FDBR Compliance Checklist: Florida Data Privacy

Florida Digital Bill of Rights (FDBR) compliance starts with one question most businesses can answer quickly: are you a "controller" under Fla. Stat. 501.702(9)? The core controller duties apply only to a for-profit business that makes more than $1 billion in global gross annual revenues and meets one of three big-technology prongs, so most companies are outside the central obligations. But several broader provisions reach ordinary businesses, so no Florida company should assume it has zero FDBR exposure.
As of 2026, a covered controller must publish a clear privacy notice, honor consumer rights within 45 days, obtain opt-in consent before processing sensitive data, support the sale, targeted-advertising, profiling, sensitive-data, and voice and facial recognition opt-outs, and contract properly with processors. The Florida Department of Legal Affairs enforces the FDBR with a discretionary 45-day cure period and civil penalties of up to $50,000 per violation, which may be tripled in defined cases. There is no private right of action.
Jurisdiction scope: This covers Florida's Florida Digital Bill of Rights (Fla. Stat. 501.701 et seq.). It is general legal information, not legal advice.
Step 1: Run the applicability analysis
The first step is the most decisive. The FDBR's core controller obligations apply only to a person that qualifies as a "controller" under 501.702(9). That definition requires the business to be organized for profit, to conduct business in Florida or produce products or services used by Florida residents, to collect personal data and determine the purposes and means of processing, to make in excess of $1 billion in global gross annual revenues, and to satisfy one of three prongs.
The three prongs in 501.702(9)(a)6. are: deriving 50 percent or more of global gross annual revenues from the sale of online advertisements; operating a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service; or operating an app store or digital distribution platform offering at least 250,000 different software applications.
A business that does not clear the $1 billion revenue line, or that exceeds it but fits none of the three prongs, is not a controller. Document this analysis in writing. The conclusion that you are not a controller is itself a compliance artifact worth keeping, because it explains why the core duties below do not apply to you.
Step 2: Check the broader provisions any business must heed
Concluding that you are not a controller does not end the inquiry. SB 262 created several provisions that reach businesses well beyond the $1 billion threshold, and these are where ordinary Florida companies most often have FDBR exposure.
The children's online protections in 501.1735 apply to an online platform that provides an online service, product, game, or feature likely to be predominantly accessed by children, regardless of revenue. That section restricts processing a known child's personal data in ways that cause substantial harm or privacy risk, prohibits certain dark patterns, and limits collecting a known child's precise geolocation without consent. Any consumer-facing business with a youthful audience should review it.
The breach-notification statute 501.171 was amended to add biometric data (as defined in 501.702) and geolocation information to the categories of personal information that trigger breach-notification duties. That broadens incident-response obligations for businesses generally. Finally, the sale-of-sensitive-data consent rule in 501.715 should be reviewed by any business that monetizes sensitive data. Map your exposure to each before assuming the FDBR does not touch you.

Step 3: Privacy notice
A covered controller must provide consumers a reasonably accessible and clear privacy notice under 501.711. The notice must describe the categories of personal data the controller processes, the purposes for processing, how consumers may exercise their rights and appeal a decision, the categories of personal data the controller shares with third parties, and the categories of those third parties.
If the controller sells personal data to third parties or processes personal data for targeted advertising, the notice must clearly and conspicuously disclose that and explain how a consumer may exercise the right to opt out. The disclosure should be specific enough that a consumer can act on it, not buried in general terms of use.
Because "consent" under 501.702 excludes acceptance of general terms and the use of dark patterns, a privacy program should keep notice and consent distinct. A notice informs; consent is a separate, affirmative act. Treating a single terms-of-use acceptance as both is a common compliance gap.
Step 4: Opt-in for sensitive data, opt-outs including voice and facial recognition
A covered controller must obtain opt-in consent before processing sensitive data. Under 501.71(2)(d), a controller may not process a consumer's sensitive data without consent, and for a known child must obtain authorization from a child between 13 and 18 or comply with COPPA for a child under 13. Sensitive data under 501.702 includes health, religious, racial or ethnic, sexual orientation, immigration, genetic, biometric, known-child, and precise geolocation data.
On the opt-out side, a controller must build and honor several mechanisms. Under 501.705(1)(e), consumers can opt out of the sale of personal data, targeted advertising, and profiling. Under 501.705(1)(f), consumers can opt out of the collection of sensitive data, including precise geolocation. Under 501.705(1)(g), consumers can opt out of the collection of personal data through a voice recognition or facial recognition feature.
The voice and facial recognition opt-out is the one businesses most often overlook, because it sits at the collection stage rather than the use or sale stage. A controller operating devices or features that collect voiceprints or facial geometry must give consumers a way to turn that collection off, and must not, without authorization, use those features for surveillance when the consumer is not actively using them. The opt-out and opt-in mechanics are explained for consumers in the FDBR consumer rights guide.

