Are you ready for the Florida Digital Bill of Rights (FDBR)? If your website has users from the Sunshine State, you better be! With new regulations coming into play, it's important to ensure your website complies to avoid any nasty surprises. Let's dive into the details and get your site ready for Florida's latest privacy law.

Florida joined the ranks of privacy-conscious states by giving the nod to SB 262 on June 6, 2023. This bill, known as FDBR, kicks into gear on July 1, 2024, giving organizations about a year to get their compliance game on point.

The Florida Digital Bill of Rights (FDBR) is an emerging framework designed to enhance the protection of personal data for residents of Florida. While it shares similarities with other privacy laws like the GDPR or CCPA, the FDBR has its own unique set of rules and obligations that businesses operating in Florida must follow. At its core, the FDBR aims to give individuals more control over their personal information, ensuring transparency and security in the way businesses collect, use, and share personal data.

Important

One significant aspect of the FDBR is its focus on consumer rights.

These include:

• The right to access personal information,
• The right to delete personal information,
• The right to opt-out of the sale of personal data.

For businesses, this means implementing robust systems and processes to handle these requests efficiently and transparently.

Florida's been keeping an eye on data protection since 2014 with the Florida Information Protection Act (FIPA). It's been doing a decent job at setting the bar for data security and breach reporting. But now, with the FDBR stepping in, things are getting a bit broader. FIPA's definition of personal info, which used to cover the basics like SSNs and contact details, is getting a facelift. Now, it's rolling in biometric and geolocation data, along with other cool tech stuff.

• Effective Date: The law will become effective on January 1, 2025.

• Regulator: The Florida Department of Legal Affairs is the primary regulator responsible for enforcement.

Feature	Consent	Fines	Effective Date
CCPA (California)	Required	$2,500-$7,500	Jan 1, 2020
VCDPA (Virginia)	Required	$7,500	Jan 1, 2023
CTDPA (Connecticut)	Required	$5,000	Jul 1, 2023
CPA (Colorado)	Required	$2,500-$7,500	Jul 1, 2023
TIPA (Tennessee)	Required	$2,500-$7,500	Jan 1, 2024
OCPA (Oregon)	Required	$2,500-$7,500	Jan 1, 2024
FDBR (Florida)	Required	$2,500-$7,500	Jan 1, 2025
TDSA (Texas)	Required	$7,500	Jan 1, 2025

To fully understand the FDBR, it’s essential to get familiar with some key terms:

• Personal Information: Under the FDBR, personal information is defined broadly to include any information that can be directly or indirectly linked to an individual. This could range from the obvious (like a name or email address) to the more nuanced (like browsing history a.k.a. Cookies and other trackers or geographic location).

• Consumer: The term 'consumer' specifically refers to residents of Florida, aligning with the law’s intent to protect the personal data of its state’s inhabitants.

• Data Controller: The entity that determines the purposes and means of processing personal data. If you’re a business making decisions about how personal data is handled, you’re likely a data controller under the FDBR.

Understanding these definitions helps businesses and consumers alike navigate the complexities of data privacy regulation. Whether it’s revising privacy policies or implementing a cookie banner that complies with the FDBR, clarity on these terms is a must!

Compliance with the FDBR involves several steps. First and foremost, businesses must ensure they have clear consent mechanisms in place. This includes deploying a CMP like AdOpt, which not only manages cookie consents effectively but also aligns with best practices like privacy by design.

Additionally, businesses should engage in data mapping to understand exactly what personal information they collect and process. This transparency aids in not only compliance but also in building trust with consumers.

Lastly, training and awareness are key. Ensuring that every part of the organization understands the importance of data protection and the specifics of the FDBR helps mitigate risks and enhances compliance efforts.

When it comes to managing cookies and ensuring compliance with various privacy laws, including the FDBR, AdOpt stands out as a Google Certified CMP and highly regarded option. Not only does AdOpt help you manage consents effectively, but it also integrates seamlessly into your digital environment, maintaining user experience without compromising on compliance.

Ready to take your data privacy compliance to the next level? Schedule a demo call with our AdOpt specialist today and discover how our CMP can transform your approach to privacy and consent management.

Under the Florida Digital Bill of Rights (FDBR), personal data is defined as:

 Any information that can identify an individual, either directly or indirectly. 

This broad definition encompasses a wide range of data types, from traditional identifiers like:

Names and Social Security numbers to digital footprints such as IP addresses or device IDs. 

Understanding what constitutes personal data is crucial for businesses as it forms the foundation of what needs to be protected under the FDBR.

