By Steve Levine · Updated July 3, 2026 · 7 min read
Quick Answer
The Florida Digital Bill of Rights (FDBR), Fla. Stat. § 501.701 et seq., is Florida's consumer data privacy law, enacted as Senate Bill 262 in 2023 and effective July 1, 2024. It gives Florida residents the right to access, correct, delete, and port their personal data, and to opt out of targeted advertising, data sales, profiling, and the collection of sensitive data — including data gathered through voice-recognition and facial-recognition features. Unlike most state privacy laws, its core obligations apply only to companies with more than $1 billion in global annual revenue that also run a major advertising, smart speaker, or app store business. It is enforced exclusively by the Florida Attorney General, with civil penalties of up to $50,000 per violation, and it does not create a private right of action — so Florida privacy class actions are typically brought under other statutes instead.
On this page
The Florida Digital Bill of Rights is Florida's entry in the wave of state consumer privacy laws that followed California's CCPA. Governor Ron DeSantis signed it into law as Senate Bill 262 on June 6, 2023, and its main provisions took effect on July 1, 2024. The law lives in Part V of Chapter 501 of the Florida Statutes, starting at section 501.701 — you can read the full text on the Florida Legislature's Online Sunshine site, and the enrolled bill on the Florida Senate's bill page.
On paper, the FDBR looks like the privacy laws Virginia, Colorado, and Connecticut passed around the same time: it sorts companies into "controllers" (who decide why and how personal data is processed) and "processors" (who handle data on a controller's behalf), gives consumers a set of rights over their data, requires privacy notices and data-protection assessments, and demands consent before processing sensitive data. What sets it apart is who it applies to — and who gets to enforce it.
SB 262 also carried provisions beyond the core privacy framework: covered controllers that operate search engines must publish an up-to-date, plain-language description of the main parameters that determine search rankings (including whether political partisanship or ideology is prioritized), and a separate section of the bill restricts government employees from using their positions to ask social media platforms to remove content or accounts.
Most state privacy laws apply to any business that crosses a modest revenue or data-volume threshold. The FDBR does not. Its definition of a covered "controller" is written so narrowly that, in practice, it is a Big Tech law. A company is covered only if it is for-profit, does business in Florida, collects personal data about Florida consumers, makes more than $1 billion in global gross annual revenue, and meets at least one of three additional gates:
· It derives 50% or more of its global gross annual revenue from selling online advertising;
· It operates a consumer smart speaker with a cloud-connected, voice-activated virtual assistant (in-vehicle systems don't count); or
· It operates an app store or digital distribution platform offering at least 250,000 software applications.
A retailer, hospital, insurer, or data broker earning $900 million a year — or even $10 billion a year without an ad, smart speaker, or app store business — is simply outside the law's core obligations. That makes the FDBR one of the narrowest consumer privacy laws in the country, and it is why most Florida businesses never had to build FDBR compliance programs the way companies did for California's CCPA. The notable exception is the sensitive-data rule covered below, which applies to every for-profit business in the state.
For companies that are covered, the FDBR gives Florida consumers a familiar menu of rights over their personal data:
· Access: confirm whether a controller is processing your personal data and get access to it.
· Correction: fix inaccuracies in the personal data a controller holds about you.
· Deletion: require the controller to delete personal data provided by or obtained about you.
· Portability: obtain a copy of the data you provided in a usable, portable format.
· Opt-outs: opt out of targeted advertising, the sale of your personal data, and certain profiling used in decisions that produce legal or similarly significant effects.
· Sensor and biometric opt-outs: two additions few other states have — the right to opt out of the collection of sensitive data (including precise geolocation), and the right to opt out of the collection of personal data through voice-recognition or facial-recognition features.
A covered controller must respond to an authenticated request within 45 days, with one 15-day extension available when reasonably necessary. Controllers must also get consent before processing sensitive data, and processing the personal data of a known child (borrowing the federal COPPA definition of a child under 13) has to comply with COPPA's parental-consent framework.
Buried in the statute is the provision with the broadest reach. Under Fla. Stat. § 501.715, any for-profit entity doing business in Florida that sells sensitive personal data must get the consumer's consent first — no $1 billion threshold, no ad-revenue gate. A business that sells sensitive data must also post a conspicuous notice on its website stating: "NOTICE: This website may sell your sensitive personal data." A parallel rule requires a business selling biometric data to post: "NOTICE: This website may sell your biometric personal data."
