
A Detailed Overview of Florida SB 262; New Data Privacy Protections for Florida Residents

On June 6, 2023, Florida Gov. Ron DeSantis signed into law SB 262, which grants Florida consumers certain rights relating to the processing of their personal data by businesses. Parts of SB 262 will come into effect in 2023.

This GT Alert aims to interpret the types of entities and individuals that will be subject to SB 262’s prohibitions and obligations. Just like SB 262, this alert is split into three parts: the Florida Digital Bill of Rights,[1] protection of children in online spaces,[2] and prohibition of government-directed content moderation of social media platforms.[3]

1.  The Florida Digital Bill of Rights.

The Florida Digital Bill of Rights (FDBR), which is the longest part of the bill, sets forth the bill’s substantive general data privacy provisions.[4] While the FDBR is somewhat modeled on a privacy bill recently passed in Texas and on California’s Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, CCPA), the FDBR’s protections address matters not addressed by the CCPA and other current and emerging comprehensive state privacy laws.

The FDBR contains numerous exceptions, and its unique applicability thresholds mean that most businesses are exempt from a majority of its scope.

A. To Which Businesses and Types of Personal Data Does the Florida Digital Bill of Rights Apply?

The FDBR applies to for-profit businesses that (1) conduct business in Florida or produce a product or service used by Florida residents, and (2) process or engage in the sale of personal data, except in a commercial or employment context.[5] Although the FDBR’s general applicability provisions appear to set forth a broad scope, as explained below, the class of businesses to whom it actually applies is significantly narrowed by its definition of “controller,” which is the type of entity to whom the FDBR’s obligations and prohibitions primarily apply.

The FDBR specifically exempts from its scope businesses or organizations that are financial institutions governed by the Gramm-Leach-Bliley Act, Florida agencies or political subdivisions, entities governed by the Health Insurance Portability and Accountability Act, non-profits, post-secondary educational institutions, persons processing personal data for purely personal or household activities, and persons processing data solely for advertising analytics.[6]

Generally, the FDBR’s requirements are divided into those applying to “controllers” and those applying to “processors.”[7] The FDBR defines “controller” as a legal entity that:

  1. is for profit, conducts business in Florida, and directly or indirectly collects personal data about “consumers”[8];
  2. alone or jointly determines the purposes and means of processing personal data about consumers;
  3. has an annual gross revenue exceeding $1 billion; and
  4. satisfies at least one of the following:
     (a) derives at least 50% of its global gross revenue from selling online ads, including providing targeted advertising;
     (b) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation (unless the smart speaker and voice command service is a motor vehicle speaker or device that is operated by a motor vehicle manufacturer or its affiliates/subsidiaries); or
     (c) operates an app store or digital distribution platform offering at least 250,000 different software applications for download and installation by consumers.[9]

An entity is also a controller if it controls or is controlled by a controller.[10] Due to the high revenue threshold and other requirements for an entity to be deemed a controller, the FDBR’s obligations on controllers will not apply to most businesses (except for the section dealing with sensitive data protection rights discussed below).

On the other hand, a “processor” is a person who processes personal data on behalf of a controller.[11]

While the FDBR generally applies to personal data, there are 21 categories of information that are exempt, including HIPAA-protected information, information subject to the Family Educational Rights and Privacy Act, information processed in compliance with the Driver’s Privacy Protection Act of 1994, consumer credit report information, financial information involved in a short-term payment processing transaction, and information shared between a manufacturer and its authorized third-party distributor or vendor for advertising or marketing.[12] Controllers and processors may also process, collect, and retain personal data without having to comply with the FDBR in certain situations, such as compliance with federal or state laws, government-related investigations or inquiries, and protecting the life or physical safety of consumers.[13]

B.  What Are the Obligations Imposed on Covered Businesses?

I.  CONTROLLERS

Although the FDBR’s controller obligations are similar to those set forth in other state privacy laws currently in effect, they are distinct in some respects. Under the FDBR, controllers must:

