With 'big tech' in DeSantis’ crosshairs, Florida becomes 10th state with data privacy law

Florida enacted a new data privacy law Tuesday that mirrors legislation passed in nine other states but also has faced criticism from privacy experts because it is geared toward only the largest tech companies and contains several other politically motivated provisions.

Gov. Ron DeSantis signed Senate Bill 262, making Florida the latest in a string of Republican-dominated states to get privacy legislation through statehouses in 2023 after Iowa, Indiana, Tennessee and Montana.

The law, which takes effect July 1, 2024, contains the kind of basic consumer rights found in most data privacy legislation, including the right to know what information companies are collecting, the right to correct and delete certain data and the right to limit some data disclosure.

But privacy advocates note that it only applies to companies making more than $1 billion in annual revenue, effectively leaving out large numbers of popular websites and apps that collect data from individuals.

The law also does not apply to pseudonymous information like online cookies, which experts say makes it “largely meaningless” that the law also gives Floridians the right to opt out of targeted advertising.

DeSantis, who is running for the Republican presidential nomination in 2024, made it clear that he was targeting a specific segment of Silicon Valley.

“If a multibillion-dollar company is conspiring to take your data and sell it or use it against you, it is your right to be able to protect that data,” DeSantis said in a statement. “No longer will the Big Tech oligarchs be able to commandeer your personal information and deprive you of the right to access, confirm, or delete that data as you wish.”

SB 262 also allows people to opt out of the collection of personal data through voice recognition and adds biometric data and geolocation information to the definition of personal information under the Florida Information Protection Act.

It contains data protections centered around children, banning games, products and services from processing, collecting, sharing, selling or retaining “any personal information that is not necessary to provide an online service, product, or feature.”

The ‘unprotected’ data

Matt Schwartz, a policy analyst at Consumer Reports who has been tracking privacy legislation across the U.S., said Florida’s legislature needs to broaden the scope of the law because it leaves Florida consumers’ personal information “unprotected in a wide variety of contexts.”

California, Montana and Connecticut are some of the states with more expansive privacy laws covering a wider swath of businesses.

“While we recognize that big tech companies are usually some of the worst privacy offenders, they are far from the only privacy offenders,” Schwartz said. “The Florida law should apply to any entity that collects significant amounts of consumer data. It should also make it far easier for consumers to take advantage of their rights by including a universal opt-out provision,”

Privacy law expert Dan Clarke, who has worked with legislators in multiple states on their own data privacy bills, noted some of the more politically charged provisions in Florida’s law.

It requires search engines like Google to publish descriptions of how their rankings are created because of perceived “prioritization or de-prioritization of political partisanship or political ideology.”

The law also bans government employees from working with social media companies to remove any content or accounts. No government entities are allowed to “initiate or maintain any agreements or working relationships with a social media platform for the purpose of content moderation.”

Those provisions tacitly address right-wing complaints about the removal of disinformation and misinformation related to COVID-19 and 2020 election, experts said.

Parts of the Florida law resemble Virginia’s privacy law, Clarke said, in applying standard privacy provisions to a narrow scope of companies and limiting the usage of this data for surveillance purposes.

The protections for children resemble California’s privacy laws, Clarke explained, noting that these kinds of additions to privacy legislation are “a good step towards online privacy protection of children in my opinion.”

He also lauded the bill for banning companies from using, processing, or selling sensitive data without obtaining the consumer's affirmative and explicit consent, noting that the definition of sensitive data is broad.

The law covers “an individual's race, ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data from a known child; and precise geolocation data.”

California was the first to pass a bill and was followed by Virginia, Colorado, Connecticut, Utah, Iowa and Indiana. The CPRA in California and VCDPA in Virginia went into effect at the beginning of 2023 while the CTDPA in Connecticut and CPA in Colorado will go into effect on July 1, 2023. The UCPA in Utah will go into effect on December 31, 2023.