For example, even seemingly innocuous data, when pieced together, can become personal. This emphasizes the need for comprehensive data mapping strategies to ensure all personal data is identified and adequately protected.

Sensitive data under the FDBR refers to specific categories of personal data that require higher levels of protection due to their nature. This includes information such as:

- racial or ethnic origin, 
- political opinions, 
- religious beliefs, 
- genetic data, 
- biometric data for the purpose of uniquely identifying an individual, 
- health information, 
- data concerning a person's sex life or sexual orientation.

Handling sensitive data brings additional compliance obligations, such as implementing stricter consent requirements and ensuring that such data is processed with extra care.

Businesses must clearly understand what qualifies as sensitive data to adapt their privacy practices accordingly and avoid potential breaches that could lead to significant consequences under the FDBR.

Consent under the FDBR is defined as:

A clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of an individual's agreement to the processing of their personal data.

This means that consent must be an active, not passive, decision.

Florida's privacy law isn't playing games when it comes to consent. It's got some pretty clear rules about what doesn't count:

- It's a no to accepting broad terms of use documents that mix in personal data details.

- Just hovering over, muting, pausing, or closing content doesn't count as consent.

- Dark patterns? Not a chance for getting consent here.

- And hey, if you change your mind, you can revoke your consent whenever.

• Users must give explicit consent before their data is collected.
• Consent requests must be clear and straightforward.

• Users should be able to withdraw consent as easily as they gave it.
• Ensure there’s an easy-to-find option on your site for users to retract their consent.

• Clear Information: Your cookie banner must clearly inform users about the data being collected.
• Consent Management: Users must have the option to accept or reject cookies.
• Continued Compliance: Regularly review and update your cookie policies to ensure ongoing compliance.

For businesses, this definition underscores the importance of designing consent management platforms (CMPs) like AdOpt, which allow for clear and straightforward mechanisms for users to express their consent. Consent must be as easy to withdraw as it is to give, ensuring user control over their personal data at all times.

Compliance with the FDBR is mandatory for all businesses that operate in Florida and handle personal data of its residents, regardless of the business's physical location. This includes both local and international companies that offer goods or services to Florida residents or monitor their behavior within the state.

Not every business needs to worry about FDBR, but if your company meets certain criteria, you’ll need to pay attention. Here’s who must comply:

1. Businesses: Operating in Florida or targeting Florida residents.

2. Revenue Threshold: Gross annual revenue of over $25 million.

3. Data Handling: Buys, receives, sells, or shares personal data of 50,000 or more consumers, households, or devices.

4. Revenue from Data: Derives 50% or more of annual revenue from selling consumers' personal data.

If you tick any of these boxes, it’s time to get compliant!

Businesses need to implement appropriate measures, including privacy by design strategies, robust privacy policies, and effective CMPs like AdOpt, to ensure they meet the regulation's standards.

Non-compliance can lead to hefty fines and damage to a company's reputation, making FDBR compliance not just a legal obligation but a critical component of business operations.

FDBR comes with strict penalties for non-compliance.

Potential Fines:

• Per Violation: Up to $2,500 per violation.

• Intentional Violations: Up to $7,500 per intentional violation.

• Data Breaches: Additional penalties may apply if a data breach occurs due to non-compliance.

The scope and application of the Florida Digital Bill of Rights (FDBR) are comprehensive, covering all entities that conduct business in Florida and possess or process personal data of Florida residents.

This includes both online and offline operations. The FDBR applies irrespective of the size or revenue of the business, making it essential for any entity operating within the state to understand and comply with its provisions.

While the FDBR is broad in scope, there are specific exemptions that apply. For instance, small businesses that meet certain criteria related to the quantity of data processed or the nature of their business activities may be exempt from some of the requirements.

Additionally, sectors that are already heavily regulated, such as healthcare providers covered under HIPAA, might find that some of their data processing activities are exempt from the FDBR. Understanding these exemptions is crucial for businesses to assess their specific compliance needs effectively.

Here’s a breakdown of what you need to do to stay compliant:

1. Data Inventory: Keep a detailed record of the data you collect and process.

2. Privacy Policy: Update your privacy policy to reflect FDBR requirements.

3. Data Security: Implement strong data security measures to protect user information.

4. Consumer Rights: Facilitate users' rights to access, correct, delete, and opt-out of data processing.

DSAR or Data Subject Access Request are a response to rights given by the law. Below is a detailed description of each right.

Under the FDBR, consumers have the right to access their personal data held by businesses. This means individuals can request and receive a copy of their personal data, along with information about how and why it is being processed.

This transparency is a core element of the regulation, aimed at increasing accountability and trust between consumers and businesses.

