Florida Data Privacy Laws: Digital Bill of Rights & Breach Rules (2026)

Florida data privacy law runs on two tracks: the Florida Digital Bill of Rights (Fla. Stat. 501.701-501.721), which took effect July 1, 2024 and applies only to companies earning over $1 billion in global revenue meeting Big Tech criteria, and FIPA (Fla. Stat. 501.171), which covers all businesses handling Floridians' personal information.

Florida has taken a unique approach to data privacy. Rather than passing a broad consumer privacy law that covers all businesses operating in the state, the legislature created the Florida Digital Bill of Rights (FDBR), a statute aimed squarely at the largest technology companies in the world.

For the vast majority of Florida businesses, the primary data privacy obligation remains the Florida Information Protection Act (FIPA), which focuses on data security and breach notification rather than comprehensive consumer privacy rights.

This two-track system means that understanding Florida data privacy law requires looking at both statutes, along with the federal frameworks that fill gaps for most organizations.

The Florida Digital Bill of Rights (FDBR): What It Actually Covers

Governor Ron DeSantis signed the Florida Digital Bill of Rights into law on June 6, 2023, as SB 262. It took effect on July 1, 2024, and is codified at Fla. Stat. 501.701-501.721.

What sets the FDBR apart from every other state privacy law in the country is its applicability threshold. This is not a law that applies to your local dentist's office or a mid-size e-commerce company.

Who Must Comply: The $1 Billion Threshold

The FDBR applies only to entities that meet all of the following criteria:

• Conduct business in Florida or produce products or services consumed by Florida residents
• Collect personal data about consumers (or have someone collect it on their behalf)
• Earn more than $1 billion in global gross annual revenue
• Meet at least one of these three additional conditions:
  • Derive 50% or more of global revenue from online advertising sales, including targeted advertising
  • Operate a consumer smart speaker with a voice-activated virtual assistant connected to cloud computing
  • Operate an app store or digital distribution platform offering at least 250,000 software applications

In practical terms, this means the FDBR targets companies like Google, Amazon, Apple, and Meta. A company earning $999 million in global revenue is not covered, no matter how much consumer data it processes.

The Florida Senate bill summary confirms this narrow scope was intentional. Legislators designed the law to address the outsized data collection practices of Big Tech companies specifically.

Consumer Rights Under the FDBR

For Florida consumers whose data is held by a qualifying controller, the FDBR grants the following rights under Fla. Stat. 501.705:

Right to Confirm and Access. Consumers can confirm whether a controller is processing their personal data and access that data.

Right to Correct. Consumers can request correction of inaccuracies in their personal data, taking into account the nature and purposes of the processing.

Right to Delete. Consumers can request deletion of any or all personal data provided by or obtained about them.

Right to Data Portability. Consumers can obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format.

Right to Opt Out. Consumers can opt out of:

• Processing of personal data for targeted advertising
• The sale of personal data
• Profiling that produces legal or similarly significant effects
• Collection of sensitive data, including precise geolocation data
• Data collection through voice recognition or facial recognition features

Controllers must respond to consumer requests within 45 days, with one 45-day extension permitted if reasonably necessary.

Sensitive Data Protections

The FDBR treats certain categories of personal data with heightened protection. A covered controller may not sell sensitive data without receiving prior consent from the consumer.

Sensitive data under the FDBR includes:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexual orientation
• Citizenship or immigration status
• Genetic or biometric data
• Personal data of a known child
• Precise geolocation data

For data collected through voice recognition or facial recognition features, the FDBR adds an additional protection: devices with these features cannot use them for surveillance when the consumer is not actively using the device, unless the consumer expressly authorizes it.

Controller Duties and Data Protection Assessments

Covered controllers under the FDBR must:

• Limit data collection to what is adequate, relevant, and reasonably necessary
• Implement reasonable data security practices
• Provide clear and meaningful privacy notices
• Conduct and document data protection assessments for processing activities that present a heightened risk, including targeted advertising, the sale of personal data, profiling, and processing sensitive data

These assessments must weigh the benefits of the processing against the potential risks to consumers, considering the use of de-identification, reasonable consumer expectations, and the context of the processing.

