Exempts 501(c)(3) nonprofits from data privacy law; applies to entities that control or process the personal data of at least 100,000 consumers, excluding data used solely to complete payment transactions; applies to entities that control or process the personal data of at least 25,000 consumers and derive more than 25 percent of their revenue from the sale of personal data; exempts certain research, health care, and commercial uses of information and data; establishes consumer rights to access their data, correct inaccuracies, delete personal data, and obtain copies of personal data processed by a controller; restricts the use of children's data; requires processors and controllers to retain certain records; establishes opt-out, appeal, and complaint procedures; requires processors and controllers to maintain data security, and to provide consumers with notice of privacy practices; establishes duties of processors and regulates contracts between data controllers and processors; requires data controllers to conduct and document periodic data protection assessments, and allows the Attorney General to use the reports to assess compliance; sets rules for de-identified and pseudonymous data; enumerates permitted data uses by controllers and processors; provides for a notice of violations and opportunity to cure, with penalties for failure to cure violations after 60 days; clarifies that there is no private right of action under the Act; protects privacy of consumer health data; prohibits using a geofence to determine when consumers are near a health care facility.