Consumers also have the right to request the correction of their personal data if it is inaccurate or incomplete. This empowers consumers to ensure their data is up-to-date and correct, which is particularly important in contexts where such data may influence decisions that affect their lives.

The right to deletion, often referred to as the "right to be forgotten," allows individuals to request the deletion of their personal data when it is no longer necessary for the purpose it was collected, among other conditions. This right is crucial for protecting privacy and preventing businesses from holding onto personal data indefinitely.

Data portability is a consumer's right to receive their personal data in a structured, commonly used, and machine-readable format, and to transfer it to another data controller without hindrance. This right supports consumer autonomy over personal information in a digital environment.

Consumers have the right to opt-out of certain data processing activities, such as the sale of personal data or data used for direct marketing purposes. Businesses must provide clear and straightforward mechanisms for consumers to exercise this right, such as through a cookie banner.

The FDBR ensures that consumers exercising their privacy rights are not subjected to discrimination. This means businesses cannot deny goods or services, charge different prices, or provide a different level or quality of service because an individual exercised their privacy rights.

Finally, consumers have the right to appeal a business's decision regarding a request to exercise any of the rights listed above. This ensures that consumers have a means to seek redress if they believe their rights are not being adequately respected or enforced.

AdOpt has developed features to help you with customer DSAR, schedule a call with our team to understand it better.

The FDBR offers a comprehensive definition of a controller, setting it apart from other regulations. It intricately embeds compliance thresholds within the definition itself, a unique feature.

• Entity Type: Sole proprietorship, partnership, LLC, corporation, association, or any legal entity.

• Operational Scope:

  • Operates for profit.
  • Conducts business in Florida.
  • Collects personal data directly or indirectly.
  • Determines processing purposes and methods independently or jointly.
  • Has over USD 1 billion in global annual revenue.

Additionally, the Entity Must Meet One of the Following Criteria:

1. Derives 50% or more of its global revenue from online ad sales or targeted advertising.


2. Operates a consumer smart speaker service with a virtual assistant and cloud service.
   - Excludes vehicle-associated devices by motor vehicle manufacturers.


3. Operates an app store offering over 250,000 software applications for consumer download.

Under the FDBR, a controller can share personal data with a third party for processing, termed as a processor or "a person processing data on behalf of a controller" in legal terms.

Under the FDBR, data controllers are required to adhere strictly to the principle of purpose limitation. This principle mandates that personal data must be collected for explicit, legitimate purposes and not further processed in a manner that is incompatible with those purposes.

This means that data controllers must clearly define why they are collecting personal data and stick to those reasons throughout their processing activities. This obligation helps ensure transparency and fosters trust between consumers and businesses, as individuals understand exactly why their data is needed and how it will be used.

—--- Understand the difference between Data Controller and Data Processor —---

According to the Florida data privacy law, sale is defined as "sharing, disclosing, or transferring personal data for monetary or other valuable consideration by the controller to a third party."

- Data disclosed to a processor for processing on behalf of the controller.

- Data shared with a third party to fulfill a product or service request by the consumer.

- Data intentionally made public by the consumer through mass media without audience restrictions.

- Data transferred to a third party as part of a merger or acquisition, including personal data assets.

Data security is a cornerstone of the FDBR. Controllers are obligated to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes protecting personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

For example, employing encryption, ensuring the confidentiality of processing systems, and conducting regular cybersecurity assessments are all part of complying with this requirement. The aim is to create a secure environment that safeguards consumer data and minimizes the risk of data breaches, which can have severe financial and reputational consequences.

A Data Protection Assessment (DPA) is another critical obligation for controllers under the FDBR. This assessment helps identify and mitigate risks associated with data processing activities. Controllers must conduct a DPA before initiating any processing operation that could result in a high risk to the privacy rights of individuals, such as large-scale processing of sensitive data or deploying new technologies for data processing.

The DPA should detail the processing purposes, assess the necessity and proportionality of the processing activities, and evaluate the risks to the rights and freedoms of data subjects, along with measures to mitigate those risks.

The FDBR places a strong emphasis on consent as a legal basis for processing personal data. Consent must be freely given, specific, informed, and unambiguous, with controllers required to demonstrate that consent was obtained from the data subject.

This means that controllers must provide clear and comprehensive information about the extent and purpose of data processing, ensuring that consent is given through an affirmative action that signifies agreement (e.g., checking a box on a website or choosing settings in a CMP).

Importantly, data subjects must be able to withdraw their consent as easily as they gave it, which emphasizes the need for ongoing management and compliance mechanisms to respect user preferences continuously.