Government Content Moderation Restrictions

The FDBR includes provisions that are unique among state privacy laws. Government employees are prohibited from using their position or state resources to communicate with social media platforms to request content removal. Governmental entities cannot initiate or maintain agreements with social media platforms for content moderation purposes.

These restrictions do not apply to routine account maintenance, efforts to remove content related to criminal activity, or actions to prevent bodily harm, loss of life, or property damage. Certain government-related provisions took effect earlier, on July 1, 2023.

Exemptions

The FDBR exempts several categories of entities and data from its requirements:

• Entities governed by the Gramm-Leach-Bliley Act (GLBA) for financial institutions
• Entities subject to HIPAA privacy, security, and breach notification rules
• Nonprofit organizations
• Data subject to the Fair Credit Reporting Act
• Data covered by the Children's Online Privacy Protection Act (COPPA)
• Various other federal regulatory frameworks

These exemptions mean that banks, healthcare providers, and nonprofits operating in Florida are not subject to the FDBR, even if they otherwise meet the revenue threshold.

FDBR Enforcement and First Enforcement Action

The FDBR is enforced exclusively by the Florida Attorney General through the Department of Legal Affairs. There is no private right of action, meaning individual consumers cannot sue companies directly for FDBR violations.

Before bringing an enforcement action, the Attorney General must provide the controller with written notice identifying the specific provisions believed to be violated. The controller then has 45 days to cure the alleged violation.

On October 14, 2025, Attorney General James Uthmeier's Office of Parental Rights filed the state's first FDBR enforcement action against Roku, Inc. and its Florida subsidiary. The complaint was filed in Florida's 20th Judicial Circuit. The allegations: Roku "collected, sold, and enabled reidentification of sensitive personal data, including viewing habits, voice recordings, and other information from children, without authorization or meaningful notice to Florida families." Roku's 2024 operating revenue of $3.4 billion placed the company well above the FDBR's $1 billion threshold.

Available civil penalties under the FDBR reach up to $150,000 per violation involving children and up to $50,000 per violation affecting other individuals. The action also sought injunctive relief and measures requiring transparent disclosures and cessation of unauthorized data sales.

In February 2026, Attorney General Uthmeier announced the creation of the CHINA Prevention Unit, a specialized enforcement initiative within the AG's office. The unit investigates foreign-owned corporations, particularly those with Chinese ownership, that collect consumer data from Florida residents. It has issued subpoenas to medical device manufacturers demanding audits and verification of whether biometric or patient data transfers to foreign servers.

Children's Online Protections: Fla. Stat. 501.1735 and 501.1736

Florida law provides a layered set of protections for children in online spaces through two distinct statutes.

Fla. Stat. 501.1735 prohibits covered online platforms from:

• Processing children's data harmfully. Platforms cannot process a child's personal information if they have actual knowledge or willfully disregard that the processing may result in substantial harm or privacy risk to children.

• Profiling children without safeguards. Platforms cannot profile a child unless they can demonstrate appropriate safeguards are in place.

• Using dark patterns. Platforms cannot use manipulative design techniques to lead or encourage children to provide personal information beyond what would be reasonably expected, to forego privacy protections, or to take actions that may cause substantial harm.

• Misusing age estimation data. Any personal information collected to estimate a user's age cannot be used for any other purpose and cannot be retained longer than necessary for age estimation.

Companies must obtain clear consent before selling or using a child's sensitive data and must provide transparent notice about how children's personal information is collected and shared.

Fla. Stat. 501.1736 (enacted as HB 3 during the 2024 session) goes further. It requires social media platforms to:

• Prohibit accounts for children under 14. Platforms must terminate existing accounts held by minors under 14 and block new account creation.
• Require parental consent for 14- and 15-year-olds. Covered platforms must obtain verifiable parental or guardian consent before minors in this age group may create accounts.
• Restrict addictive features. Platforms cannot use algorithmic design features that cause users to lose track of time or forego sleep, or that push notifications after 10 p.m. for minors.

