Employers Who Collect Personal Data from FL Consumers
July 1, 2024
In June 2023, Florida’s Governor Ron DeSantis signed SB 262, creating the Florida Digital Bill of Rights (FDBR) and granting new rights for Florida residents related to their online and digital privacy. The law sets out to further regulate the businesses that collect, process, and sell residents’ personal data. The FDBR is set to go into effect on July 1, 2024.
Specifically, the FDBR provides Florida residents with: (1) the right to control personal data, including the right to confirm, access, and delete your personal data from a social platform; (2) the right to know that your personal data will not be used against you when purchasing a home, obtaining health insurance, or being hired; (3) the right to know how internet search engines manipulate search results; (4) the right to opt out of having personal data sold; and (5) the right to protect children from personal data collection.
The new legislation focuses on data “controllers,” each defined generally as a for-profit legal entity that conducts business in Florida, collects personal data about consumers, determines the purposes and means of processing personal data, makes in excess of $1 billion in global gross annual revenues, and satisfies one of three additional criteria: (1) derives 50% or more of its global gross revenues from the sale of advertisements online, (2) operates a consumer smart speaker and voice command component, or (3) operates an app store. Because the law does not apply to businesses with less than $1 billion in gross annual revenue, the FDBR will cover only a relatively small number of very large entities.
However, the definitions of “processor” and “third-party” do not include the threshold criteria that apply to a data “controller,” so there are still compliance implications for businesses that process data on behalf of data controllers, as well as for those that receive personal data in a third-party capacity but do not otherwise satisfy the data controller threshold.
Companies that qualify as a “controller” under the law will be required to, among other things, establish secure and reliable means for consumers to exercise their privacy rights under the law, as well as obtain consumer consent to process “sensitive data” and conduct and document data protection assessments. Additionally, covered businesses and their data processors are required to implement a retention schedule for the deletion of consumers’ personal data. Controllers or processors may only retain personal data until (1) the initial purpose of the collection is satisfied, (2) the contract for which the data was collected or obtained has expired or been terminated, or (3) two years after the consumer’s last interaction with the covered business.
For organizations that are not otherwise deemed data controllers, the FDBR prohibits all for-profit entities that conduct business in Florida and collect personal data from selling a consumer’s sensitive data without first obtaining the consumer’s consent.
- Review current policies, including privacy, opt-out, and data retention policies, to ensure compliance.
- Consult with legal counsel regarding applicable restrictions on what data is collected from consumers, as well as how that data is collected and what the company does to protect that data once collected.
- Subscribers can call our HR On-Call Hotline at (888) 378-2456 for further assistance.
Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2023 ManagEase