Florida
FDBR Consumer Rights: Florida Data Privacy Rights
Under the Florida Digital Bill of Rights (FDBR), Fla. Stat. 501.705, Florida residents can confirm and access their personal data, correct inaccuracies, delete it, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and profiling. The FDBR adds two opt-outs found in few other states: the right to opt out of the collection of sensitive data including precise geolocation, and the right to opt out of the collection of personal data through a voice recognition or facial recognition feature.
As of 2026, these rights run only against businesses that meet the FDBR's narrow "controller" definition in 501.702(9), generally for-profit firms with more than $1 billion in global revenue and a big-technology profile. A controller must respond within 45 days, may take one 15-day extension, and must offer an appeal process. The Florida Department of Legal Affairs enforces the rights; there is no private right of action.
Jurisdiction scope: This covers Florida's Florida Digital Bill of Rights (Fla. Stat. 501.701 et seq.). It is general legal information, not legal advice.
The core consumer rights under 501.705
The FDBR grants Florida consumers a defined set of rights over their personal data in 501.705(1). A "consumer" under 501.702 is an individual who is a resident of or domiciled in Florida acting only in an individual or household context, which excludes commercial and employment contexts.
The first cluster of rights is access and correction. Under 501.705(1)(a), a consumer may confirm whether a controller is processing the consumer's personal data and access that data. Under 501.705(1)(b), the consumer may correct inaccuracies, taking into account the nature of the data and the purposes of processing.
The second cluster is deletion and portability. Under 501.705(1)(c), a consumer may delete any or all personal data provided by or obtained about the consumer. Under 501.705(1)(d), the consumer may obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.
These rights mirror the structure of other 2023-2024 state privacy laws, but the FDBR pairs them with the opt-outs below, including two that are distinctive to Florida.
The opt-out rights: advertising, sale, and profiling
Under 501.705(1)(e), a Florida consumer may opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of a decision that produces legal or similarly significant effects concerning the consumer.
"Targeted advertising" is defined in 501.702 as displaying advertisements to a consumer based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict preferences or interests. It excludes contextual ads and ads based on a consumer's current search or a single visit.
"Sale of personal data" is defined as the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party, with specific exclusions. Because Florida uses a broad "monetary or other valuable consideration" standard, many data-sharing arrangements can count as a sale, which makes the sale opt-out a practically important right for consumers to exercise.
The voice and facial recognition collection opt-out
The FDBR's signature consumer right appears in 501.705(1)(g): a consumer may opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature. This is unusual. Most state privacy laws regulate the use or sale of biometric data, but the FDBR lets a consumer block the collection of data through those features in the first place.
The statute pairs this with a related limit on surveillance. Devices that include voice or facial recognition features may not use those features for the purpose of surveillance by the controller, processor, or affiliate when the features are not actively in use, unless the controller has the consumer's authorization.
Together, 501.705(1)(g) and the surveillance limit reflect the FDBR's central concern with always-listening and always-watching consumer technology. They are part of why the law was written to target consumer smart speakers and voice-assistant platforms through the controller definition in 501.702(9).
The sensitive-data collection opt-out and opt-in to process
Florida treats sensitive data two ways at once. On the collection side, 501.705(1)(f) gives the consumer a right to opt out of the collection of sensitive data, including precise geolocation data. On the processing side, 501.71(2)(d) provides that a controller may not process a consumer's sensitive data without obtaining the consumer's consent, an opt-in model.
Sensitive data is defined in 501.702 to include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, as well as genetic or biometric data processed to uniquely identify an individual, personal data of a known child, and precise geolocation data.
"Consent" is defined as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, and the statute excludes acceptance of general terms of use and the use of dark patterns. For a known child, the controller must obtain authorization from a child between 13 and 18 or comply with the Children's Online Privacy Protection Act for a child under 13. The FDBR compliance checklist walks businesses through operationalizing both the opt-in and the opt-out.
How to exercise rights: response window and appeals
A consumer exercises FDBR rights by submitting an authenticated request to a controller under 501.709. Under 501.706(2), the controller must respond without undue delay and in no case later than 45 days after receipt of the request. The controller may extend the period once by an additional 15 days when reasonably necessary, taking into account the complexity and number of requests, and must inform the consumer of the extension and the reason for it within the initial 45 days.
Under 501.706, information must be provided free of charge at least twice annually per consumer. A controller may charge a reasonable fee or decline to act only where a request is manifestly unfounded, excessive, or repetitive, and it bears the burden of demonstrating that.
If a controller declines to act on a request, 501.706 requires it to inform the consumer of the justification within the 45-day window and to provide instructions on how to appeal under 501.707. The appeal mechanism in 501.707 gives the consumer a route to have the decision reviewed. These steps are summarized below.
| Step | FDBR provision | Key detail |
|---|---|---|
| Submit request | 501.709 | Authenticated consumer request to the controller |
| Controller response | 501.706(2) | Within 45 days; one 15-day extension allowed |
| Cost | 501.706 | Free at least twice annually; fee only if manifestly unfounded or excessive |
| Refusal | 501.706 | Justification plus appeal instructions within 45 days |
| Appeal | 501.707 | Consumer may appeal a controller's refusal to act |
| Enforcement | 501.72 | Department of Legal Affairs only; no private right of action |
Children's protections and the limits of these rights
The FDBR builds in extra protection for children. Through the sensitive-data definition, a known child's personal data is sensitive, so processing it requires consent under 501.71(2)(d), and selling it as sensitive data triggers the consent rule in 501.715. Separately, 501.1735 protects children on online platforms likely to be predominantly accessed by children, regardless of the controller threshold.
The most important practical limit on FDBR consumer rights is who they run against. The rights in 501.705 are owed by "controllers," and a controller under 501.702(9) must generally exceed $1 billion in global gross annual revenues and fit a big-technology prong. A consumer cannot use 501.705 to compel a small or mid-size Florida business that is not a controller to honor an access or deletion request, although other laws and the broader FDBR provisions may still apply.
Finally, these rights are enforced only by the state. Under 501.72, the Florida Department of Legal Affairs has exclusive enforcement authority, and 501.72(8) confirms that the part does not establish a private cause of action. A consumer who believes a controller has violated the FDBR can file a complaint with the Department of Legal Affairs rather than sue directly.
Related guides
- Florida data privacy laws parent hub
- What is the FDBR?
- FDBR compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- Fla. Stat. 501.705: Consumer rights, including voice and facial recognition opt-out(flsenate.gov).gov
- Fla. Stat. 501.706: Controller response to consumer requests(flsenate.gov).gov
- Fla. Stat. 501.707: Appeal(flsenate.gov).gov
- Fla. Stat. 501.709: Submitting consumer requests(flsenate.gov).gov
- Fla. Stat. 501.71: Controller duties (sensitive data consent, nondiscrimination)(flsenate.gov).gov
- Fla. Stat. 501.702: Definitions (consumer, sensitive data, sale, targeted advertising)(flsenate.gov).gov
- Fla. Stat. 501.715: Requirements for sensitive data(flsenate.gov).gov
- Fla. Stat. 501.72: Enforcement and implementation by the Department of Legal Affairs(flsenate.gov).gov
- Florida Department of Legal Affairs: Florida Digital Bill of Rights Annual Enforcement Report(myfloridalegal.com).gov