Florida Biometric Privacy Law Guide
Florida does not have a standalone biometric privacy law like Illinois’ BIPA. Instead, biometric data receives strong protections under the Florida Digital Bill of Rights (FDBR), enacted in 2023 and effective since July 1, 2024. Biometric information is also covered by updates to the Florida Information Protection Act (FIPA) for data breach notifications. This guide explains the current rules, who they apply to, consumer rights, business obligations, and practical steps for compliance.
What Is Biometric Data Under Florida Law?
Florida law defines biometric data as part of “sensitive data.” It includes genetic or biometric information processed to uniquely identify an individual. Examples include:
- Fingerprints
- Voiceprints
- Facial geometry or facial recognition data
- Iris or retina scans
- Hand or face geometry scans
It does not include photographs, physical descriptions (height, weight, hair color), or medical images used for diagnosis.
Biometric data is treated as especially sensitive because it is unique, permanent, and difficult to change if compromised—unlike a password.
Does Florida Have a Dedicated Biometric Privacy Law Like BIPA?
No. Proposed bills in 2019 (SB 1270 / HB 1153) aimed to create a “Florida Biometric Information Privacy Act” modeled after Illinois BIPA, but they did not pass.
Instead, Florida protects biometric data through the broader Florida Digital Bill of Rights (FDBR) and amendments to the Florida Information Protection Act (FIPA). These laws took effect in 2024 and remain the governing framework as of 2026.
Overview of the Florida Digital Bill of Rights (FDBR) and Biometric Protections
Signed by Governor Ron DeSantis in June 2023, the FDBR (Florida Statutes § 501.701 et seq.) is Florida’s comprehensive consumer data privacy law. It treats biometric data as sensitive data and adds unique protections not found in many other state laws.
Key biometric-specific features include:
- A dedicated consumer right to opt out of the collection of personal data via voice or facial recognition technology.
- Restrictions on devices using voice, facial, video, or audio features for surveillance when not actively in use (unless the consumer gives affirmative consent).
- Special website notices required if a business sells biometric data.
Who Does Florida’s Biometric Privacy Law Apply To?
The FDBR has a very narrow scope compared to laws in California or Virginia. It only applies to “controllers” (for-profit businesses) that:
- Conduct business in Florida
- Collect personal data about Florida consumers
- Have $1 billion or more in global gross annual revenue
- Meet at least one additional criterion (e.g., derive 50%+ of revenue from online targeted advertising, operate a smart speaker/virtual assistant, or run an app store with 250,000+ apps)
Broader impact on all businesses: Any for-profit business in Florida that collects consumer data and sells sensitive data (including biometric data) must post specific notices and generally cannot sell without proper disclosures. In addition, all businesses must follow the expanded FIPA data breach rules that now include biometric data.
Consumer Rights Under Florida Biometric Privacy Rules
Florida residents have powerful rights regarding their biometric data:
- Opt-out of sensitive data processing — including biometric data used to uniquely identify you.
- Opt-out of voice or facial recognition data collection — a right unique to the FDBR.
- Access, correct, delete, or obtain a copy of your personal data (including biometric data).
- Data minimization — businesses can only collect what is reasonably necessary.
- No passive surveillance — devices cannot collect biometric data (voice, facial, etc.) when not actively in use without your explicit consent.
Consumers can submit requests directly to covered companies, which must respond within set timelines and offer an appeals process.
Business Compliance Requirements for Biometric Data
Covered controllers must:
- Conduct data protection assessments for high-risk processing of sensitive (biometric) data.
- Enter contracts with processors that include specific privacy protections.
- Provide clear privacy notices updated at least annually.
- Post conspicuous notices if selling sensitive or biometric data:
  - “NOTICE: This website may sell your sensitive personal data.”
  - “NOTICE: This website may sell your biometric personal data.”
- Implement reasonable security safeguards and limit data retention.
- Honor opt-out requests promptly.
Even businesses below the FDBR threshold should follow best practices to avoid FIPA breach notification obligations and reputational risk.
Biometric Data and Florida Data Breach Notification Requirements
The FIPA now explicitly includes biometric data (and geolocation paired with name/initials) in the definition of “personal information.” If a breach affects 500 or more individuals, businesses must notify:
- Affected Florida residents
- The Florida Department of Legal Affairs (Attorney General)
- Credit reporting agencies (in some cases)
Penalties and Enforcement for Florida Biometric Privacy Violations
- No private right of action — consumers cannot sue directly.
- Enforced by the Florida Attorney General — violations can result in civil penalties under the Florida Deceptive and Unfair Trade Practices Act.
- The AG has already begun enforcement actions under the FDBR (e.g., against Roku in 2025), showing active oversight.
How Florida’s Rules Compare to Other States
| Aspect | Florida (FDBR) | Illinois (BIPA) | Texas / Washington |
|---|---|---|---|
| Dedicated biometric law | No (part of broader privacy law) | Yes | Yes |
| Private right of action | No | Yes (statutory damages) | Limited |
| Applicability | Very narrow ($1B+ revenue) | Broad (any private entity) | Broad |
| Voice/facial opt-out | Yes (unique) | No specific | Varies |
| Sale notices | Specific biometric notice | Consent required before sale | Consent required |
Florida’s law is business-friendly in scope but strong on specific biometric collection methods like voice and facial recognition.
Best Practices for Handling Biometric Data in Florida
- Inventory all biometric data collection (time clocks, security systems, customer apps, AI tools).
- Obtain clear, informed consent where required and document it.
- Implement strong security (encryption, access controls) and data minimization policies.
- Update privacy policies and website notices to address biometric sales.
- Train staff on FDBR and FIPA obligations.
- Prepare for consumer rights requests even if not currently a covered controller.
- Monitor for future legislative changes—Florida continues to expand privacy protections.
Frequently Asked Questions About Florida Biometric Privacy
Can my employer in Florida use fingerprint time clocks without consent?
If the employer meets FDBR thresholds, yes—they must comply with notice and opt-out rules. All employers must protect the data under FIPA breach rules.
Do small businesses need to worry about Florida biometric laws?
The full FDBR applies only to very large companies, but any business selling biometric data must post notices, and all must follow breach notification rules.
What if a device collects my voice data passively?
Under the FDBR, this is prohibited unless you give affirmative consent and the device is actively in use.
Where can I submit a biometric data request in Florida?
Contact the business directly using the methods in their privacy policy. Covered companies must provide an easy way to exercise rights.
Conclusion: Staying Compliant with Florida Biometric Privacy Rules in 2026
Florida’s approach balances consumer protection with a narrow regulatory scope. By treating biometric data as sensitive and adding unique voice/facial recognition rights, the FDBR gives Floridians meaningful control while focusing enforcement on the largest data collectors.
Businesses operating in Florida should review their biometric practices now—whether under the FDBR or general best-practice standards—to avoid enforcement actions and build consumer trust. Florida residents concerned about biometric data can use their opt-out rights and monitor company privacy notices.
For the latest official text, visit the Florida Statutes Chapter 501, Part V. Consult qualified legal counsel for advice specific to your situation, as privacy regulations continue to evolve.