Florida Digital Bill of Rights: What Small Business Owners Should Know About S.B. 262

How S.B. 262 “The Florida Digital Bill of Rights” Impacts Small Businesses

As implied by the name, Florida’s Digital Bill of Rights grants new rights for Florida residents relating to their online and digital privacy, such as the right to opt out of the collection of sensitive personal data. However, it also sets out to further regulate the different businesses that collect, process, and sell that data.

S.B. 262 is fairly comprehensive (the full bill is available through this link), but for our purposes here, we’ll be focusing on how it could impact small businesses in Florida. Its new requirements will start on July 1st, 2023, so keep reading to learn what you need to know to ensure compliance and avoid enforcement from the Florida Department of Legal Affairs.

What are Controllers and Processors?

S.B. 262 creates new requirements for two main parties that process data in Florida, referred to as Controllers and Processors.

A business will qualify as a Controller if it has more than $1 billion in global gross revenue and does one of the following:

  • Receives 50% of its global gross revenue from selling online advertisements;
  • Operates a consumer smart speaker and voice command service; or
  • Operates an app store or digital distribution platform with 250,000 or more different software applications.

Processors, on the other hand, are defined as anyone who processes personal data for a Controller. This means that some small businesses in Florida could qualify as Processors under the Florida Digital Bill of Rights, such as those who handle third-party information.

What are the New Requirements for Processors?

There are many new legal obligations and responsibilities that Florida Processors will need to abide by. The Florida Digital Bill of Rights gives them new duties under the law, specifies requirements for contracts between Florida Controllers and Florida Processors, and mandates that applicable companies keep a retention schedule for personal data. The specifics break down as follows:

New Florida Processor Duties

  • Follow the Controller’s instructions and help them with meeting and complying with their duties under the law;
  • Help the Controller respond to consumer rights requests using the appropriate technical and organizational measures;
  • Provide the Controller with the necessary information to conduct and document data protection assessments; and
  • Help the Controller comply with personal data processing security and notification of breach of security requirements.
    • In doing so, the Processor must account for the nature of the processing and the information available to them at that time.

New Florida Processor Contractual Requirements

  • The Processor’s data processing procedures will be governed by a contract between the Processor and the Controller;
  • Clear instructions for data processing;
  • A description of the nature and purpose of data processing;
  • A description of the type of data subject to processing;
  • A description of the rights and obligations for both the Processor and the Controller; and
  • Provisions requiring that the Processor:
    • Impose a duty of confidentiality on each person processing personal data in respect to the information in question;
    • Delete or return all personal data to the Controller as requested at the Controller’s discretion once the service’s provisions are completed, unless retention is required by law;
    • Upon the Controller’s request, provide all information in the Processor’s possession that’s needed to confirm compliance with the new data privacy provisions in the Florida Digital Bill of Rights;
    • Allow and cooperate with reasonable assessments by the Controller or their designated assessor; and
    • Work with subcontractors to ensure that they are compliant with the new requirements in respect to personal data.

New Retention Schedule Requirements

Controllers and/or Processors also need to create and implement a retention schedule to stay compliant with the Florida Digital Bill of Rights. It must prohibit using or retaining non-exempt personal data after one of the following triggers:

  • After fulfilling the initial purpose for which the information was gathered;
  • After the end of the contract under which the information was gathered; or
  • 2 years after the Controller or Processor last interacted with the consumer.

There are some exceptions to the new retention schedule requirements if the data was collected for:

  • Providing a requested good or service to a consumer;
  • Reasonably anticipating the request of a good or service based on an ongoing relationship with a consumer;
  • Identifying, debugging, and repairing errors that impair functionality; or
  • Strictly internal purposes that are reasonably aligned with the consumer’s expectations that are either based on the relationship with the consumer or compatible with the context in which the consumer provided that information.

What Information is Defined as Sensitive Data?

Florida’s new Digital Bill of Rights considers information to be sensitive data if it falls under any of the following categories:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical health diagnosis;
  • Sexual orientation;
  • Citizenship or immigration status;
  • Genetic or biometric data processed to identify an individual;
  • Personal data knowingly collected from a minor; or
  • Precise geolocation data limited to a radius of 1,750 feet.

What are the Penalties for Noncompliance?

Businesses found to be out of compliance with the new data privacy laws under the Digital Bill of Rights will face civil penalties of up to $50,000.00 per violation. The Florida Attorney General may, at their own discretion, issue a 45-day cure or grace period for the business to correct these violation(s).

Are There Any Exceptions to S.B. 262’s New Requirements?

Yes – under Florida’s Digital Bill of Rights, Controllers and Processors cannot be restricted from collecting, using, or retaining data to:

  • Conduct internal research to develop, improve, or repair products, services, or technology;
  • Effect a product recall;
  • Identify and repair technical errors impairing functionality; or
  • Perform internal operations that are:
    • Reasonably aligned with a consumer’s expectations;
    • Reasonably anticipated based on the relationship with the consumer; or
    • Otherwise compatible with providing a product or service that was either specifically requested or as a part of a contract with a consumer.

How Will Florida’s Digital Bill of Rights Impact Companies That Sell Data?

Although S.B. 262 primarily targets companies that process personal data, it does contain a couple of new rules that will apply to those who sell it as well. Now, Florida businesses must get prior consent from consumers before selling their data in addition to posting the following notices depending on the type of information sold:

“NOTICE: This website may sell your sensitive personal data.”

“NOTICE: This website may sell your biometric personal data.”

How Can My Florida Small Business Prepare for the Florida Digital Rights Act?

Your business might be closer to compliance than you think if its policies already account for similar laws in other states and/or the European Union’s General Data Protection Regulation (GDPR). However, it’s still important to review present policies (especially privacy, opt-out, and data retention policies) to confirm that everything will be above board under S.B. 262’s new data privacy requirements.

How Can FL Patel Law PLLC Help My Business with Compliance?

Our firm exists to make life easier for Florida business owners and entrepreneurs in every way that we can. For assistance regarding our state’s new privacy laws under the Digital Bill of Rights, you can reach out to us for:

  • An attorney consultation for advice on navigating the new requirements under the Florida Digital Bill of Rights;
  • A compliance review of your business to ensure that your business won’t be found to be in violation of any new provisions; or
  • Contracts (Privacy Policies, Service Agreements, and more) that your company needs to cover itself moving forward.

For assistance with data privacy compliance under Florida’s new Digital Bill of Rights, contact our firm now by calling (727) 279-5037 or by scheduling a time with our corporate attorney online.
