A new data protection and privacy bill (HB 1126) was recently introduced in Pennsylvania. Although not as robust as the California Consumer Privacy Act (CCPA), the proposed Consumer Data Privacy Act (the Act) would similarly give consumers in Pennsylvania more control over their personal information. It would also impose a series of requirements on covered businesses and create a private right of action following a 30-day cure period. If approved, the Act would go into effect immediately.

To whom would it apply?

The Act would apply to for-profit businesses that:

• Do business in Pennsylvania;
• Collect, sell, or share consumers' personal information;
• Alone, or jointly with others, determine the purposes and means of processing consumers' personal information; and
• Meet at least one of the following thresholds:

1. Have an annual gross revenue of at least $10 million;
2. Annually buys, sells, or shares, alone or in combination, the personal information of 50,000 consumers, households, or devices; or
3. Derives 50% of its annual revenues from the sale of consumers' personal information.

What types of information would it cover?

Under the Act, personal information would include:

• Identifiers
  • Real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license number, or passport number, or other similar identifiers
• Characteristics of protected classifications under state or federal law
• Commercial information
  • Personal property records, and products or services purchased, obtained, or considered
• Biometric information
• Internet activity
• Geolocation data
• Audio, electronic, visual, thermal, olfactory, or similar information
• Professional or employment-related information
• Certain education information
• Inferences drawn from other personal information to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities, and aptitudes

The following publicly available information would not be considered personal information:

• Information that is lawfully made available from Federal, State, or local government records, as restricted by any conditions associated with the information
• Biometric information collected by a business about a consumer without the consumer's knowledge or consumer information that is de-identified or aggregate consumer information

However, to maintain the "publicly available" meaning, the information could not be used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.

What rights would it create?

The Act would create various consumer rights, including the right to:

• Know what personal information is being collected about the consumer;
• Know whether the consumer's personal information is sold or disclosed and to whom;
• Request to delete personal information;
• Decline or opt-out of the sale of the consumer's personal information;
• Access the consumer's personal information that has been collected; and
• Equal service and price, even if a consumer exercises any of its rights.

What obligations would it impose?

Upon request from a consumer, the Act would require a business that collects personal information about a consumer to disclose the:

• Categories of personal information collected;

• Categories of sources from which the personal information is collected;
• Business or commercial purpose for collecting or selling personal information;
• Categories of third parties with whom the business shares personal information; and
• Specific pieces of personal information the business has collected about the consumer.

Upon request from a consumer, a business that sells or discloses the personal information of consumers will be required to disclose the:

• Categories of personal information collected;
• Categories of personal information sold and the categories of third parties to whom the information was sold; and
• Categories of personal information that the business disclosed about the consumer for business purposes.

A business that sells the personal information of consumers must notify them that their personal information may be sold and give them the option to opt-out of a sale. Relatedly, a third-party who purchases consumers' personal information may not sell that information unless consumers have been provided with notice that their personal information may be sold and have been given the option of opting out of a sale.

To comply with its notice obligations, a business that collects or sells the personal information of consumers must provide two or more methods for consumers to submit requests, including, at a minimum, a toll-free telephone number and website address if the business maintains a publicly accessible website. If the business maintains a website, it must provide:

• A "clear and conspicuous" link on the website, title "Do Not Sell My Personal Information," that enables a consumer to opt-out of the sale of the consumer's personal information; and
• A description of a consumer's rights.

A business that collects personal information must notify consumers of their right to request deletion. Upon request from a consumer, a business must delete the personal information of the consumer that it has collected.

In addition, a business must ensure that all employees who handle consumer inquiries about the business's privacy practices know how to direct a consumer to exercise their rights.

Like other similar legislation, the Act does not restrict a business's ability to:

• Comply with Federal, State, or local laws.

• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by Federal, State, or local authorities.
• Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate Federal, State, or local laws.
• Exercise or defend legal claims.
• Collect, use, retain, sell or disclose consumer information that is de-identified or in the aggregate consumer information.
• Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of Pennsylvania.

How would it be enforced?

The Attorney General's Office would enforce the Act. A business violates the Act if it fails to cure an alleged violation within 30 days after being notified of the violation. A violation may result in a civil penalty of up to $7,500 per violation.

The Act also creates a private right of action for violations that result in unauthorized access and exfiltration, theft, or disclosure of a consumer's nonencrypted or nonredacted personal information. The consumer must provide a 30 day notice setting forth the specific provision(s) of the Act allegedly violated. If the business fails to cure, money damages—totaling no more than $750 or actual damages per consumer—may be recovered, injunctive relief, or any other relief the court deems appropriate.

Where does it stand?

The Act was introduced to the House on April 7, 2021. It was subsequently referred to the Committee on Consumer Affairs.