Step 5: Consumer-request handling and processor contracts
A controller must operationalize the consumer-request lifecycle. Under 501.709, it must provide one or more secure and reliable means for consumers to submit authenticated requests. Under 501.706(2), it must respond within 45 days, with one 15-day extension allowed when reasonably necessary. The requested information must be provided free of charge at least twice a year per consumer, and a refusal must come with a justification and appeal instructions under 501.707.
A controller must also bind its processors. Under 501.712, a processor must adhere to the controller's instructions and assist the controller in meeting its FDBR obligations, and the relationship must be governed by a contract that sets out processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties. The contract should require the processor to ensure a duty of confidentiality, delete or return data at the end of the engagement, and make available information needed to demonstrate compliance.
These contracts are a frequent enforcement focus because they allocate responsibility across the data-handling chain. A controller that relies on vendors for ad targeting, voice processing, or analytics should confirm each vendor relationship is papered to the 501.712 standard.
Step 6: Enforcement, cure period, and penalties
The Florida Department of Legal Affairs, within the Attorney General's office, has exclusive enforcement authority under 501.72. A violation of the FDBR is treated as an unfair and deceptive trade practice actionable solely by the department. Under 501.72(8), the part does not establish a private cause of action, so there is no consumer lawsuit risk under the FDBR itself.
The department may, at its discretion, grant a 45-day period to cure an alleged violation and issue a letter of guidance. Because the cure period is discretionary rather than guaranteed, a business should not count on it. Civil penalties run up to $50,000 per violation, and the department may seek injunctive relief and other remedies available under the consumer-protection chapter.
Penalties may be tripled in three defined situations under 501.72: a violation involving a Florida consumer who is a known child; a controller's failure to delete or correct a consumer's personal data after receiving an authenticated request; and a controller's continued sale or sharing of a consumer's personal data after the consumer has opted out. The penalty matrix below summarizes the enforcement structure.
| Item | FDBR provision | Detail |
|---|---|---|
| Enforcer | 501.72(1) | Department of Legal Affairs only; unfair and deceptive practice |
| Cure period | 501.72(2) | Discretionary 45-day cure plus letter of guidance |
| Base penalty | 501.72(1) | Up to $50,000 per violation |
| Tripled penalty | 501.72(1)(a)-(c) | Known child; failure to delete or correct; continued sale after opt-out |
| Private action | 501.72(8) | None |
The department's early enforcement posture is real. Its annual enforcement reports show hundreds of consumer complaints in the first reporting period after July 1, 2024, and it has brought actions alleging unauthorized collection and sale of children's data. For the law's identity, history, and the $1 billion threshold in context, see the "What is the FDBR?" guide.
Related guides
- Florida data privacy laws parent hub
- What is the FDBR?
- FDBR consumer rights
- State data privacy law comparison
- What is the CCPA?
Sources and References
- Fla. Stat. 501.702: Definitions, including the Controller definition and $1 billion threshold (flsenate.gov)
- Fla. Stat. 501.703: Applicability (flsenate.gov)
- Fla. Stat. 501.705: Consumer rights and opt-outs (flsenate.gov)
- Fla. Stat. 501.706: Controller response to consumer requests (flsenate.gov)
- Fla. Stat. 501.71: Controller duties (sensitive data consent, nondiscrimination) (flsenate.gov)
- Fla. Stat. 501.711: Privacy notices (flsenate.gov)
- Fla. Stat. 501.712: Duties of processor (flsenate.gov)
- Fla. Stat. 501.715: Requirements for sensitive data (flsenate.gov)
- Fla. Stat. 501.72: Enforcement and implementation by the Department of Legal Affairs (flsenate.gov)
- Florida Department of Legal Affairs: Florida Digital Bill of Rights Annual Enforcement Report (myfloridalegal.com)