Florida Data Privacy Laws: Digital Bill of Rights & Breach Rules (2026)

Florida has taken a unique approach to data privacy. Rather than passing a broad consumer privacy law that covers all businesses operating in the state, the legislature created the Florida Digital Bill of Rights (FDBR), a statute aimed squarely at the largest technology companies in the world.
For the vast majority of Florida businesses, the primary data privacy obligation remains the Florida Information Protection Act (FIPA), which focuses on data security and breach notification rather than comprehensive consumer privacy rights.
This two-track system means that understanding Florida data privacy law requires looking at both statutes, along with the federal frameworks that fill gaps for most organizations.
The Florida Digital Bill of Rights (FDBR): What It Actually Covers
Governor Ron DeSantis signed the Florida Digital Bill of Rights into law on June 6, 2023, as SB 262. It took effect on July 1, 2024, and is codified at Fla. Stat. 501.701-501.721.

What sets the FDBR apart from every other state privacy law in the country is its applicability threshold. This is not a law that applies to your local dentist's office or a mid-size e-commerce company.
Who Must Comply: The $1 Billion Threshold
The FDBR applies only to entities that meet all of the following criteria:
- Conduct business in Florida or produce products or services consumed by Florida residents
- Collect personal data about consumers (or have someone collect it on their behalf)
- Earn more than $1 billion in global gross annual revenue
- Meet at least one of these three additional conditions:
  - Derive 50% or more of global revenue from online advertising sales, including targeted advertising
  - Operate a consumer smart speaker with a voice-activated virtual assistant connected to cloud computing
  - Operate an app store or digital distribution platform offering at least 250,000 software applications
In practical terms, this means the FDBR targets companies like Google, Amazon, Apple, and Meta. A company earning $999 million in global revenue is not covered, no matter how much consumer data it processes.
The Florida Senate bill summary confirms this narrow scope was intentional. Legislators designed the law to address the outsized data collection practices of Big Tech companies specifically.
Consumer Rights Under the FDBR
For Florida consumers whose data is held by a qualifying controller, the FDBR grants the following rights under Fla. Stat. 501.705:
Right to Confirm and Access. Consumers can confirm whether a controller is processing their personal data and access that data.
Right to Correct. Consumers can request correction of inaccuracies in their personal data, taking into account the nature and purposes of the processing.
Right to Delete. Consumers can request deletion of any or all personal data provided by or obtained about them.
Right to Data Portability. Consumers can obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.
Right to Opt Out. Consumers can opt out of:
- Processing of personal data for targeted advertising
- The sale of personal data
- Profiling that produces legal or similarly significant effects
- Collection of sensitive data, including precise geolocation data
- Data collection through voice recognition or facial recognition features
Controllers must respond to consumer requests within 45 days, with one 45-day extension permitted if reasonably necessary.
Sensitive Data Protections
The FDBR treats certain categories of personal data with heightened protection. A covered controller may not sell sensitive data without receiving prior consent from the consumer.
Sensitive data under the FDBR includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Personal data of a known child
- Precise geolocation data
For data collected through voice recognition or facial recognition features, the FDBR adds a further protection: devices with these features cannot use them for surveillance when the consumer is not actively using the device, unless the consumer expressly authorizes it.
Controller Duties and Data Protection Assessments
Covered controllers under the FDBR must:
- Limit data collection to what is adequate, relevant, and reasonably necessary
- Implement reasonable data security practices
- Provide clear and meaningful privacy notices
- Conduct and document data protection assessments for processing activities that present a heightened risk, including targeted advertising, the sale of personal data, profiling, and processing sensitive data
These assessments must weigh the benefits of the processing against the potential risks to consumers, considering the use of de-identification, reasonable consumer expectations, and the context of the processing.
Government Content Moderation Restrictions
The FDBR includes provisions that are unique among state privacy laws. Government employees are prohibited from using their position or state resources to communicate with social media platforms to request content removal. Governmental entities cannot initiate or maintain agreements with social media platforms for content moderation purposes.
These restrictions do not apply to routine account maintenance, efforts to remove content related to criminal activity, or actions to prevent bodily harm, loss of life, or property damage. Certain government-related provisions took effect earlier, on July 1, 2023.
Exemptions
The FDBR exempts several categories of entities and data from its requirements:
- Entities governed by the Gramm-Leach-Bliley Act (GLBA) for financial institutions
- Entities subject to HIPAA privacy, security, and breach notification rules
- Nonprofit organizations
- Data subject to the Fair Credit Reporting Act
- Data covered by the Children's Online Privacy Protection Act (COPPA)
- Various other federal regulatory frameworks
These exemptions mean that banks, healthcare providers, and nonprofits operating in Florida are not subject to the FDBR, even if they otherwise meet the revenue threshold.
Enforcement
The FDBR is enforced exclusively by the Florida Attorney General through the Department of Legal Affairs. There is no private right of action, meaning individual consumers cannot sue companies directly for FDBR violations.
Before bringing an enforcement action, the Attorney General must provide the controller with written notice identifying the specific provisions believed to be violated. The controller then has 45 days to cure the alleged violation.