Fla. Stat. 501.1736 targets social media platforms that "use algorithms to exploit psychological vulnerabilities" in minors. A federal district court initially enjoined the law, but on November 25, 2025, a 2-1 panel of the U.S. Court of Appeals for the Eleventh Circuit lifted the injunction, finding the state made a strong showing that the law is likely content-neutral and satisfies intermediate scrutiny. Florida's Attorney General announced immediate plans for aggressive enforcement. The underlying constitutional litigation (CCIA and NetChoice v. Uthmeier) continues.

The Florida Information Protection Act (FIPA): Fla. Stat. 501.171

While the FDBR targets Big Tech, the Florida Information Protection Act (FIPA) is the data privacy law that actually applies to most businesses operating in Florida. Originally enacted in 2014 as SB 1524, FIPA focuses on two core requirements: data security and breach notification.

Who FIPA Covers

FIPA applies broadly to:

• Covered entities: Any entity that acquires, maintains, stores, or uses personal information (this includes businesses of all sizes)
• Governmental entities: State and local government agencies
• Third-party agents: Any entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity

There is no revenue threshold, employee count minimum, or data volume requirement. If your business handles personal information of Florida residents, FIPA applies to you.

What Counts as Personal Information Under FIPA

FIPA defines "personal information" as an individual's first name (or first initial) and last name combined with one or more of the following:

• A driver's license number, identification card number, passport number, military ID number, or similar government-issued identifier
• A financial account number, credit card number, or debit card number, combined with any security code, access code, or password needed to access the account
• Medical history information, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional
• A health insurance policy number or subscriber identification number, plus any unique identifier used by a health insurer

The definition also includes a user name or email address combined with a password or security question and answer that would permit access to an online account.

Data Security Requirements

FIPA requires each covered entity, governmental entity, and third-party agent to take reasonable measures to protect and secure data in electronic form containing personal information.

The statute does not prescribe specific technical controls. Instead, "reasonable measures" is a flexible standard that considers the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the data involved.

Breach Notification Rules

FIPA's breach notification requirements are among the most detailed in the country.

Timeline for notification:

• Notice to affected individuals must be provided no later than 30 days after determination of the breach or reason to believe a breach occurred
• The entity may receive a 15-day extension if good cause for delay is provided in writing to the Florida Department of Legal Affairs within the initial 30-day window
• Law enforcement may authorize a reasonable delay if notification would interfere with a criminal investigation

Notice to the Florida Department of Legal Affairs:

If a breach affects 500 or more individuals in Florida, the covered entity must also notify the Department. If the breach affects 1,000 or more individuals, the entity must also notify all nationwide consumer credit reporting agencies within 30 days. This notice must include:

• A synopsis of the events surrounding the breach
• The number of individuals in Florida affected
• Any services being offered to affected individuals at no charge (such as credit monitoring)
• The name, address, telephone number, and email of an employee or agent who can provide additional information

When notice is NOT required:

An entity is not required to notify individuals if, after investigation and consultation with law enforcement, it reasonably determines the breach has not and will not likely result in identity theft or financial harm. This determination must be documented in writing and maintained for at least five years.

FIPA Penalties

A covered entity that violates the notification requirements faces civil penalties structured as follows:

• $1,000 per day for each day of violation during the first 30 days
• $50,000 per 30-day period (or portion thereof) for each subsequent 30-day period, up to 180 days
• A total cap of $500,000 per breach

Penalties are calculated per breach, not per individual affected. The Florida Attorney General enforces FIPA through the Florida Deceptive and Unfair Trade Practices Act (FDUTPA). There is no private right of action under FIPA.

Third-Party Agent Obligations

When a breach occurs in a system maintained by a third-party agent, that agent must notify the covered entity no later than 10 days after determining the breach occurred or having reason to believe it occurred. The covered entity, not the third-party agent, is then responsible for consumer notification.

Florida Telephone Solicitation Act: Consent for Calls and Texts

Florida's Telephone Solicitation Act, Fla. Stat. 501.059, governs telemarketing and automated calling practices for businesses that sell goods or services to Florida consumers. It applies to any person or entity doing business in Florida making telephonic sales calls to Florida residents, whether from within or outside the state.

