SB 255-FN is a comprehensive bill that introduces a new chapter in the law to establish a consumer expectation of privacy, defining key terms related to personal data and outlining the scope of application to businesses based on their data processing activities. It exempts certain entities and types of information, such as those covered by HIPAA, and grants consumers rights to access, correct, delete, and obtain copies of their personal data, as well as to opt-out of certain data processing activities. The bill also mandates controllers to provide privacy notices, limit data collection, implement security practices, and allow consumers to revoke consent. Additionally, it allows consumers to designate an authorized agent to exercise their rights and sets requirements for controllers to respond to consumer requests, including the possibility of charging a fee for excessive or repetitive requests.

The bill further details the responsibilities of controllers and processors, including the establishment of secure methods for consumers to opt-out of targeted advertising or the sale of their personal data, and the requirement for controllers to conduct data protection assessments for high-risk processing activities. It also addresses the handling of de-identified data, ensuring it cannot be re-identified, and outlines various obligations and exemptions for controllers and processors in compliance with legal requirements and protection of rights. The attorney general is granted exclusive authority to enforce the chapter, with the ability to issue a notice of violation and allow a 60-day cure period before taking action. The bill emphasizes that violations are considered unfair competition or deceptive practices and will be enforced by the attorney general, without providing a private right of action. The bill is set to take effect on January 1, 2025.