The Florida Attorney General's office has already begun active enforcement. In 2025, Attorney General James Uthmeier's Office of Parental Rights filed an enforcement action against Roku, Inc. for alleged violations of the FDBR and the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), seeking civil penalties, injunctive relief, and measures to protect children's data.
Children's Online Protections: Fla. Stat. 501.1735
Florida law provides heightened protections for children in online spaces under Fla. Stat. 501.1735. These provisions define "child" as any consumer under 18 years of age.
Covered online platforms are prohibited from:
- Processing children's data harmfully. Platforms cannot process a child's personal information if they have actual knowledge or willfully disregard that the processing may result in substantial harm or privacy risk to children.
- Profiling children without safeguards. Platforms cannot profile a child unless they can demonstrate appropriate safeguards are in place.
- Using dark patterns. Platforms cannot use manipulative design techniques to lead or encourage children to provide personal information beyond what would be reasonably expected, to forego privacy protections, or to take actions that may cause substantial harm.
- Misusing age estimation data. Any personal information collected to estimate a user's age cannot be used for any other purpose and cannot be retained longer than necessary for age estimation.
Companies must obtain clear consent before selling or using a child's sensitive data and must provide transparent notice about how children's personal information is collected and shared.
The Florida Information Protection Act (FIPA): Fla. Stat. 501.171
While the FDBR targets Big Tech, the Florida Information Protection Act (FIPA) is the data privacy law that actually applies to most businesses operating in Florida. Originally enacted in 2014 as SB 1524, FIPA focuses on two core requirements: data security and breach notification.
Who FIPA Covers
FIPA applies broadly to:
- Covered entities: Any entity that acquires, maintains, stores, or uses personal information (this includes businesses of all sizes)
- Governmental entities: State and local government agencies
- Third-party agents: Any entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity
There is no revenue threshold, employee count minimum, or data volume requirement. If your business handles personal information of Florida residents, FIPA applies to you.
What Counts as Personal Information Under FIPA
FIPA defines "personal information" as an individual's first name (or first initial) and last name combined with one or more of the following:
- A driver's license number, identification card number, passport number, military ID number, or similar government-issued identifier
- A financial account number, credit card number, or debit card number, combined with any security code, access code, or password needed to access the account
- Medical history information, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
- A health insurance policy number or subscriber identification number, plus any unique identifier used by a health insurer
The definition also includes a user name or email address combined with a password or security question and answer that would permit access to an online account.
Data Security Requirements
FIPA requires each covered entity, governmental entity, and third-party agent to take reasonable measures to protect and secure data in electronic form containing personal information.
The statute does not prescribe specific technical controls. Instead, "reasonable measures" is a flexible standard that considers the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the data involved.
Breach Notification Rules
FIPA's breach notification requirements are among the most detailed in the country.
Timeline for notification:
- Notice to affected individuals must be provided no later than 30 days after determination of the breach or reason to believe a breach occurred
- The entity may receive a 15-day extension if good cause for delay is provided in writing to the Florida Department of Legal Affairs within the initial 30-day window
- Law enforcement may authorize a reasonable delay if notification would interfere with a criminal investigation
Notice to the Florida Department of Legal Affairs:
If a breach affects 500 or more individuals in Florida, the covered entity must also notify the Department. This notice must include:
- A synopsis of the events surrounding the breach
- The number of individuals in Florida affected
- Any services being offered to affected individuals at no charge (such as credit monitoring)
- The name, address, telephone number, and email of an employee or agent who can provide additional information
When notice is NOT required:
An entity is not required to notify individuals if, after investigation and consultation with law enforcement, it reasonably determines the breach has not and will not likely result in identity theft or financial harm. This determination must be documented in writing and maintained for at least five years.
FIPA Penalties
A covered entity that violates the notification requirements faces civil penalties structured as follows:
- $1,000 per day for each day of violation during the first 30 days
- $50,000 for each subsequent 30-day period (or portion thereof), up to 180 days
- A total cap of $500,000 per breach
Penalties are calculated per breach, not per individual affected. The Florida Attorney General enforces FIPA through the Florida Deceptive and Unfair Trade Practices Act (FDUTPA). There is no private right of action under FIPA.
Third-Party Agent Obligations
When a breach occurs in a system maintained by a third-party agent, that agent must notify the covered entity no later than 10 days after determining the breach occurred or having reason to believe it occurred. The covered entity, not the third-party agent, is then responsible for consumer notification.
Federal Frameworks That Apply in Florida
Because the FDBR covers only the largest technology companies, most Florida businesses rely on federal privacy frameworks for their primary compliance obligations.
HIPAA (Health Insurance Portability and Accountability Act)
Healthcare providers, health plans, healthcare clearinghouses, and their business associates must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. HIPAA preempts less-protective state laws but not more-protective ones.
GLBA (Gramm-Leach-Bliley Act)
Financial institutions including banks, credit unions, insurance companies, and securities firms must comply with GLBA's privacy and safeguards requirements. GLBA requires financial privacy notices and limits sharing of nonpublic personal information.