"Sensitive data" under the FDBR means personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify a person; personal data collected from a known child; and precise geolocation data. Because this piece of the law applies to ordinary businesses — not just tech giants — it is the FDBR provision most Florida companies actually have to think about, and it overlaps with the biometric-privacy issues OCA covers in cases like biometric data breaches.
Here is the part that matters most for anyone searching "can I sue under the FDBR": you can't. The law is enforced exclusively by the Florida Attorney General, through the Department of Legal Affairs. A violation may be treated as an unfair and deceptive trade practice, but only the department can bring the action — the statute creates no private right of action, so individual consumers and class action lawyers cannot sue a company for an FDBR violation directly.
The department can seek civil penalties of up to $50,000 per violation. Penalties can be trebled — up to $150,000 per violation — in three situations: a violation involving a Florida consumer who is a known child, a failure to delete or correct personal data after receiving an authenticated consumer request, and continuing to sell or share a consumer's personal data after the consumer opts out. The Attorney General may, at its discretion, give a company a 45-day period to cure a violation before proceeding — but unlike some states' laws, the cure period is not guaranteed.
Because the FDBR cannot be enforced by private lawsuits, it has not produced consumer class actions — and you should be skeptical of anyone claiming to file an "FDBR class action" on behalf of consumers. Florida privacy class actions instead run through older statutes that do let consumers sue. The workhorse is the Florida Security of Communications Act (FSCA, Fla. Stat. § 934.03), Florida's all-party-consent wiretap law, which plaintiffs use against websites that deploy session replay software, tracking pixels, and chat-logging tools without visitor consent — the same theory California plaintiffs pursue under CIPA, which OCA covers in a separate guide.
That FSCA theory has already produced real settlements for Florida consumers. The WISP website-tracking settlement pays visitors of hellowisp.com whose sessions were allegedly recorded without consent, and earlier cases like the European Wax Center and Ideal Image website-privacy settlements resolved similar claims that those companies' websites intercepted Florida visitors' communications. Federal statutes fill in the rest: video-viewing data flows to the Video Privacy Protection Act (VPPA), and intercepted communications to the federal wiretap laws.
The practical takeaway for Florida consumers: the FDBR sets rules for a handful of the biggest technology companies and gives you rights you can exercise directly with those companies — access, deletion, opt-outs — but if a company violates your privacy in Florida, any money you eventually see is far more likely to come from an FSCA, VPPA, or negligence class action settlement than from the FDBR itself. When those cases settle, class members are notified by the court-appointed administrator and can file through the official settlement website.
What is the Florida Digital Bill of Rights?
The Florida Digital Bill of Rights (FDBR), Fla. Stat. § 501.701 et seq., is Florida's consumer data privacy law. Enacted as Senate Bill 262 in 2023 and effective July 1, 2024, it gives Florida residents the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, the sale of their data, certain profiling, and the collection of sensitive data — including precise geolocation and data gathered through voice-recognition or facial-recognition features.
Which companies does the FDBR apply to?
Most FDBR obligations apply only to for-profit companies that do business in Florida, collect consumers' personal data, make more than $1 billion in global gross annual revenue, and also meet at least one of three gates: earning 50% or more of global revenue from online advertising, operating a cloud-connected smart speaker with a voice-activated virtual assistant, or operating an app store or digital distribution platform with at least 250,000 apps. One exception reaches further: any for-profit business that sells sensitive personal data must get consent first and post a notice on its website, regardless of revenue.
Can I sue a company for violating the Florida Digital Bill of Rights?
No. The FDBR does not create a private right of action. It is enforced exclusively by the Florida Attorney General through the Department of Legal Affairs, which can treat violations as unfair and deceptive trade practices and seek civil penalties of up to $50,000 per violation — trebled for violations involving a known child, failing to delete or correct data after a request, or continuing to sell or share data after a consumer opts out. Florida privacy class actions are instead typically brought under other laws, such as the Florida Security of Communications Act, which does allow private lawsuits.
How is the FDBR different from other state privacy laws like the CCPA?
The biggest differences are scope and enforcement. Laws like California's apply to a broad range of businesses based on revenue or data-volume thresholds in the millions; the FDBR's core obligations apply only to companies with more than $1 billion in global revenue that also run a major advertising, smart speaker, or app store business — effectively a Big Tech law. The FDBR also adds unusual provisions, such as opt-outs for voice- and facial-recognition data collection and a requirement that covered search engines publish a plain-language description of their main ranking parameters. Like most state privacy laws, it is enforced only by the state attorney general.