PUBLISHED ON 2026-05-01

Florida Digital Bill of Rights (FDBR): 2026 Compliance Guide

If you sell to consumers in Florida, you have probably heard about the Florida Digital Bill of Rights (FDBR). It was signed into law in 2023, took effect on 1 July 2024, and has steadily reshaped how large data-driven businesses operate in the state. The headline most coverage missed: while only the largest companies face the full sweep of obligations, every for-profit entity doing business in Florida must follow specific rules around the sale of sensitive data and how minors are treated online.

This guide explains who is in scope, what consumer rights look like under the FDBR, what changed for 2026, and a practical compliance checklist you can act on this quarter. None of this is legal advice — it is plain-English context to help you scope work and brief your counsel.

What the FDBR Is and Why It Matters

The FDBR sits at the centre of Florida Senate Bill 262 (SB 262). Unlike the comprehensive privacy laws in California, Virginia, Colorado, Connecticut, or Texas, Florida did not build a sweeping consumer privacy regime. The drafters narrowed the headline obligations to a small set of very large companies — primarily Big Tech — while extending narrower rules to a much wider audience.

That two-tier design is the single most important thing to understand. A SaaS startup with $5M ARR almost certainly does not trip the FDBR's main applicability threshold, but the same startup may still be subject to the law's restrictions on selling sensitive personal data and to its government-data and protection-of-minors provisions.

Where the FDBR Fits in the State Privacy Law Map

Florida joined a wave of state privacy laws active in 2026, including Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, Utah's UCPA, the Texas Data Privacy and Security Act, and the Washington My Health My Data Act. The FDBR is unusual among them because of its narrow scope plus targeted sensitive-data carve-outs.

Who Must Comply With the FDBR

The FDBR's main consumer-rights obligations apply to a "controller" — defined as a for-profit entity that conducts business in Florida or produces a product or service used by Florida residents, makes more than $1 billion in global gross annual revenue, and meets at least one of three additional conditions:

  • Derives at least 50% of its global gross revenue from the sale of online advertisements;
  • Operates a consumer smart speaker and voice command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or
  • Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for download and installation by consumers.

Read carefully, this design targets a small group: very large advertising-funded platforms, smart-speaker ecosystems, and the dominant mobile app stores. Most SaaS, e-commerce, and small business operators sit outside the main controller obligations.

The Carve-Outs Everyone Should Know

Even if you are not a "controller" in the main sense, several FDBR provisions apply more broadly. The most important: any for-profit entity that conducts business in Florida and sells "sensitive data" must obtain the consumer's consent before that sale, and a site that sells sensitive data must carry the statutory notice ("NOTICE: This website may sell your sensitive personal data."), with a parallel notice for biometric data. Sensitive data under the FDBR includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to identify an individual, precise geolocation, and personal data collected from a known child.

The law also includes notable rules about government-directed content moderation, search engine transparency, and the protection of minors that reach beyond the $1 billion threshold. If you operate a service where minors can register or where you sell biometric or precise geolocation data, treat the FDBR as relevant regardless of your size.

Consumer Rights Under the FDBR

For in-scope controllers, the FDBR grants Florida residents — when acting in an individual or household context — a familiar bundle of consumer rights:

  • Right to confirm and access personal data the controller is processing.
  • Right to correct inaccuracies in their personal data.
  • Right to delete personal data provided by or obtained about the consumer.
  • Right to data portability — to obtain a copy of personal data in a portable, readily usable format.
  • Right to opt out of the sale of personal data, targeted advertising, and certain profiling decisions that produce legal or similarly significant effects.
  • Right to opt out of the collection or processing of sensitive data and the collection of personal data through a voice or facial recognition feature.

Controllers must respond to a verifiable consumer request within 45 days, with a single 15-day extension if reasonably necessary. Responses must be free of charge for the first request in any 12-month period.

How the FDBR's Rights Compare to CCPA and GDPR

The mechanics will look familiar to anyone who has built a privacy programme around the CCPA or GDPR. The differences worth flagging: Florida explicitly addresses voice and facial recognition opt-outs, requires controllers to recognise universal opt-out signals as the law is implemented, and pairs its enforcement framework with a stronger penalty multiplier when minors are involved.

| Right | FDBR (Florida) | CCPA/CPRA (California) | GDPR (EU) |
|---|---|---|---|
| Access / Confirm | Yes | Yes | Yes |
| Correct / Rectify | Yes | Yes | Yes |
| Delete / Erase | Yes | Yes | Yes |
| Portability | Yes | Yes | Yes |
| Opt-out of sale / sharing | Yes | Yes | Consent-based regime |
| Opt-out of profiling | Yes (significant decisions) | Yes | Yes (Article 22) |
| Voice/facial collection opt-out | Yes (specific) | Indirect via sensitive PI | Via biometric provisions |

Controller and Processor Obligations

Beyond rights, the FDBR sets baseline programme requirements. In-scope controllers must publish a clear, accessible privacy notice describing the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, and the categories of personal data shared with third parties. The notice must also describe the categories of third parties involved.

Controllers are required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. They must also conduct and document data protection assessments for processing activities that present a heightened risk of harm — including targeted advertising, the sale of personal data, profiling that produces legal or similarly significant effects, and the processing of sensitive data. The Florida Attorney General can request these assessments during an investigation.

If you rely on vendors, the FDBR requires written contracts that mirror the GDPR-style processor terms many teams already use under the data processing agreement framework: clear instructions, confidentiality, security, sub-processor terms, deletion or return, and assistance with consumer requests.

Universal Opt-Out Signals

The FDBR contemplates honouring universal opt-out mechanisms, such as the Global Privacy Control (GPC) browser signal, for sale and targeted-advertising opt-outs. Technically, GPC reaches your stack in two places: as the HTTP request header `Sec-GPC: 1` on every request from a browser that has it enabled, and as the boolean `navigator.globalPrivacyControl` in page scripts. If you operate ad tech or run paid acquisition that depends on third-party identifiers, your cookie banner and consent management platform should already be configured to detect and respect the signal, and it is worth checking the server side too: a CMP script that evaluates the signal only after your ad tags have already fired honours nothing.
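The signal handling described above, as an added example that is not code from the original article or from any CMP vendor: a small Node-style module that detects `Sec-GPC` on the server, combines it with a stored consent record, and decides which tags may load. The consent-record fields, the tag catalogue and the sample requests are constructed for illustration; the permission model follows this article's reading of the FDBR (opt-out for sale and targeted advertising, opt-in for sensitive-data sales and for known children) and is not legal advice.

```javascript
// Added example, not the article's own or any vendor's code.
// Server-side Global Privacy Control (GPC) handling for a Node-style request.

// GPC arrives as the request header `Sec-GPC: 1`. Node lowercases header names
// in req.headers, so accept either form; only the exact value "1" is a signal.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return raw !== undefined && String(raw).trim() === '1';
}

// Browser-side counterpart: the same signal is exposed as a boolean on navigator.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which processing activities are permitted for one request.
// Consent record fields (hypothetical shape for this example):
//   optOutSaleAndTargeting   - consumer explicitly opted out of sale / targeted ads
//   sensitiveDataSaleConsent - consumer explicitly opted IN to sale of sensitive data
//   minorAuthorization       - affirmative authorization recorded for a known child
// Model, following the article's reading of the FDBR (not legal advice):
//   sale of personal data and targeted advertising are opt-out, so they are allowed
//   unless the consumer opted out explicitly or a universal opt-out signal is present;
//   sale of sensitive data is opt-in, so it needs recorded consent, and an opt-out
//   of sale still covers it; for a known child, sale and targeting are opt-in too.
function resolveProcessingPermissions({ headers, consent = null, knownChild = false }) {
  const gpc = hasGpcSignal(headers);
  const optedOut = gpc || consent?.optOutSaleAndTargeting === true;

  const permissions = {
    gpcDetected: gpc,
    targetedAdvertising: !optedOut,
    saleOfPersonalData: !optedOut,
    saleOfSensitiveData: consent?.sensitiveDataSaleConsent === true && !optedOut,
  };

  if (knownChild) {
    // Opt-in only: needs affirmative authorization, and an opt-out signal still wins.
    const authorized = consent?.minorAuthorization === true && !optedOut;
    permissions.targetedAdvertising = authorized;
    permissions.saleOfPersonalData = authorized;
  }
  return permissions;
}

// Constructed tag catalogue: each tag lists the permissions it needs before it may load.
const TAG_CATALOGUE = [
  { id: 'first-party-analytics', requires: [] },
  { id: 'adnet-retargeting', requires: ['targetedAdvertising'] },
  { id: 'data-broker-sync', requires: ['saleOfPersonalData'] },
  { id: 'precise-location-sdk', requires: ['saleOfSensitiveData'] },
];

// Return the ids of tags whose every required permission is granted.
function tagsToLoad(permissions, catalogue = TAG_CATALOGUE) {
  return catalogue
    .filter((tag) => tag.requires.every((p) => permissions[p] === true))
    .map((tag) => tag.id);
}

// Constructed sample requests (not captured traffic) to exercise the resolver.
const SAMPLE_REQUESTS = {
  gpcOn: { headers: { 'sec-gpc': '1' }, consent: null },
  noSignalWithSensitiveConsent: { headers: {}, consent: { sensitiveDataSaleConsent: true } },
  knownChildAuthorized: { headers: {}, consent: { minorAuthorization: true }, knownChild: true },
  knownChildWithGpc: { headers: { 'Sec-GPC': '1' }, consent: { minorAuthorization: true }, knownChild: true },
};

// Evaluate every sample and report which tags would load for each.
function evaluateSamples(samples = SAMPLE_REQUESTS) {
  const out = {};
  for (const [name, req] of Object.entries(samples)) {
    out[name] = tagsToLoad(resolveProcessingPermissions(req));
  }
  return out;
}

// Stand-alone run: show the tag decision per sample request.
console.log(JSON.stringify(evaluateSamples(), null, 2));
```

Run `resolveProcessingPermissions` before any tag markup is emitted rather than inside the banner script, so a `Sec-GPC` request never receives retargeting or broker-sync tags in the first place. Only the exact value `1` counts as a signal, since the GPC specification defines no other value; a browser with GPC off simply omits the header.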

Special Protections for Minors

One of the FDBR's most distinctive features is its enhanced protection for minors. Controllers may not process the personal data of a known child — generally a consumer under 13 — for targeted advertising, sale, or certain profiling without affirmative authorization. For consumers between 13 and 17, separate rules require opt-in consent before sale or targeted advertising, where the controller has actual knowledge of the consumer's age.

The penalty schedule reinforces this priority. Civil penalties are tripled when violations involve a Florida consumer who is a minor. Combined with federal COPPA obligations, this creates a layered framework that any platform with a meaningful teen or child user base needs to map carefully.

Enforcement and Penalties

The FDBR is enforced exclusively by the Florida Department of Legal Affairs, the office of the state Attorney General. There is no private right of action.

Enforcement follows a familiar pattern: the Attorney General must provide written notice of an alleged violation and a 45-day period to cure. The cure period is intended to give responsible operators time to remediate before formal action. If a violation is not cured, the Attorney General may pursue civil penalties of up to $50,000 per violation, with that amount tripled when the violation involves a Florida consumer under the age of 18, the violation results from intentional rather than inadvertent conduct, or the controller fails to provide a required deletion or correction.

Practical takeaway: Treat the 45-day cure period as a planning tool, not a safety net. By the time you receive notice, the underlying compliance gap may have produced months of exposure across other state regimes that do not offer the same grace period.

FDBR vs Other 2026 State Privacy Laws

If you are building a multi-state compliance programme, the FDBR is best understood as a satellite layered on top of a baseline programme designed for the major comprehensive laws. The work you have already done for the CCPA/CPRA, Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, and Texas's TDPSA covers most of the mechanics: rights handling, notice content, vendor contracts, and assessment workflows.

Florida's specific additions to that baseline are the sensitive-data sale prohibition that reaches all for-profit entities, the voice/facial-collection opt-out, and the minor-focused penalty multiplier. Map these to your existing controls and you will avoid duplicating work.

A 2026 FDBR Compliance Checklist

Use this list as a starting point. The right scope depends on your business model, data flows, and counsel's risk assessment.

  1. Confirm scope. Calculate global gross revenue and check the three trigger conditions (online advertising revenue mix, smart speaker operations, app store size). Most operators will not be controllers — but document the analysis.
  2. Audit sensitive data flows. Map every place you collect or sell sensitive data, including biometrics, precise geolocation, and data about known children. The sensitive-data sale rules apply broadly.
  3. Refresh your privacy notice. Make sure your privacy policy describes categories of personal data, purposes of processing, third-party sharing, consumer rights, and how to exercise them.
  4. Stand up a request workflow. Build or verify a process to handle access, correction, deletion, portability, and opt-out requests within 45 days, with identity verification and a single 15-day extension when justified.
  5. Configure consent. If you are an in-scope controller or process sensitive data, ensure you have an opt-in flow for sensitive-data sales and targeted advertising for minors. Recognise universal opt-out signals.
  6. Update vendor contracts. Confirm processor terms, including security, sub-processor controls, deletion, and assistance with rights requests.
  7. Run data protection assessments. Document assessments for high-risk activities — targeted advertising, sale, profiling with significant effects, and sensitive-data processing.
  8. Plan for minors. If your service is likely to be accessed by minors, layer FDBR rules on top of your COPPA programme and document age-verification and consent mechanics.
  9. Train internal teams. Customer support, marketing, and engineering should know how to escalate Florida consumer requests and identify sensitive-data flows.
  10. Track regulator activity. Watch the Florida Attorney General's enforcement actions and consumer alerts in 2026 for early signals about how the law will be interpreted in practice.

Common FDBR Mistakes to Avoid

Three recurring patterns trip up otherwise well-prepared teams. First, assuming that being below the $1 billion threshold means the FDBR is irrelevant — it is not, because the sensitive-data and minor provisions reach further. Second, copy-pasting a CCPA-only privacy notice without surfacing Florida-specific rights and contact information. Third, neglecting universal opt-out signal handling, which is a configuration step in most modern consent management platforms but is easy to miss during a vendor migration.

If your stack has drifted, a quick way to start is to run an internal pass with a compliance audit checklist and triage the gaps before scheduling external review.

Frequently Asked Questions

When did the Florida Digital Bill of Rights take effect?

The FDBR's principal provisions took effect on 1 July 2024. Some assessment-related provisions apply to processing activities created or generated on or after 1 July 2023.

Does the FDBR apply to small businesses?

The main controller obligations apply only to for-profit entities with more than $1 billion in global gross annual revenue that also meet at least one of three trigger conditions. However, the FDBR's restrictions on the sale of sensitive personal data, government-data provisions, and protections for minors can apply to a broader set of businesses.

What counts as sensitive data under the FDBR?

Sensitive data includes information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to identify an individual, precise geolocation, and personal data collected from a known child.

What are the penalties for violating the FDBR?

The Florida Department of Legal Affairs may seek civil penalties of up to $50,000 per violation. Penalties are tripled when violations involve a Florida consumer under 18, when the violation is intentional, or when a controller fails to comply with a required deletion or correction. There is a 45-day cure period after written notice from the Attorney General.

Is there a private right of action under the FDBR?

No. Enforcement is reserved exclusively to the Florida Department of Legal Affairs. Consumers cannot sue businesses directly under the FDBR.

How long do I have to respond to an FDBR consumer request?

Controllers must respond within 45 days of receiving a verifiable consumer request, with a single 15-day extension when reasonably necessary. The first request in any 12-month period must be handled free of charge.

Does the FDBR replace the CCPA or GDPR for businesses operating across jurisdictions?

No. The FDBR is layered on top of other privacy regimes. Businesses subject to GDPR, CCPA/CPRA, or other state privacy laws still need to satisfy those frameworks. A consolidated rights and notice programme typically handles all of them, with Florida-specific additions where needed.

This article is for informational purposes only and is not legal advice. Consult a qualified attorney for your specific situation.

For practical templates and a fast starting point, our free privacy policy generator and cookie policy generator can help you draft documents that align with FDBR notice requirements alongside your other state and federal obligations. Authoritative primary sources for further reading include the Florida Senate's official SB 262 bill page, the enrolled text of the Digital Bill of Rights, and ongoing analysis from the International Association of Privacy Professionals.