Florida Passes New Privacy Law: What It Means for Businesses
Impact on Certain Businesses With Annual Gross Revenues of Over $1B and Businesses That Process Personal Information on Their Behalf
The Digital Bill of Rights imposes familiar rights and requirements on companies (“controllers”) with annual gross revenues over $1 billion that ALSO (i) derive 50% or more of those revenues from the sale of online advertisements; (ii) operate a consumer smart speaker; or (iii) operate an app store or a digital distribution platform offering at least 250,000 different software applications. Because of that threshold, these rights and requirements will apply only to very large companies. They include privacy notices, data protection assessments, required contractual provisions between controllers and processors, consumer rights to access, know, correct, and delete personal data, and an expanded set of opt-out rights, including the right to opt out of (a) the collection and processing of sensitive or biometric data (e.g., data collected through voice and facial recognition technology) and (b) the use of personal data for targeted advertising, data sales, and certain profiling. The Digital Bill of Rights also contains some familiar exemptions; for example, financial institutions, nonprofits, and covered entities or business associates subject to HIPAA are exempt from the law.
The Digital Bill of Rights also impacts businesses that process personal information on behalf of controllers (“processors”). For example, processors must execute a contract governing the processing to be performed on behalf of the controller, including a description of the parties’ legal obligations and a retention schedule for the deletion of nonexempt personal information. Other obligations imposed on processors more closely align with those set forth in other state privacy laws, including requiring the processor to adhere to the controller’s instructions and assist in responding to consumer rights requests.
The law does not create a private right of action but can be enforced by the Florida attorney general.
Impact on Businesses Predominantly Accessed by Children
In addition to creating the Digital Bill of Rights, for providers of an online service, product, game, or feature likely to be predominantly accessed by individuals under 18 (“online platforms”), S.B. 262 generally:
- Prohibits processing personal information that “may result in substantial harm or privacy risk to children”;
- Limits profiling children unless certain conditions are met; and
- Restricts online platforms’ collection, sale, sharing, use, and retention of children’s personal information, especially precise geolocation data.
Impact on Other Businesses
More broadly, S.B. 262 expands the Florida Data Breach Notification Statute’s definition of “personal information” to include Floridians’ biometric data or geolocation data paired with an individual’s name or initials, and it bars any for-profit business in the state that collects data about consumers from selling sensitive personal information without the consumer’s prior consent. A business that sells sensitive personal data must also post a notice on its website stating: “This website may sell your sensitive personal data.” Although the definition of “sensitive data” is narrow, it includes an individual’s race, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; certain genetic or biometric data; personal data collected from a known child; and precise geolocation data.
Takeaways and Next Steps
Based on the above, companies collecting or processing the personal information of Floridians should evaluate which of S.B. 262’s provisions apply to them and how, and consider what adjustments may be advisable for compliance, such as changing practices related to children’s personal information, adding the required website notice where sensitive personal data is sold, and revising incident response plans to reflect the expanded definition of “personal information.”