Data Protection Impact Assessment (DPIA) (FL)

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: FL)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (FDBR): ☐ Racial/ethnic origin; ☐ Religious beliefs; ☐ Mental/physical health diagnosis; ☐ Sexual orientation; ☐ Citizenship/immigration; ☐ Genetic/biometric; ☐ Child (known); ☐ Precise geolocation. Consent required for processing sensitive data. Sale of sensitive data requires consent + required notice: "NOTICE: This website may sell your sensitive personal data."
  • Volume and retention: [records/year], [retention schedule and deletion triggers].
  • Processing: [collection, storage, analysis, sale, targeted advertising, profiling]. "Sale" = exchange for monetary/other consideration; "Targeted advertising" = ads based on consumer activities; "Profiling" = automated processing.

3. Legal Basis, Notices, and Rights

  • Primary law: Florida Digital Bill of Rights (FDBR), effective July 1, 2024. Signed May 6, 2023.
  • HIGHEST REVENUE THRESHOLD: $1 BILLION+ global annual revenue AND meets one of: (1) ≥50% revenue from online ads; OR (2) operates consumer smart speaker with cloud assistant; OR (3) operates app store/platform with ≥250,000 apps. Targets tech giants only (TikTok, Google, etc.). <6,000 FL businesses qualify (est.).
  • Exemptions: State government, nonprofits, HIPAA, higher ed, utilities, GLBA.
  • Rights: Access, correct, delete, portability, confirm processing, opt-out of targeted ads/sale/profiling/sensitive data collection, opt-out of voice recognition/facial recognition collection (unique). Response: 45 days.
  • Consent required for processing sensitive data. Sale of sensitive data requires consent + notice "NOTICE: This website may sell your sensitive personal data."
  • 45-day discretionary cure period (Department of Legal Affairs).
  • DPA (data protection assessment) required for targeted ads, sales, sensitive data, certain profiling (FDBR §501.713). Document the assessment.
  • Processor contracts: Must include instructions, purpose, data types, duration, processor obligations (confidentiality, deletion/return, compliance info, assessment support) per FDBR §501.712.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: encryption in transit/at rest [specify], key management, network segmentation, endpoint protections, logging/monitoring, DLP, backups, vulnerability management.
  • Organizational controls: policies, training cadence, vendor due diligence, incident response playbook, change management.
  • Authentication/authorization: [MFA/SAML/SSO]; session timeouts; privileged access review cadence.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • POWR/State-specific equal employment or anti-discrimination considerations (if applicable): [insert].

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Statute: Fla. Stat. § 501.171 (Florida Information Protection Act - FIPA); effective July 1, 2014; amended to include health data, tightened deadlines, and state regulator notice.
  • Timeline: 30 days max after determination of breach (or reason to believe breach occurred). +15 days extension available if good cause provided in writing to Department within 30 days. Third-party agents: 10 days to notify covered entity.
  • Department of Legal Affairs notice: Required if 500+ residents affected (written notice within timelines).
  • Triggers: Unauthorized access to electronic data containing PI. PI = first name (or initial) + last name + (SSN, DL, financial account, medical info, health insurance, username/password, etc.).
  • Exception: No notice if it is reasonably determined that the breach has not resulted and will not likely result in identity theft/financial harm (document the determination in writing, retain for 5 years, and provide it to the Department within 30 days). Good-faith employee access that is not further used. Law enforcement delay permitted.
  • Penalties: Up to $500,000 per breach (not per individual). $1,000/day up to 30 days; $50,000 per 30-day period up to 180 days; max $500,000 if >180 days.
  • NO private right of action.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [plan].

9. State Overlay Checklist (FL)

  • Applicability: $1 BILLION+ global annual revenue AND: (1) ≥50% revenue from online ads; OR (2) operates consumer smart speaker with cloud assistant; OR (3) operates app store/platform with ≥250,000 apps. Narrowest scope in US - targets tech giants only. <6,000 FL businesses qualify (est.). Exemptions: State government, nonprofits, HIPAA, higher ed, utilities, GLBA.
  • Sensitive data: 8 categories requiring consent for processing: racial/ethnic origin, religious beliefs, health diagnosis, sexual orientation, citizenship/immigration, genetic/biometric, known child, precise geolocation. Sale of sensitive data requires consent + required notice "NOTICE: This website may sell your sensitive personal data."
  • Consumer rights: Access, correct, delete, portability, confirm processing, opt-out of targeted ads/sale/profiling/sensitive data collection, opt-out of voice/facial recognition collection (unique right). Response: 45 days.
  • Opt-out: Sale, targeted advertising, profiling, sensitive data collection, voice/facial recognition (unique).
  • Processor contracts: Must include instructions, purpose, data types, duration, processor obligations (confidentiality, deletion/return, compliance info available, assessment support) per FDBR §501.712.
  • DPA (data protection assessment) triggers: Required for targeted ads, sales, sensitive data processing, certain profiling. Document the assessment (FDBR §501.713).
  • Security: Reasonable safeguards appropriate to data sensitivity.
  • Breach notice: 30 days max (+15 days extension with good cause). Third-party agents: 10 days. Department of Legal Affairs if 500+. Exception if no identity theft/financial harm (document 5 years, notify Department within 30 days). Penalties up to $500,000 per breach ($1K/day to 30d; $50K/30d to 180d; $500K if >180d). NO private action.
  • Children: Known child data is sensitive (consent before sale). COPPA compliance.
  • Non-discrimination: Standard non-discrimination provisions.
  • Recordkeeping: 45-day discretionary cure period (Department of Legal Affairs). Department of Legal Affairs enforcement. NO private right of action under FDBR or breach law.

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and DPAs/SCCs.
  • Legitimate interests assessment or risk assessment (if applicable).
  • Testing summaries and pen test reports (if applicable).
  • State-specific notices/links and breach templates.