Florida's Digital Bill of Rights - enacted as Senate Bill 262 and codified primarily in Chapter 501, Part II of the Florida Statutes - took effect July 1, 2024. It is Florida's comprehensive consumer data privacy law, and while it has a narrower scope than California's CCPA or the EU's GDPR, it creates real compliance obligations for covered businesses operating in Florida and nationwide.
For Tampa Bay area technology companies, data-driven businesses, and national companies with Florida operations, understanding whether the law applies and what it requires is essential in 2026. This guide covers the law's applicability thresholds, consumer rights, controller obligations, data protection assessment requirements, and enforcement by the Florida Attorney General.
Who Does the Florida Digital Bill of Rights Apply To?
The Florida Digital Bill of Rights (FDBR) applies to "controllers" - entities that conduct business in Florida or provide products or services targeted to Florida residents - that meet both of the following thresholds:
- Annual global gross revenues exceeding $1 billion
- Satisfy at least one of the following:
  - Derive at least 50% of global revenues from the sale of online advertising
  - Operate a consumer smart speaker and related voice command component service with a Florida user base
  - Operate an app store or digital distribution platform
This dual threshold - $1 billion in revenue plus one qualifying operational characteristic - means the FDBR primarily targets large technology platforms: think companies like Google, Amazon, Apple, Meta, and similar enterprises. The vast majority of small and mid-size Florida businesses are not directly covered by the FDBR as controllers.
Most Florida small and mid-size businesses do not meet the $1 billion revenue threshold and are therefore not covered as "controllers" under the FDBR. However, businesses that process data on behalf of covered controllers as service providers may have contractual compliance obligations. And the FDBR's consumer rights apply to your customers' data held by the large platforms you use - not to your own data practices.
Consumer Rights Under the Florida Digital Bill of Rights
For Florida residents whose personal data is processed by a covered controller, the FDBR provides six categories of rights:
- Right to access: Consumers may request confirmation that a controller is processing their personal data, along with a copy of that data.
- Right to correct: Consumers may request that inaccurate personal data be corrected.
- Right to delete: Consumers may request deletion of personal data provided by or obtained about them.
- Right to portability: Consumers may request their data in a portable, commonly used format to transmit to another controller where technically feasible.
- Right to opt out of targeted advertising: Consumers may opt out of the processing of their personal data for targeted advertising.
- Right to opt out of the sale of personal data: Consumers may opt out of the sale of their personal data to third parties.
- Right to opt out of profiling: Consumers may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
Special Protections: Sensitive Data and Children
The FDBR contains heightened requirements for sensitive data categories, including:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship status
- Genetic or biometric data processed for the purpose of identifying an individual
- Precise geolocation data
- Personal data of known children under age 18
Controllers must obtain explicit consent before processing sensitive data categories. For known child users, additional restrictions apply to the use of targeted advertising and data collection. The FDBR's child protection provisions are among the strongest in any U.S. state privacy law.
Controller Obligations
Covered controllers under the FDBR must:
- Publish a clear and meaningful privacy notice that describes the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, and any data sold or shared with third parties.
- Respond to consumer rights requests within 45 days of receipt (extendable by 45 additional days with notice for complex requests).
- Establish a data appeals process allowing consumers to appeal a refusal to act on their request within a reasonable period.
- Maintain data security practices appropriate to the volume and sensitivity of the personal data processed.
- Contractually bind service providers through data processing agreements that restrict the service provider's use of personal data to the specified purposes.
- Limit data collection to what is adequate, relevant, and reasonably necessary for the specified purposes.
Data Protection Assessments
One of the FDBR's most significant requirements for covered controllers is the mandatory data protection assessment (DPA). Controllers must conduct a DPA before engaging in any processing activity that presents a "heightened risk of harm" to consumers. Qualifying activities include:
- Processing of sensitive data
- Targeted advertising
- The sale of personal data
- Certain forms of profiling
A DPA must identify and document the risks, mitigating safeguards, benefits to the controller, and the weighing of those benefits against the risks to consumers. Assessments must be made available to the Florida Attorney General upon request during an investigation.
Enforcement by the Florida Attorney General
The FDBR is enforced exclusively by the Florida Attorney General - there is no private right of action for individual consumers to sue for violations. This is a key distinction from the CCPA (which has a limited private right of action for data breaches).
Before initiating an enforcement action, the AG must provide a 45-day cure period for violations that are capable of being cured. If the violation is cured within that period and a written statement of compliance is provided, the AG cannot proceed with the action.
Penalties for violations:
- Civil penalties up to $50,000 per violation
- Civil penalties up to $50,000 per violation involving known minor users (tripled to $150,000 for intentional violations involving children)
- Injunctive relief
- Civil penalties up to $50,000 per intentional violation for data used to conduct political, religious, or other discrimination
FDBR vs. CCPA vs. GDPR: Key Differences
| Factor | Florida FDBR | California CCPA/CPRA | EU GDPR |
|---|---|---|---|
| Who it covers | Revenue $1B+ with specific ops | Revenue $25M+, 100K consumers, or 50% revenue from data | Any business processing EU resident data |
| Private right of action | No (AG enforcement only) | Limited (data breaches only) | Yes (in member states) |
| Cure period | 45 days | No cure period for CPRA | Varies by supervisory authority |
| Consent for sensitive data | Required | Opt-out model for most data | Explicit consent required |
| Data protection assessments | Required for high-risk processing | Required (called risk assessments) | Required (called DPIAs) |
| Children's protections | Under 18 | Under 16 (opt-in) | Under 16 in most member states |
| Extraterritorial reach | Florida residents only | California residents | EU residents worldwide |
What Does the FDBR Mean for Most Florida Businesses?
For businesses below the $1 billion threshold, the FDBR does not impose direct compliance obligations as a controller. However, there are still important considerations:
- Service provider agreements: If your business provides data processing services to a covered controller, you will be required to sign a data processing agreement limiting your use of personal data.
- Privacy policy review: The FDBR signals the direction of Florida's regulatory expectations. Businesses of all sizes should ensure their privacy policies accurately describe their data practices.
- Companion laws: The FDBR was enacted alongside the Florida Information Protection Act (Section 501.171), which requires ALL businesses (regardless of size) to protect personal information and notify consumers of breaches. This applies to your business now.
Questions About Florida Data Privacy Compliance for Your Business?
FL Patel Law helps Tampa and St. Petersburg businesses evaluate their data privacy obligations under Florida law, including the FDBR and the Florida Information Protection Act. Whether you need a privacy policy review, a vendor data agreement, or guidance on a security breach, we offer flat-fee and hourly pricing. Call (727) 279-5037 to schedule a consultation.