What the Florida Digital Bill of Rights actually does
Florida's privacy law was framed as 'Big Tech only' when it passed. The thresholds are narrower than that, and the outline of who actually has to comply is worth understanding.
When Florida passed the Florida Digital Bill of Rights, the political framing emphasized that it would only apply to large technology platforms. That framing is partially accurate and partially misleading, and the difference matters for any tech company doing business in or with Florida.
The law has two layers. The first layer applies to “controllers” that meet a set of high thresholds: more than $1 billion in annual global gross revenue plus one of several activity-based triggers, including operating an app store with more than 250,000 apps, processing certain volumes of personal data, or running a smart speaker service. That layer is the “Big Tech only” piece, and it is genuinely narrow.
The second layer is the part most commentary has skipped. Florida added consumer protection requirements that apply much more broadly, and added separate provisions for sensitive data that reach further than the Big Tech thresholds. These provisions cover health data, biometric identifiers, precise geolocation, and information about children, and they apply to any business that collects or processes that data from Florida residents in the course of activities that meet smaller volume tests. A wellness app, an HR-tech product, or a SaaS company serving Florida customers can land inside the law’s substantive provisions without being remotely large enough for the headline thresholds.
The breach notification provisions of the Florida Information Protection Act, which sit alongside the FDBR, are also unchanged in their core structure. They require notice to affected Florida residents within 30 days of determining a breach has occurred, with notice to the Florida Department of Legal Affairs when the breach affects more than 500 Florida residents. That 30-day window is one of the shorter ones in the country and does not move with company size.
For a tech company operating in Florida, three practical readings follow.
First, the analysis of whether the FDBR applies to you should be done at the data category level, not the company level. You may not be a controller for general FDBR purposes and still be inside the sensitive data provisions. The conclusion that “we are too small to be covered” is true for some provisions and not others.
Second, if you collect health, biometric, geolocation, or children’s data from Floridians, the operating posture is to assume coverage and design accordingly. The cost of that posture is small. The cost of the alternative is high enough that the tradeoff is one-sided.
Third, the breach notification timing is short enough that the time to write the incident response plan is now, not after an incident. Most companies that miss the 30-day window miss it because they did not realize they had triggered it, not because they refused to notify. The plan that prevents that is one document, two pages, written in advance.
Florida is not the most aggressive state on privacy. It is also not as narrow as the political framing suggested.