Introducing Florida's new data privacy law: The Digital Bill of Rights
Florida's recent legislative stride, the Digital Bill of Rights (FDBR), marks a new change in the US data privacy landscape. It draws a line in the sand for big tech companies while setting a precedent for robust digital rights.
Signed into law by Governor Ron DeSantis, the FDBR aligns Florida with states like California and Virginia, in enhancing consumer privacy protections. However, it distinguishes itself with higher jurisdictional thresholds and unique provisions, which indicates a tailored approach to regulating big players in the digital space.
Set to take effect on July 1, 2024, the FDBR's reach is designed to be narrow, focusing on "controllers" with annual global revenue exceeding $1 billion and specific operational criteria.
This strategic limitation means that the FDBR primarily targets large tech entities, sparing smaller businesses from its remit. The law aims to curb the unfettered collection and use of personal data by entities deeply embedded in the digital economy, such as online advertising giants, smart speaker services, and digital distribution platforms.
Consumer protections and rights under the FDBR
The FDBR empowers Florida residents with substantial control over their personal data. Consumers can request access, correction, deletion of their data, and opt-out of targeted advertising, sale of their data, or profiling.
Some stand-out protections include:
Mandatory consumer consent before the collection or sale of sensitive data (including biometric and facial recognition data).
The bill defines children as up to age 18, and triples financial penalties for violations that affect them.
It details definitions of substantial harm and privacy risks to children and outlines strict prohibitions for online platforms that are predominantly accessed by children.
It prohibits government officials from moderating content on social media platforms, to enhance protections for vulnerable internet users and safeguard digital speech from governmental outreach.
Additionally, the FDBR introduces obligations for controllers and processors to adopt stringent data security practices, provide transparent privacy notices, and conduct data protection impact assessments for high-risk processing activities.
Limitations and implications of the law
Despite its ambitious scope, the FDBR's high jurisdictional thresholds mean its impact will be felt by a relatively narrow segment of the market, primarily large tech companies.
This focus reflects a deliberate strategy to address the data privacy practices of the most influential digital entities without burdening smaller businesses with compliance obligations.
For entities under its radar, the FDBR demands significant adjustments in data handling practices, especially concerning sensitive and children's data. The law's detailed requirements around consent, data security, and transparency set a high standard for privacy protections, potentially serving as a model for future legislation in other states.
As Florida positions itself as a contender in the digital privacy space, the implications for big tech companies and the broader landscape of data protection laws are profound. The FDBR's targeted approach, emphasising consumer rights, children's online safety, and restrictions on government content moderation showcases a nuanced understanding of the contemporary challenges in an increasingly digitized world.