Florida is the latest state to pass a consumer privacy bill, pending Governor DeSantis’ signature, that will go into full effect on July 1, 2024.
While the Florida Digital Bill of Rights found in S.B. 262 provides rights similar to those in the other state laws going into effect, it also differs in important and significant ways. The primary difference is the definition of a “controller.” A controller must have $1 billion in global gross revenue (a significant departure from the $25 million requirement in other states), and at least one of the following: i) derives 50% of global gross revenue from the sale of advertisements online; ii) operates a consumer smart speaker and voice command service; or iii) operates an app store or digital distribution platform with at least 250,000 different software applications. Based on these threshold requirements, most of the bill is clearly intended to target only a select group of businesses. However, there are obligations placed on businesses that don’t meet the full definition of a controller in Section 501.715, as we discuss below.
The bill provides new rights for Florida residents, including a right to opt out of the collection of sensitive personal data and a right to opt out of the collection of personal data through a voice recognition feature. Applicable businesses will therefore need to adjust their current consumer rights request programs to process requests for these new consumer rights.
Although this bill clearly focuses on the top tech and data companies, the definitions of “processor” and “third party” do not have these same limitations, so there are still implications for businesses that process data on behalf of these large companies as well as those that receive data in a third-party capacity. Thankfully, the requirements follow the other state laws and mandate such things as specific contractual requirements and an obligation to assist controllers in their compliance with this law.
Although the bill is largely targeted to businesses with over $1 billion in revenue, one section sets requirements that all businesses (for-profit businesses conducting business in Florida that collect personal data about consumers, without a revenue threshold) must follow. Under Section 501.715, all businesses must obtain prior consent from a consumer before selling that consumer’s sensitive data. Further, if a business sells sensitive data, it must include the following notice on its website: “NOTICE: This website may sell your sensitive personal data.” Section 501.715(2). Sensitive data is defined as “(a) Personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status[;] (b) Genetic or biometric data processed for the purpose of uniquely identifying an individual[;] (c) Personal data collected from a known child[; or] (d) Precise geolocation data.” Section 501.702(31)(a)-(d). Precise geolocation data is limited to a radius of 1,750 feet. Section 501.702(22).
S.B. 262 does not include a private right of action, and is enforced by the Department of Legal Affairs (the Florida Attorney General). A 45-day cure period is at the discretion of the Florida AG. Civil penalties can reach up to $50,000 per violation.
In addition, the definition of personal information, as used in Florida’s data breach statute, Section 501.171, is expanded by S.B. 262 to include both biometric information and information regarding a person’s geolocation (if in combination with the individual’s first name or first initial and last name). This is an important development for all businesses to consider in reviewing their breach notification obligations.
The PW team will continue to monitor the developing privacy law landscape to keep you in the loop. For more information, contact the authors or your SPB relationship partner.