Skip to Main Content
Main Menu

Florida Digital Bill of Rights

The Florida Digital Bill of Rights (FDBR) emphasizes transparency in technology usage, aiming to ensure Florida residents have privacy rights concerning the processing of their personal information and establishing data protection obligations for covered organizations. It grants the Department of Legal Affairs the authority to enforce, effective July 1, 2024.

Are you subject to the Florida Digital Bill of Rights (FDBR)?

The Florida DBR applies to any organization who meets the following criteria:
  • Organization is a controller conducting business in Florida that collects consumer personal data, makes more than $1 billion in global gross annual revenues; and

  • Processes or engages in the sale of personal information.

Obligations & rights under the FDBR

This data privacy and protection law requires organizations to provide control and transparency to Florida residents on how their personal information is collected, sold, and disclosed.

Consents & opt-outs

Consent must be obtained before processing the consumer’s personal information. Prior to processing the data of a known child, businesses must adhere to the parental consent requirements outlined in the Children’s Online Privacy and Protection Act (COPPA).

Consumers must be able to opt out of targeted advertising, the sale of personal information, profiling, and data collection through the operation of a voice recognition or facial recognition feature.

Policies & notices

Provide consumers with a clear, accessible, and annually updated privacy notice that outlines the categories of personal and sensitive personal information processed and shared with third parties, the purposes of data processing, the categories of third parties with whom data is shared, and instructions on how consumers can submit data subject requests. If a business engages in the sale of any of the following data, the equivalent notice must be provided to consumers in the same manner as the privacy notice and include the following links on the website homepage:

  • Sensitive personal information
    “NOTICE: This website may sell your sensitive personal data.”

  • Biometric data
    “NOTICE: This website may sell your biometric personal data.”

Data subject rights & requests

Consumers have the right to access, correct, delete, opt out of processing, and exercise data portability rights concerning their personal information. Businesses must be able to fulfill and address these requests without undue delay and within 45 days of receiving the request. Businesses are required to furnish consumers with notice within 60 days after receiving the request, confirming compliance with the consumer’s request.

Vendor management

Businesses must conduct vendor assessments and establish vendor contracts to ensure compliance concerning the data processing conducted on their behalf.


Nymity Framework: Privacy & Data Protection Update in 7 States

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data.


  • Who has privacy rights under the Florida Digital Bill of Rights (FDBR)?

    The FDBR provides privacy rights to Florida residents acting in an individual or household context. However, it excludes individuals acting in a commercial or employment context.

  • What is personal information and sensitive personal information under the Florida Digital Bill of Rights (FDBR)?

    Personal information refers to any data that is directly or indirectly associated with an identified or identifiable individual. This encompasses pseudonymous data when used alongside supplementary information that allows the identification of an individual. However, it excludes de-identified data and publicly available information.

    Sensitive personal information is a category of personal information that reveals (a) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (b) genetic or biometric data processed for the purpose of uniquely identifying an individual; (c) personal information of a known child; and (d) precise geolocation data. Under the FDBR, obtaining consent is mandatory before processing sensitive personal information. Additionally, consumers retain the right to opt out of the processing of their sensitive personal information.

  • Are data protection assessments required under the Florida DBR?

    A data protection assessment must be conducted and documented prior to any of the following.

    • The processing of sensitive information
    • Processing information for targeted advertising
    • The sale of personal information
    • Profiling that could lead to harm
    • High-risk processing

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top