You're reading the Florida version.Change state →
FL

Data Privacy Rights in Florida

Researched by , Lead Engineer

Primary sources cited; not legal advice.

Last verified:

Source: Federal: FTC Act § 5 (15 U.S.C. § 45), HIPAA (42 U.S.C. § 1320d), COPPA (15 U.S.C. §§ 6501–6506), FERPA (20 U.S.C. § 1232g), GLBA (15 U.S.C. §§ 6801–6809). State: California Consumer Privacy Act/CPRA (Cal. Civ. Code § 1798.100 et seq.), Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541).

About this article

Sourced from primary statutes (U.S. Code, CFR, state compiled statutes) and official government agency guidance. Written in plain language for general understanding — this is educational content, not legal advice. Our editorial standards

Florida Law

How Florida differs from federal law

Florida does not have a comprehensive consumer privacy law but provides protections through several targeted statutes:

  • Florida Constitution Art. I, § 23: Florida is one of the few states with an explicit constitutional right to privacy. This has been applied broadly by courts to protect personal information from government intrusion.
  • Florida Information Protection Act (Fla. Stat. § 501.171): Requires businesses to notify individuals within 30 days of a data breach — one of the shortest notification deadlines in the nation. Businesses must also notify the FL Department of Legal Affairs if 500+ residents are affected.
  • SB 262 (2023) — Digital Bill of Rights: A limited digital privacy law focused primarily on protecting minors under 16 from social media data collection. Requires parental consent for data processing of minors. Does not provide broad CCPA-style consumer rights for adults.
  • FDUTPA enforcement: The Florida AG uses the Florida Deceptive and Unfair Trade Practices Act (Fla. Stat. § 501.204) to pursue companies with deceptive data practices, privacy policy violations, and inadequate data security.
  • No comprehensive adult privacy law: Florida does not provide consumers with rights to access, delete, or opt out of the sale of personal data comparable to California's CCPA or Virginia's CDPA.

Additional Steps in Florida

Report data breaches to the Florida AG at myfloridalegal.com or call (866) 966-7226. File FTC complaints for deceptive data practices at reportfraud.ftc.gov. For children's privacy violations, file with the FTC under COPPA. Place security freezes with all three credit bureaus if your data was breached.

Relevant Law: Florida Constitution Art. I, § 23 (right to privacy), Fla. Stat. § 501.171 (FIPA — data breach notification), SB 262 (2023 — Digital Bill of Rights), Fla. Stat. § 501.204 (FDUTPA)

Federal baseline: Data Privacy Rights nationwide

What is this right?

The United States is one of the only major economies without a single comprehensive federal data privacy law. Congress has come close several times — the American Data Privacy and Protection Act died in committee in 2022, and APRA stalled in 2024 — but never gotten over the line. The result is a patchwork: federal sector-specific laws (HIPAA for health data, FERPA for education records, COPPA for kids under 13, GLBA for financial data) plus a fast-growing list of state laws that look more like the EU's GDPR.

California led with the CCPA in 2018 (strengthened by the CPRA in 2020). Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and a dozen other states have followed with their own comprehensive privacy laws, all with rolling effective dates through 2026. The rights vary, but the core is consistent: you can ask what data a company has, ask them to delete it, and opt out of the sale or sharing of it. Where you live decides what you can demand.

When does it apply?

Your data privacy rights kick in when:

  • A company collects, stores, or sells your personal data — name, email, phone, location, browsing history, purchase history.
  • You want to know what they have on you.
  • You want them to delete it.
  • You want to opt out of the sale or sharing.
  • You're notified of a data breach that exposed your information.

The state-by-state landscape, as of 2026:

  • California (CCPA/CPRA): Still the strongest. Rights to know, delete, opt out of sale and sharing, correct, and limit use of sensitive personal information. Enforced by the California Privacy Protection Agency, the only standalone state privacy regulator. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from selling data.
  • Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, and several more — comprehensive privacy laws, varying effective dates through 2026. Most cover access, deletion, correction, and opt-out.
  • States without comprehensive laws: Your main backstop is the FTC's general authority to chase "unfair or deceptive" data practices under Section 5 of the FTC Act, plus the federal sector-specific laws (HIPAA, COPPA, GLBA, FERPA).

