Compliance Program Charter - Florida
COMPLIANCE PROGRAM CHARTER — FLORIDA SUPPLEMENT
Company: [________________________________]
Effective Date: [__/__/____]
Approved by: [________________________________]
Version: [____]
TABLE OF CONTENTS
- Purpose and Authorization
- Florida Regulatory Landscape
- Scope — Florida Compliance Domains
- Governance Enhancements
- Core Program Elements — Florida Focus
- Florida Regulatory Change Management
- Florida-Specific Reporting and Metrics
- Resources
- Review and Approval
- Annexes
1. PURPOSE AND AUTHORIZATION
This supplement addresses Florida-specific regulatory requirements including the Florida Information Protection Act (FIPA), the Florida Digital Bill of Rights (FDBR, effective July 1, 2024), the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), and the Florida Civil Rights Act (FCRA).
2. FLORIDA REGULATORY LANDSCAPE
| Domain | Key Florida Statutes | Regulator |
|---|---|---|
| Privacy & Data Security | FIPA (Fla. Stat. § 501.171); FDBR (§ 501.701 et seq.) | FL Dept. of Legal Affairs (AG) |
| Consumer Protection | FDUTPA (§ 501.201 et seq.) | FL AG |
| Employment | FCRA (§ 760.01 et seq.); FL minimum wage (Art. X, § 24, FL Constitution) | FL Commission on Human Relations |
| Financial Services | FL Office of Financial Regulation (OFR); FL Insurance Code | OFR; FL Dept. of Financial Services |
| Healthcare | FL Patient's Bill of Rights (§ 381.026); AHCA regulations | FL Agency for Health Care Administration |
| Insurance | FL Insurance Code (Title XXXVII); FL OIR regulations | FL Office of Insurance Regulation |
3. SCOPE — FLORIDA COMPLIANCE DOMAINS
3.1 Privacy and Data Security
☐ FIPA compliance: reasonable security measures for personal information (§ 501.171(2)); 30-day breach notification (§ 501.171(3)); AG notification for >500 affected
☐ FDBR compliance (if applicable): consumer rights, sensitive data consent, data protection assessments, universal opt-out mechanisms, processor obligations
☐ FDBR applicability analysis: >$1B global revenue + data processing thresholds
3.2 Consumer Protection
☐ FDUTPA (§ 501.201): prohibition of unfair or deceptive acts or practices
☐ Marketing and advertising review for FDUTPA compliance
☐ Price transparency and disclosure requirements
3.3 Employment
☐ FCRA (§ 760.01): discrimination and harassment protections
☐ Florida minimum wage compliance (currently indexed to CPI)
☐ Florida Workers' Compensation (Ch. 440)
☐ E-Verify requirements for public employers and contractors (§ 448.095)
3.4 Sector-Specific
☐ Financial services: OFR regulatory requirements (if applicable)
☐ Healthcare: AHCA requirements, Patient's Bill of Rights
☐ Insurance: OIR regulatory requirements
4. GOVERNANCE ENHANCEMENTS
| Role | Florida Responsibilities |
|---|---|
| CCO | Oversee FL regulatory compliance; FL AG relationship management |
| Privacy Lead | FIPA/FDBR compliance; breach notification procedures |
| Consumer Protection Counsel | FDUTPA review; marketing/advertising compliance |
| Employment Counsel | FCRA compliance; FL wage/hour |
| Board/Committee | Receive FL-specific compliance reports |
5. CORE PROGRAM ELEMENTS — FLORIDA FOCUS
5.1 Risk Assessment — FL Additions
| Risk Area | Assessment Focus | Frequency |
|---|---|---|
| FIPA data security | Reasonable measures assessment; breach readiness | Annual |
| FDBR compliance | Applicability analysis; consumer rights; processor agreements | Annual |
| FDUTPA exposure | Marketing claims; pricing; disclosures | Annual |
| FCRA employment | Discrimination prevention; accommodation procedures | Annual |
5.2 Policies — FL-Specific
☐ FIPA breach notification procedures (30-day timeline)
☐ FDBR privacy notice and consumer rights procedures (if applicable)
☐ FDUTPA marketing/advertising review procedures
☐ FCRA anti-discrimination policy
☐ Florida-specific data retention and disposal policy
5.3 Training — FL-Specific
| Training | Audience | Frequency |
|---|---|---|
| FIPA data security awareness | All employees handling FL PI | Annual |
| FDBR privacy (if applicable) | Privacy team, customer service | Annual |
| FDUTPA consumer protection | Marketing, sales | Annual |
| FCRA discrimination prevention | All FL employees | Annual |
| Breach notification procedures | Incident response team | Annual |
5.4 Monitoring and Testing — FL Additions
☐ FIPA reasonable security measures verification
☐ Breach notification tabletop exercise (30-day timeline)
☐ FDBR consumer rights request handling (if applicable)
☐ FDUTPA marketing review