The FDBR specifies targeted advertising as "presenting an advertisement to a consumer based on personal data gathered from the consumer's activities across various websites and online applications, whether affiliated or not, to anticipate the consumer's preferences or interests."

- Ads tailored to the consumer's activities within the controller's own internet platforms.

- Ads responding to a consumer's search query on the controller's website or app for information or feedback.

Under the Florida Digital Privacy Rights (FDBR), nondiscrimination provisions ensure that businesses cannot treat consumers differently based on their decision to exercise their privacy rights.

This means if you decide not to allow a website to use your personal data, for example by not consenting to cookies, the website should not degrade your service experience as a penalty.

This aspect of the law is crucial because it protects consumer choices and fosters a more transparent digital environment.

Every website that collects personal information from Floridians must provide a clear and accessible privacy policy. This policy should detail what data is collected, why it's collected, and how it's used.

Furthermore, companies must ensure that their cookie banners are set up not only to inform but also to gather consent in a manner that respects the user's privacy according to the FDBR's standards.

The FDBR introduces the concept of a universal opt-out signal, which allows consumers to communicate their privacy preferences across websites and services easily. This means a single setting could potentially control consent across multiple sites, simplifying the process for users who are concerned about their digital footprints. Integrating such a feature can be complex, but using a CMP like AdOpt, which is highly ranked and certified by industry leaders, can streamline this process.

Businesses operating under the FDBR need to ensure that all third-party services they use to process personal data on their behalf are also in compliance. This is typically managed through Data Processing Agreements (DPAs), which must clearly outline the roles, responsibilities, and expectations from each party to ensure that all data handling meets FDBR standards.

The FDBR is enforced through fines and penalties that can be quite severe to ensure businesses take the regulations seriously. Non-compliance can lead to financial penalties, which are determined based on the nature and severity of the breach. Ensuring compliance through proactive measures like thorough data mapping and adherence to privacy by design principles is less costly than facing fines.

Let’s see how FDBR stacks up against other state laws like CCPA, TIPA, VCDPA, CTDPA, OCPA, TDSA, and CPA.

Law	State	Revenue Threshold	Data Processing	Consent Required	Fines
TDPSA	Texas	$25M	50,000 residents	Yes	Up to $7,500 per violation
CCPA	California	$25M	50,000 residents or 50% revenue	Yes	Up to $7,500 per violation
TIPA	Tennessee	N/A	25,000 residents or 50% revenue	Yes	Up to $7,500 per violation
VCDPA	Virginia	$25M	100,000 residents or 50% revenue	Yes	Up to $7,500 per violation
CTDPA	Connecticut	N/A	100,000 residents or 25% revenue	Yes	Up to $7,500 per violation
OCPA	Oregon	$25M	100,000 residents	Yes	Up to $7,500 per violation
FDBR	Florida	-	50,000 residents or 50% revenue	Yes	Up to $5,000 per violation
CPA	Colorado	$25M	100,000 residents or 25% revenue	Yes	Up to $20,000 per violation

If you're looking to ensure compliance with the FDBR and other privacy regulations, consider scheduling a demo with AdOpt. As a Google-certified Consent Management Platform, AdOpt can help streamline your privacy operations and ensure that you're fully prepared to meet these regulations.

Schedule a meeting with our specialist today and see how we can help you maintain compliance efficiently and effectively.

The Florida Digital Privacy Rights (FDBR) shares similarities with other U.S. data privacy laws like the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA).

However, it introduces unique elements, such as stricter user consent mechanisms and broader rights for data deletion. Understanding these distinctions can help businesses tailor their compliance strategies effectively, not just in Florida but across state lines.

Preparing for FDBR compliance involves several key steps:

1. Data Inventory and Mapping: Conduct a thorough data mapping to understand what personal data you collect, where it comes from, and how it is used.

2. Update Privacy Policies: Ensure your privacy policy is up to date and includes all the necessary disclosures required by the FDBR.

3. Implement Consent Mechanisms: Using a certified Consent Management Platform (CMP) like AdOpt can help manage user consents effectively and transparently.

4. Staff Training: Educate your team about the FDBR requirements, focusing on those handling personal data to ensure everyone is aware of their responsibilities.

5. Regularly Audit Your Compliance: Compliance is not a one-time effort. Regular audits are necessary to ensure ongoing compliance and to address any new compliance challenges that might arise.

Under the FDBR, obtaining user consent for cookies is more stringent than ever. Businesses must ensure that consent is freely given, specific, informed, and unambiguous.

This means pre-ticked boxes or implied consent strategies are not sufficient. Transparent communication about what cookies are set and what they do is crucial to ensuring that consent is valid.

