Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On 13 Oct., Florida Attorney General James Uthmeier announced that his Office of Parental Rights filed a civil enforcement action against Roku and its Florida subsidiary for violations of the Florida Digital Bill of Rights. According to the complaint, Roku used unfair, deceptive and unconscionable business practices to “build a vast and lucrative Florida user base that includes vulnerable children.”
The lawsuit follows a similar suit filed in April by the Michigan attorney general’s office, which alleged that Roku’s collection of children’s data violated the Children’s Online Privacy Protection Act, along with a handful of other allegations, including one under the Video Privacy Protection Act. Roku filed a motion to dismiss in that case, and a hearing is scheduled for 19 November.
A narrow law, interpreted broadly
The Florida Digital Bill of Rights is often excluded from lists of "comprehensive" consumer privacy laws. Most of the law’s operative provisions are extremely narrow in application due to multiple high thresholds of applicability, including a revenue threshold of USD1 billion — Roku’s operating revenue in 2024 was USD3.4 billion.
Nevertheless, when companies do fall within scope of the law, Florida includes notable operational requirements that set it apart from the 19 states with similar laws. As some of these unique features are apparent in the Florida attorney general’s complaint against Roku — including rules for teens’ personal data with an expansive knowledge standard — the case should serve as a wake-up call for companies that may be operating near the edge of applicability of the Florida Digital Bill of Rights.
Roku will likely challenge Attorney General Uthmeier’s assertions about the applicability of the law. With this in mind, he offers two separate theories of applicability, relying on two of the three independent activity thresholds that Florida’s law contemplates. First, companies fueled by ad-revenue can fall within the scope of Florida’s law. The attorney general alleges that Roku meets the threshold of deriving more than 50% of its revenue from the “sale of advertisements online.” It’s notable that, while the statutory language mentions “providing targeted advertising” as one part of this threshold, it appears to be worded to apply to any type of online advertising revenue.
Second, Florida’s law includes a unique provision that brings companies operating services through smart speakers and similar devices within the scope of the law. The attorney general signals a willingness to broadly interpret this provision in the complaint, pointing to the voice command service integrated within Roku’s remote controls. The statutory language appears quite specific, applying only to a company that “operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation.” This suggests Uthmeier may be hard pressed to prove applicability of this provision, though a lot will turn on the types of hardware Roku offers.
The final independent activity threshold that could allow a company to fall within the scope of the Florida law is meant to capture those Big Tech companies that operate app store platforms “with at least 250,000 different software applications for consumers to download and install,” a category which does not apply to Roku.
Not so narrow after all?
Florida’s law has often been discounted due to the smart speaker provision, leaving many privacy professionals with the impression that the bill serves as a sort of signaling tool.
One point is often overlooked, though: even if an organization does not meet the revenue or activity thresholds, some aspects of Florida’s law still apply. The thresholds above are included in the definition for “controller” under the law. The obligations applicable to processors are in effect without regard to revenue or other thresholds; any for-profit entity that conducts business in Florida and collects personal data must obtain consumer consent prior to selling that consumer's sensitive personal data or biometric data.
Teens are everywhere
As state-level requirements for youth privacy and online safety continue to proliferate, Florida’s rules for processing the personal data of teenagers are not unique, but they are notable in the context of general consumer privacy laws.
The Florida Digital Bill of Rights defines “child” to mean any individual under the age of 18 and treats all personal data collected from a “known child” as “sensitive personal data.” For younger children, i.e., those under age 13, compliance with the Children’s Online Privacy Protection Act is carved out as sufficient to meet Florida’s law.
But for minors older than the age of applicability under COPPA, controllers may not engage in the processing or sale of their personal data “without processing that data with the affirmative authorization for such processing by a known child who is between 13 and 18 years of age.” Therefore, Florida effectively requires opt-in consent twice, for both the processing and sale of personal data from minors.
Building on this, Florida recently adopted House Bill 3, currently enjoined, which prohibits children ages 12-14 from having or making social media accounts and enforces strict parental controls for teens aged 14-16.
To willfully disregard is to know
Another notable aspect of the Florida law is the term “known child,” which Florida’s legislature explicitly decided to expand beyond the traditional “actual knowledge” test under COPPA. As defined in the Florida Digital Bill of Rights, “known child” means “a child under circumstances of which a controller has actual knowledge of, or willfully disregards, the child’s age.”
