Pennsylvania - Sectoral Privacy Overview

September 2022

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION

1.1. Overview

Like many US jurisdictions, Pennsylvania information privacy and security guidance is a patchwork and continues to evolve. Pennsylvania constitutional and common law rights in informational privacy are well developed by a deep bedrock of case law. The Supreme Court of Pennsylvania ('the PA Supreme Court') has recognised a common law duty of reasonable care for the protection of personal data in a landmark decision that promises further expansion into rights of data security. Statutes prohibiting unlawful wiretapping and identity theft provide both criminal and civil causes of action. The state's consumer protection law, the Unfair Trade Practices and Consumer Protection Law ('the Unfair Trade Practices Law') (under §201-1 et seq. of Chapter 4 of Title 73 of the Unconsolidated Pennsylvania Statutes ('Pa. Stat.')), has provided the Pennsylvania Attorney General ('AG') the authority to commence enforcement actions against companies sustaining large data breaches due to inadequate cybersecurity practices. The statute also creates a private cause of action with a fee-shifting component, although to date, plaintiffs' attorneys have been unsuccessful in maintaining a data breach class action under the statute.

1.2. Constitutional Right to Privacy

The Constitution of the Commonwealth of Pennsylvania ('the Pennsylvania Constitution') grants individuals limited rights against state and local governments in Pennsylvania. The right to privacy is a keystone provision. Article I, §8 of the Pennsylvania Constitution provides protection against unreasonable searches and seizures. It states: 'The people shall be secure in their persons, houses, papers and possessions from unreasonable searches and seizures, and no warrant to search any place or to seize any person or things shall issue without describing them as nearly as may be, nor without probable cause, supported by oath or affirmation subscribed to by the affiant.'

In 2016, the PA Supreme Court held: '[t]his right of privacy typically arises when the government seeks information related to persons accused of crimes or other malfeasance, and requires an assessment of the extent to which the government's demands invade the bounds of the person's subjective privacy interest, which in turn requires consideration of the extent to which the person's privacy interests are reasonable1.'

When weighing the strength of a citizen's right of privacy against a government search and seizure, Pennsylvania courts require 'a factual examination of whether (1) the person has exhibited an actual (subjective) expectation of privacy in the items to be searched or disclosed, and (2) whether society is prepared to recognize this expectation as reasonable and protectable2.'

Pennsylvania constitutional rights to privacy are not limited to government searches or persons accused of or associated with criminal activity. The PA Supreme Court has stated that the 'right to informational privacy' is a constitutional right and includes the right of an individual to control the access to, or the dissemination of, his or her personal information3. The PA Supreme Court has further stated that Article I, §1 of the Pennsylvania Constitution provides the basis for individual rights to informational privacy. Specifically, the PA Supreme Court has stated that Article I, §1 of the Pennsylvania Constitution provides a 'broader array of rights granted to citizens' than §8 addressing government searches and seizures4. Titled 'Inherent Rights of Mankind', Article I, §1 of the Pennsylvania Constitution states, 'All men are born and equally free and independent, and have certain inherent and indefeasible rights, among which are those of enjoying and defending life and liberty, of acquiring, possessing and protecting property and reputation, and of pursuing their own happiness.' The PA Supreme Court has reasoned that the right to happiness referenced in §1 includes a right to privacy, concluding that, '[o]ne of the pursuits of happiness is privacy5'.

As more recently stated by the PA Supreme Court, '[t]here is no longer any question that the United States Constitution and the Pennsylvania Constitution provide protections for an individual's right to privacy,' including 'the individual's interest in avoiding disclosure of personal matters6.'

The right to informational privacy guaranteed by Article I, §1 of the Pennsylvania Constitution may not be violated by the government 'unless outweighed by a public interest favouring disclosure7.' Pennsylvania's Right-to-Know Law ('RTKL') (under §67.101 et seq. of Chapter 3A of Title 65 of the Pa. Stat.) grants public access to certain governmental records through the use of a Right-to-Know Request ('RTKR'). RTKRs are often filed with the Open Records Officer in the Office of Consumer Advocates, but they may also be directed to the agency or government office that holds the records. §708(b) of the RTKL sets out 30 exceptions under which records are exempt from access through an RTKR. The exceptions are intended to balance an individual's right of privacy with the public's right to know how government agencies conduct business and make decisions on the public's behalf (§67.708 of the RTKL). 'Records in an agency's possession are presumed public unless exempt under an exception in the RTKL, a privilege, or another law.'8 '[T]he RTKL does not supersede the public nature of a record established by statute or regulation.'9

