Businesses should prepare now for state digital privacy law that goes into effect this summer

Last year, the Florida Legislature passed Senate Bill 262, known as the Florida Digital Bill of Rights. Unlike many state laws, which go into effect in July of the same year, this law goes into effect on July 1, 2024, giving businesses more time to prepare for the law’s significant changes in data privacy. But that start date is now nearly upon us, and companies, especially large technology companies doing business in Florida, must prepare now.

Unlike other state privacy laws, the Florida statute focuses on entities that generate more than half their revenue from online ads (e.g., Facebook, Google), those that operate online app stores with a quarter-million apps (e.g., Apple, Google), those that operate smart speakers connected to the cloud (e.g., Amazon, Google), and companies with over $1 billion in revenue that conduct business in the Sunshine State. Unlike privacy laws in many other U.S. states and in Europe, Florida’s privacy statute seems to be aimed not just at protecting Florida residents’ privacy, but at providing the state with a mechanism to hold “Big Tech” companies accountable.

The Florida Digital Bill of Rights (FDBR) establishes a comprehensive framework for data privacy in Florida, giving consumers greater control over their personal information and holding businesses accountable for responsible data-handling practices.

While initially aimed at Big Tech, the FDBR has broader implications for the Florida business community and is the latest development in the evolution of privacy legislation. Florida businesses should embrace the FDBR and interpret this act as a signal to re-evaluate their data practices, particularly regarding minors, and adopt agile frameworks to navigate the evolving regulatory landscape. By doing so, companies can not only confirm compliance but also secure long-term success in a world where privacy is increasingly paramount. Moreover, the new law may set the standard for other Florida regulators, including the Attorney General or consumer protection agencies, to enforce general privacy principles found in the law as “unfair” or “deceptive” trade practices.

Companies that regularly collect personal information or sensitive personal information from Florida residents should, at a minimum, consider the following recommendations:

  • Identify data you collect: Make a comprehensive list of personal data you collect from consumers, including what is collected directly and what comes from third parties.
  • Understand how data is used: Map out how you use the data. Align this with the FDBR’s requirement of data collection being limited to what’s necessary for disclosed purposes.
  • Craft a clear privacy notice: Develop a clear and accessible privacy notice that details the categories of data you collect, how it’s used, with whom it’s shared, and how consumers can exercise their rights under the FDBR.
  • Obtain consent for sensitive data: Identify any sensitive data you handle (e.g., health information) and confirm you have a mechanism to obtain explicit consent from consumers before processing it.
  • Implement strong safeguards: Evaluate and strengthen your data security measures to protect personal information from unauthorized access, disclosure or misuse. This may involve employee training, data encryption and regular security audits. It is also critical to establish an incident response plan and to engage a cybersecurity professional who can help you respond swiftly to data security incidents and events.
  • Establish a process for rights requests: Develop a system to handle consumer requests to access, correct or delete their personal data. Be prepared to respond to these requests within the timeframe outlined in the FDBR.
  • Set data retention limits: Establish a data retention schedule that dictates how long you will store personal information. The schedule should ensure that data is not retained beyond what’s necessary for the intended purpose or the timeframes mandated by the FDBR.
  • Review agreements with data processors: If you rely on third-party data processors, confirm your contracts comply with the FDBR. These agreements should address data security, consumer rights requests, and any limitations on data processing activities.

Data privacy and protection — whether required by the Florida Digital Bill of Rights or not — is something Florida residents and companies will increasingly come to expect. It requires more than data security — it requires companies to know what data they are collecting, why they are collecting it, what they are doing with it, and how.

Jeffrey Bernstein is director of cybersecurity and data privacy in the risk advisory services group at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S. This article should not be relied upon or construed as legal advice or a legal opinion, generally, nor regarding any specific issue or factual circumstance.

Read the full article on the South Florida Sun Sentinel.