  1. uphold consumer rights provided by the FDBR,[14] such as a consumer’s rights to confirm that their personal data is being processed; correct, delete, and/or obtain a copy of their personal data in a portable and readily usable format (if feasible); opt out of personal data processing activities for purposes such as targeted advertising, personal data sales, and profiling that produces a legal effect; opt out of the collection of sensitive data;[15] and opt out of the collection of personal data through voice or facial recognition features, among others;[16]
  2. respond to consumers’ requests to exercise their rights “without undue delay” but no later than 45 days after receiving the request (subject to a 15-day extension if certain conditions are met); notify the consumer within 45 days of receiving the request if action cannot be taken on the request (with a justification for the inability to take action), including providing instructions on how a consumer may appeal the controller’s decision;[17]
  3. establish two or more methods for consumers to submit such requests;[18]
  4. limit collection and processing[19] of personal data to only that which is adequate, relevant, and reasonably necessary in relation to the processing purposes;[20]
  5. maintain reasonable administrative, technical, and physical data security practices;[21]
  6. not discriminate against consumers who exercise their rights and not process personal data in violation of federal laws prohibiting discrimination;[22]
  7. process sensitive data in accordance with the heightened requirements of the FDBR, including obtaining consent;[23]
  8. provide consumers with a reasonably accessible and clear privacy notice—updated at least annually—that meets the requirements set forth in the FDBR, including the following notice if the controller engages in the sale of sensitive data: “NOTICE: This website may sell your sensitive personal data”;[24]
  9. conduct and document data protection assessments for certain specified processing activities;[25] and
  10. when in possession of deidentified data, take reasonable measures to ensure the data cannot be reidentified, maintain and use the data in a deidentified form (except to determine whether the deidentification processes satisfy the FDBR), and contractually obligate any recipient of the deidentified data to comply with the FDBR.[26]

Barring certain limited exceptions, controllers must also adopt and implement a retention schedule that prohibits a controller or processor’s use or retention of personal data not subject to an exemption (1) after the satisfaction of the initial purpose for which such data was collected or obtained, (2) after the expiration or termination of the contract pursuant to which the information was collected or obtained, or (3) two years after the consumer’s last interaction with the controller or processor.[27]

With regards to sensitive data, any for-profit business or organization conducting business in Florida and collecting personal data about consumers (or any entity on behalf of which such information is collected) may not engage in the sale of sensitive data without prior consumer consent.[28]

II.  PROCESSORS

As compared to controller obligations, the FDBR’s processor obligations more closely align with those set forth in other comprehensive state privacy laws. For example, under the FDBR:

  1. the processor must adhere to the controller’s instructions regarding the controller’s duties, obligations, and requirements under the FDBR;
  2. the processor must assist the controller in responding to consumer rights requests and in complying with the controller’s duties to consumers in the event of a security breach;
  3. the controller and processor must execute a contract governing the processing to be performed by the processor on behalf of the controller, including the legal obligations of both parties; and
  4. the processor must provide necessary information to enable the controller to conduct and document data protection assessments and may allow for qualified and independent assessors to conduct assessments of the controller’s policies and the technical and organizational measures taken to safeguard personal data.[29]

The FDBR lists requirements for the written contract between a controller and processor, which is commonly executed between businesses as a data processing or data protection agreement or addendum.[30] Additionally, like controllers, processors must also adopt and implement a retention schedule that prohibits the use or retention of personal data not subject to an exemption by the controller or processor: (1) after the satisfaction of the initial purpose for which such information was collected or obtained, (2) after the expiration or termination of the contract pursuant to which the information was collected or obtained, or (3) two years after the consumer’s last interaction with the controller or processor.[31]

C.  Enforcement and Penalties; Effective Date.

The FDBR grants the Florida Department of Legal Affairs authority to enforce violations as an unfair and deceptive trade practice and the ability to provide a 45-day period to cure violations after notification.[32] It may also issue a civil penalty of up to $50,000 per violation or triple that amount if the violation involves a Florida consumer under 18 years of age, the entity fails to delete or correct applicable personal data, or if the entity continues to sell or share the consumer’s personal data after the consumer chooses to opt out of such sale or sharing.[33] The FDBR does not create or authorize a private right of action.[34]

While the FDBR will go into effect on July 1, 2024,[35] one section governing data protection assessments will apply to processing activities generated on or after July 1, 2023.[36]

2.  Protection of Children in Online Spaces.

A portion of the bill addresses the protection of children in online spaces. It primarily affects an “online platform,” which is defined as any “form of electronic communication through which users create online communities or groups to share information, ideas, personal messages, and other content” (i.e., a “social media platform”[37]), an online game, or an online gaming platform.[38] Regardless of the online platform’s presence in the state, the Florida Department of Legal Affairs may enforce violations against any online platform “which operates an online service, product, game, or feature likely to be predominantly accessed by children and accessible by Florida children”[39] after this section takes effect on July 1, 2024.[40] Furthermore, there is a 45-day period to cure after notification of the alleged violation.[41] If the online platform fails to cure the violation, it will be subject to a civil penalty of up to $50,000 per violation or triple that amount if the online platform has actual knowledge that the Florida child involved is under 18 years of age.[42]

Businesses that qualify as online platforms bear the burden of demonstrating that the processing of a child’s personal information does not violate the listed prohibited activities, which include:[43]

