The bill SB 255-FN introduces a comprehensive framework for consumer privacy rights, focusing on the processing of personal data by businesses. It applies to entities that control or process significant amounts of consumer data and exempts certain organizations, such as nonprofits and financial institutions covered by other privacy regulations. The bill grants consumers various rights, including the ability to access, correct, delete, and obtain a portable copy of their data, as well as to opt-out of targeted advertising, the sale of personal data, and profiling for automated decisions. Controllers must respond to consumer requests within a specified timeframe and establish an appeal process for denied requests. Special considerations are given to the data of children and individuals under guardianship.

The bill also outlines the obligations of data controllers and processors, requiring them to provide clear privacy notices, limit data collection, obtain consent for sensitive data, and maintain data security practices. Controllers must comply with requests from authorized agents, provide mechanisms for consumers to revoke consent, and refrain from processing data for discriminatory purposes. Processors are tasked with following controllers' instructions and assisting in fulfilling consumer rights requests. The bill mandates data protection assessments for certain high-risk processing activities and sets forth rules for handling de-identified and pseudonymous data. Enforcement is exclusively through the attorney general, with a cure period for violations before legal action is taken. The bill is scheduled to take effect on January 1, 2025, and does not indicate specific insertions or deletions from existing law.