Florida Digital Bill of Rights: Why It Only Applies to Big Tech (and What Small Businesses Should Know Anyway)

The Florida Digital Bill of Rights (FDBR) took effect on July 1, 2024, and it's the most unusual state privacy law in the country. Unlike every other state, Florida set its revenue threshold at $1 billion in annual gross revenue — meaning it effectively only applies to large tech companies.

So why should small businesses care?

Who Does the FDBR Actually Apply To?

The FDBR applies to businesses that meet all of the following:

• Annual global gross revenue exceeding $1 billion
• Conduct business in Florida or target Florida residents
• Meet one of these additional criteria:
• Derive 50%+ of revenue from selling online ads
• Operate an app store or digital distribution platform with 250,000+ apps
• Operate a smart speaker or voice command service with 25M+ users

In practice, this means the FDBR targets companies like Google, Meta, Amazon, Apple, and similar tech giants. The vast majority of businesses — including all small-to-medium e-commerce stores — are exempt.

What the FDBR Requires (for Covered Entities)

For the large companies it covers:

• Consumer rights: access, correct, delete, data portability, opt out of sale and targeted advertising
• Sensitive data consent: opt-in required for processing sensitive data, including children's data (under 18)
• Data retention limits: must delete data after the purpose is fulfilled, the contract expires, or 2 years after the consumer's last interaction
• Children's protections: enhanced protections for data from users under 18
• Privacy notice: standard disclosure requirements
• Government surveillance reporting: must publish transparency reports about government data requests

Why Small Businesses Should Still Pay Attention

Even though the FDBR doesn't apply to you directly, here's why it matters:

1. Florida Customers Are Still Covered by Other Laws

If you have customers in Florida who also live in or visit states with comprehensive privacy laws (California, Texas, Virginia, etc.), those states' laws apply based on the consumer's location, not yours. A Florida resident shopping on your site might also be a snowbird with a California address.

2. Florida May Lower Its Threshold

Florida's $1 billion threshold was controversial. Privacy advocates and legislators have proposed amendments to lower it. If Florida follows the trend of states like Maryland and Rhode Island (which set thresholds as low as 35,000 consumers), a future amendment could bring millions of businesses into scope.

3. Platform Requirements Still Apply

Even if the FDBR doesn't apply to you, Shopify, Google, Meta, and Stripe still require privacy policies and data handling disclosures. These platform requirements effectively impose privacy compliance standards on all businesses, regardless of state law applicability.

4. The Penalties Are Severe

For covered entities, FDBR penalties are among the highest in the country:

• $50,000 per violation (standard)
• $150,000 per violation involving minors under 18 or failure to process deletion/opt-out requests (triple damages)

This aggressive penalty structure signals Florida's intent to take privacy enforcement seriously.

What Small Businesses in Florida Should Do

Even though the FDBR exempts you, you're almost certainly covered by other states' laws if you sell online. The practical advice is the same:

• Privacy policy disclosing your data practices
• Cookie consent banner with opt-out for non-essential tracking
• Consumer request process for access, deletion, and opt-out
• Compliance with CCPA, TDPSA, and other state laws that apply based on your customers' locations

Check Your Compliance

The FDBR may not apply to your business, but 19 other state privacy laws probably do. ClearConsent scans your site against all of them and shows you exactly where you stand.

Scan your site free — no signup required.