On May 4, the Florida House passed an amended version of SB 262, a bill establishing the Florida Digital Bill of Rights. The bill now moves to Governor Ron DeSantis’s desk for signature. If enacted, SB 262 would be an important development for the small set of companies that meet the law’s narrow definition of a “controller,” but its overall scope is narrower than that of the “comprehensive” privacy laws passed in other states this year (Iowa, Indiana, Montana, and Tennessee). Still, as we elaborate below, the law does contain provisions on the processing of “sensitive data” that apply to businesses more broadly and that companies operating in Florida should account for.
SB 262’s defining characteristic is its scope. Unlike the state comprehensive privacy laws that have been enacted to date, SB 262 defines “controller” extremely narrowly, to include only entities that generate more than $1 billion in global revenues and either: (1) derive at least 50% of those revenues from online advertisement sales; (2) operate a consumer smart speaker and voice command service; or (3) operate an app store with at least 250,000 apps. This means that the bulk of the bill’s provisions will not apply to most businesses. That does not mean, however, that other businesses should ignore SB 262 entirely. The bill’s provisions requiring consumer consent for the sale of “sensitive data,” for instance, apply to any for-profit entity that conducts business in Florida. And other novel features of SB 262, such as its expanded set of opt-out rights, while applicable here only to the bill’s narrow class of “controllers,” could be incorporated into future privacy law proposals with broader applicability.
In this post, we identify notable takeaways from SB 262 and summarize the bill’s key provisions. We are happy to answer any questions you have about this bill and its implications for your company’s privacy compliance program. To keep abreast of the latest state privacy law developments, be sure to follow the WilmerHale Privacy and Cybersecurity Law blog.
- Narrow Applicability: SB 262 is most notable for its narrow definition of “controller,” which applies only to entities that, among other things, generate more than $1 billion in annual global revenues and satisfy at least one of the following requirements: (1) derive at least 50% of global annual revenues from the sale of advertisements online; (2) “[o]perate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation”; or (3) operate an app store or digital distribution platform with at least 250,000 apps. Notably, this narrow scope does not apply to the bill’s requirement that entities obtain consumer consent before selling sensitive data — that provision applies to any for-profit entity that conducts business in Florida and collects personal data.
- Expanded Opt-Out Rights: In addition to the opt-out rights frequently found in state comprehensive privacy laws (e.g., the right to opt out of processing of personal data for the purposes of targeted advertising, sale of personal data, and certain types of profiling), SB 262 also grants consumers the right to opt out of the collection or processing of sensitive data, as well as the right to opt out of the collection of personal data collected through a voice or facial recognition technology.
- Exclusive AG Enforcement and Cure Period: SB 262 does not create a private right of action, instead relying solely on the Florida Department of Legal Affairs for enforcement. In addition, the Act creates a discretionary 45-day cure period that the Department may grant before initiating an enforcement action.
- Government Moderation of Social Media and Protection of Children in Online Spaces: In addition to the Florida Digital Bill of Rights, which constitutes the bulk of the bill, SB 262 also includes provisions that impose restrictions on government-directed content moderation of social media platforms and provide protections for children engaging with online platforms.
- Effective Date: Subject to specified exceptions, the Act will go into effect on July 1, 2024; the provisions restricting government-directed content moderation of social media platforms take effect earlier, on July 1, 2023.
Key provisions of Florida SB 262 include the following:
- Definition of “Controller”: Defines “controller” to include for-profit entities that conduct business in Florida, collect personal data about consumers, determine the purposes and means of processing that personal data, generate more than $1 billion in global gross annual revenues, and satisfy at least one of the following: (1) derive at least 50% of global gross annual revenues from the sale of advertisements online; (2) “[o]perate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation”; or (3) operate an app store or digital distribution platform with at least 250,000 apps.
- Broad Exemptions: Exempts various entities and information types, including state agencies and political subdivisions of the state; financial institutions and information subject to GLBA; entities and information governed by HIPAA; nonprofit organizations; postsecondary educational institutions; information subject to FCRA; information subject to FERPA; and certain employment-related data. In addition, entities that comply with COPPA’s parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Definition of “Consumer”: Exempts individuals acting in commercial or employment contexts from the class of “consumers” protected by the Act.
- Consumer Data Rights: Creates individual rights for consumers, including the right to confirm whether a controller is processing personal data; the right to access personal data; the right to delete personal data; the right to correct personal data; the right to obtain a portable copy of personal data; the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or “[p]rofiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer”; the right to opt out of the collection or processing of sensitive data; and the right to opt out of the collection of personal data collected through a voice or facial recognition technology.
- Prohibition on Surveillance: Expressly prohibits using a device’s voice or facial recognition, video, audio, or other monitoring features to conduct surveillance of a consumer when those features are not in active use by the consumer, absent the consumer’s express authorization.
- Privacy By Design: Incorporates privacy by design principles, including purpose limitation and reasonable data security measures.
- Consent for Sensitive Data Processing and Sale: Prohibits controllers from processing sensitive data without obtaining consumer consent. In addition, any for-profit entity that conducts business in Florida and collects personal data must obtain consumer consent before selling sensitive data.
- Search Engine Transparency: Requires that search engines publish descriptions of the main parameters used to determine search results rankings, as well as the relative importance of those parameters.
- Privacy Notice: Requires that controllers publish privacy notices that describe categories of personal data processed; purposes of processing; how consumers may exercise their data rights; categories of personal data shared with third parties; and categories of third parties with which personal data is shared. In addition, controllers must provide additional notices if they sell sensitive or biometric personal data.
- Processor Duties: Imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s execution of data processing activities on behalf of the controller.
- Data Protection Assessments: Requires controllers to conduct data protection assessments for processing activities including: processing of personal data for purposes of targeted advertising; sale of personal data; processing of personal data for purposes of profiling (if the profiling presents certain specified risks); processing of sensitive data; and any other processing activities that “present a heightened risk of harm to consumers.”
- Retention Schedules: Requires controllers and processors to implement retention schedules that prohibit the use or retention of personal data after satisfaction of the purpose for which the data was collected, after termination of the contract pursuant to which the data was collected, or two years after the relevant consumer’s last interaction with the controller or processor.
- Enforcement: Grants the Department of Legal Affairs exclusive authority to enforce the Act. A violation of the Act is deemed an unfair and deceptive trade practice. In addition, the Act authorizes civil penalties of up to $50,000 per violation, with treble damages available in specified circumstances.
- Discretionary Cure Period: The Department of Legal Affairs may grant a 45-day cure period to alleged violators prior to bringing an enforcement action.
- Rulemaking Authority: Grants the Department of Legal Affairs rulemaking authority to assist in implementation of the Act.
- Effective Date: Subject to specified exceptions, the Act will go into effect on July 1, 2024.
- Government Content Moderation of Social Media Platforms: Imposes restrictions pertaining to government-directed content moderation of social media platforms. These provisions take effect on July 1, 2023.
- Protection of Children in Online Spaces: Imposes various requirements intended to protect children on online platforms, including a prohibition on processing that “may result in substantial harm or privacy risk to children”; restrictions on platforms’ ability to profile children; and restrictions on platforms’ ability to collect, sell, share, use, or retain children’s personal information (with particular focus on precise geolocation data and the use of dark patterns). Violations of these provisions are treated as unfair and deceptive trade practices and are subject to $50,000-per-violation civil penalties. Like the Digital Bill of Rights, these provisions will be exclusively enforced by the Department and are subject to a discretionary 45-day cure period.