Florida Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Florida does not have a standalone biometric privacy law like Illinois (BIPA) or Texas (CUBI). Instead, biometric data protections are woven into the Florida Digital Bill of Rights (FDBR), which took effect on July 1, 2024, and the Florida Information Protection Act (FIPA), which covers breach notification.
The FDBR treats biometric data as a subset of sensitive personal data and grants consumers specific opt-out rights. However, the law's narrow applicability threshold means that most of these protections apply only against the largest technology companies operating in the state.
What Counts as Biometric Data Under Florida Law
Fla. Stat. 501.702(4) defines biometric data as "data generated by automatic measurements of an individual's biological characteristics." The statute specifically lists:
- Fingerprints
- Voiceprints
- Eye retinas or irises
- Other unique biological patterns or characteristics used to identify a specific individual
The definition is broad enough to capture newer biometric technologies, such as gait analysis or vein pattern recognition, as long as the data is generated through automatic measurement and used for identification.
What Biometric Data Does Not Include
The statute explicitly carves out three categories:
- Photographs (including digital photos)
- Video or audio recordings (the recording itself, as opposed to biometric identifiers extracted from recordings)
- Data collected under HIPAA (health information governed by federal health privacy rules)
This exclusion means a security camera recording of someone walking through a store is not biometric data. But if software analyzes that footage to extract a faceprint or gait signature, the extracted identifier falls under the biometric data definition.
The $1 Billion Controller Threshold

The FDBR's biometric protections are powerful on paper but narrow in practice. Under Fla. Stat. 501.702(9), a company qualifies as a "controller" subject to the full FDBR requirements only if it meets all of these conditions:
- Conducts business in Florida or produces products/services consumed by Florida residents
- Collects personal data about consumers
- Earns more than $1 billion in global gross annual revenue
- Meets at least one additional condition:
  - Derives 50% or more of global revenue from online advertising sales
  - Operates a consumer smart speaker with a voice-activated virtual assistant
  - Operates an app store or digital distribution platform offering at least 250,000 applications
This threshold is the highest of any state privacy law in the United States. By comparison, the California Consumer Privacy Act kicks in at $25 million in annual revenue.
In practice, only a handful of companies qualify: think Google, Amazon, Apple, and Meta. A Florida-based employer using fingerprint scanners for time tracking almost certainly falls below the threshold and is not subject to the FDBR's opt-out requirements for biometric data.
The Broader Sale-of-Sensitive-Data Rule
One provision reaches beyond the $1 billion threshold. Under Fla. Stat. 501.715, any controller that sells sensitive personal data (which includes biometric data) must obtain prior consumer consent before the sale. For children under 13, federal COPPA rules apply. For minors aged 13 to 17, the controller must obtain the child's affirmative authorization.
This consent requirement for the sale of sensitive data, combined with the biometric sale notice requirement in Fla. Stat. 501.711(3), creates obligations that may reach more businesses than the core FDBR framework.
Consumer Rights for Biometric Data

Consumers whose data is processed by qualifying controllers have several rights specific to biometric information.
Opt-Out of Biometric Data Processing
Under Fla. Stat. 501.705(2)(f), consumers may opt out of the collection and processing of sensitive data, which includes biometric data.
Opt-Out of Voice and Facial Recognition
Fla. Stat. 501.705(2)(g) creates a separate, specific right to opt out of personal data collection through "the operation of a voice recognition or facial recognition feature." This provision targets smart devices, apps, and platforms that use facial or voice recognition to identify or authenticate users.
No Background Surveillance
Fla. Stat. 501.705(3) prohibits controllers from using voice recognition, facial recognition, video recording, audio recording, or similar sensing features "when such features are not in active use by the consumer," unless the consumer has expressly authorized it. This targets always-on microphones and cameras in smart home devices and similar products.
Opt-In vs. Opt-Out: How Florida Compares
Florida uses an opt-out model for most biometric data processing. Covered controllers can collect and process biometric data by default, and consumers must take affirmative action to stop it.
This differs significantly from Illinois' Biometric Information Privacy Act (BIPA), which requires opt-in written consent before any collection of biometric identifiers. Under BIPA, collection without prior consent is a violation from the start. Under the FDBR, collection without consent is generally permissible until a consumer exercises their opt-out right.
The one exception is the sale of biometric data. Selling biometric data requires prior consent under Fla. Stat. 501.715, making that specific activity opt-in.
Notice Requirements for Biometric Data
Controllers that sell biometric personal data must display a specific notice under Fla. Stat. 501.711(3):
"NOTICE: This website may sell your biometric personal data."
This notice must appear in the same location as the company's general privacy notice. Controllers must also disclose:
- The categories of personal data processed, including whether sensitive data is involved
- How consumers can exercise their opt-out rights
- Categories of third parties that receive personal data
- The purposes for processing
Privacy notices must be updated at least annually.
Data Protection Assessments
Under Fla. Stat. 501.713, controllers must conduct data protection assessments for activities that present a "heightened risk of harm to consumers." Processing sensitive data, including biometric data, triggers this requirement.
Each assessment must weigh the benefits of the processing activity against the potential risks to consumer rights, considering factors such as:
- Whether the data has been deidentified
- Consumer expectations regarding the processing
- The context and relationship between the controller and consumer
- Available safeguards to reduce risk
These assessments are confidential but must be made available to the Department of Legal Affairs upon request during an investigation.
Biometric Data and Breach Notification
Separately from the FDBR, the Florida Information Protection Act (Fla. Stat. 501.171) includes biometric data in its definition of personal information subject to breach notification requirements.
If a breach exposes an individual's biometric data (as defined in Fla. Stat. 501.702) along with their first name or first initial and last name, the entity must:
- Notify affected individuals within 30 days of discovering the breach
- Notify the Florida Department of Legal Affairs within 30 days (with a possible 15-day extension upon written request)
- Notify credit reporting agencies if the breach affects 500 or more individuals
FIPA's breach notification rules apply to all covered entities in Florida, not just $1 billion companies. Any business or government entity that maintains, stores, or uses Floridians' biometric data must comply.
Penalties for failing to meet notification deadlines under FIPA reach up to $500,000 per breach: $1,000 per day for the first 30 days, then $50,000 for each subsequent 30-day period, up to 180 days.
Enforcement: Attorney General Only

