SB 2500 Summary

• Establishes the Mississippi Consumer Data Protection Act requiring businesses processing personal data of 100,000+ Mississippi residents (or 25,000+ residents deriving 50%+ revenue from data sales) to implement data security practices and provide privacy notices.

• Grants consumers rights to access, delete, and obtain portable copies of their personal data, and to opt out of personal data sales, with controllers required to respond within 90 days and establish appeal processes for denied requests.

• Prohibits controllers from processing sensitive data (racial origin, health information, biometric data, children's data, precise geolocation) without clear notice and opt-out opportunity, and prohibits discrimination against consumers exercising these rights.

• Exempts financial institutions, HIPAA-covered entities, nonprofits, higher education institutions, and data subject to federal regulations (Fair Credit Reporting Act, FERPA, COPPA, etc.) from the act's requirements.

• Grants exclusive enforcement authority to the Attorney General, who must provide 90 days' notice before taking action and may seek injunctions and civil penalties up to $7,500 per violation; prohibits private right of action.