Florida governor Ron DeSantis signed the Digital Bill of Rights into law on June 6, 2023, joining the wave of US states with comprehensive state privacy laws.
Which businesses does this law apply to?
The law applies to "controllers", which it defines as companies that sell to customers in the state of Florida, make in excess of $1 billion in global annual revenue, and:
What are the key highlights of the law?
Let’s take a look at how the Florida Digital Bill of Rights defines consent, sensitive data, the “sale” of personal data, consumer rights, data retention schedules, privacy notices, and data protection assessments.
Consent
Florida’s law defines consent as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data”, similar to most other state laws.
It explicitly mentions that the following methods of obtaining consent are not considered valid:
Sensitive Personal Information (SPI)
SPI under Florida’s latest act includes the following categories of personal data:
Florida’s Act requires businesses to obtain consent, as defined above, before processing sensitive data; because consent must be a clear affirmative act, offering only an opt-out mechanism does not satisfy this requirement. In the case of children between the ages of 13 and 18, affirmative authorization must be obtained before processing, i.e. an opt-in mechanism.
Consumer Rights
The Florida Digital Bill of Rights lays out the following consumer rights:
Regarding responses to rights requests, controllers have 45 days to respond to a consumer request. This period can be extended once by a further 15 days when “reasonably necessary”. In the case of an extension, controllers still need to inform the consumer within the original 45-day window that the response deadline has been extended.
Controllers are also required to respond to a consumer’s requests free of charge at least twice a year. The law states that if requests are found to be “unfounded, excessive, or repetitive”, businesses may charge a “reasonable fee” to process them.
Sale of Personal Data
The Florida Technology Transparency Act (the bill that enacted the Digital Bill of Rights) defines the sale of personal data as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by a controller to a third party”.
There are some caveats with this definition. It does not include the following:
Data Retention Schedules
Data controllers and processors are required to define retention schedules for the personal data they collect or process, based on the nature and purpose of the collection. If no retention schedule is defined, personal data must be deleted within two years of the consumer’s last interaction with the business.
Privacy Notices and Disclosures
The law states that privacy notices must be updated at least annually and be “reasonably accessible and clear”. The notice must include the following:
Data Protection Assessments (DPA)
Florida’s law requires data controllers to conduct DPAs in the following cases:
The law further states that these assessments must identify and weigh the benefits of the processing against the potential risks it creates, taking into account all stakeholders involved: the controller, the processor, the consumer, and any other parties.
What does this mean for your organization?
Florida’s Digital Bill of Rights is currently set to go into effect on July 1, 2024. This means organizations that fall under its purview have less than a year to ensure that the appropriate compliance measures are in place across their data infrastructure and workflows.
How can OneTrust help with compliance?
OneTrust can help your organization introduce the right business workflows and data policies that help keep you compliant with all applicable privacy regulations. For more information on what you can do to stay on top of the US privacy landscape, take a look at how to operationalize privacy compliance, with OneTrust Privacy Management. Request a demo to see what works for your business today.