The FDBR is enforced exclusively by the Florida Department of Legal Affairs (the Attorney General's office) under Fla. Stat. 501.72.
There is no private right of action. Individual consumers cannot sue companies for biometric data violations under Florida law. This is one of the sharpest contrasts with Illinois' BIPA, where private lawsuits (including class actions) have produced hundreds of millions of dollars in settlements.
Penalty Structure
| Violation Type | Maximum Penalty |
|---|---|
| Standard FDBR violation | $50,000 per violation |
| Violation involving a known child | $150,000 per violation (treble damages) |
| Failure to delete/correct data after consumer request | $150,000 per violation (treble damages) |
| Continuing data sale after opt-out | $150,000 per violation (treble damages) |
| FIPA breach notification failure | Up to $500,000 per incident |
Cure Period
Controllers receive a 45-day cure period after written notice from the AG's office. If the violation is cured within that window, the department may choose not to pursue action. The one exception: violations involving children's data have no cure period.
Enforcement Activity to Date
The Florida AG's office issued its first annual enforcement report covering January through December 2025. During that period, the department received 1,496 consumer complaints, placed 811 under active review, issued 186 Notices of Alleged Violation to controllers, and initiated 60 inquiries to determine whether entities fell within the FDBR's scope.
The first major enforcement action came in October 2025, when the AG filed suit against Roku, Inc. for alleged violations involving children's data, including geolocation and voice recordings. Florida sought civil penalties of up to $150,000 per violation.
Employer Use of Biometric Data
Florida does not have a separate employer-specific biometric privacy law. Businesses that use fingerprint scanners for timekeeping, facial recognition for building access, or other biometric tools in the workplace are generally not subject to the FDBR unless they meet the $1 billion controller threshold.
However, employers should be aware of two considerations:
Breach notification still applies. If an employer stores employees' fingerprints or other biometric data and suffers a data breach, the FIPA notification requirements apply regardless of company size. Failure to notify within 30 days exposes the employer to penalties.
No BIPA-style lawsuit risk. Unlike in Illinois, where employees have filed thousands of class action lawsuits over biometric data collection in the workplace, Florida's lack of a private right of action means employees cannot bring similar claims. Enforcement runs through the AG's office only.
Pending Legislation: 2025-2026 Session
The Florida Legislature has not advanced a standalone biometric privacy act in recent sessions. A 2019 proposal, the Florida Biometric Information Privacy Act (SB 1270), modeled on Illinois' BIPA, did not pass. No comparable bill has been filed in the 2025 or 2026 legislative sessions.
The 2026 session did see SB 482, an Artificial Intelligence Bill of Rights, which passed the Senate 35-2 but died in the House. That bill addressed AI governance and chatbot consent but did not amend the FDBR's biometric provisions.
As of March 2026, there is no pending legislation that would lower the FDBR's $1 billion threshold, create a private right of action for biometric data violations, or establish a standalone biometric privacy statute in Florida.
How Florida Compares to Other States
| Feature | Florida (FDBR) | Illinois (BIPA) | Texas (CUBI) |
|---|---|---|---|
| Standalone biometric law | No (part of broader privacy law) | Yes | Yes |
| Consent model | Opt-out (opt-in for sale only) | Opt-in written consent | Opt-in notice and consent |
| Applicability | $1B+ revenue Big Tech only | All private entities | All persons |
| Private right of action | No | Yes (statutory damages) | No (AG only) |
| Penalty per violation | $50,000 ($150,000 for children) | $1,000-$5,000 per violation | $25,000 per violation |
| Breach notification | Yes (via FIPA, all businesses) | Not specifically | Not specifically |
This comparison matters for businesses operating across multiple states. A company that collects fingerprints in both Florida and Illinois faces vastly different compliance burdens and litigation risks in each jurisdiction.
This article provides general legal information about Florida biometric privacy laws and is not legal advice. Laws and enforcement practices change over time. Consult an attorney for advice specific to your situation.
Sources and References
- Fla. Stat. 501.702 - Definitions (biometric data, sensitive data, controller) (leg.state.fl.us)
- Fla. Stat. 501.705 - Consumer rights (opt-out of biometric and facial/voice recognition) (leg.state.fl.us)
- Fla. Stat. 501.711 - Privacy notices (biometric sale notice requirement) (leg.state.fl.us)
- Fla. Stat. 501.715 - Requirements for sensitive data (consent for sale) (leg.state.fl.us)
- Fla. Stat. 501.713 - Data protection assessments (leg.state.fl.us)
- Fla. Stat. 501.72 - Enforcement and implementation (AG-only, penalties, cure period) (leg.state.fl.us)
- Fla. Stat. 501.171 - Security of confidential personal information (breach notification) (leg.state.fl.us)
- SB 262 (2023) - Florida Digital Bill of Rights enrolled text (flsenate.gov)
- Florida AG Digital Bill of Rights Annual Enforcement Report (2025) (myfloridalegal.com)
- Florida AG enforcement action against Roku - Holland & Knight analysis (hklaw.com)