On 4 May, the Florida Legislature passed Senate Bill 262, the Florida Digital Bill of Rights. Unlike the comprehensive privacy laws recently enacted in other states, most of the bill's provisions carry narrow scopes that apply only to large technology companies.

However, there are two parts of SB 262 that will apply broadly if Gov. Ron DeSantis, R-Fla., signs the bill into law.

Notably, SB 262 also includes youth privacy and safety provisions which apply to a broader range of entities than the Digital Bill of Rights section. For purposes of this overview, these children's provisions will be set aside for future analysis and comparison with other recent youth privacy laws.

Provisions with broad impact

All commercial entities that store electronic data regarding Floridians are already subject to Section 501.171 of the Florida Information Protection Act, which requires "covered entities" to take "reasonable measures" to protect and secure data containing personal information, and in the event of a data breach, follow reporting requirements.

SB 262 would expand FIPA's definition of personal information beyond things like Social Security numbers, government IDs and financial account information to include biometric and geolocation data.

Biometric data is defined as "data generated by automatic measurements of an individual’s biological characteristics," including fingerprints, voiceprints, retinas or irises and other unique biological patterns used to identify a specific individual.

FIPA provides exclusive enforcement authority to the Office of the Florida Attorney General, and there is no private cause of action.

SB 262 would also impose restrictions on for-profit companies doing business in Florida that collect sensitive data regarding Floridians. Sensitive data is defined in SB 262 to include: personal data revealing an individual's race, ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data from a known child; and precise geolocation data.

Specifically, SB 262 prohibits companies from selling sensitive data without receiving prior consent from the consumer or processing sensitive data of children without the affirmative authorization defined under the Children's Online Privacy Protection Act. While COPPA applies to children under age 13, SB 262 defines a child as an individual under the age of 18. The bill would also require companies that sell sensitive personal data to provide the following statement on their website: "NOTICE: This website may sell your sensitive personal data."

The narrower application

Scope

The proposed Digital Bill of Rights would codify common fair information practice principles. However, the application of those principles is, for the most part, limited to a uniquely defined set of "controllers."

In scope of the proposed statute, controllers must make over USD1 billion in global annual revenue and fall under any of the following categories:

• Derive at least 50% of its global gross revenue from the sale of online advertising.
• Operate a smart-speaker and voice-command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation.
• Operate an app store or a digital distribution platform that offers at least 250,000 apps for consumers to download.

By way of comparison, other states use a monetary threshold as part of their scoping provisions. The disjunctive list of requirements would be unique to Florida, creating limits on the application of the law.

Consumer Rights

Florida consumers would have a range of data rights, including the right to confirm controller possession along with rights to access, correct, delete and obtain a copy of their data. Additional opt-out rights allow consumers to limit targeted advertising, data sales, certain profiling, and collection of defined sensitive and biometric data.

Controller obligations include establishing two or more methods for consumers to submit requests to exercise their rights, and responding to consumer request responses within 45 days. Pursuant to Section 501.706 (2) of the bill, response periods can be extended to 60 days "when reasonably necessary." Establishing processes for consumer appeals against a controller’s refusal to take a requested action is also required.

SB 262 prohibits any form of discrimination in data subject requests. It also does not allow controllers to process sensitive data without obtaining consent as defined under the statute.

Any contractual waiver or limitation on these consumer rights is deemed contrary to public policy and is void.

Significantly, while the term personal data is broadly defined, it does not include pseudonymous data, which includes most third-party cookies or aggregated/anonymous consumer information. Other states provide certain exemptions for pseudonymous data, but they generally do not exclude it entirely from their privacy laws.

Limited collection, use, and retention of data

Consistent with fair information practice principles, SB 262 would impose a number of duties upon controllers. Those include limits on personal data collection to what is reasonably necessary to the purpose of processing and the implementation of  "reasonable administrative, technical and physical data security practices."

Data retention duties are also provided for under the bill. Controllers must create retention schedules that "prohibit use or retention of data after the satisfaction of the initial purpose for which the data was collected, after the expiration of the party’s contract, or 2 years after the consumer’s last interaction with the controller or processor." 

Big Tech 'surveillance'

In addition to giving consumers the right to opt out of the collection of personal data through voice and facial recognition technology by controllers, SB 262 would prohibit controllers from using those technologies for surveillance purposes. The surveillance data collection opt-out extends to audio or video recording features, or "any other electronic, visual, thermal, or olfactory feature that collects data" to use those features "for the purpose of surveillance." Controllers and processors are prohibited from collecting data when devices are not in active use by a consumer, unless expressly authorized by the consumer. 

The term surveillance is not defined in SB 262, and thus controllers will need to be careful when crafting any opt-in for consumer authorization.

Data protection assessments

As discussed above, FIPA already requires companies to "take reasonable measures to protect and secure data … containing personal information," and SB 262 would require controllers to develop and implement reasonable data security practices.

The bill adds the requirement to conduct and document data protection assessments for certain processing activities involving personal data. Activities that require an assessment include sensitive data processing and processing activities for data sales, targeted advertising and profiling that "presents reasonably foreseeable or heightened risk of harm to consumers."

Controllers are required to address and consider a number of factors impacting risks associated with data collection and processing, and reasonable expectations of consumers, but SB 262 does not state how often such assessments must be conducted, or whether or how long the assessment must be preserved. However, the bill provides the Florida attorney general with the authority to request such assessments.

Privacy notices

The bill would require controllers to provide a reasonably accessible and clear privacy notice. Controllers must update notices at least annually, including certain disclosures to consumers regarding the controller’s data collection, processing and use practices.

If the controller engages in the sale of sensitive data or biometric data, the controller must provide a specifically-worded statement alerting users to that fact on their website.  If the controller sells or processes personal data for the purpose of targeted advertising, the controller must disclose that process and the manner in which a consumer can opt out of the process.

The bill would prohibit controllers from collecting or using additional categories of personal information without providing notice to consumers.

Specifics for consumer consent

A number of SB 262's provisions prohibit companies from using, processing, or selling sensitive or personal data in certain circumstances without obtaining the consumer's consent.

As defined under the bill, consent requires a clear affirmative act signifying a consumer's specific, informed and unambiguous agreement to process data relating to the consumer. Consent may be written, including by electronic means, but it cannot be obtained by acceptance of general or broad terms of use. Collection by hovering over, muting, pausing or closing some content, or through the use of "dark patterns" is prohibited as well.

In other words, companies cannot rely upon consumer acceptance of general terms of use or on a website's privacy notice to establish consumer consent for purposes of SB 262.

Enforcement

The Florida attorney general will have exclusive enforcement authority over the provisions of SB 262. The bill provides for penalties of up to USD50,000 per violation, which can be tripled under certain circumstances. The attorney general will have the discretion to provide a notice and 45-day cure period.

If signed by the governor, the consumer data protection provisions of SB 262 would go into effect 1 July 2024.