Florida enters the privacy chat: Why Roku should be a wake-up call

On 13 Oct., Florida Attorney General James Uthmeier announced that his Office of Parental Rights filed a civil enforcement action against Roku and its Florida subsidiary for violations of the Florida Digital Bill of Rights. According to the complaint, Roku used unfair, deceptive and unconscionable business practices to “build a vast and lucrative Florida user base that includes vulnerable children.” 

The lawsuit follows a similar suit filed in April from the Michigan attorney general’s office that Roku’s collection of children’s data allegedly violated the Children’s Online Privacy Protection Act along with a handful of other allegations, including one under the Video Privacy Protection Act. Roku filed a motion to dismiss in that case, and a hearing is scheduled for 19 Nov.

A narrow law, interpreted broadly

The Florida Digital Bill of Rights is often excluded from lists of "comprehensive" consumer privacy laws. Most of the law’s operative provisions are extremely narrow in application due to multiple high thresholds of applicability, including a revenue threshold of USD1 billion dollars — Roku’s operating revenue in 2024 was USD3.4 billion.

Nevertheless, when companies do fall within scope of the law, Florida includes notable operational requirements that set it apart from the 19 states with similar laws. As some of these unique features are apparent in the Florida attorney general’s complaint against Roku — including rules for teens’ personal data with an expansive knowledge standard — the case should serve as a wake-up call for companies that may be operating near the edge of applicability of the Florida Digital Bill of Rights.