Automated calls and texts. Section 501.059(8)(a) prohibits making unsolicited telephonic sales calls using an automated system for the selection and dialing of telephone numbers (or playing a recorded message when a connection is completed) without the prior express written consent of the called party. The 2023 amendments to the FTSA changed the phrase from "selection or dialing" to "selection and dialing," narrowing the definition of covered automated systems.

Prior express written consent requirements. Valid consent must be a written agreement bearing the called party's signature (including electronic or digital signatures) that clearly authorizes automated calls or texts to a specific telephone number, includes a clear and conspicuous disclosure explaining the authorization, and states that signing is not a condition of any purchase. Consent may also be demonstrated by checking a box or responding affirmatively to an email or text campaign.

Text message opt-out rule. Before filing a lawsuit for unwanted text messages, a recipient must first reply "STOP" to the sender. The solicitor then has 15 days to cease sending text message solicitations, or it faces statutory liability.

The FTSA does not independently require businesses to record calls, but it does require consent before automated or pre-recorded calls are placed. Florida recording consent laws under Fla. Stat. 934.03 separately govern whether call recording is lawful.

Digital Voyeurism: Fla. Stat. 810.145

Florida's digital voyeurism statute was renamed from "video voyeurism" to "digital voyeurism" by 2024 legislative changes effective October 1, 2024. The law prohibits secretly viewing, recording, or broadcasting images of individuals in private settings (bathrooms, changing rooms, residential dwellings) where they have a reasonable expectation of privacy.

Key offenses include:

• Secretly using an imaging device to view or record a person who is dressing or privately exposing their body without consent
• Upskirt photography (recording under or through clothing without consent)
• Dissemination or commercial distribution of such recordings

Penalties under the 2024 amendments:

• Adults 19 and older who commit digital voyeurism face third-degree felony charges
• Minors under 19 face first-degree misdemeanor charges
• Dissemination of digital voyeurism recordings constitutes a third-degree felony regardless of the offender's age
• When the offender is a family or household member of the victim, or holds a position of authority or trust over the victim, penalties increase to the next higher felony degree

Each instance of secretly viewing a person, or of broadcasting or distributing a recording, constitutes a separate offense under the statute.

Federal Frameworks That Apply in Florida

Because the FDBR covers only the largest technology companies, most Florida businesses rely on federal privacy frameworks for their primary compliance obligations.

HIPAA (Health Insurance Portability and Accountability Act)

Healthcare providers, health plans, healthcare clearinghouses, and their business associates must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. HIPAA preempts less-protective state laws but not more-protective ones.

GLBA (Gramm-Leach-Bliley Act)

Financial institutions including banks, credit unions, insurance companies, and securities firms must comply with GLBA's privacy and safeguards requirements. GLBA requires financial privacy notices and limits sharing of nonpublic personal information.

COPPA (Children's Online Privacy Protection Act)

Websites and online services directed at children under 13, or that knowingly collect information from children under 13, must comply with COPPA's parental consent requirements and data minimization principles.

FCRA (Fair Credit Reporting Act)

Consumer reporting agencies, users of consumer reports, and furnishers of information must comply with FCRA's accuracy, disclosure, and dispute resolution requirements.

FTC Act Section 5

The Federal Trade Commission can bring enforcement actions against any company engaging in unfair or deceptive practices regarding consumer data, providing a baseline of protection for all Florida consumers.

TAKE IT DOWN Act (Pub. L. 119-12)

President Trump signed the TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes On Websites and Networks Act) on May 19, 2025. The law criminalizes the publication of nonconsensual intimate imagery (NCII), including AI-generated deepfakes, with penalties of up to two years in prison (harsher for imagery involving minors). Criminal prohibitions took effect immediately. Covered platforms have until May 19, 2026 to establish notice-and-removal procedures: upon a victim's request, platforms must remove NCII within 48 hours and delete all copies. The FTC enforces the platform-obligation provisions. Florida Rep. Maria Salazar was a primary House sponsor of the bill.

2025-2026 Legislative Developments

Florida's legislature continues to expand data privacy protections in specific sectors.

