Florida Suit Citing Downplayed Privacy Law Raises Eyebrows
Florida’s privacy lawsuit last week against Roku surprised some data-protection experts, since the state’s Digital Bill of Rights frequently carries an asterisk in lists of the 20 state comprehensive privacy laws -- if it’s included at all. In the aftermath, however, some privacy experts told Privacy Daily that they’re still not ready to add Florida to the list.
In the Oct. 14 suit, Florida AG James Uthmeier (R) claimed that Roku violated the Florida Digital Bill of Rights by collecting, selling and enabling reidentification of children’s sensitive personal data without receiving authorization or providing meaningful notice (see 2510140024). Roku vowed to challenge those claims, which the video-streaming box maker says are inaccurate (see 2510160003).
But many privacy experts, including the IAPP, don’t consider the Florida Digital Bill of Rights a true comprehensive privacy law due to high applicability thresholds that seem to limit its scope to Big Tech companies. For instance, it applies to for-profit entities doing business in the state and collecting personal data, which have more than $1 billion in annual global revenue and meet one of three criteria: (1) Derive 50% of revenue from ad sales; (2) operate a consumer smart speaker with a virtual assistant; or (3) operate an app store with at least 250,000 apps.
IAPP doesn’t count Florida’s statute as a comprehensive privacy law “because of its extremely narrow scope, despite it having otherwise most of the characteristics of the 19 states we do track,” Cobun Zweifel-Keegan, IAPP managing director for Washington, D.C., posted on LinkedIn last week. The IAPP official admitted that a Florida privacy enforcement action wasn’t on his “bingo card.”
Florida said in its complaint last week that Roku qualifies as a controller under the privacy law because it “generates in excess of $1 billion in global gross annual revenue” and derives at least 50% of that revenue from selling ads online, “including through the provision of targeted advertising and the sale of ads in Florida.” Plus, the company “operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation through” a remote control.
"Classifying Florida's law amongst the state comprehensive privacy laws has been difficult given its unusually narrow applicability,” Jordan Francis, Future of Privacy Forum senior policy counsel, said in an email to us. “This enforcement action is perhaps a wake-up call for people who assumed they were not the primary targets of the law.” However, Francis said that if “this is an isolated case, then it does not substantially change how ‘comprehensive’ the law is to me.”
Still, said Francis, if the law “portends more enforcement activity, then, I think, we will see more analysis and focus on Florida amongst the privacy community, especially in light of the law's significant civil penalties.”
The lawsuit against Roku hasn’t changed how Electronic Privacy Information Center (EPIC) sees the Florida law, emailed EPIC Deputy Director Caitriona Fitzgerald. “While we are glad to see the Florida AG take action against Roku, EPIC still does not consider Florida’s privacy law to be ‘comprehensive’ because of its extremely high thresholds.”
"Many companies making less [than] $1 billion annually cause grave privacy harms," such as the facial-recognition software company Clearview AI, said Fitzgerald (see 2510080016). “The way Florida’s thresholds are written, Clearview AI wouldn’t fall under the law even if it makes [$1 billion] annually because it doesn’t have an app store, generate at least 50% of its revenue from ad sales, or operate a smart speaker. If you’re not covering a company like Clearview AI, you don’t have a comprehensive privacy law.”
Steven Robinson, a former chief privacy officer for Ricoh USA, said in an email that the Florida privacy law “reflects all the fair information privacy principles at some level. If that is what people mean by 'comprehensive,' fine, but that sets a pretty low bar.”
Robinson agreed with those who say that Florida’s law is narrower than privacy statutes in other states. “The recent Roku complaint doesn’t really change my view -- any privacy law should protect children’s privacy,” he said. “In 2025, it's hard to consider any consumer privacy law comprehensive in practical terms unless it includes a data minimization requirement along the lines of the new laws in Maryland and Connecticut.”
For Hinshaw privacy attorney Cathy Mulrow-Peattie, the complaint against Roku “is another example of [how] state attorneys general across the U.S. are leveraging their entire regulatory toolbox, including consumer protection and privacy laws, to prevent the collection, use, and sharing of sensitive data without consent, especially as it relates to children’s personal information and data shared with data brokers.”
Privacy is bipartisan, so “businesses should be reviewing their privacy practices and notices to see how these laws apply to them and if they meet the applicable thresholds under the state privacy laws where they are processing consumer personal information,” said the Hinshaw lawyer. “And that includes Florida.”