Skip to main content

Florida Digital Bill of Rights

The Florida Digital Bill of Rights imposes comprehensive privacy obligations mainly on very large technology companies exceeding 1 billion dollars in revenue. It grants consumer rights, requires consent for sensitive data, and adds protections for children's data, enforced by the Florida Attorney General.

Jurisdiction
Florida

Florida Digital Bill of Rights

The Florida Digital Bill of Rights (FDBR), enacted as Senate Bill 262, is Florida's consumer privacy statute. It took effect on July 1, 2024. Unlike most state privacy laws, the FDBR's comprehensive controller obligations apply only to very large technology companies, defined primarily by a high revenue threshold. It also contains provisions on children's online protections and on government-directed content moderation.

Who It Applies To

The core controller obligations apply to entities that make in excess of 1 billion dollars in global gross annual revenue and meet at least one additional criterion, such as deriving 50 percent or more of revenue from the sale of online advertisements, operating a consumer smart speaker and voice command service, or operating an app store with at least 250,000 applications. This unusually high threshold means most businesses are not subject to the full obligations. Certain provisions, such as those covering sensitive data of known children, apply more broadly. HIPAA and Gramm-Leach-Bliley data are exempt.

Key Requirements

In-scope controllers must provide a privacy notice and honor consumer rights to access, correct, delete, obtain a portable copy, and opt out of the sale of personal data and targeted advertising, and of profiling with significant effects. Sensitive data, including precise geolocation and biometric data, requires opt-in consent. The law restricts processing of the personal data of known children and addresses voice and facial recognition data collected by connected devices.

Penalties for Non-Compliance

The Florida Department of Legal Affairs, under the Attorney General, enforces the law as a violation of the Florida Deceptive and Unfair Trade Practices Act. Civil penalties may reach up to 50,000 dollars per violation, and may be tripled for violations involving known children or for failing to delete or correct data after a request. A 45-day cure period applies.

How to Comply

First determine whether you meet the 1 billion dollar revenue threshold and the additional criteria; most companies will not. If in scope, publish an accurate privacy notice and implement consumer-request workflows. Build opt-in consent for sensitive data, including geolocation and biometrics, and ensure heightened protections for children's data and connected-device voice and image data.

Relationship to Other Laws

Florida is an outlier among state privacy laws because its core obligations target only very large technology companies meeting a 1 billion dollar revenue threshold and specific business criteria. Most ordinary businesses fall outside the comprehensive duties, though narrower provisions on children's data and connected-device voice and image data apply more broadly. Organizations should first run the revenue and criteria test before investing in full Florida compliance, while still attending to the children's and device-data provisions where relevant.

Operational Mechanics

Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.