What is FDBR?

The Florida Digital Bill of Rights (FDBR), effective July 1st, 2024, is a data privacy law enacted to protect the privacy rights of Florida residents. It aligns with the broader trend of state-level privacy regulations in the United States, giving users more control over their personal data and imposing obligations on businesses that collect, process, and share such data.

Where does the FDBR apply?

The FDBR targets for-profit organizations that conduct business in Florida or produce products or services targeted to Florida residents. These businesses must either have a gross annual revenue exceeding a specified amount, process personal data of a set number of Florida residents annually, or derive a significant portion of their revenue from selling or sharing personal data:
- Global gross annual revenues exceeding $1 billion, and
- Revenue from Online Advertising: Derive 50% or more of their global gross annual revenues from the sale of online advertisements.
- Smart Speaker Operations: Operate a consumer smart speaker and voice command component service with an integrated virtual assistant.
- App Store Platforms: Operate an app store or digital distribution platform that offers at least 250,000 different software applications.
These specific thresholds are designed to target large technology companies, ensuring that the FDBR primarily applies to major players in the tech industry.

The law also applies to businesses that process sensitive data, such as biometric information, health data, or precise geolocation.


What are possible reasons for a penalty under FDBR?

Some common reasons for a penalty include:
- Failure to Respond to Consumer Rights Requests: Ignoring or not fulfilling requests from consumers to access, delete, or correct their personal data, or to opt out of data sharing or targeted advertising within the required timeframe.
- Improper Handling of Sensitive Data: Collecting or processing sensitive personal information (e.g., biometric data, health data, or geolocation) without proper consent or protection.
- Lack of Transparency: Failing to provide a clear privacy policy or misrepresenting data collection and usage practices.
- Non-Compliance with Children’s Data Protections: Violating stricter rules around data collection for individuals under 18.

Who is liable for FDBR penalties?

Liability falls on businesses that meet the law’s applicability criteria, such as large for-profit entities collecting or processing Florida residents' data. Senior executives or designated officers may also bear responsibility if their decisions or negligence lead to non-compliance. Penalties are enforced by the Florida Attorney General, targeting organizations rather than individual employees, except in cases of willful misconduct.


What are the penalties?

Penalties can include:
- Financial penalties, often calculated per violation or per affected consumer.
- Injunctions: The Attorney General can issue court-ordered injunctions to stop ongoing violations and mandate compliance with the law.
- Damages: Businesses may be required to compensate affected individuals.
- Reputational damage.


Frequently Asked Questions

How do I obtain consent from individuals under the FDBR?

Obtaining consent under the Florida Digital Bill of Rights (FDBR) involves providing a clear consent process to users, particularly those under 18.
- Use clear language about data collection, use, and sharing.
- Active Opt-In: Use affirmative actions, such as a checkbox or a clear “I agree” button, to record consent.
- Parental consent for minors: For individuals under the age of 18, obtain verifiable parental or guardian consent before collecting or processing their data.
- Allow individuals to withdraw consent easily at any time, and communicate this right clearly.

Who is the regulatory authority enforcing the Florida Digital Bill of Rights (FDBR)?

The regulatory authority enforcing the Florida Digital Bill of Rights (FDBR) is the Florida Attorney General's Office. This office is responsible for investigating violations, ensuring compliance, and imposing penalties for non-compliance. Businesses found in breach of the FDBR may face fines, injunctions, or other corrective measures as determined by the Attorney General.

How do I make my business compliant with the FDBR?

To make your business compliant with the Florida Digital Bill of Rights (FDBR), start by determining whether your operations fall under its scope, such as meeting revenue thresholds or processing the personal data of Florida residents. Develop a clear and accessible privacy policy that outlines the types of data collected, the purposes for collection, how it’s used, and with whom it’s shared.

Shopify merchants can simplify compliance by using Consentmo, which provides tools to manage cookie consent, display privacy notices, and automate data subject requests.