Privacy, AdTech, and “Controllers” in Florida: What Businesses Need to Know

What Changed in Florida

Florida now has a privacy law called the Digital Bill of Rights.

This law focuses on how certain businesses handle consumer data.

At the same time, Florida already has a breach law that requires fast action when data is exposed.

Together, these create two major risks:

• How you handle data every day
• How you respond when something goes wrong

Both matter to regulators. Both matter to insurance companies.

---

Who Does This Law Apply To?

Not every business is affected the same way.

Florida uses a term called “controller.”

A controller is a business that:

• Makes more than $1 billion in revenue
• Collects and uses consumer data
• Meets certain criteria related to advertising or digital platforms

This includes companies that:

• Make money from online ads
• Operate large apps or platforms
• Use advanced data tracking or analytics

If your business meets these criteria, the expectations are much higher.

---

Why This Matters Even If You’re Not a Controller

Many businesses will not meet the “controller” definition.

But that does not mean you are off the hook.

Why?

Because Florida’s breach law still applies to most businesses.

If personal information is exposed, you may still have to:

• Investigate the issue
• Notify affected individuals
• Work with regulators

And insurance companies still evaluate your data practices.

So even if the privacy law does not fully apply, your risk is still real.

---

How Data Creates Risk

Data risk is not just about being hacked.

It can come from normal business activity.

For example:

• Using tracking pixels on your website
• Sharing data with marketing vendors
• Collecting location data from mobile devices
• Storing customer information longer than necessary

These actions can create exposure.

Even without a cyber attack.

---

---

What Happens When There Is a Problem

When something goes wrong, costs can add up quickly.

Even if no hacker is involved.

You may need to:

• Hire forensic experts
• Work with legal teams
• Review your data practices
• Notify customers
• Handle regulatory inquiries

This is where cyber insurance comes into play.

---

First-Party Costs

First-party coverage helps your business handle internal costs.

These may include:

• Investigating what happened
• Fixing systems or processes
• Managing public relations
• Dealing with downtime

Even something like disabling a tracking tool can disrupt your operations.

---

Third-Party Costs

Third-party costs involve other people.

This includes:

• Legal defense
• Regulatory investigations
• Claims from customers

In Florida, regulators can take action if they believe your data practices were misleading or harmful.

That can create significant expenses.

---

Florida’s 30-Day Rule

Florida requires businesses to act quickly after a data issue.

You may need to notify individuals within 30 days after determining a breach occurred.

If a vendor is involved, they must notify you within 10 days.

But you are still responsible for taking action.

This creates pressure to move fast.

---

---

Why This Drives Insurance Costs

Insurance companies look closely at how you handle data.

If your processes are unclear, costs go up.

If your controls are strong, risk goes down.

The biggest cost drivers include:

• Large amounts of stored data
• Poor tracking of where data lives
• Weak vendor oversight
• Lack of documentation

The more uncertainty, the higher the risk.

---

What Insurance Companies Want to See

Underwriters are now asking different questions.

They want to know:

• Do you know what data you collect?
• Do you know where it goes?
• Do you limit how long you keep it?
• Do you control how vendors use it?

These are no longer “nice to have” answers.

They directly impact your coverage.

---

Key Controls That Reduce Risk

There are several important steps businesses should take.

Data Mapping

Know what data you have and where it flows.

Data Minimization

Only collect what you need.

Do not store data longer than necessary.

Vendor Management

Understand how your vendors use your data.

Set clear expectations in contracts.

Consent and Opt-Out Options

Give customers control over their data.

Make it easy for them to opt out.

Logging and Monitoring

Track how data is accessed and used.

This helps you respond quickly if something goes wrong.

---

---

Common Coverage Issues

Many businesses assume their insurance covers all privacy risks.

That is not always true.

Common issues include:

• Limited coverage for regulatory penalties
• Exclusions related to advertising practices
• Lower limits for certain types of data
• Disputes over what triggered the claim

This is why policy review is critical.

---

Real-World Lessons

There have been real cases where data exposure created major problems.

In some situations, large databases were exposed due to poor controls.

In others, companies faced penalties because of how they handled data internally.

The lesson is clear.

Privacy risk is not theoretical.

It is happening now.

---

Common Mistakes to Avoid

There are a few mistakes we see often.

One is thinking privacy only matters for large companies.

Another is ignoring how data flows through vendors.

A third is failing to document decisions.

If you cannot show how you manage data, you increase your risk.

---

Final Thoughts

Privacy is no longer just a legal issue.

It is a business risk.

It affects your operations, your reputation, and your insurance.

In Florida, the rules are becoming more defined.

And the expectations are rising.

The businesses that succeed will be the ones that understand their data and manage it well.

---

Call to Action

If you’re not sure how your data practices impact your risk, now is the time to find out.

Contact Florida Risk Partners for a complimentary privacy and cyber risk assessment.

We’ll help you understand your exposure, improve your controls, and align your insurance with today’s risks.