SB 255-FN is a bill that establishes a new chapter in the law to protect consumer privacy. The bill defines terms related to personal data and establishes consumer rights, such as the right to access and correct personal data, delete personal data, and opt-out of certain processing. The bill also outlines the responsibilities of controllers and processors in handling personal data, including data protection assessments and security measures. The attorney general is granted exclusive authority to enforce violations of the law.

The bill also addresses the handling of de-identified data, stating that controllers must take measures to ensure it cannot be re-identified and must publicly commit to using it without attempting to re-identify it. The bill establishes requirements for the processing of personal data, including that it must be reasonably necessary and proportionate to the purposes listed in the bill and that reasonable measures must be taken to protect the data.

The bill grants the attorney general the authority to enforce violations of the law and requires a notice of violation to be issued before taking action. Violations under this chapter are considered unfair methods of competition or unfair or deceptive acts or practices. The bill does not provide a private right of action for violations. The bill will take effect on January 1, 2025.