RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 17, 2026

Florida Digital Bill of Rights AI Compliance 2026: Does It Apply to You?

Florida's Digital Bill of Rights carries a $1 billion global revenue floor — the highest of any state privacy law — plus a second gate that narrows scope to ad-sales giants, smart speaker operators, large app stores, and search engines. Most AI companies are out of scope. The ones close to that threshold need to check the details carefully.

$1 Billion Floor
Highest revenue threshold of any state privacy law
4 Alternate Triggers
Ad sales, smart speakers, app stores, or search engines
AI Disclosure Duty
Required only for companies that clear both gates

Two Gates, Not One

FDBR uses a structure most other state privacy laws don't: a business has to clear a revenue gate and a business-model gate before any consumer rights or AI disclosure obligations apply. The revenue gate is $1 billion in global gross annual revenue — roughly ten times the size of company that CCPA reaches, and with no consumer-count alternative path the way most other state laws offer.

Clearing the revenue gate isn't enough on its own. A business must also satisfy at least one of four business-model triggers: deriving 50% or more of global gross revenue from online advertising sales, operating a smart speaker or voice assistant service, operating an app store with at least 250,000 available applications, or operating a search engine. In practice, this combination reaches a short list of platform-scale technology companies rather than the AI SaaS market broadly.

Who Actually Falls In Scope

Large ad-tech and adtech-adjacent platforms

Companies at billion-dollar scale that derive most of their revenue from selling online advertising, including ad-serving businesses with AI-driven targeting.

Smart speaker and voice assistant operators

Businesses operating consumer-facing smart speaker hardware or voice assistant software integrated with cloud AI processing.

Large app store operators

Platforms distributing at least 250,000 distinct consumer applications — a bar that excludes nearly all niche or vertical app marketplaces.

Search engine operators

Businesses operating a consumer search engine at billion-dollar revenue scale, including AI-powered search and answer engines that meet the revenue floor.

The AI Disclosure Obligation, If You're In Scope

Covered businesses must disclose, in a reasonably accessible way, whether personal data is processed through an algorithm or AI system that makes decisions producing legal or similarly significant effects on the consumer — the same "legal or similarly significant effects" language used across most state privacy laws for profiling. FDBR also gives consumers rights to access, correct, delete, and port personal data, plus opt-outs for sale, targeted advertising, and profiling — but every one of those rights is gated behind the same $1 billion-plus-trigger scope test. A mid-market AI SaaS company generally never reaches the point where these rights apply.

FDBR Scope Checklist for AI Companies

1. Revenue Gate
  • Calculate global gross annual revenue, not just Florida or US revenue
  • Confirm whether $1 billion is realistically on the roadmap before investing in FDBR-specific compliance
  • Re-check annually if your company is approaching billion-dollar scale through growth or acquisition
2. Business-Model Gate
  • Check whether 50%+ of revenue comes from online ad sales
  • Check whether you operate a smart speaker/voice assistant, a 250,000+ app app store, or a search engine
  • Document why your business model doesn't meet any of the four triggers if you're excluding FDBR from your compliance program
3. If You Clear Both Gates
  • Build the AI/algorithm disclosure into your privacy notice
  • Build opt-out flows for sale, targeted advertising, and profiling
  • Support access, correction, deletion, and portability requests
4. If You Don't Clear Both Gates
  • Don't skip Florida entirely — check FDUTPA exposure for AI marketing claims
  • Check whether your Florida user base triggers a lower-threshold state law elsewhere in your footprint
  • Revisit this determination if your revenue model shifts toward advertising, search, or platform distribution

See where your AI product is exposed

RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.

Scan Your Product for Free →

Frequently Asked Questions

Why is Florida's threshold so much higher than every other state's?

FDBR was drafted with a narrower target than most comprehensive state privacy laws — legislators framed it around the largest technology platforms rather than the broader business population that laws like CCPA or VCDPA reach. The $1 billion floor combined with the four alternate triggers was a deliberate design choice to limit scope to platform-scale companies.

Could a fast-growing AI company ever become subject to FDBR?

Only if it both crosses $1 billion in global gross annual revenue and independently satisfies one of the four business-model triggers. An AI company generating that much revenue purely from software subscriptions, without meeting the ad-sales, smart-speaker, app-store, or search-engine test, would still fall outside FDBR's scope regardless of size.

Should out-of-scope AI companies still track FDBR?

It's worth monitoring if you're a platform partner or downstream vendor to a company that is in scope, since covered businesses may push AI disclosure and data-handling requirements down through vendor contracts even when the vendor itself doesn't independently meet FDBR's thresholds.

Related Guides