Florida AG Targets Roku Over Consent Failures as EDPB Announces 2026 Transparency Enforcement Focus
October 21, 2025

Florida’s Attorney General has filed a civil enforcement action against Roku under the Florida Digital Bill of Rights and the state’s Deceptive and Unfair Trade Practices Act, alleging the streaming platform failed to obtain proper consent for processing sensitive data and failed to prevent third parties from re-identifying user information.
Meanwhile, the European Data Protection Board announced that transparency and information obligations under Articles 12, 13, and 14 of the GDPR will be the focus of its 2026 coordinated enforcement action.
Learn more about these two developments, along with my takeaways.
United States
Florida AG Takes Action Against Roku Over Consent and Transparency Failures
The Florida Office of Parental Rights, a division of the Florida Attorney General’s Office, filed a civil enforcement action against Roku under the Florida Digital Bill of Rights (FDBR) and the Florida Deceptive and Unfair Trade Practices Act (FDUTPA).
The action is based on allegations that Roku failed to obtain consent (or parental consent, as applicable) for, and failed to properly disclose, the processing and sale of sensitive data. The action also alleges that Roku failed to take reasonable measures to prevent third-party advertisers and data brokers from re-identifying data. The complaint calls for civil penalties up to $160,000 per violation (i.e., per each violating act with respect to each Roku user), plus attorneys’ fees.
TAKEAWAY
This case serves as a stark reminder of the notable nuances within the FDBR and FDUTPA that distinguish them from laws in other states.
First, controllers that sell sensitive data must include specific language in their privacy notices: “NOTICE: This website may sell your sensitive personal data.” The complaint alleges Roku did not do this, despite allegedly selling precise geolocation information and other sensitive information to third parties.
Second, FDBR creates certain exceptions for deidentified data, pseudonymous data or aggregate consumer information but requires that controllers disclosing such information take certain measures to protect it from reidentification. In this case, Roku allegedly shared de-identified data with third parties who subsequently used other data sources to associate the data with individuals. Roku’s failure to take reasonable measures to ensure that the data couldn’t be associated with an individual and to contractually obligate any recipient of the deidentified data to do the same was considered a violation of the FDBR.
Third, the children’s privacy restrictions under the FDBR apply when the controller has actual knowledge of, or willfully disregards, the child’s age. This knowledge threshold is common in other state laws. Florida, however, goes a step further to state that “a controller willfully disregards a consumer’s age if, based on readily available facts or circumstances, the controller should reasonably have questioned whether a consumer was a child and thereafter failed to perform reasonable age verification.” Under that standard, the complaint in this case alleges that Roku willfully disregarded that Florida users of the platform were under age 18 when those users downloaded or viewed apps or content from the “Kids & Family” sections of Roku’s Streaming and Channel Stores, or when Roku delivered targeted advertisements and content recommendations for child-directed content to such users based on a history of viewing “Kids & Family” content.
Finally, the FDBR and FDUTPA are tied together for enforcement purposes, making a violation of the FDBR a per se violation of the FDUTPA. The complaint against Roku therefore seeks damages under both FDBR and FDUTPA based on the same violations.
EDPB Picks Transparency as its Topic for Coordinated Enforcement in 2026
The European Data Protection Board (EDPB) announced its fifth coordinated enforcement action topic: “compliance with the obligations of transparency and information under the General Data Protection Regulation (GDPR)”.
The announcement cites Articles 12, 13, and 14 of the GDPR, which govern disclosure obligations concerning data subject requests, disclosure at the time of collection, and disclosure in circumstances where personal data is not obtained directly from the data subject.
TAKEAWAY
Coordinated enforcement actions are conducted under the Coordinated Enforcement Framework, adopted in 2020. The Framework’s goal is to facilitate annual coordinated action focused on a pre-defined topic, which Supervisory Authorities (SAs) may pursue using a pre-defined methodology.
After the EDPB selects a topic, participating SAs will determine the scope of their national execution of the action and carry it out over the course of a year. All national findings are consolidated in an EDPB-level report, which may include recommendations for follow-up action, such as enforcement or EDPB guidance. Past topics included the public sector’s use of cloud-based services, the designation and position of Data Protection Officers, controllers’ implementation of the right of access, and the right to erasure or the “right to be forgotten.” The action regarding access, as an example, resulted in 30 DPAs across Europe launching coordinated investigations into controllers’ compliance with the right of access.
These investigations included opening formal investigations, assessing whether a formal investigation was warranted, and carrying out fact-finding exercises. The combined activity on that topic involved a total of 1,185 controllers.
A LITTLE MORE PRIVACY, IF YOU PLEASE
- Dutch DPA Fines Experian 2.7M Euros for Privacy Violations
- European Commission’s digital omnibus package: The end of consent fatigue?
- The next chapter of data privacy: a live discussion with Max Schrems
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.