Florida’s Digital Bill of Rights (FDBR), enacted in 2023, is one of the most distinctive and sector‑targeted privacy laws in the United States. Unlike the broad consumer privacy statutes adopted in many other states, Florida’s law focuses primarily on large technology companies, digital platforms, and high‑risk data practices, while also creating strong protections for children, surveillance transparency, and consumer choice.
The law took effect on July 1, 2024, and imposes compliance obligations that differ significantly from the “Virginia/Colorado model” used in most other states. Organizations operating in Florida—especially those meeting the law’s size and business‑model thresholds—must evaluate their data practices carefully.
Who Must Comply
The FDBR applies to a narrow but high‑impact category of companies, including:
- Large data collectors meeting specific revenue and data‑processing thresholds
- Online platforms that operate app stores, search engines, or digital advertising networks
- Entities engaged in targeted advertising, data sales, or cross‑context behavioral profiling
- Companies offering online services likely to be accessed by children
Small and mid‑sized businesses are generally outside the law’s scope unless they engage in certain high‑risk practices.
Key Consumer Rights
Florida residents receive several rights over their personal information, including:
- Right to access personal data
- Right to delete personal data
- Right to correct inaccuracies
- Right to opt out of:
- Targeted advertising
- Sale of personal data
- Profiling in furtherance of automated decisions
- Right to transparency regarding digital surveillance technologies
These rights are similar to those in other state privacy laws but apply only to covered entities.
Obligations for Covered Businesses
Organizations subject to the FDBR must implement a comprehensive privacy program that includes:
1. Transparency Requirements
Businesses must provide clear disclosures regarding:
- Categories of personal data collected
- Purposes of processing
- Whether data is sold or used for targeted advertising
- Use of algorithms or automated decision‑making
- Use of digital surveillance technologies
2. Data Minimization and Purpose Limitation
Data collection must be limited to what is reasonably necessary for disclosed purposes.
3. Security Safeguards
Covered entities must maintain reasonable administrative, technical, and physical security measures.
4. Restrictions on Children’s Data
The FDBR includes strong protections for minors, including:
- Prohibitions on targeted advertising to children
- Restrictions on data collection for users under 18
- Requirements for age‑appropriate design and default privacy settings
5. Algorithmic Transparency
Companies using automated decision‑making must:
- Disclose the use of algorithms
- Provide meaningful information about their logic
- Offer opt‑out mechanisms for certain profiling activities
6. Data Protection Assessments
High‑risk processing activities require documented assessments evaluating:
- Benefits and risks of the processing
- Safeguards in place
- Potential impacts on consumers
7. Processor Contracts
Controllers must enter into binding contracts with processors governing data handling, confidentiality, and security.
Enforcement
- Enforced exclusively by the Florida Attorney General
- No private right of action
- Civil penalties may apply for violations, including enhanced penalties for misuse of children’s data
Florida’s enforcement posture is expected to be assertive, particularly in areas involving minors, digital surveillance, and large‑scale data collection.
Why the Florida Digital Bill of Rights Matters
The FDBR stands out in the U.S. privacy landscape because it:
- Targets large technology platforms rather than all businesses
- Imposes some of the strongest children’s privacy protections in the country
- Requires algorithmic transparency and surveillance disclosures
- Reflects Florida’s unique regulatory philosophy, diverging from the standard comprehensive privacy‑law model
For organizations operating nationally, Florida’s law requires a separate compliance track, particularly for companies that meet the law’s size thresholds or engage in high‑risk data practices.