Florida’s Comprehensive Privacy Law: A Digital Bill of Rights

As of May 4, 2023, Florida became one of the latest states to pass a comprehensive privacy bill (SB 262), entitled the Florida Digital Bill of Rights (DBR). If signed by the governor of Florida, the bill will require the largest companies (those with at least $1 billion in annual global gross revenue and meet other provisions) to pay the largest fines per violation. What makes Florida’s privacy bill stand out from other regulations?

Thresholds and terminology for covered entities

All privacy laws have nuanced differences, but the Florida DBR is a bit more dramatic with the differences compared to existing privacy laws. Many terms follow Virginia’s CDPA and EU’s GDPR, but the fines and thresholds are much higher. Although there is no private cause of action, the Florida Department of Legal Affairs can enforce the law and impose civil penalties up to $50,000 per violation with increases in certain instances.

Data Subject vs Consumer

The term “data subject” is a legal and technical term used in privacy and data protection regulations to refer to individuals whose personal data is being processed. While some may argue that the term can be dehumanizing, it is important to understand the context in which it is used.

The term “data subject” is primarily employed in legal and regulatory frameworks to establish rights, responsibilities, and safeguards concerning the collection, use, and processing of personal data. It is intended to encompass all individuals whose data is being handled, including customers, employees, website users, and others. EU’s GDPR and Brazil’s LGPD use the term “Data Subject.”

The Florida DBR, like California’s CCPA, uses the term “Consumer.” A “Consumer” means a natural person who resides in or is domiciled in this state, however identified, including by any unique identifier, who is acting in a personal capacity or household context. The term does not include a natural person acting on behalf of a legal entity in a commercial or employment context.

Florida uses “Controller” and “Processor” similar to the EU’s GDPR.

Controller

A “controller” is a legal entity or organization that conducts business in Florida, collects personal data about “consumers” (either controls the data, or collects on behave of a controller), determines the purposes and means of processing personal data about consumers alone or jointly with others;

• Makes $1 billion or more in global gross annual revenues; and
• Derives 50 percent or more of its global gross annual revenues from online advertisement, including providing targeted advertising or the sale of advertisements online;
• Operates a “consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation” (think Apple’s Siri function or Amazon’s Alexa), but excluding certain voice command features connected to a vehicle that is operated by a motor vehicle manufacturer; or
• Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

Processor

A Processor is a legal entity that provides a “for profit” processing service of personal information on behalf of a controller. “Processing” means any operation or set of operations performed on personal information or on sets of personal information, regardless of whether by automated means.

Sell and Share

The Florida DBR uses sell or share. These terms definitions have been debated, and Florida has very clear definitions. “Sell” means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, a consumer’s personal information or information that relates to a group or category of consumers by a controller to another controller or a third party for monetary or other valuable consideration.

“Share” means to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer’s personal information for advertising or marketing.

The term includes:

• Allowing a third party to advertise or market to a consumer based on a consumer’s personal information without disclosure of the personal information to the third party.
• Monetary transactions, nonmonetary transactions, and
• Transactions for other valuable considerations between a controller and a third party for advertising or marketing.

Precise geolocation data

“Precise geolocation data” is any information from technology that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. This does not include information generated by transmission of communications or utilities equipment.

Technology Transparency

The Florida DBR contains an Act within an Act that is meant to protect “freedom of speech” on social media platforms. If signed into law, government-directed content moderation on social media platforms will be prohibited. A member of a government entity may not use their position or resources to remove content or accounts unless connected to a crime. “Social media platform” is any form of electronic communication that communities use to share information, ideas, opinions, personal messages, and other personal content.

Preparing for the Florida Digital Bill of Rights

Privacy laws in the United States are a complex and continually evolving. Until there is a Federal Act that sets the baseline, corporations should expect challenges to meet compliance. As consumers continue to generate and share personal information in their daily digital lives, the need for strong privacy protections will only continue to grow. Clarip takes data privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust!

For more 2023 Privacy Readiness on all emerging US laws, request a copy today! Learn how Clarip’s privacy governance platform is powered with true automation. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.