☐ FCRA complaint tracking and analysis
5.5 Third-Party Risk — FL Additions
☐ Vendor FIPA compliance verification
☐ FDBR processor agreements (if applicable)
☐ Vendor breach notification SLA alignment with 30-day timeline
☐ Data protection assessment support for high-risk vendor processing
6. FLORIDA REGULATORY CHANGE MANAGEMENT
| Source | Monitoring Approach |
|---|---|
| FL Legislature | Track proposed legislation through FL Legislative session |
| FL AG enforcement | Monitor AG enforcement actions and advisory opinions |
| FL Commission on Human Relations | Monitor guidance and complaint trends |
| FL OFR / OIR | Monitor regulatory changes (if applicable) |
7. FLORIDA-SPECIFIC REPORTING AND METRICS
| Metric | Target | Frequency |
|---|---|---|
| FIPA breach notification readiness | Tabletop completed | Annual |
| FDBR consumer rights response (if applicable) | Within statutory deadlines | Quarterly |
| FDUTPA marketing review completion | All material campaigns | Ongoing |
| FCRA training completion | 100% of FL employees | Annual |
| Vendor FIPA SLA compliance | 100% | Quarterly |
8. RESOURCES
☐ Privacy/data security resources for FIPA/FDBR
☐ Consumer protection review for FDUTPA
☐ Employment counsel for FCRA
☐ External FL regulatory counsel
9. REVIEW AND APPROVAL
Review annually or upon material Florida regulatory change.
10. ANNEXES
Annex A: FIPA Breach Notification Checklist
☐ Breach determination made (date: [__/__/____])
☐ 30-day notification clock starts (Fla. Stat. § 501.171(3))
☐ Affected individuals identified by Florida residency
☐ Notification content prepared per § 501.171(4)(e):
- Date or estimated date of breach
- Description of personal information compromised
- Contact information for the entity providing notice
☐ If >500 FL residents: FL Dept. of Legal Affairs notified (§ 501.171(3))
☐ If >1,000 FL residents: consumer reporting agencies notified (§ 501.171(6))
☐ Substitute notice procedures (if direct notice not feasible) (§ 501.171(4)(f)):
- Email notice (if email address available)
- Conspicuous posting on entity's website
- Notification to statewide media
☐ Records retained for AG inspection
☐ Third-party vendors notified of breach responsibilities
☐ Documentation of all notification efforts and timelines preserved
Annex B: FDBR Consumer Rights Compliance Checklist
☐ Privacy notice updated to include FDBR disclosures (if applicable)
☐ Consumer rights request intake mechanism operational
☐ Processes for the following rights verified:
- Right to confirm processing and access personal data
- Right to correct inaccurate personal data
- Right to delete personal data
- Right to obtain copy in portable format
- Right to opt out of targeted advertising
- Right to opt out of sale of personal data
- Right to opt out of profiling for decisions with legal/significant effects
☐ Response timeline: 45 days (extendable by 45 days with notice)
☐ Universal opt-out mechanism recognized and operational (§ 501.711(5))
☐ Sensitive data consent mechanisms in place (§ 501.711(2))
☐ Data protection assessments completed for high-risk processing (§ 501.715)
☐ Vendor/processor agreements updated with FDBR terms
Annex C: FDUTPA Compliance Checklist
☐ Marketing materials reviewed for deceptive or unfair claims
☐ Pricing disclosures accurate and complete
☐ Product/service descriptions truthful and substantiated
☐ Refund and return policies clearly disclosed
☐ Advertising claims supported by documentation
☐ Customer complaint tracking for FDUTPA-related issues operational
Annex D: Florida Regulatory Calendar
| Date/Period | Event | Responsible |
|---|---|---|
| Ongoing | FIPA breach notification (30-day deadline from determination) | Security / Compliance |
| Ongoing | FDBR consumer rights requests (45-day response) | Privacy |
| Annual | FIPA security measures review | Security |
| Annual | FDBR data protection assessment updates | Privacy |
| Annual | FDUTPA marketing review | Consumer Protection Counsel |
| Annual | FCRA training completion | HR / Employment Counsel |
| Annual | FL regulatory landscape review | Compliance |
SOURCES AND REFERENCES
- FIPA, Fla. Stat. § 501.171
- FDBR, Fla. Stat. § 501.701 et seq. (eff. July 1, 2024)
- FDUTPA, Fla. Stat. § 501.201 et seq.
- FCRA, Fla. Stat. § 760.01 et seq.
- DOJ Evaluation of Corporate Compliance Programs (2023)
- U.S. Sentencing Guidelines § 8B2.1
This template is provided for informational purposes only and does not constitute legal advice. Consult qualified legal counsel before use.
Last updated: April 2026