COPPA (Children's Online Privacy Protection Act)
Websites and online services directed at children under 13, or that knowingly collect information from children under 13, must comply with COPPA's parental consent requirements and data minimization principles.
FCRA (Fair Credit Reporting Act)
Consumer reporting agencies, users of consumer reports, and furnishers of information must comply with FCRA's accuracy, disclosure, and dispute resolution requirements.
FTC Act Section 5
The Federal Trade Commission can bring enforcement actions against any company engaging in unfair or deceptive practices regarding consumer data, providing a baseline of protection for all Florida consumers.
2025-2026 Legislative Developments
Florida's legislature continues to expand data privacy protections in specific sectors.
Motor Vehicle Data Privacy (HB 1557, 2026 session). This bill addresses operator data and personal identifying information collected by vehicle manufacturers. It would prohibit manufacturers from certain actions relating to operator data and require them to provide vehicle owners with access to and control of their data. The proposed effective date is July 1, 2026.
Social Media Protections for Minors (SB 1722, 2026 session). This bill builds on existing children's protections by allowing parents or guardians of account holders aged 14 or 15 to request termination of the minor's account.
Government Contracting Restrictions. Beginning July 1, 2025, a governmental entity may not extend or renew a contract with certain foreign entities if the contract would give that entity access to individuals' personal identifying information.
These bills signal Florida's continued interest in sector-specific privacy protections rather than a broad expansion of the FDBR to cover smaller businesses.
How Florida Compares to Other State Privacy Laws
Florida's approach stands in sharp contrast to comprehensive state privacy laws like the California Consumer Privacy Act (CCPA), Colorado Privacy Act, and Connecticut Data Privacy Act.
| Feature | Florida FDBR | California CCPA/CPRA | Colorado CPA | Connecticut CTDPA |
|---|---|---|---|---|
| Revenue threshold | $1 billion+ global | $25 million+ | None | None |
| Additional criteria | Must meet 1 of 3 Big Tech tests | Data volume or revenue % | 100K consumers or 25K + revenue % | 100K consumers or 25K + revenue % |
| Approximate businesses covered | ~20-30 companies | Millions | Thousands | Thousands |
| Consumer rights | Access, correct, delete, portability, opt out | Access, correct, delete, portability, opt out, limit sensitive data | Access, correct, delete, portability, opt out | Access, correct, delete, portability, opt out |
| Private right of action | No | Limited (data breaches) | No | No |
| Enforcement | AG only | AG + limited private | AG only | AG only |
| Cure period | 45 days | 30 days (expired 2023) | 60 days (expires 2025) | 60 days (expires 2025) |
The practical effect is that a Florida-based online retailer doing $50 million in annual revenue and handling significant consumer data would be subject to California, Colorado, and Connecticut privacy laws if it serves residents of those states, but would not be subject to the FDBR in its home state.
Practical Steps for Florida Businesses
Given Florida's framework, businesses operating in the state should focus on the following:
1. Comply with FIPA's breach notification requirements. This is the baseline obligation for every Florida business handling personal information. Ensure you have an incident response plan that can meet the 30-day notification deadline.
2. Implement reasonable security measures. FIPA's "reasonable measures" standard requires data security practices proportional to your organization's size and the sensitivity of the data you handle.
3. Assess federal privacy obligations. Determine whether HIPAA, GLBA, COPPA, FCRA, or other federal frameworks apply to your specific industry and data practices.
4. Monitor multi-state compliance. If you serve consumers in states with comprehensive privacy laws (California, Colorado, Connecticut, Virginia, and others), those laws likely apply to you even though the FDBR does not.
5. Watch children's data carefully. Florida's children's protections under Fla. Stat. 501.1735 and the broader FDBR provisions apply to online platforms regardless of revenue thresholds. If your platform is accessible to minors, review these requirements.
6. Document your data practices. Even without a comprehensive state privacy law mandate, maintaining records of what data you collect, how you use it, where you store it, and who you share it with positions your business for compliance as privacy laws continue to evolve.
Sources and References
- Florida Statutes 501.701-501.721 (Florida Digital Bill of Rights), The 2025 Florida Statutes (leg.state.fl.us)
- SB 262 Enrolled Text, Florida Digital Bill of Rights (flsenate.gov)
- Florida Statute 501.171, Security of Confidential Personal Information (FIPA) (leg.state.fl.us)
- Florida Statute 501.1735, Protection of Children in Online Spaces (leg.state.fl.us)
- SB 262 Bill Summary, Florida Senate 2023 Session (flsenate.gov)
- Florida Digital Bill of Rights Annual Enforcement Report (2026) (myfloridalegal.com)
- Attorney General Enforcement Action Against Roku, My Florida Legal (myfloridalegal.com)
- SB 1524 (2014), Florida Information Protection Act Original Legislation (flsenate.gov)
- Data Security Consumer Protection, My Florida Legal (myfloridalegal.com)
- HB 1557 (2026), Motor Vehicle Data Privacy (flsenate.gov)