Cookie banners must be clearly visible and must explain the use and purpose of cookies in a simple language. The cookie banner should provide options for users to accept, reject, or manage their cookie preferences in detail.

This level of control not only complies with the FDBR but also enhances user trust and confidence in how their data is handled.

While many sites use cookie banners merely as a formality, under the FDBR, they serve a crucial role in compliance. A well-designed cookie banner acts as the first point of communication between the website and the user regarding data privacy.

It is a tool not just for compliance, but for transparency, making it essential for websites to design their banners with care and consideration for the user experience.

Managing cookie preferences should be straightforward and user-friendly. Provide clear options to users to modify their cookie settings at any time through a simple interface.

This might include a preference center linked directly from the cookie banner, allowing users to adjust their settings as their preferences change or as more information becomes available.

Challenge: Navigating the complexity of user consent for cookies and other tracking technologies.

Solution: Implement a clear and user-friendly cookie consent mechanism through a CMP, which can help manage consents effectively and ensure they are obtained in compliance with the FDBR.

Challenge: Ensuring all data processing agreements with third-party vendors comply with the FDBR.

Solution: Regularly review and update all agreements to include necessary FDBR provisions, and conduct audits to ensure third parties adhere to these terms.

Challenge: Dealing with data subjects' rights requests efficiently.

Solution: Develop standardized processes for handling requests, such as access, correction, and deletion, to ensure they are dealt with within the legally required time frames.

1. Privacy by Design: Incorporate privacy by design principles from the onset of any new product or service development to ensure compliance is built into the fabric of your operations.

2. Transparency: Be transparent with users about how their data is collected, used, and shared. Transparency not only aids compliance but also builds trust.

3. Proactive Management: Don't wait for compliance issues to arise. Be proactive in managing data protection risks by keeping abreast of legal changes and technological advancements.

4. Engage with Experts: Consider consulting with data protection experts or legal counsel to stay informed about best practices and compliance requirements.

By following these steps and embracing these best practices, businesses can navigate the complexities of the FDBR more smoothly and ensure that they not only comply with the law but also protect their customers' data effectively.

The FDBR is a data protection regulation designed to enhance the privacy rights of Florida residents. It sets guidelines for businesses on how to handle personal information, emphasizing transparency, security, and the control individuals have over their personal data.

While the FDBR shares common goals with the GDPR and CCPA, such as enhancing user privacy and increasing transparency, it includes unique provisions like stricter consent requirements and broader rights for data deletion, which differ from the other regulations.

Under the FDBR, personal data includes any information that can identify an individual either directly or indirectly. This ranges from obvious details like names and addresses to more nuanced data like browsing history or geographical location.

Consumers have several rights under the FDBR, including the right to access, correct, delete their personal data, and opt-out of its sale. They also have the right to data portability and the right to non-discrimination for exercising their privacy rights.

Any business operating in Florida that processes the personal data of Florida residents must comply with the FDBR. This applies regardless of the business’s size or location.

Businesses can comply by implementing robust data protection measures, including clear consent mechanisms, comprehensive data mapping, regular compliance audits, and training for employees on FDBR requirements.

Non-compliance can result in significant fines and penalties. The severity of these sanctions depends on the nature and extent of the violation.

A DPA is an evaluation that businesses must conduct prior to processing activities that pose a high risk to privacy. It helps identify risks and determine measures to mitigate them.

Sensitive data under the FDBR requires higher protection levels due to its nature. Businesses must ensure stricter consent processes and handle such data with extra care to prevent breaches.

A CMP, like AdOpt, is a tool that helps businesses manage and document user consents for data processing, ensuring compliance with regulations like the FDBR. It facilitates transparent interactions about data consent with customers.

Privacy by design is a principle that involves integrating data protection from the onset of designing a system or process. It is essential for complying with the FDBR as it ensures privacy is considered at every step of business operations.

Cookie banners are tools that inform users about the use of cookies and collect their consents, crucial for FDBR compliance. They must be clear, provide options to accept or reject cookies, and explain the purposes of data processing.

The universal opt-out signal is a mechanism that allows consumers to communicate their privacy preferences across multiple platforms easily, simplifying the process of managing consent.

Certain small businesses and regulated sectors like healthcare may have exemptions or reduced obligations under the FDBR, depending on the nature and scale of their data processing activities.

Consumers can request the deletion of their personal data when it is no longer necessary for the purpose it was collected, among other conditions. Businesses must provide a straightforward process for consumers to make such requests.

Businesses must implement appropriate technical and organizational measures to ensure data security. This includes using encryption, conducting regular security assessments, and maintaining data integrity and confidentiality.