Florida Privacy Law (FDBR): What Small Businesses Need to Know

The Florida Digital Bill of Rights (FDBR) took effect July 1, 2024, and is structurally unlike most other state privacy laws because of its $1 billion annual revenue threshold. The law applies primarily to large technology companies and major online platforms — not to small or mid-size businesses. To be in scope, a business must have $1 billion or more in global gross annual revenue AND meet certain Florida-specific operational thresholds, including processing data for targeted advertising or operating an app store. The Florida Attorney General is the sole enforcement authority. For most Shopify merchants, direct-to-consumer brands, and US small businesses, FDBR does not apply.

Does FDBR Apply to My Business?

FDBR applies only to a "controller" that conducts business in Florida or produces products or services targeted to Florida residents AND meets all of the following:

• Has annual global gross revenue of more than $1 billion, AND
• Derives 50% or more of global gross revenue from the sale of online advertisements, OR operates a consumer smart speaker and voice command service with cloud-based natural language interaction technology, OR operates an app store offering at least 250,000 different software applications.

The threshold structure is AND, not OR — a business must hit the $1 billion revenue floor and also meet one of the qualifying operational categories. This is fundamentally different from every other state privacy law.

The qualifying operational categories — large advertising-revenue businesses, smart speaker operators, and major app stores — make clear that FDBR was designed to regulate Google, Meta, Amazon, Apple, and similar companies. The Florida legislature explicitly carved this scope to avoid burdening Florida small businesses with compliance obligations.

What Does FDBR Require?

For the small number of businesses subject to FDBR, the law grants Florida consumers a robust set of rights similar to other state privacy laws.

Consumer rights you must honor. Access, correction, deletion, portability, and opt-out of targeted advertising and sale of personal data. Response deadline is 45 days, with one possible extension.

Disclosures you must publish. Privacy notice covering categories of data, purposes, third-party sharing, and rights instructions. Search engines covered by the law must also disclose how their algorithms prioritize political content.

Operational practices. Special protections for children's data. Search engine transparency requirements specific to political content prioritization. Sensitive data processing requires opt-in consent.

How FDBR Affects Small Businesses

The honest answer: in most cases, it doesn't. FDBR's $1 billion revenue threshold combined with the AND-logic operational categories means the law applies almost exclusively to major technology companies. A Shopify merchant with $50 million in revenue is not in scope. A direct-to-consumer brand with $200 million in revenue is not in scope. Even most large e-commerce operations fall far below the $1 billion revenue threshold.

The category that small businesses sometimes worry about is the targeted advertising exposure. But the operational test requires deriving 50% or more of revenue from selling online advertisements. A Shopify merchant runs ads as a buyer, not a seller. The law applies to platforms selling ad inventory — not to businesses purchasing ads from those platforms.

If you are a Florida business or selling to Florida consumers and you are not Google, Meta, Apple, Amazon, or a comparable platform, FDBR almost certainly does not apply to you. Your privacy compliance focus should be on the laws that do apply: California CCPA/CPRA, Texas TDPSA, and the other state laws with consumer-count thresholds that catch national e-commerce.

The one exception worth noting: certain children's data provisions in FDBR may apply more broadly. If you process personal data of known minors as part of your business, review the specific FDBR children's provisions even if the broader law does not apply.

Key Differences from Other State Privacy Laws

FDBR is the structural outlier among US state privacy laws. Compared to every other state law:

Threshold logic is AND, not OR. A business must meet both the revenue threshold AND a qualifying operational category. Every other state privacy law uses OR logic for its primary thresholds.

Revenue threshold is $1 billion — 40 times California's $25 million and infinitely higher than the no-revenue-threshold laws in Texas, Virginia, Colorado, and most other states.

Operational categories are narrow. The qualifying categories — ad-revenue platforms, smart speakers, app stores — are designed to capture specific big tech business models, not general consumer-facing businesses.

Compared to California CCPA/CPRA, FDBR is dramatically narrower in scope. CCPA captures any business meeting ONE threshold; FDBR requires a business meet the high revenue threshold AND a qualifying category.

Compared to Texas TDPSA, the contrast is stark: TDPSA has no revenue threshold and applies to many SMBs; FDBR requires $1 billion in revenue and applies to almost no SMBs.

How to Comply with FDBR

For the small number of businesses actually in scope, the compliance steps follow the standard state privacy law model.

1. Confirm scope. Verify that you have $1 billion or more in global gross annual revenue AND meet one of the qualifying operational categories. If you do not meet both, FDBR does not apply.
2. If in scope, update your privacy notice. Disclose categories of personal data processed, purposes, third-party sharing, and rights instructions.
3. Add opt-out mechanisms for targeted advertising and sale of personal data.
4. Build a consumer rights request workflow with 45-day response tracking.
5. Implement sensitive data opt-in consent before processing any sensitive personal data category.
6. Build children's data protections for processing data of known minors.
7. If a search engine, build political content transparency disclosures.

For businesses not in scope (the vast majority), no FDBR-specific compliance work is required. Focus instead on the state privacy laws that actually apply to your business.

FDBR Enforcement and Penalties

The Florida Attorney General has exclusive enforcement authority for FDBR. There is no private right of action — Florida consumers cannot sue businesses directly. The AG may seek civil penalties of up to $50,000 per violation, with penalties tripled to up to $150,000 per violation for violations involving consumers under 18, violations involving sensitive data, or willful violations.

FDBR includes a 45-day cure period before enforcement. If the business cures the violation within 45 days of notice, the AG may not bring an action for that violation.

Because FDBR applies to so few businesses, enforcement activity has been limited compared to other state privacy laws. Most published enforcement attention has been on major technology companies operating consumer-facing services in Florida.

Frequently Asked Questions

Does Florida's privacy law apply to my small business?

Almost certainly not. Florida's Digital Bill of Rights requires $1 billion or more in annual revenue. This law is specifically designed to regulate large technology companies, not small or mid-size businesses. A Shopify merchant or direct-to-consumer brand is unlikely to be in scope unless it is part of a billion-dollar parent company.

What is the FDBR revenue threshold?

$1 billion in annual global gross revenue. This is the highest revenue threshold of any US state privacy law — 40 times higher than California's $25 million threshold. The law is designed to capture major technology companies, not general consumer-facing businesses.

When did Florida FDBR take effect?

Florida FDBR took effect July 1, 2024. The Florida Attorney General is the sole enforcement authority.

Why is FDBR so different from other state privacy laws?

The Florida legislature explicitly carved FDBR's scope to avoid burdening Florida small businesses. The AND-logic combined with the $1 billion revenue floor and narrow qualifying operational categories was intentional — the law targets major technology platforms and search engines, not general e-commerce businesses.

Do I need to comply with FDBR if my Shopify store sells to Florida customers?

Almost certainly not. FDBR applies based on whether your business meets the $1 billion revenue threshold and a qualifying operational category. A Shopify merchant is a buyer of advertising, not a seller of ad inventory, and is therefore not in the qualifying category. Florida consumers shopping at your store does not bring you into scope.

What are the penalties for FDBR violations?

The Florida AG can seek civil penalties of up to $50,000 per violation, tripled to $150,000 for violations involving minors, sensitive data, or willful conduct. There is no private right of action. A 45-day cure period applies before enforcement.

Check if FDBR applies to your business → Take the free 5-minute quiz

This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.