Pennsylvania: Consumer data privacy bill laid before House of Representatives

On November 15, 2023, the Pennsylvania General Assembly reported that House Bill 1201 for An Act providing consumer data privacy, for duties of controllers and for duties of processors; and imposing penalties was amended by the Committee on Commerce of the Pennsylvania House of Representatives, after it had been laid before the House on May 19, 2023 and referred to the Committee on Commerce on the same date. In the House, there was a unanimous vote from the majority and minority leaders of the Committee on Commerce to report the bill to the General Assembly.

Scope

The bill applies to legal entities that do business within Pennsylvania, determine the purpose and means of processing consumer personal information, and:

  • have an annual gross revenue of more than $10 million; 
  • buy or receive personal information of at least 50,000 consumers for commercial purposes; or 
  • derive at least 50% of annual revenue from the sale of consumer personal information. 

The bill would also apply to an entity that controls a different legal entity that meets the standards outlined above. The bill, as amended, defines personal data to include any information that can be reasonably linked to an identifiable individual. Personal data does not include data that is publicly identified or converted to a mathematical representation.

Data subject rights

Under the bill, a consumer is granted the right to:  

  • confirm the processing of their data, unless doing so would reveal trade secrets; 

  • correct inaccuracies of personal data; 

  • delete personal data; 

  • obtain copies of personal data processed in a portable, readily usable, and transferable format; and 

  • opt out of processing for targeted advertising, sale of personal data, or profiling with automated means.

Controllers are required to comply with consumer requests no later than 45 days after receipt, which can be extended by an additional 45 days when reasonably necessary.  

Obligations

The bill establishes data processing principles and introduces vendor management requirements as well as an obligation to conduct Data Protection Impact Assessments (DPIAs) in certain circumstances. Regarding sensitive data, the bill confirms such data should not be processed without the consumer's consent or parental consent in the case of a minor. 

Controllers must also provide an effective mechanism for the revocation of consumer consent which is no more difficult than the method through which consent was provided. Once a request to stop processing is received, the controller must stop processing the personal data within 15 days.

In relation to disclosure, a privacy notice must be provided to consumers which includes, among other things, information regarding the sharing of personal data with third parties and the purpose of data processing. The privacy notice also requires the controller to provide an active email address or other online mechanisms that the consumer can use to contact the controller. 

Enforcement

The Pennsylvania Attorney General (AG) has the exclusive power to enforce the bill and there is no private right of action currently provided. A 60-day cure period is provided for violations of the bill.

If enacted, the bill would take effect in six months. 

You can read the bill here and track its progress here.

Update: December 14, 2023

Bill amended on second consideration in House

On December 13, 2023, the bill was amended on second consideration and it was recommitted, on the same date, to the Committee of Appropriations. The amendments introduce a minor linguistic clarification concerning the definition of controller under the bill.

You can read the bill as amended here and track its progress here.

Update: March 19, 2024

Bill passed on third consideration in House

On March 18, 2024, the bill was passed by the House of Representatives on third consideration.

You can read the bill as passed here and track its progress here.

Update: April 5, 2024

Bill referred to Senate Committee

On March 18, 2024, the bill was referred to the Senate Communications and Technology Committee.

You can read the bill here and track its progress here.