Social Media Age Verification (Fla. Stat. 501.1736 / HB 3). Enacted during the 2024 session and codified as Fla. Stat. 501.1736, this law prohibits social media platforms from allowing account creation by children under 14 and requires parental consent for 14- and 15-year-olds. After an initial federal injunction, the Eleventh Circuit lifted the block on November 25, 2025, allowing active enforcement. Litigation on the merits continues as of May 2026.

Motor Vehicle Data Privacy (HB 1557, 2026 session). This bill addresses operator data and personal identifying information collected by vehicle manufacturers. It would prohibit manufacturers from certain actions relating to operator data and require them to provide vehicle owners access to and control of their data. The proposed effective date is July 1, 2026. Verify current enrollment status before citing as enacted.

Florida AI Bill of Rights (SB 482, 2026 session). The Florida Senate passed SB 482 by a 35-2 vote on March 4, 2026. The bill would have required parental consent before minors could use companion chatbots, restricted state agency contracts with AI providers linked to foreign governments, and imposed data-de-identification requirements. The bill died in the Florida House on March 13, 2026, and was not signed into law.

CHINA Prevention Unit (February 2026). Attorney General Uthmeier established a specialized unit within the AG's office to investigate foreign-owned corporations, particularly those with Chinese ownership, that collect consumer data from Florida residents. The unit has issued subpoenas to medical device manufacturers.

Government Contracting Restrictions. Beginning July 1, 2025, a governmental entity may not extend or renew a contract with certain foreign entities if the contract would give that entity access to individuals' personal identifying information.

How Florida Compares to Other State Privacy Laws

Florida's approach stands in sharp contrast to comprehensive state privacy laws like the California Consumer Privacy Act (CCPA), Colorado Privacy Act, and Connecticut Data Privacy Act.

The practical effect is that a Florida-based online retailer doing $50 million in annual revenue and handling significant consumer data would be subject to California, Colorado, and Connecticut privacy laws if it serves residents of those states, but would not be subject to the FDBR in its home state.

Practical Steps for Florida Businesses

Given Florida's framework, businesses operating in the state should focus on the following:

1. Comply with FIPA's breach notification requirements. This is the baseline obligation for every Florida business handling personal information. Ensure you have an incident response plan that can meet the 30-day notification deadline.

2. Implement reasonable security measures. FIPA's "reasonable measures" standard requires data security practices proportional to your organization's size and the sensitivity of the data you handle.

3. Assess federal privacy obligations. Determine whether HIPAA, GLBA, COPPA, FCRA, or other federal frameworks apply to your specific industry and data practices.

4. Monitor multi-state compliance. If you serve consumers in states with comprehensive privacy laws (California, Colorado, Connecticut, Virginia, and others), those laws likely apply to you even though the FDBR does not.

5. Watch children's data carefully. Florida's children's protections under Fla. Stat. 501.1735 and 501.1736 apply to online platforms regardless of revenue thresholds. If your platform is accessible to minors, review these requirements before the AG's enforcement ramps up further.

6. Review TAKE IT DOWN Act obligations. If your platform hosts user-generated content, platform-side NCII removal obligations under the TAKE IT DOWN Act took effect May 19, 2026. Establish notice-and-removal procedures.

7. Document your data practices. Maintaining records of what data you collect, how you use it, where you store it, and who you share it with positions your business for compliance as privacy laws continue to evolve.

In-depth guides

• What Is the FDBR? Florida Digital Bill of Rights
• FDBR Consumer Rights: Your Data Privacy Rights
• FDBR Compliance Checklist for Businesses (2026)

More Florida Laws

• Florida AI Meeting Recording Laws
• Florida Alimony Laws
• Florida At-Will Employment Laws
• Florida Car Accident Laws
• Florida Car Seat Laws
• Florida Child Custody Laws
• Florida Child Support Laws
• Florida Common Law Marriage Laws
• Florida Deepfake Laws
• Florida Divorce Laws
• Florida Dog Bite Laws
• Florida Emancipation Laws
• Florida Expungement Laws
• Florida Hit and Run Laws
• Florida Landlord-Tenant Laws
• Florida Lemon Laws

Related news

• Florida Sues TikTok Under HB3 Social Media Minors Law (2026)