The Digital Bill of Rights: Florida’s Unusual Privacy Law

Florida Flag

Privacy remains a major priority for state legislatures, as Florida recently passed and signed the “Digital Bill of Rights.” This new privacy law, which goes into effect on July 1, 2024, has a lot of familiar features, but is quite different in its scope, as compared to other state laws such the California Consumer Privacy Act or the Virginia Consumer Data Protection Act.

Here is a quick introduction to Florida’s Digital Bill of Rights, and what it might mean for your business.

Why the Florida Privacy Law Is Different

The most striking difference between the Digital Bill of Rights and its counterparts in other states is the strict limitation on which businesses it applies to. Unless you’re running a very large tech company, you won’t have to worry about most of the law’s requirements. 

That’s because most of the Florida law only applies to companies that make in excess of $1 billion in annual revenue and meet one of the following requirements:

  1. Derive 50% of more of their annual revenue from the sale of advertisements
  2. Operate a “smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service” (car makers excluded)
  3. Operate an app store with at least 250,000 different apps available for download

It’s fairly clear who the lawmakers are going after here—tech giants like Meta, Amazon, and Google—though it’s not entirely clear why they did so at the exclusion of everyone else. Most of the law’s requirements are very similar to those of other states (see our state law comparison chart to get a general idea), so it wouldn’t add much burden to businesses that already have to comply with other privacy laws. The end result is that Florida residents are less protected than residents of Tennessee, Iowa, Indiana, and others.

That said, there are some new privacy rights in this law that don’t exist elsewhere. For example, Floridians will be able to opt out of the collection of their personal data via voice and facial recognition features. Also, devices that make sensory recordings such as voice, video, or facial recognition, may not collect data while not in active use by the consumer unless the consumer has given their affirmative consent.


One Requirement May Still Apply to Your Business

There is one section of the Florida Digital Bill of Rights that may apply to your business even if you don’t meet the $1 billion revenue threshold—the section that deals with the sale of “sensitive data.” Any for-profit organization that (1) does business in Florida and (2) collects personal data about Florida residents must first get consumers’ consent before engaging in the sale of their sensitive data, as well as post a disclosure of the sale in their privacy notice. 

There are two important terms to understand: “sale” and “sensitive data.”

A “sale,” as defined by the Florida law, is the disclosure of personal data for monetary or other valuable consideration. The “other valuable consideration” part is important because it means money does not have to change hands. If your business makes personal data available in exchange for free or discounted access to software, for example, or for access to personal data from other controllers in a “data cooperative,” this could be considered a sale of personal data.

“Sensitive data” is any of the following four types of personal data:

  1. Personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
  2. Genetic or biometric data processed for the purpose of uniquely identifying an individual
  3. Personal data collected from a known child (anyone under the age of 18)
  4. Precise geolocation data (information that identifies a person’s specific location with a radius of 1750 feet)

For businesses that are already compliant or in the process of becoming compliant with other state privacy laws, this shouldn’t be a difficult requirement to implement. Most of the other state laws already require consumer consent for any processing of sensitive data, not just selling it. The only area where the Florida law is more expansive in this area is its definition of “child.” Here it means anyone under the age of 18, while in other states it typically only includes people under the age of 13. 

Simplify Your Privacy Compliance

State privacy laws are multiplying rapidly, and with each new addition compliance becomes more complicated. For businesses without in-house privacy expertise, keeping up with all of these changes can be a near-impossible task.

TrueVault US simplifies privacy management by combining it all into one platform. Through careful planning and analysis, we are able to unify compliance with privacy laws from across the United States into one streamlined workflow. Even if you’re starting from scratch, you can get your business compliant with US privacy laws in as little as a few hours. Our software helps you onboard vendors, create a comprehensive data map, respond to privacy requests, and more. 

Contact our team to view a demo of TrueVault US.

Schedule Call