Some privacy laws require businesses to create data retention policies, but figuring out the maximum amount of time you can hold on to data can be complicated.
Privacy remains a major priority for state legislatures, as Florida recently passed and signed the “Digital Bill of Rights.” This new privacy law, which goes into effect on July 1, 2024, has a lot of familiar features, but is quite different in its scope, as compared to other state laws such the California Consumer Privacy Act or the Indiana, and others.
That said, there are some new privacy rights in this law that don’t exist elsewhere. For example, Floridians will be able to opt out of the collection of their personal data via voice and facial recognition features. Also, devices that make sensory recordings such as voice, video, or facial recognition, may not collect data while not in active use by the consumer unless the consumer has given their affirmative consent.
There is one section of the Florida Digital Bill of Rights that may apply to your business even if you don’t meet the $1 billion revenue threshold—the section that deals with the sale of “sensitive data.” Any for-profit organization that (1) does business in Florida and (2) collects personal data about Florida residents must first get consumers’ consent before engaging in the sale of their sensitive data, as well as post a disclosure of the sale in their privacy notice.
There are two important terms to understand: “sale” and “sensitive data.”
A “sale,” as defined by the Florida law, is the disclosure of personal data for monetary or other valuable consideration. The “other valuable consideration” part is important because it means money does not have to change hands. If your business makes personal data available in exchange for free or discounted access to software, for example, or for access to personal data from other controllers in a “data cooperative,” this could be considered a sale of personal data.
“Sensitive data” is any of the following four types of personal data:
For businesses that are already compliant or in the process of becoming compliant with other state privacy laws, this shouldn’t be a difficult requirement to implement. Most of the other state laws already require consumer consent for any processing of sensitive data, not just selling it. The only area where the Florida law is more expansive in this area is its definition of “child.” Here it means anyone under the age of 18, while in other states it typically only includes people under the age of 13.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.