Florida Digital Bill of Rights (FDBR)

Overview

The Florida Digital Bill of Rights (FDBR), codified at Fla. Stat. § 501.701 et seq. and enacted as SB 262 (2023), took effect July 1, 2024. The FDBR is technically a comprehensive privacy law, but its applicability is so narrow that it targets only a handful of Big Tech companies. For the vast majority of organizations, including Inori and every U.S. SMB, the FDBR is irrelevant.

Applicability requires global revenue exceeding $1 billion AND at least one of:

• 50%+ of gross revenue from online advertising (captures Google, Meta), or
• Operates a smart speaker / virtual assistant (captures Amazon, Google, Apple), or
• Operates an app store with 250,000+ apps (captures Apple, Google).

The realistic universe of covered entities: Google, Apple, Meta, Amazon, Microsoft, possibly Samsung and TikTok/ByteDance.

Exemptions track the VCDPA template — HIPAA, GLBA, non-profits, higher-ed, FCRA/DPPA/FERPA, employee/B2B data.

Consumer Rights

• Right to confirm and access
• Right to correct
• Right to delete
• Right to portability
• Right to opt out of sale, targeted advertising, and profiling

The FDBR has a disproportionate focus on protections for minors, reflecting Florida's legislative agenda: mandatory parental consent for processing data of minors under 18 on covered platforms; prohibition on profiling of minors without parental consent; tripled penalties for violations involving minors; age-verification requirements; and restrictions on targeted advertising to minors.

Sensitive data (standard categories plus precise geolocation after 24-hour or 1,750-ping monitoring) requires opt-in consent.

Compliance Requirements

Covered entities must publish privacy notices, conduct DPIAs for covered processing, and obtain parental consent for minors' data. GPC/UOOM is not required. No dedicated privacy agency exists — enforcement runs through the Florida Department of Legal Affairs.

In February 2026 the AG created the CHINA Prevention Unit (Combating Hostile and Invasive Networks from Adversaries) to investigate Chinese-owned corporations collecting Florida consumer data, with a focus on healthcare and medical devices.

Cure Period + Enforcement

Florida AG (Department of Legal Affairs) holds exclusive enforcement authority. Penalties reach $50,000 per violation — one of the highest ceilings in the country — and $150,000 per violation when minors' data is involved (3×). A 45-day cure period is active — the longest among state privacy laws.

How Inori Addresses This

Inori is not a covered entity under FDBR — global revenue is well under $1B and the platform does not operate an ad network, smart speaker, or app store. The FDBR does not impose direct obligations.

However, Inori's general compliance stack already meets FDBR's consumer-rights baseline for any Florida resident exercising rights under other theories:

• Notice: src/content/legal/privacy.mdx v1.2 satisfies FDBR-style disclosures.
• DSAR: /api/dsar covers access, correction, deletion, and portability with a 30-day SLA.
• GPC: Honored via middleware.ts:respectGpc despite not being required by Florida.
• Deletion: 90-day hard-purge cron.
• Minors: Inori's Terms require users to be 18+; no minors' data is knowingly collected. Parental-consent infrastructure is not built because the collection is out of scope.
• Deferred: Minor-aware flows ship only if a B2B use case emerges that requires them.

Related Concepts

See CCPA/CPRA, VCDPA, and TDPSA for comparative scopes; DSAR for the unified request pipeline; GPC for the opt-out signal Inori honors as a multi-state default. UCPA similarly limits scope via high thresholds but through a different mechanism.