  1. processing the personal information of any child if the online platform knows or willfully disregards that such processing of personal information may result in substantial harm or privacy risk to children;[44]
  2. profiling a child, unless the online platform can demonstrate a compelling reason why that profiling does not pose a substantial harm or privacy risk to children; [45][46]
  3. collecting, selling, sharing, or retaining a child’s personal information that is not necessary to provide an online service, product, or feature, where a child is actively and knowingly engaged with such features, unless the online platform can demonstrate that such processing does not pose a substantial harm or privacy risk to the child;[47]
  4. using a child’s personal information for any reason other than the reason such personal information was collected, unless the online platform can demonstrate that such processing does not pose a substantial harm or privacy risk to the child;[48]
  5. collecting, selling, or sharing precise geolocation data of a child unless such collection is strictly necessary to perform the service, product, or feature and only then for a limited time;[49]
  6. collecting any precise geolocation data of a child without providing, during the duration of the collection, that child with an obvious sign that such data is being collected;[50]
  7. using dark patterns to encourage children to provide personal information beyond what would reasonably be expected to be provided for the online feature, service, game, or product; to forego privacy safeguards; or to take any action the online platform actually knows will, or willfully disregards that the action will, result in substantial harm or a privacy risk to the child;[51] and
  8. using any personal information collected to estimate age or age range for any other purpose or retaining that personal information longer than necessary to estimate age.[52]

This section also includes definitions for the sale or sharing of a child’s personal information. Notably, the definition of “share” includes “allowing a third party to advertise or market based on a child’s personal information without disclosure of the personal information to the third party.”[53]

3.  Prohibition of Government-Directed Content Moderation of Social Media Platforms.

Through a brief section that will become effective on July 1, 2023, SB 262 creates Fla. Stat. §112.23, which aims to limit government control of a “[s]ocial media platform.”[54] A “[s]ocial media platform” is defined as “a form of electronic communication through which users create online communities or groups to share information, ideas, personal messages, and other content.”[55]

Broadly, the bill prohibits government entities from (1) communicating with social media platforms to request that they remove accounts or content and (2) initiating or maintaining relationships with social media accounts for content moderation.[56]

These prohibitions do not apply if the government entity or its employees are engaged in the following:

  1. routine account management of the government entity’s own account, including “the identification of accounts falsely posing as a governmental entity, officer, or salaried employee”;
  2. an attempt to remove content or an account relating to the commission of crimes or a violation of Florida’s public records law; or
  3. investigation or inquiry related to the prevention of imminent bodily harm, property damage, or loss of life.[57]

4.  Takeaways

While only a limited number of large businesses conducting specific activities will be subject to the FDBR, the bill has requirements for other businesses to abide by in collecting and processing personal data.


[1] Fla. SB 262, §§ 4-27 (2023) (creating Fla. Stat. §§ 501.701-501.721 and amendments to Fla. Stat. §§ 501.171, 16.53).

[2] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735).

[3] Fla. SB 262, § 1 (2023) (creating Fla. Stat. § 112.23).

[4] Section 2 of the bill, which relates to protecting children online, uses the term “[p]ersonal information,” which is defined as “information that is linked or reasonably linkable to an identified or identifiable child, including biometric information and unique identifiers to the child.” Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(1)(f)). In contrast, the FDBR uses the term “[p]ersonal data,” which is defined as “any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual.” Fla. SB 262, § 5 (2023) (creating Fla. Stat. § 501.702(19)).

[5] Fla. SB 262, § 6 (2023) (creating Fla. Stat. § 501.703(1)). Note that in setting forth the FDBR’s applicability, the bill uses the term “person” instead of “business” or some other like term. Based on the specific exemptions to the FDBR’s scope, however, it appears the FDBR applies only to persons acting on behalf of a for-profit business engaged in certain commercial activities in Florida. Id.

[6] Fla. SB 262, § 6 (2023) (creating Fla. Stat. § 501.703(1)).

[7] Fla. SB 262, § 5 (2023) (creating Fla. Stat. § 501.702(9), (24)); see generally Fla. SB 262, § 13 (2023) (creating Fla. Stat. § 501.71) (controller duties); Fla. SB 262, § 15 (2023) (creating Fla. Stat. § 501.712) (processor duties).

[8] The FDBR defines “consumer” as an individual residing or domiciled in Florida who is acting only in an individual or household context (i.e., not in a commercial or employment context). Fla. SB 262, § 5 (2023) (creating Fla. Stat. § 501.702(8)).

[9] Fla. SB 262, § 5 (2023) (creating Fla. Stat. § 501.702(9)).

[10] Fla. SB 262, § 5 (2023) (creating Fla. Stat. § 501.702(9)(b)). For purposes of this provision, the term “control” means ownership of, or the authority to vote, more than 50 percent of any class of the controller’s voting securities, power over the election of a majority of directors or individuals exercising similar corporate functions, or the power to exert a controlling influence over a company’s management. Id.

