Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Florida’s Digital Bill of Rights Joins the Regulatory Framework

By Cathy Mulrow-Peattie and J. Michael Paulino
January 01, 2025

The proliferation of data breaches and increased sophistication of criminal attack vectors has led more states to enact their own reasonable security provisions as part of the patchwork quilt of privacy laws. Nineteen of the U.S. states which have enacted comprehensive privacy laws along with Florida’s Digital Bill of Rights (which took effect summer 2024) have provisions requiring controllers and businesses to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. Adding to the risk post data breach of the enforcement of reasonable security provisions on the state level is also increased federal enforcement actions in an attempt to apply pressure companies to take more care on how they secure and disseminate consumer data. Companies should be aware of the varying applicable regulatory frameworks required to protect consumer data and avoid additional penalties and liabilities under the growing number of data security enforcers.

The Federal Trade Commission 2023 Privacy and Data Security Update publication released on March 28, 2024, demonstrated that the FTC filed 89 data security cases through 2023. In one of its enforcement actions for 2024, the FTC required a smaller company to reimburse consumers more than $370,000 stemming from inadequate data security measures that led to multiple data breaches over the course of several years. The corresponding orders for data security breaches levied by the FTC uniformly require organizations to perform data minimization, delete personal data that is no longer has a business justification to maintain; and develop a comprehensive information security program while certifying compliance to the agency for a set period of time, along with ongoing compliance review. The FTC’s data minimization requirements dictate companies must implement policies to retain personal information for only as long as is reasonably necessary to fulfill the business purpose for which the information was collected and specify the specific business need for retaining it. In addition, many of states with comprehensive privacy laws going into effect in 2025 have similar data minimization processes that should be in place.

The obligations companies have for data security was best expressed by the FTC’s Bureau of Consumer Protection, “ … shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Bonus Content: How Emerging Technologies Are Impacting IP: A Chat With Legalweek Speaker Ryan Phelan Image

A Q&A with conference speaker Ryan Phelan, a partner at Marshall, Gerstein & Borun and founder and moderator of legal blog PatentNext, to discuss how courts and jurisdictions are handling novel technologies, the copyrightability of AI-assisted art, and more.

Overview of Regulatory Guidance Governing the Use of AI Systems In the Workplace Image

Businesses have long embraced the use of computer technology in the workplace as a means of improving efficiency and productivity of their operations. In recent years, businesses have incorporated artificial intelligence and other automated and algorithmic technologies into their computer systems. This article provides an overview of the federal regulatory guidance and the state and local rules in place so far and suggests ways in which employers may wish to address these developments with policies and practices to reduce legal risk.

Is Google Search Dead? How AI Is Reshaping Search and SEO Image

This two-part article dives into the massive shifts AI is bringing to Google Search and SEO and why traditional searches are no longer part of the solution for marketers. It’s not theoretical, it’s happening, and firms that adapt will come out ahead.

While Federal Legislation Flounders, State Privacy Laws for Children and Teens Gain Momentum Image

For decades, the Children’s Online Privacy Protection Act has been the only law to expressly address privacy for minors’ information other than student data. In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children.

Revolutionizing Workplace Design: A Perspective from Gray Reed Image

In an era where the workplace is constantly evolving, law firms face unique challenges and opportunities in facilities management, real estate, and design. Across the industry, firms are reevaluating their office spaces to adapt to hybrid work models, prioritize collaboration, and enhance employee experience. Trends such as flexible seating, technology-driven planning, and the creation of multifunctional spaces are shaping the future of law firm offices.