital privacy laws are evolving, too. Florida is the tenth U.S. state to pass comprehensive consumer privacy legislation. The Florida Digital Bill of Rights will take effect July 1, 2024, and applies to certain controllers and data processors, with protections regarding personal information, and protection for minors.

A Guide to the Florida Digital Bill of Rights

The Florida legislation underscores a changing landscape for businesses. Consumer, customer, and patient privacy is becoming increasingly critical as more of this sensitive information is processed, stored, shared, and exposed by cyberattacks and user error. In response, consumer privacy protections have become more prevalent, and businesses must adapt. Several other states, for example, have already enacted similar laws, including California, Connecticut, Colorado, Iowa, Utah, Virginia, Montana, and Tennessee. Additionally, over a dozen other states are considering consumer privacy legislation. In this article, we will provide you with a guide to the Florida Digital Bill of Rights and how impacted businesses can comply.

What Is the Florida Digital Bill of Rights?

The Florida Digital Bill of Rights is a consumer privacy law that provides Floridians with rights and protections concerning their personal data. The law also establishes strict guidelines for data controllers and data processors who process, store, and share Floridians’ personal data.

The law provides consumers with rights similar to those provided by other states’ consumer privacy laws, including the right to opt out of the sale of their personal information and the right to see the data a company has about them.

What Are the Key Components of the Florida Digital Bill of Rights?

The Florida Digital Bill of Rights gives Floridians much more control of their personal data, namely how it’s used. These rights include:

  1. The right to access data
  2. The right to request the deletion of data
  3. The right to correct data
  4. The right to data portability for data previously provided by the consumer
  5. Opt-out rights for the purpose of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
  6. The right to revoke consent
  7. The right to appeal if a consumer’s request is denied

Which Organizations Must Comply With the Florida Digital Bill of Rights?

The Florida Digital Bill of Rights applies to data controllers and data processors that handle Florida citizens’ data.

According to the law, a data controller is an entity that conducts business in Florida, collects personal data about consumers (either directly or through another entity on its behalf), and determines the purposes and means of processing personal data about consumers alone or jointly with others. The law also creates requirements for individuals who process personal data on behalf of a controller.

The law applies to controllers that gross more than $1 billion a year and:

  • Make at least 50% of their revenue from the sale of advertisements online
  • Operate an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install, or
  • Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation.

A data processor, on the other hand, is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. The definition of “processor” is not limited to businesses that generate more than a certain amount of revenue, but instead includes “a person who processes personal data on behalf of a controller.” A data controller determines the purposes for which and the means by which personal data is processed.

Processors must adhere to the instructions of a controller and assist them in meeting or complying with the controller’s obligations under the Florida Digital Bill of Rights. Processors must also provide necessary information to enable the controller to conduct and document data protection assessments, delete or return all personal data to the controller as requested, and engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor.

What Rights Do Consumers Have Under the Florida Digital Bill of Rights?

The Florida law provides consumers with various rights, including:

  • The right to access and request deletion and correction of their personal data.
  • Consumers can also request data portability for the data they have previously provided, and opt out of the sale of their personal data and of profiling.
  • Furthermore, they have the right to revoke consent and to appeal if their request is denied.
  • The law requires that companies get consumer permission to collect and sell personal data and imposes new disclosure requirements so that customers can know when and if their personal data is collected.

In contrast to privacy laws in Virginia, Colorado, and Connecticut, the Florida Digital Bill of Rights does not include the right to opt out of processing for targeted advertisements and using automated decision-making processes to opt out automatically, such as cookies.

What Obligations Do Eligible Businesses Have Under the Florida Digital Bill of Rights?

  • Controllers that sell sensitive personal or biometric data must clearly disclose their activities on their websites, as instructed.
  • Controllers must provide consumers with a notice about certain data practices and privacy policies.
  • Both controllers and processors must adopt and implement a retention schedule.
  • Controllers must obtain express consent for the processing of personal data of children between the ages of 13 and 18.
  • The Florida legislation does not provide a formal requirement for businesses to perform risk assessments of privacy procedures other than for pre-specified purposes.

Organizations Not Subject to the Florida Digital Bill of Rights

The Florida Digital Bill of Rights exempts several organizations, including:

  • Nonprofits
  • Government entities
  • Financial institutions, and the data they process and share that’s governed by the Gramm-Leach-Bliley Act (GLBA)
  • Healthcare organizations, including covered entities and business associates, as well as the data and information they produce, process, and share that’s subject to the Health Insurance Portability and Accountability Act (HIPAA)
  • Colleges and universities, including the information they process and share that’s governed by the Family Educational Rights and Privacy Act (FERPA)

How Will the Florida Digital Bill of Rights Be Enforced?

The Florida state attorney general has exclusive authority to enforce the law, and there is no private right of action that would allow individuals to sue for a violation. The law also states that a violation cannot serve as the basis for any lawsuit under any other law, tort, or contract.

However, individuals can submit complaints and report violations to the state—and consumer complaints may trigger an investigation. If an individual feels that their rights as outlined in the Florida Digital Bill of Rights have been violated, they can file a lawsuit against the party responsible. The case will be heard in a court of law, and if it is determined that the individual’s rights were indeed violated, the court may issue a judgment or order to correct the situation. This process ensures that the protections afforded by the Florida Digital Bill of Rights are enforced and upheld.

Fines and Penalties for Noncompliance With the Florida Digital Bill of Rights

The Florida Department of Legal Affairs can assess a civil penalty of up to $50,000 per violation. Civil penalties may also be tripled if the violation involves a Florida consumer who is known to be a child, is based on the failure to delete data or correct personal information after receiving a request when an exception does not apply, or is based on continuing to sell or share a consumer’s personal data after the consumer chooses to opt out.

What Should Businesses Do in the Meantime?

If you are a controller or processor subject to the Florida Digital Bill of Rights, you should take immediate action to develop the capabilities and policies necessary for compliance before the law takes effect on July 1, 2024. This includes conducting a privacy gap assessment, creating a reporting mechanism, preparing appropriate privacy policies, hiring and training employees to respond to requests, and creating an appeal procedure.

Kiteworks Helps Organizations Comply With the Florida Digital Bill of Rights

The Kiteworks Private Content Network (PCN) helps businesses demonstrate compliance with the Florida Digital Bill of Rights by providing a secure platform for handling and sharing sensitive communications including personal information.

Kiteworks employs extensive security controls, such as multi-factor authentication, granular policy controls, role-based permissions, security infrastructure integrations, and end-to-end encryption to ensure the privacy of personal information. In addition, Kiteworks uses a self-contained and preconfigured hardened virtual appliance that minimizes the attack surface of the communication channels an organization uses to exchange sensitive content with partners, customers, suppliers, and other trusted third parties.

By using Kiteworks, businesses can properly track, control, and secure digital communications of sensitive content belonging to Florida citizens when they share it with trusted parties by email, file sharing, file transfer, and other communication channels.

Kiteworks’ comprehensive audit logs also enable organizations to demonstrate compliance with data privacy regulations such as the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA).

For more information on how the Kiteworks Private Content Network can be used to comply with the Florida Digital Bill of Rights, schedule a custom-tailored demo today.