[11] Fla. SB 262, § 5 (2023) (creating Fla. Stat. § 501.702(9)(b)).

[12] Fla. SB 262, § 7 (2023) (creating Fla. Stat. § 501.704).

[13] Fla. SB 262, §§ 19-20 (2023) (creating Fla. Stat. §§ 501.716-501.717).

[14] See Fla. SB 262, § 8 (2023) (creating Fla. Stat. § 501.705).

[15] The FDBR defines “sensitive data” as “[p]ersonal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status”; “[g]enetic or biometric data processed for the purpose of uniquely identifying an individual”; “[p]ersonal data collected from a known child”; and “precise geolocation.” Fla. SB 262, § 5 (2023) (creating Fla. Stat. § 501.702(31)).

[16] Fla. SB 262, § 8 (2023) (creating Fla. Stat. § 501.705).

[17] Fla. SB 262, § 9 (2023) (creating Fla. Stat. § 501.706); see also Fla. SB 262, § 10 (2023) (creating Fla. Stat. § 501.707) (establishing requirements for appeal process).

[18] Fla. SB 262, § 12 (2023) (creating Fla. Stat. § 501.709).

[19] Note that although the FDBR defines “processing,” it does not define “collection.”

[20] Fla. SB 262, § 13 (2023) (creating Fla. Stat. § 501.71(1)(a), (2)(a)).

[21] Fla. SB 262, § 13 (2023) (creating Fla. Stat. § 501.71(1)(b)).

[22] Fla. SB 262, § 13 (2023) (creating Fla. Stat. § 501.71(2)(b)-(c)).

[23] Fla. SB 262, § 13 (2023) (creating Fla. Stat. § 501.71(2)(d)); Fla. SB 262, § 18 (2023) (creating Fla. Stat. § 501.715).

[24] Fla. SB 262, § 14 (2023) (creating Fla. Stat. § 501.711); Fla. SB 262, § 18 (2023) (creating Fla. Stat. § 501.715(2)).

[25] Fla. SB 262, § 16 (2023) (creating Fla. Stat. § 501.713).

[26] Fla. SB 262, § 17 (2023) (creating Fla. Stat. § 501.714).

[27] Fla. SB 262, § 22 (2023) (creating Fla. Stat. § 501.719).

[28] Fla. SB 262, § 18 (2023) (creating Fla. Stat. § 501.715(1)).

[29] Fla. SB 262, § 15 (2023) (creating Fla. Stat. § 501.712).

[30] Fla. SB 262, § 15 (2023) (creating Fla. Stat. § 501.712(2)).

[31] Fla. SB 262, § 22 (2023) (creating Fla. Stat. § 501.719(3)).

[32] Fla. SB 262, § 23 (2023) (creating Fla. Stat. § 501.72(1)-(2)).

[33] Fla. SB 262, § 23 (2023) (creating Fla. Stat. § 501.72(1)).

[34] Fla. SB 262, § 23 (2023) (creating Fla. Stat. § 501.72(8)).

[35] Fla. SB 262, § 27 (2023).

[36] Fla. SB 262, § 16 (2023) (creating Fla. Stat. § 501.713(6)).

[37] Fla. SB 262, § 1 (2023) (creating Fla. Stat. § 112.23).

[38] Fla. SB 262, §§ 1-2 (2023) (creating Fla. Stat. §§ 112.23(1)(b), 501.1735(1)(e)).

[39] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(5)).

[40] Fla. SB 262, § 27 (2023).

[41] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(4)(b)).

[42] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(4)(a)).

[43] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(3)).

[44] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(2)(a)).

[45] Under Section 2 of the bill, “[p]rofile” or “profiling” “means any form of automated processing performed on personal information to evaluate, analyze, or predict personal aspects relating to the economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of a child.” Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(1)(i)).

[46] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(2)(b)).

[47] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(2)(c)).

[48] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(2)(d)).

[49] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(2)(e)).

[50] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(2)(f)).

[51] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(2)(g)).

[52] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(2)(h)).

[53] Fla. SB 262, § 2 (2023) (creating Fla. Stat. § 501.1735(1)(k)(1)).

[54] Fla. SB 262, § 1 (2023) (creating Fla. Stat. § 112.23).

[55] Fla. SB 262, § 1 (2023) (creating Fla. Stat. § 112.23(1)(b)).

[56] Fla. SB 262, § 1 (2023) (creating Fla. Stat. § 112.23(2)-(3)).

[57] Fla. SB 262, § 1 (2023) (creating Fla. Stat. § 112.23(4)).