Author

Amanda Anderson

4A's VP, Government Relations

Topic

  • Government Relations
  • Privacy Law

Florida

The Florida Department of Legal Affairs has finalized regulations, effective July 18, 2024, to implement the state’s privacy law, the Florida Digital Bill of Rights (FDBR). The regulations address topics such as who is an “authorized person” that can submit consumer rights requests, data security requirements, enforcement processes and standards, and standards for authentication of consumer requests. FDBR went into effect on July 1, 2024.

With the exception of the sale of sensitive personal data provisions found in FDBR section 501.715, FDBR generally does not extend to businesses operating in the state with annual gross revenues below $1 billion, which means it will only impact a relatively small number of very large companies. Additionally, the law’s scope is further restricted by other criteria: it applies only to entities that generate at least 50% of their revenue from digital advertising, manage specific app stores or digital distribution platforms, or provide particular smart home speakers equipped with virtual assistants, i.e. “Big Tech” companies. In addition, the FDBR includes several unique provisions that provide expanded opt-out rights, protections for children online, and prohibitions on government officials moderating content.

Agencies operating in Florida or working with Florida businesses should review these new regulations, the scope of applicability of FDBR, and Section 501.715 of FDBR to assess any potential compliance responsibilities.

Authorized Person Definition

Per the new FDBR regulations, Florida regulators now define an “authorized person” as:

  • A consumer whose data is processed or sold by a controller or processor;
  • A person granted express, written authority by a consumer to act for the consumer in exercising the consumer’s rights;
  • A person granted authority to act for a consumer under a power of attorney, whether denominated an agent, attorney in fact, or otherwise. The term includes an original agent, co-agent, and successor agent; or
  • A person who is a parent or legal guardian of a child who is exercising the rights granted to the child or to the parents of a child.

An authorized person who has been authenticated is allowed to act on a consumer’s behalf to exercise all consumer rights and protections bestowed by the FDBR.

Authenticating Consumer Requests

The FDBR regulations require that, after a covered business receives a consumer rights request and before taking any action or providing a response, the business must authenticate the consumer.

When a person submits a request on behalf of a consumer, covered businesses must use a commercially reasonable approach to verify the individual’s identity and confirm their authorization. To determine what constitutes a commercially reasonable method of authentication, businesses should consider:

  • The consumer rights the requester intends to exercise;
  • The type, sensitivity, value, and amount of personal data involved;
  • The potential harm to the consumer from improper access, use, or deletion of their personal data; and
  • The associated costs for the business.

These authentication protocols must also be adhered to if a request is denied and the consumer, or their representative, files an appeal. Additionally, covered businesses should avoid requesting extra data for authentication and should not impose a fee.

Data Security

Security is another key topic covered by the FDBR regulations. Required “general data security practices” include:

  • Protecting the confidentiality, integrity, and accessibility of personal data from unauthorized access, use, disclosure, deletion or modification;
  • Maintaining data security practices that comply with the risk management framework and standards adopted by the National Institute of Standards and Technology (NIST);
  • Considering the volume and nature of the personal data being processed or sold;
  • Establishing, implementing, and maintaining the security practices for the most sensitive type of data within a data set with mixed levels of sensitivity;
  • Establishing, implementing, and maintaining data security practices for personal data not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained until the personal data has met its retention schedule; and
  • Establishing, implementing, and maintaining procedures for the secure disposal of personal data.

“Administrative data security practices” are also covered and include, but are not limited to:

  • Establishing, implementing, and maintaining effective organizational controls for personal data;
  • Designation of a qualified individual responsible for overseeing and implementing data security practices, as required by the FDBR;
  • Regularly testing and monitoring compliance with data security practices, including key controls, systems, and procedures, to detect actual and attempted attacks or intrusions; and
  • Limiting access to the systems containing personal data to authenticated users who have been trained and tasked with performing those duties.

Technical and physical data security practices are required for covered businesses. Per the regulations, “unencrypted storage of personal data on mobile electronic devices and passive storage media is prohibited.”

Enforcement

When a consumer complaint is filed, a consumer must provide the Florida Department of Legal Affairs with certain information including:

  • The consumer’s name, address, telephone number, email address, and any user name or identity with the controller;
  • The authorized person’s name, address, telephone number, email address, and relationship with the consumer if an authorized person is submitting a complaint on their behalf;
  • The controller’s name and website; and
  • A description of all the actions the consumer or authorized person requested the controller to take in connection with consumer rights.

Children’s Privacy Provisions

The FDBR rule stipulates that a covered business employing a “reasonable age verification ‘method’ commonly utilized by governmental bodies or businesses for age and identity verification” will not be deemed by the Department to have willfully ignored the child’s age. Furthermore, reasonable parental verification is mandated before any consumer rights can be exercised. In essence, the regulations underscore that covered businesses must employ commercially reasonable methods for authentication and verification when addressing consumer rights.

Texas

Recently, Texas Attorney General Kevin Paxton (R) took action to rigorously enforce the state’s data broker registration law and its associated regulations. The data broker registration law mandates that covered businesses that buy, sell, trade, and process individuals’ personal data register with the Texas Secretary of State by submitting a registration statement and paying a $300 fee before March 1, 2024. Texas law also requires data brokers to implement and maintain safeguards to adequately protect Texans’ data.

True to his previous attestations, Attorney General Paxton launched an enforcement sweep at the end of June, notifying over 100 companies of their alleged failure to register as data brokers.

The scale of this initial sweep highlights both the Attorney General’s and the state’s dedication to consumer privacy and a broader effort to hold data brokers accountable. To avoid penalties, fines, and potential reputational damage, agencies operating in Texas or working with Texas clients should review the Texas Data Privacy and Security Act and the state’s data broker registry law to determine what compliance obligations need attention.

Earlier in the month, Attorney General Paxton established a team that is focused on aggressive enforcement of Texas privacy laws. The initiative, housed within the Consumer Protection Division of the Office of the Attorney General, will ensure companies respect Texans’ privacy rights and safeguard their personal data. The data privacy team will be focused on enforcing the Texas Data Privacy and Security Act, the Identity Theft Enforcement and Protection Act, the Data Broker Law, the Biometric Identifier Act, the Deceptive Trade Practices Act, and two federal laws, the Children’s Online Privacy Protection Rule and the Health Insurance Portability and Accountability Act.

Oregon and California also have data broker registration laws, which took effect on July 1, 2024 and January 1, 2024 respectively. The Oregon Attorney General’s Office issued FAQs to assist businesses in complying with its data broker law. Information on requirements related to California’s data broker registry is available from the state. Vermont has had a data broker registry law on the books since 2018.

Have questions about the Florida Digital Bill of Rights or ongoing privacy law enforcement in Texas? Please contact Amanda Anderson, VP of Government Relations & Sustainability.