To date, there is no comprehensive Pennsylvania privacy law in effect.
A Pennsylvania consumer data privacy act has been introduced in the state legislature this year. Known as HB 708, the Pennsylvania privacy act was introduced by lawmakers Kenyatta, Shusterman, Kinsey, Madden, Galloway, Sanchez, Rabb, Samuelson, Hill-Evans, Parker, Fleming, and Neilson earlier this year. On March 27, 2023, the bill was referred to the Committee on Commerce.
The proposed Pennsylvania privacy law was established as an act providing for the protection of certain personal data of consumers; imposing duties on controllers and processors of personal data of consumers; providing for enforcement; prescribing penalties; and establishing the Consumer Privacy Fund. We’ll outline and explain some of these points below.
Key Takeaways of the Bill
Applies to persons that conduct business in Pennsylvania, produce goods, products or services that are sold or offered for sale to Pennsylvania residents, and control or process personal data of either:
- at least 100,000 consumers during a calendar year or
- at least 25,000 consumers during a calendar year and derive more than fifty percent of gross revenue from the sale of personal data.
Exempts various entities and information types, including state government entities:
- financial institutions and data subject to GLBA
- covered entities, business associates, and protected health information governed by HIPAA
- nonprofit organizations; institutions of higher education; information governed by the Fair Credit Reporting Act
- information governed by the Driver’s Privacy Protection Act
- personal data governed by the Family Educational Rights and Privacy Act (FERPA)
- personal data governed by the Farm Credit Act
- personal data collected in relation to employment
- a controller that complies with the Children’s Online Privacy Protection Act (COPPA) is deemed in compliance with obligations under this Act.
- the right to confirm whether a controller is processing personal data and to access that data
- the right to delete personal data and correct inaccuracies
- the right to obtain a portable copy of the consumer’s personal data
- the right to opt out of processing for the purposes of targeted advertising or the sale of personal data
Privacy By Design
Incorporates privacy by design principles, including purpose limitation and reasonable security measures.
- Requires that controllers obtain consumer written consent before processing sensitive data, which includes biometric data.
- Requires that controllers provide meaningful notice which includes providing consumers with a description of the categories of personal information being processed; a purpose for processing; the methods by which a consumer may exercise their rights; categories of data shared with third parties and which third parties receive shared information; and disclosure of sale and targeted advertising practices.
- Requires controllers to conduct a data protection assessment on processing activities that present a heightened risk of harm to consumers, beginning on January 1, 2024. The state AG may request any data protection assessments, but they must be kept confidential and are exempt from public inspection.
- Does not create a private right of action. Violations are only enforceable by the Pennsylvania AG’s office.
- Imposes civil penalties of up to $7,500 for each violation. The AG may recover reasonable expenses incurred in investigating and preparing the case, including attorneys’ fees.
- Creates a thirty-day cure period after the AG provides written notice. If the entity cures the violation and provides AG express written statement, no action for statutory damages will be initiated.
Consumer Privacy Fund
- Establishes a Consumer Privacy Fund in the state treasury, into which civil penalties collected under the Act will be deposited.
- Would go into effect on January 1, 2024, or in 18 months, whichever is later.