Hot on the trail of the latest state privacy laws to come into effect, Florida has jumped on board to keep the momentum going. On June 6, 2023, Florida Senate Bill 262 (“SB 262,”) was signed into law, meaning a new set of data privacy requirements will become effective soon. SB 262 has already enacted some changes related to state moderation of social media platforms, but data privacy laws relevant for businesses (including what will be known as the “Florida Digital Bill of Rights”) are set to become effective July 1, 2024. SB 262 provides residents of Florida with rights regarding their personal information similar to many other state laws — in fact, SB 262 is a good indicator of the current trends and priorities of data privacy in the United States. However, a narrow scope keeps this new law focused on “big tech” companies.
What’s in the Florida Digital Bill of Rights?
SB 262 provides Floridians with the right to confirm if, and what, specific pieces of their personal information are collected sold or disclosed by a covered company (defined as “controllers”), and to access, correct, delete, and receive a copy of their (or their under-18 child’s) personal information from a controller. Additionally, Floridians will have the right to opt out of certain collection, use, or sale of their personal information, such as opting out of use of their personal information for targeted advertising and certain profiling, as well as the sale of their personal information and the collection of certain “sensitive” and “biometric personal data.” In some cases, SB 262 requires controllers to receive a consumer’s authorization before even collecting their data.
SB 262 notably targets technology and features of products used “for surveillance.” Under the explicit rights of consumers, SB 262 prohibits a device with “a voice recognition feature, facial recognition features, voice recording feature, audio record feature, or any other electronic, visual, thermal, or olfactory feature” from using said features for surveillance purposes when not in active use, unless expressly authorized. This specific language appears to target popular virtual assistance technology, such as Amazon Alexa, Google Home, and other similar devices and services. This targeting, plus the narrow application of SB 262, has led some commentators to suggest that SB 262 is specifically targeting “big tech.” SB 262 defines a “controller” narrowly, covering for-profit or business entities that conduct business in Florida, collect and control processing of personal data, make over $1 billion in global gross annual revenue, and either (i) generate at least half of their global gross annual revenue from online advertisements, (ii) operate a consumer “smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation”, or (iii) operate an app store or a digital distribution platform with at least 250,000 different “software applications for consumers to download and install.”
Ramifications Beyond Big Tech
However, while it may seem as though the high threshold to be categorized as a “controller” eliminates any risk for most businesses, it is important to keep in mind that SB 262 also specifically protects children, which it defines as “consumers who are under 18 years of age,” from “online platforms”, like social media and online gaming platforms. The laws of SB 262 apply to online platforms regardless of a platform’s categorization as a controller. These protections, which are similar to state and federal laws protecting the privacy and data of children, prohibit using “dark patterns” that are designed to “subvert” or impair a child’s autonomy or decision-making and from collecting “precise” geolocation of children, defined as within a radius of 1,750 feet. SB 262 includes reference to any practice the Federal Trade Commission refers to as a dark pattern. Similar to the recently passed California Age Appropriate Design Code Act, SB 262 prohibits online platforms that are likely to be “predominately accessed by children” from processing a child’s personal information if the platform has “actual knowledge of or willfully disregards that the processing may result in substantial harm or privacy risk to children.”
Excluding its limited applicability, SB 262 is a good barometer for the current trends in data privacy, as well as a good reminder of the evolving understanding of what constitutes an individual’s personal data. Although SB 262’s restrictions and requirements regarding “biometric” data aren’t unique — several other states also cover an individual’s physical, biological, or behavioral characteristics under their data privacy acts — it is a timely reminder that data protections are expanding. Recently, Worldcoin, a new cryptocurrency that uses biometric data to confirm users’ identities, was announced. It is worth noting that SB 262 also includes the specific examples of “eye retinas or irises” in the definition of “biometric data.” We should be reminded that in many cases, a consumer’s data isn’t limited to their name, addresses or government-issued identification numbers, but also includes the physical features and behaviors that can identify them. And, data privacy isn’t limited only to the four corners of a web browser. Businesses, particularly those collecting, analyzing, and transferring consumer data would do well to understand and integrate this shift into their policies and processes.
As more and more states adopt data privacy acts, it is critical that business that collect, use, or disclose any consumer data, particularly businesses that offer services across multiple states, analyze how their processes and policies may violate different state laws. Taking the time now to review, adjust and adapt to trends and the direction of consumer data protection in the United States will help your business avoid last-minute or expensive changes, fees or corrective actions.
This DarrowEverett Insight should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This Insight is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this Insight, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.
Unless expressly provided, this Insight does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.