Is Florida’s Digital Bill of Rights a ‘comprehensive privacy law’?
Posted: March 27, 2024
Florida’s Digital Bill of Rights takes effect in July. The law is often listed among the wave of “comprehensive privacy laws”, like the California Consumer Privacy Act (CCPA) or the Colorado Privacy Act (CPA). But with such a narrow scope, does the law deserve the “comprehensive” title?
What’s a ‘comprehensive privacy law’ anyway?
The first US privacy law that could reasonably be called “comprehensive” was California’s CCPA, which passed in 2018 and received an update in 2020 under the California Privacy Rights Act (CPRA).
What’s “comprehensive” about the CCPA? Comprehensive privacy laws apply across many sectors – so businesses from fashion to IT could be covered by California’s privacy rules.
But unlike the EU’s General Data Protection Regulation (GDPR), the CCPA applies only to businesses that make over $25 million a year or buy or sell data about a large number of California residents.
And the CCPA also excludes businesses operating in many tightly regulated fields, like health and finance. The same applies to the so-called comprehensive laws passed in around 14 other states since California, such as Virginia, Connecticut, and, most recently, New Hampshire.
Yet even though they let so many businesses off the hook, these comprehensive laws should impact thousands of companies operating in the US. Any company doing business in a given “comprehensive privacy law” state should certainly figure out whether it’ll be affected by the new data protection rules.
Can we say the same about Florida?
A highly targeted law
Let’s look at who’s covered by Florida’s new privacy law.
The law covers a company that conducts business in Florida and meets the following conditions:
- It operates for profit
- It collects personal data about Florida residents
- It “determines the purposes and means” of processing personal data (meaning that it decides how and why to collect or use personal data)
- It earns $1 billion or more in gross annual revenues, and
- It meets one or more of the following thresholds:
  - It makes at least 50% of its revenues from selling online ads or providing ad-targeting or selling services
  - It operates a cloud-based smart speaker with an integrated virtual assistant and hands-free verbal activation (unless integrated into a vehicle), or
  - It operates an app store that offers at least 250,000 apps
Reading through the thresholds at the end of that list—and bearing in mind the extremely high $1 billion annual revenue threshold—a few companies might come to mind, such as Meta, Google, Apple, and Amazon.
It appears that social media and “big tech” firms were top of mind for Florida lawmakers when designing this part of the law.
A bill of rights?
Despite its relatively narrow application, Florida’s Digital Bill of Rights does provide some meaningful rights and protections for Florida residents. The law’s provisions should be familiar to anyone who has read similar laws, such as the CCPA or the Virginia Consumer Data Protection Act (VCDPA).
Consumers protected by Florida’s Digital Bill of Rights have the following rights over controllers covered by the law:
- To confirm whether a controller is processing their data
- To access their personal data
- To correct inaccuracies in their personal data
- To delete any or all personal data provided by them or obtained about them
- To obtain a copy of their personal data in a portable digital format
- To opt out of:
  - Targeted advertising
  - The sale of their personal data
  - Profiling in furtherance of decisions producing legal or similarly significant effects
- To opt out of the collection or processing of sensitive data
- To opt out of the collection of personal data via a voice recognition or facial recognition feature
Even if Florida residents can only exercise these rights over a limited number of companies, they are somewhat stronger than those afforded by other laws more reasonably described as “comprehensive”, such as those in Iowa and Utah.
Florida also imposes further obligations on certain types of companies, such as social media firms, which face new rules on government content moderation requests. Businesses providing smart speakers are prohibited from using their devices for “surveillance”.
As such, whether or not Florida’s Digital Bill of Rights is truly a “comprehensive privacy law”, Florida residents will gain some new rights and protections in respect of data collected by a handful of very powerful companies.