
When the Florida Digital Bill of Rights (FDBR) was passed, the Florida Governor’s Office promised consumers the “right to control their own personal data.”[1] And so they have. In the six-month period after the FDBR was enacted, the Florida Office of the Attorney General (OAG) received almost 800 consumer complaints.[2] These complaints have now spawned dozens of investigations against companies that collect or process consumers’ private data.[3] Given the price tag of up to $50,000 per violation of the FDBR, such investigations are not to be taken lightly. So, what is the FDBR? And what should a company do when it receives notice of an investigation? This article provides a brief overview of the FDBR before walking through four steps a company should take if the OAG comes knocking.

The Florida Digital Bill of Rights

The FDBR provides consumers with specific rights over their data, including the right to correct inaccuracies in their personal data, delete their personal data, obtain a copy of their personal data, and opt out of the sale of their personal data. These rights extend to personal data obtained through facial or voice recognition technologies. Consumers can assert their rights under the FDBR by submitting a request to the company controlling their data. Companies are required to respond within forty-five days for standard requests and sixty days for voluminous or complicated requests. And this requirement is just the tip of the iceberg for businesses subject to the FDBR.

The FDBR also limits those companies’ collection of personal data to data that is relevant and reasonably necessary for the purposes for which it is processed. There are also disclosure requirements, and companies subject to the Bill are required to establish, implement, and maintain appropriate data security practices, among other things.

So, who is subject to the Bill?

The FDBR applies to businesses with revenue of more than $1 billion and one of the following requirements:

  1. Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online;
  2. Operates a consumer “smart speaker” and “voice command component service”; or 
  3. Operates an app store offering at least 250,000 software applications.

Now, what should you do if you receive a subpoena from the OAG?

1. Understand the Stakes

The OAG’s Department of Legal Affairs is charged with enforcing the FDBR—and any violation of the FDBR is deemed to be an unfair and deceptive trade practice. Such violations come with steep potential penalties. The OAG may seek up to $50,000 per violation—and up to $150,000 for any violation involving children or knowing violations.

To give you an example of how the Bill could apply: picture a nationwide neighborhood watch app that mishandles data belonging to a family of two parents and three minor teenagers. Assuming a violation, the business could face civil penalties of up to $550,000 ($50,000 for each parent and $150,000 for each minor teenager). And that is for just one household that complains to the OAG via the easy-to-find website designed for complaints.

2. Find Representation

Preparation begins before any investigation into your company’s business practices, especially if you operate in the digital economy and interface directly with consumers. Your business should engage counsel to evaluate your data privacy procedures and consumer privacy notices for compliance with the FDBR. And once an investigation begins, proceed with caution. Often a company learns it is being investigated when it receives an inquiry or correspondence from OAG. These inquiries can appear to be informal. They are not. Company admissions about business practices and customer complaints in initial conversations with OAG can (and will) be used against the company.

Your company could also receive more formal process, such as a subpoena, civil investigative demand, or even service of a lawsuit. Both informal and formal contact with the government should be taken seriously and immediately elevated to senior management and in-house counsel. And before engaging in any substantive discussions with the state about the underlying allegations, the company should retain counsel experienced in matters involving OAG.

3. Preserve Relevant Material and Investigate

Once you become aware of an investigation or lawsuit, preserve all relevant materials that may relate to the matter. An alert should be distributed across the company to all employees with access to pertinent information to refrain from deleting or destroying potential evidence. This instruction pertains to electronically stored information, such as email and financial records, as well. Evidence of failing to preserve or deliberately destroying data can make any situation worse and subject the company to potentially severe sanctions.

After preserving all relevant data, review it to determine whether the government’s allegations have any merit. Also, review your data processing practices and privacy disclosures, and interview the employees who deal with consumers and complaints. After conducting its own investigation, the company will be better able to evaluate its options for addressing the government’s concerns.

4. Respond

Once you understand the facts and have evaluated the government’s investigation, your company will be prepared to engage with the state. Your next steps will vary based on your findings but could include presenting your side of the story to the prosecution; producing the data requested by the state along with mitigating information; and reaching an agreed resolution with the government. And, ultimately, if the investigation is not resolved by agreement, the matter could end up in litigation between OAG and the company. Whatever you choose, choose carefully once you understand the stakes, facts, and business and legal costs of your decision.


[1] Executive Office of the Governor, Governor Ron DeSantis Signs Legislation to Create Digital Bill of Rights for Floridians (June 6, 2023), https://www.flgov.com/eog/news/press/2023/governor-ron-desantis-signs-legislation-create-digital-bill-rights-floridians.

[2] Office of the Attorney General for the State of Florida, Florida Digital Bill of Rights Annual Enforcement Report (Feb. 1, 2025), https://www.myfloridalegal.com/sites/default/files/2025-01/digital-bill-of-rights-annual-report.pdf.

[3] Id.


This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.

About Gunster

Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 13 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Coral Gables, Fort Lauderdale, Jacksonville, Miami, Naples, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, Vero Beach, and its headquarters in West Palm Beach. With more than 320 attorneys and consultants, and 300 committed support staff, Gunster is ranked among the top 200 largest law firms by the National Law Journal and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practices, industries, offices and news is available at www.gunster.com.
