The bill SB 255-FN introduces a comprehensive framework for consumer privacy rights, focusing on the processing and handling of personal data by businesses. It defines key terms such as "personal data," "consumer," "controller," and "processor," and sets out the rights of consumers, including the right to access, correct, delete, and obtain a portable copy of their data, as well as to opt out of targeted advertising, the sale of personal data, or profiling. The bill applies to entities that control or process significant amounts of personal data and derive a substantial portion of their revenue from selling personal data, with certain exemptions for state bodies, nonprofits, financial institutions, and health-related information covered by HIPAA. Controllers must respond to consumer requests within 45 days and provide an appeal process, while consumers can designate an authorized agent to act on their behalf.
The bill also details the obligations of data controllers and processors, such as disclosing data sharing practices, establishing secure methods for consumers to exercise their rights, and complying with opt-out preference signals by January 1, 2025. Processors must follow controllers' instructions and help them meet their obligations, including data security and responding to consumer rights requests. Controllers must conduct data protection assessments for processing activities that pose a heightened risk of harm and ensure that de-identified data cannot be associated with individuals. Enforcement of the bill is exclusively under the authority of the attorney general, with no private rights of action allowed. The effective date of the act is January 1, 2025, and where regulations conflict, it prioritizes compliance with the law offering greater privacy protection.