On April 12, 2024, the Florida Department of State published a Notice of Proposed Rule to implement Section 501.72(5) of the Florida Statutes. Specifically, the Proposed Rule is separated into four distinct rules under the Florida Digital Bill of Rights (FDBR), namely authorized persons, data security, enforcement, and standards for authenticated consumer requests.

Authorized persons

The Proposed Rule defines an 'authorized person' under the FDBR as:

• a consumer whose data is processed or sold by a controller or processor;
• a person granted express, written authority by a consumer to act for the consumer in exercising the consumer's rights;
• a person granted authority to act for a consumer under a power of attorney, whether denominated an agent, attorney in fact, or otherwise. The term includes an original agent, co-agent, and successor agent; or
• a person who is a parent or legal guardian of a child who is exercising the rights granted to the child or to the parents of a child.

An authorized person who is authenticated pursuant to the information below is entitled to act on a consumer's behalf to exercise all rights and protections conferred under the FDBR.

Data security

The Proposed Rule details a series of security practices under the FDBR. General data security practices include:

• protecting the confidentiality, integrity, and accessibility of personal data from unauthorized access, use, disclosure, deletion, or modification;
• establishing, implementing, and maintaining data security practices compliant with the risk management framework and standards adopted by the National Institute of Standards and Technology (NIST); and
• establishing, implementing, and maintaining security practices for the most sensitive data within a dataset with mixed sensitivity levels.

Administrative security controls include:

• organizational controls for personal data;
• designating a responsible individual for data security practices;
• documenting compliance with data security practices;
• authentication; and
• access controls.

The Proposed Rule also provides for technical and physical data security practices, such as encryption and preventing access from electronic devices.

Enforcement

The Proposed Rule stipulates that a consumer who files a complaint with the Department of Legal Affairs must include in the complaint:

• the consumer's name, address, telephone number, email address, and any user name or identity with the controller;
• the authorized person's name, address, telephone number, email address, and relationship with the consumer if an authorized person is submitting a complaint on their behalf;
• the controller's name and website; and
• a description of all the actions the consumer or authorized person requested the controller to take in connection with consumer rights.

Further, according to the Proposed Rule, 'reasonable age verification' is considered as 'any commercially reasonable method regularly used by the Government or businesses for the purpose of age and identity verification.' Also, 'reasonable parental verification' is defined as 'any method that is reasonably calculated at determining that a person is a parent of a child that also verifies the age and identity of that parent by commercially reasonable means.'

The Proposed Rule states that a controller would be found to have wilfully disregarded a consumer's age if, based on the facts or circumstances readily available, the controller should reasonably have been aroused to question whether a consumer was a child but failed to perform reasonable age verification. A controller will not be found to have willfully disregarded a consumer's age if that controller utilizes a reasonable age verification method with respect to all its consumers and the method determines that the consumer was not a child, unless the controller later obtained actual knowledge that the consumer was a child and failed to act.

Standards for authenticated consumer requests

The Proposed Rule provides that upon receipt of a request to exercise consumer rights and prior to taking any action or providing a response, controllers must use a commercially reasonable method to authenticate the consumer. In the case of a person submitting a request on behalf of another, controllers should use a commercially reasonable method to authenticate the person and determine whether they are an authorized person. In determining whether a method of authentication is commercially reasonable, controllers must consider:

• the rights requested to be exercised;
• the type, sensitivity, value, and volume of personal data;
• the degree of harm that could be suffered by the consumer in the event of improper access, use, or deletion of their data; or
• the cost to the controller.

The Proposed Rule would require that controllers avoid requesting additional personal data for authentication and would not require a consumer or authorized person to pay a fee to authenticate a request.

You can download the Proposed Rule here and view its history here.