Code/Regulations
Effective Date: July 1, 2024
Details
Threshold
Applies to businesses in Florida with $1 billion or more in gross annual revenue and:
(1) Generate at least 50% of revenue from the sale of advertisements online;
(2) Operate an app store or digital distribution platform that offers at least 250,000 different software applications for consumers to download and install; OR
(3) Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud-computing service that uses hands-free verbal activation
Definition of "Personal Data"
Any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual.
Definition of "Sensitive Data"
As with all state general privacy laws, includes the following Personal Data:
- Race or ethnic origin;
- Religious beliefs;
- Citizenship or immigration status;
- Genetic data;
- Biometric data;
- Physical or mental health diagnosis; and
- Sexual orientation.
In addition, Florida’s definition also includes:
- Precise geolocation data; and
- Personal data collected from a known child.
Definition of "Sale"
Sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party
Data-Protection Assessments
Required for targeted advertising, sale, sensitive data, certain profiling
Opt-In Consent Required for Processing Sensitive Data
Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability
Yes
Consumer Right to Opt Out of Sale
Yes
Consumer Right to Opt Out of Targeted Ads
Yes
Consumer Right to Opt Out of Profiling
Yes
Pseudonymous Data Exempt from Consumer Requests
Yes
Appeal Rights
Yes
Universal Opt-Out Mechanism Required Recognition/Date
None
Data of Minors
Prohibitions on processing a child's PI if the online platform has actual knowledge or willfully disregards that the processing will result in "substantial harm or privacy risk to children;"
Profiling a child; using a child's PI for any reason other than the reason for which the PI was collected;
Collecting, selling, or sharing a child's precise geolocation data;
Using "dark patterns" to lead, or encourage, a child to take certain actions;
Using any personal information collected to estimate a child's age or age range
GLBA Exemption
Yes (both entity-level and data-level)
HIPAA Exemption
Yes (entity-level)
Applies/Does Not Apply to Personal Information in a Commercial or Employment Context
Does not apply to commercial or employment context; applies in an individual or household context
Nonprofit Exemption
Yes
Private Right of Action
No
Cure Period
45 Days, at the discretion of the Attorney General.
Cure Period Expiration
None
Enforcement Authority/Damages
Dept. of Legal Affairs (Attorney General)/up to $50,000 per violation with potential for treble damages for knowing or willful violations
Attorney General granted both discretionary and mandatory rulemaking authority
Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.