FDBR

Florida Digital Bill of Rights

Flag of US
Florida, United StatesOpt-outState
Back to Regulations Guide

Key Facts

Effective Date
July 1, 2024
Enacted
June 6, 2023
Enforcing Authority
Florida Department of Legal Affairs (Attorney General)
Consent Model
Opt-out
Fulfillment Time
45 days
Applies To
Entities with $1B+ annual global revenue AND (50%+ revenue from online ads OR operating consumer smart speakers OR operating app stores with 250,000+ apps)

Overview

Florida's FDBR has the narrowest applicability among US state privacy laws, effectively targeting only major technology companies through its $1 billion revenue threshold and additional digital business criteria. However, it has the highest base penalty ($50,000) and treble damages ($150,000) for violations involving children.

What This Means for Your Website

  • Only applicable to very large tech companies ($1B+ revenue with specific digital business criteria)
  • Highest base penalty among US states: $50,000 per violation
  • Treble damages ($150,000) for violations involving children
  • Consumer rights include opting out of targeted advertising, data sales, and profiling
  • Smart speaker and virtual assistant surveillance restrictions apply

Key Requirements

The Florida AG enforces the FDBR with penalties up to $50,000 per violation, tripling to $150,000 for children's data violations. A discretionary 45-day cure period applies except for known violations involving children. The narrow applicability means only a handful of companies are directly subject.

How ConsentStack Handles This

ConsentStack applies Florida's opt-out model for applicable businesses, with enhanced protections for children's data to avoid treble penalty exposure.

Penalties

Up to $50,000 per violation; treble ($150,000) for violations involving children.

Maximum Fine
USD50,000 per violation

Key Requirements

  • Consent before selling sensitive data
  • Consumer rights: access, correct, delete, portability, opt-out
  • Right to opt out of targeted advertising, data sales, and profiling
  • Enhanced protections for children's data
  • Restrictions on surveillance through smart speakers and virtual assistants

Notable Provisions

  • Narrowest applicability — effectively targets only major tech companies
  • Highest base penalty ($50,000) among US states
  • Treble damages for children ($150,000)
  • Smart speaker surveillance restrictions

US State Specifics

Cure Period
45 days
Private Right of Action
No
Global Opt-out Required
No
Sensitive Data Opt-in
Yes
Children Provisions
Enhanced protections for minors. Treble penalties ($150,000) for violations involving children.

Other North America Regulations

CPRACalifornia, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDACanada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSATexas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPAColorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPAMaryland, United States
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

Which companies does Florida's FDBR target?

Only entities with $1B+ annual global revenue meeting additional criteria: 50%+ ad revenue, operating smart speakers, or operating app stores with 250,000+ apps.

What are the FDBR penalties?

Up to $50,000 per violation — the highest base penalty among US states. Treble damages ($150,000) for violations involving children.

Does the FDBR apply to most businesses?

No. The $1B revenue threshold plus additional criteria make it the narrowest US state privacy law — effectively targeting only major tech companies.

Stay compliant with FDBR

ConsentStack helps you implement Opt-out consent for Florida, United States automatically.

Get started