Florida’s Digital Bill of Rights (Senate Bill 262)

On 7 June 2023, Governor Ron DeSantis signed Florida’s Digital Bill of Rights (SB 262) (codified at FL Stat § 112.23). 

The law will most impact large tech companies but contains several ambiguous definitions and provisions. This article will explain who is covered by Florida’s Digital Bill of Rights and explore key requirements around consumer rights and targeted advertising. 

Who is covered by Florida’s Digital Bill of Rights? 

Here are some of the types of entities covered by Florida’s Digital Bill of Rights.

The main target of the law is a “controller”, meaning any legal entity that: 

• Operates for profit, 
• Collects personal data about Florida residents or has such data collected on its behalf, 
• Conducts business in Florida, 
• Determines the “purposes and means” of processing personal data (decides how and why personal data is processed), 
• Makes at least $1 billion in gross annual revenues, and 
• Satisfies at least one of the following conditions: 
• Makes half or more of its revenues from selling online ads or providing ad-targeting or selling services, 
• Operates a cloud-based smart speaker with an integrated virtual assistant and hands-free verbal activation (unless the smark speaker is integrated into a vehicle), or 
• Operates an app store that offers at least 250,000 apps 

As such, the scope of the law is relatively narrow and should mostly affect “big tech” companies. 

The law also references the following types of entities: 

• Processor: A person who processes personal data on behalf of a controller. 
• Social media platform: A “form of electronic communication” enabling users to create online communities or groups to share content. 
• Online platform: A social media platform, online game, or online gaming platform. 

Key Definitions 

In addition to the definitions of different covered entities above, Florida’s Digital Bill of Rights provides the following important definitions. 

Profiling 

Florida’s Digital Bill of Rights defines “profiling” only in relation to children. 

“Profile” or “profiling” means “any form of automated processing performed on personal information to evaluate, analyze, or predict personal aspects relating to the economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of a child.” 

Consumers (impliedly only those who are children) have the right to opt out of profiling performed “in furtherance of a decision that produces a legal or similarly significant effect”. 

Sale of Personal Data 

“Sale of personal data” means: 

• The sharing, disclosing, or transferring of personal data, 
• For “monetary or other valuable consideration” (any benefit), 
• By the controller to a third party.  

“Sale” does not include any of the following: 

• The disclosure of personal data to a processor who processes the personal data on the controller’s behalf, 
• The disclosure of personal data to a third party to provide a product or service requested by the consumer, 
• The disclosure of information that the consumer: 
• Intentionally made available to the general public through a “mass media channel”, and 
• Did not restrict to a specific audience. 
• The disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.

Consumers have the right to opt out of the sale of their personal data. 

Targeted advertising 

“Targeted advertising” means displaying an ad to a consumer that meets the following conditions:  

• The ad is based on personal data obtained from the consumer’s activities over time across affiliated or unaffiliated websites and online applications,  
• The personal data is used to predict the consumer’s preferences or interests.  
• The ad is not:
• Based on the context of a consumer’s current search query on the controller’s own website or online application; or 
• Directed to a consumer search query on the controller’s own website or online application in response to the consumer’s request for information or feedback.

Note that this definition is broader than the equivalent definition included in some other “Virginia-style” state privacy laws, as it does not exclude targeted ads based on “first-party data”. 

Consumers have the right to opt out of targeted advertising. 

Voice recognition feature 

Florida’s Digital Bill of Rights provides a specific requirement for controllers operating “voice recognition” devices. The law takes an unconventionally broad definition of such devices. 

“Voice recognition feature” means “the function of a device which enables the collection, recording, storage, analysis, transmission, interpretation, or other use of spoken words or other sounds.” 

Beyond voice recognition, this definition appears to cover any device that can record or transmit audio. 

Rules for governmental entities and social media platforms 

One headline provision of the Digital Bill of Rights relates to government interference in social media platforms’ content moderation activities. 

Essentially, the law states that a governmental entity may not:  

• Request that a social media platform take down content or block an account, or 
• Enter into a relationship with a social media platform that would influence content moderation. 

There are exceptions to this rule, such as where the governmental entity is managing its own social media content, attempting to prevent certain crimes, or preventing imminent harm or loss of life. 

Consumer rights 

Consumers have the following rights under Florida’s Bill of Rights: 

• To confirm whether a controller is processing the consumer’s personal data and to access the personal data. 
• To correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data. 
• To delete any or all personal data provided by or obtained about the consumer. 
• To obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format. 
• To opt out of the processing of personal data for purposes of: 
• Targeted advertising; 
• The sale of personal data; or 
• Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer. 
• To opt out of the collection or processing of sensitive data. 
• To opt out of the collection of personal data collected via a voice recognition or facial recognition feature.

Responding to a Consumer Rights Request 

A controller must respond to a consumer rights request “without undue delay” and within 45 days of receiving the request.  

A controller may extend this 45-day period once, by 15 days, if “reasonably necessary,” considering the complexity and number of requests. A controller must notify the consumer within the initial 45-day response period, providing a reason for the extension. 

If a controller maintains a self-service portal enabling consumers to correct their personal information, the controller may require the consumer to use the portal to facilitate a request under the “right to correction”. 

A controller must make a “reasonable effort” to verify the identity of a consumer making a request, including by requesting further information from the consumer. The controller does not need to comply with a request if it cannot authenticate the consumer. 

Right to appeal 

A controller must establish a process to enable consumers to appeal the outcome of a consumer rights request within “a reasonable period of time” after the consumer receives the outcome of their request. 

The appeals process must be “conspicuously available” and similar to the process for making a consumer rights request. 

A controller must notify the consumer in writing of the outcome of the consumer’s appeal, the reasons for the outcome, and any action taken in response to an appeal within 60 days of receiving the appeal. 

Virtual assistant and recording devices 

An additional rule applies regarding any device that includes a voice recognition, facial recognition, video recording, or audio recording feature, or any other “electronic, visual, thermal, or olfactory feature” that collects “data” (this part of the law does not refer to “personal data”). 

A controller (or processor, or any affiliates of either) that operates such a device may not use the above features for the purpose of “surveillance” unless the consumer is actively using those features. “Surveillance” is not defined under the law. 

The above rule does not apply if the controller (etc) if the “surveillance” is “expressly authorized” by the consumer.  

“Express authorization” is also not defined in the law. 

Florida’s Digital Bill of Rights: Narrowly scoped but ambiguously drafted 

Florida’s Digital Bill of Rights is clearly scoped so as to apply to quite a narrow range of large, tech-oriented companies. Nonetheless, the law includes some ambiguous obligations and definitions that could make compliance challenging.