For some time, “willfully disregards” remained undefined under Florida law. In 2024, however, clarifying regulations were released — as required under the law — that included guidance on what this knowledge standard means in practice.
As it happens, this is a load-bearing component of the Florida attorney general’s case against Roku, which it alleged willfully disregarded the age of young users of its platform.
To prove this allegation, Uthmeier will need to show that Roku’s actions met the test for willful disregard. That is, “based on the facts or circumstance readily available to the controller, should reasonably have been aroused to question whether a consumer was a child and thereafter failed to perform reasonable age verification.”
Big trouble in little Florida
In the complaint, Uthmeier lays the groundwork for this, relying heavily on the age-banded content categories on the Roku platform and data showing the prevalence of young viewers. Notably, the attorney general appears to embrace a household-level analysis of privacy practices, arguing that the presence of young viewers should trigger the sensitive data restrictions of the law. As the complaint puts it, “Roku is present in millions of Florida households and therefore cannot plausibly claim ignorance of the fact that a substantial portion of its Florida user base includes children.” Further, Roku hosts a variety of third-party apps that Uthmeier argues are targeted to children.
Violations of the Florida Digital Bill of Rights count as per se violations of the state’s consumer protection law, so Uthmeier includes three claims of unfair or deceptive practices in the complaint. As the attorney general points out, each violation with respect to each affected user in Florida is subject to civil penalties of up to USD50,000. For those violations involving known children, the max penalty is tripled to USD150,000 per violation. While Uthmeier does not assert just how many violations Roku is being accused of, it’s likely that these violations will add up to tens of millions, if not hundreds of millions, if the attorney general’s estimation of millions of child users holds up.
Unauthorized processing of sensitive data
Though the allegations are focused on Roku’s handling of young users’ data, the complaint also alleges that the company has failed to obtain consent to process sensitive data from all users, “including geolocation data.”
Setting that aside, the rest of the unauthorized processing count is related to the data of children and teens. The attorney general alleges that Roku willfully disregards children on its platform when households download and install kid-targeted apps, screensavers, channels, or when users in any given session view child-directed content, including content on channels that self-identify in their title or description as targeting "kids," "kidz," "boys," "girls," or "teens."
Sale of sensitive data
Under a similar set of alleged facts, Uthmeier also claims Roku sells the sensitive personal data of its users, including precise geolocation information, without obtaining consent. If correct, this means the company also does not comply with the requirement under the law to include a special notice about the sale of sensitive data.
As for the personal data of young users, the same alleged insufficiencies also apply to the second count in the complaint. In short, “Roku processes and sells this sensitive data to advertisers and data brokers without obtaining affirmative authorizations from children between ages 13 and 18 and without performing any age verification, obtaining affirmative authorization or consent, or otherwise complying with [the Florida Digital Bill of Rights] with respect to the sensitive data of children under age 13.”
Reidentification raises its head
With a final flourish, Uthmeier points to another interesting feature of Florida’s law in the third count in its complaint against Roku, which alleges that the company failed “to prevent reidentification under the Florida Digital Bill of Rights.”
The attorney general claims specifically that some of the data Roku shares with third parties, “including advertisers and data brokers like Kochava,” is shared in a deidentified form. However, according to the complaint, the company “fails to take reasonable measures to ensure that the data it shares with data brokers and advertisers cannot be associated with an individual.” This quotes the statutory text of the Florida Digital Bill of Rights in a provision about deidentified data, which also explicitly requires controllers to “contractually obligate any recipient of the deidentified data to comply with this part.”
Why this case matters
Companies, even those not traditionally considered Big Tech, should take the Roku complaint seriously as it signals Florida’s intent to aggressively interpret the Florida Digital Bill of Rights — a law that many privacy pros discounted due to its unique smart speaker provision — transforming the law from a signaling bill into a particularly heavy cudgel. Attorney General Uthmeier won't stop with Roku either if the office's recent aggressive investigations are anything to go by.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.
Katelyn Ringrose, CIPP/E, CIPP/US, CIPM, FIP, is an associate and Alexander Southwell, CIPP/US, is a partner at McDermott, Will & Schulte.
Editor's note: Stephen Reynolds, CIPP/US, and Anthony Upshall, partners at McDermott, Will & Schulte, contributed to this article.