Three myths:

  • "No federal law means no rights." The state laws now cover roughly half of all Americans, and the federal sectoral laws cover health, financial, education, and kids' data nationwide.
  • "Free service means they can do anything." They still owe you a privacy policy disclosure and, in CCPA-and-similar states, opt-out rights regardless of whether you paid.
  • "Deleting my account deletes my data." Not automatically. Companies retain data for legal, business, and analytics reasons. To force deletion, you generally have to submit a specific deletion request under your state law.

What to Do If a Company Is Collecting or Selling Your Personal Data

Step 1: Figure out which law covers you. Your residence usually controls. If you're in California, Colorado, Connecticut, Virginia, Texas, Oregon, or one of the newer states, you have specific statutory rights you can exercise.

Step 2: Submit access requests. Most companies have a "Privacy" or "Do Not Sell My Information" link in the footer. California residents can use the phrase "right to know"; the company has 45 days to respond (extendable to 90).

Step 3: Opt out of sale and sharing. Under CCPA-style laws, companies have to give you a clear opt-out mechanism. Look for "Do Not Sell or Share My Personal Information" links, and turn on Global Privacy Control in your browser — California-style laws now treat that signal as a binding opt-out.

Step 4: After a breach, take the steps. Most states require notification and many require offered credit monitoring. Use it. Change passwords, enable two-factor authentication, freeze your credit.

Step 5: Complain. State attorneys general enforce most state privacy laws. California has its dedicated CPPA. The FTC takes federal complaints at reportfraud.ftc.gov.

What should you NOT do?

Don't toss the breach notice. If a company tells you your data was compromised, the clock has already started. Change passwords, enable 2FA on the affected accounts and any account that reuses the password, and freeze your credit.

Don't auto-accept cookie banners. Most are designed to look like accepting all is the easy path — and "Reject All" is hidden behind two clicks. Take the two clicks.

Don't read privacy policies as protection. They're disclosures, not commitments. The interesting sections are usually "how we share your data with third parties," "data retention," and "your rights" — the rest is boilerplate.

Don't pay data-removal services upfront without comparison. Many of them charge $10–$30 a month to send the same opt-out requests you can send yourself for free. Try DIY first; the requests for the major data brokers are mostly automated forms.

You shouldn't have to hire a lawyer to assert your rights.

Answer a few questions. We generate a personalized letter citing your state's exact statutes, deadlines, and penalties — ready to print and send in minutes.

Lawyers charge $350+. Your letter: $19.

Privacy Deletion$19Debt Collector C&D$19Debt Validation$19Credit Dispute$19
See all 20 letter types →

Data Privacy Rights in other states

Same topic, different jurisdiction. Pick the one that applies to you.

More in Consumer Rights

Debt Collection (in Florida)Before 1977, debt collectors could call your house at 2 a.m., tell your neighbors you were a deadbeat, threaten violence...Read more →Credit Report Rights (in Florida)For most of the 20th century, credit bureaus were closed shops — they kept files on you, sold them to lenders, employers...Read more →Small Claims Court (in Florida)Small claims court is the part of the court system actually built for normal people. No lawyer required, simplified rule...Read more →

Related Topics

Workers' RightsWorkplace Harassment (nationwide)Tax RightsPenalty Abatement (in Florida)
← Browse all Consumer Rights

Legal Resources

We may earn a commission if you use these services — at no extra cost to you. This supports our mission to make legal information free for everyone.

Credit KarmaFree credit monitoring, dispute tools, and alerts. Know when your credit report changes.Check Your Credit FreeIdentityGuardIdentity theft protection and monitoring. Get notified if your personal information is misused.Protect Your Identity

Last verified:

You came here to know your rights — help someone else know theirs.

Support This Mission