On June 6, 2023, Governor DeSantis signed Senate Bill (SB) 2262, legislation intended to create a “Digital Bill of Rights” for Floridians. While Florida’s new law provides similar privacy rights to consumers as other states’ comprehensive privacy laws passed in recent months, the law is narrower in the businesses that are regulated.

Generally, the requirements of the law take effect on July 1, 2024, with certain sections taking effect sooner.

Covered Businesses

The new legislation applies to businesses that collect consumers’ personal information, make in excess of $1 billion in gross revenues, and meet one of the following thresholds:

  • Derive 50% or more of its global annual revenues from providing targeted advertising or the sale of ads online; or
  • Operate a consumer smart speaker and voice command component service with an integrated virtual assistant connected to cloud computing service that uses hands-free verbal activation.

Consumer Rights

Like many of the comprehensive privacy laws passed in recent months, the new law provides Florida consumers the right to:

  • Access their personal information;
  • Delete or correct personal information; and,
  • Opt out of the sale or sharing of their personal information.

In addition to these rights, the law adds biometric data and geolocation information to the definition of personal data, for purposes of protecting consumers.

Covered Business Obligations

Under the new law, covered businesses and their processors are required to implement a retention schedule for the deletion of personal data. Controllers or processors may only retain personal data until:

  • The initial purpose of the collection was satisfied;
  • The contract for which the data was collected or obtained has expired or terminated; or
  • Two years after the consumer’s last interaction with the covered business.

Covered businesses will be required to provide reasonably accessible and clear privacy notices, and such notices will need to be updated annually, including disclosures to consumers regarding data collection, processing, and use practices.  

The law also requires covered businesses to develop and implement reasonable data security practices.

If you have questions about Florida’s new Digital Bill of Rights or related issues, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Tags: biometric, correct, delete, Digital Bill of Rights, Florida, geolocation, opt out, SB2262
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Privacy blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Read more about Jason C. Gavejian
Show more Show less
Related Posts
Top 10 Privacy, AI & Cybersecurity Issues for 2026
January 28, 2026
Florida’s Digital Wiretapping Surge: What Businesses Need to Know About FSCA Litigation
January 27, 2026
The Hidden Legal Minefield: Compliance Concerns with AI Smart Glasses, Part 2 – Two-Party Consent and AI Note-Taking
December 15, 2025