Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Regulation

Florida Digital Bill of Rights

The Florida Digital Bill of Rights (FDBR) emphasizes transparency in technology usage, aiming to ensure Florida residents have privacy rights concerning the processing of their personal information and establishing data protection obligations for covered organizations. It grants the Department of Legal Affairs the authority to enforce, effective July 1, 2024.

Are you subject to the Florida Digital Bill of Rights (FDBR)?

The Florida DBR applies to any organization who meets the following criteria:

  • Organization is a controller conducting business in Florida that collects consumer personal data, makes more than $1 billion in global gross annual revenues; and

  • Processes or engages in the sale of personal information.

Obligations & rights under the FDBR

This data privacy and protection law requires organizations to provide control and transparency to Florida residents on how their personal information is collected, sold, and disclosed.

Consents & opt-outs

Before processing a consumer’s personal information, consent is required. Additionally, businesses must comply with the parental consent requirements of the Children’s Online Privacy and Protection Act (COPPA) before processing data from a known child. Consumers should have the option to opt out of targeted advertising, the sale of their personal information, profiling, and the collection of data through voice or facial recognition features.

Policies & notices

Provide consumers with a clear, accessible, and annually updated privacy notice outlining the categories of personal and sensitive information processed, shared with third parties, the purposes of data processing, and how consumers can submit data subject requests. If a business sells sensitive or biometric data, it must inform consumers with notices on the homepage:

  • Sensitive personal information
    “NOTICE: This website may sell your sensitive personal data.”
  • Biometric data
    “NOTICE: This website may sell your biometric personal data.”

Data subject rights & requests

Consumers have the right to access, correct, delete, opt out of processing, and exercise data portability rights concerning their personal information. Businesses must address these requests without undue delay and within 45 days of receiving the request. Additionally, businesses must notify consumers within 60 days, confirming compliance with the request.

Vendor management

Businesses must conduct vendor assessments and establish vendor contracts to ensure compliance concerning the data processing conducted on their behalf.

Webinar

Nymity Framework: Privacy & Data Protection Update in 7 States

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data.

Achieve compliance

FAQs

  • Who has privacy rights under the Florida Digital Bill of Rights (FDBR)?

    The FDBR provides privacy rights to Florida residents acting in an individual or household context. However, it excludes individuals acting in a commercial or employment context.

  • What is personal information and sensitive personal information under the Florida Digital Bill of Rights (FDBR)?

    Personal information refers to any data that is directly or indirectly associated with an identified or identifiable individual. This encompasses pseudonymous data when used alongside supplementary information that allows the identification of an individual. However, it excludes de-identified data and publicly available information.

    Sensitive personal information is a category of personal information that reveals (a) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (b) genetic or biometric data processed for the purpose of uniquely identifying an individual; (c) personal information of a known child; and (d) precise geolocation data. Under the FDBR, obtaining consent is mandatory before processing sensitive personal information. Additionally, consumers retain the right to opt out of the processing of their sensitive personal information.

  • Are data protection assessments required under the Florida DBR?

    A data protection assessment must be conducted and documented prior to any of the following.

    • The processing of sensitive information
    • Processing information for targeted advertising
    • The sale of personal information
    • Profiling that could lead to harm
    • High-risk processing

Related resources

View all resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top