Court records are also subject to RTKRs. Litigants using pseudonyms to protect their privacy may face challenges to their anonymity under the RTKL. In Doe v. Triangle Doughnuts, LLC, the U.S. District Court for the Eastern District of Pennsylvania ('the Eastern District Court') recognised that while the public's 'right to know who is using their courts […] is deeply rooted in the common law and predates even the Constitution', encroachment into a plaintiff's closely guarded privacy may under certain circumstances outweigh the necessity of having a public trial10. Balancing the need for a public trial against the plaintiff's request to remain anonymous as Jane Doe, a transgender female, for purposes of conducting discovery and depositions instead of disclosing her legal name, the court held that 'the public interest for maintaining the confidentiality of the litigant's identity outweighs the need for a public judicial proceeding'. The court concluded that 'because forcing Plaintiff to reveal her identity risks putting her in danger of physical harm […], it is likely that Plaintiff would choose not to continue pursuing her claim […] [and i]t is also likely that other similarly situated litigants would also be deterred from litigating these types of claims for the same reasons.'11

RTKRs also may require careful review and balancing of state privacy rights granted under §67.708 of the RTKL and other applicable statutes such as the Family Educational Rights and Privacy Act of 1974 ('FERPA')12. For instance, in West Chester University of Pa. v. Rodriguez, the Commonwealth Court of Pennsylvania noted in its remand order directed to the Pennsylvania Office of Open Records ('OOR') that, 'to the extent this matter involves direct, third-party interests in nondisclosure of the requested records, it may be appropriate for the OOR to require notice to parties so interested and allow their participation pursuant to §1101(c)(2) of the RTKL'.13

1.3. Common law right to privacy

Pennsylvania also recognises a common law right to privacy that individuals enforce against companies and other individuals by filing causes of action in civil court. The common law invasion of privacy claim comprises four distinct, yet interrelated torts14. Those torts are15:

  • intrusion upon seclusion;
  • appropriation of name or likeness;
  • publicity given to private life; and
  • placing a person in a false light.

Recently, the PA Supreme Court has referenced a general right to privacy in its opinions. In Pennsylvania State Education Association v. Commonwealth of Pennsylvania Dept. of Community and Economic Development, the court held that the public's interest in information dissemination under the state's RTKL did not outweigh the constitutional privacy interests of public school employees and their right to privacy in their own homes16. In its analysis, the PA Supreme Court confirmed that the right to informational privacy in the Pennsylvania Constitution is related to a broad array of rights and confirmed that the Pennsylvania Constitution provides even 'more rigorous and explicit protection for a person's right to privacy than does the United States Constitution.'17

Intrusion upon seclusion

A claim for intrusion upon seclusion may be asserted when '[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person18.' The claim may be based upon a physical intrusion into a place where the plaintiff has secluded himself; the use of the defendant's senses to oversee or overhear the plaintiff's private affairs; or some other form of investigation or examination into plaintiff's private concerns19.

The cause of action cannot survive if the defendant investigated the claimant or otherwise obtained the information through legitimate means. For example, in Burger v. Blair Med. Assocs., the intrusion upon seclusion claim could not stand where the defendant obtained the claimant's medical records through an executed medical release20.

Publicity given to private life

A claim for publicity given to private life may be asserted when '[o]ne who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter published is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public21.' The elements for the claim are22:

  1. publicity, given to;
  2. private facts;
  3. which would be highly offensive to a reasonable person; and
  4. is not of legitimate concern to the public.

The element of 'publicity' requires that 'the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge23.' Notably, the cause of action for publicity given to private life is separate and distinct from a cause of action for breach of physician-patient confidentiality, and is governed by different statutes of limitations24.

False light

A claim for false light involves 'publicity that unreasonably places the other in a false light before the public25.' In a claim for false light, the claimant must show both 'publicity, given to private facts, which would be highly offensive to reasonable person and which are not of legitimate concern to the public26.' A claim for false light 'will be found where a major misrepresentation of a person's character, history, activities or beliefs is made that could reasonably be expected to cause a reasonable man to take serious offense27.'

For the publicity element of a false light claim, '[i]t is enough [for the plaintiff] that the defendant has given publicity to any matter concerning the plaintiff that creates a 'highly offensive' false impression about the plaintiff28.' However, if the matter is of legitimate public concern, a claim for false light will fail and be dismissed29.

Misappropriation of name or likeness

A claim for misappropriation of name or likeness involves instances where a defendant appropriated to his or her own use or benefit the reputation, prestige, social, or commercial standing, public interest, or other values of the claimant's name or likeness30. In Eagle v. Morgan, the Eastern District Court held that an employer's use of a former employee's LinkedIn account constituted invasion of privacy by appropriation of name or likeness31. In addition, the Eastern District Court noted, 'The Restatement (Second) of Torts describes a tortfeasor who has committed an invasion of privacy by appropriation of name or likeness as '[o]ne who appropriates to his own use or benefit the name or likeness of another32.''

To be liable for misappropriation of name or likeness, the defendant must have appropriated to their own use or benefit the reputation, prestige, social or commercial standing, public interest, or other values of the plaintiff's name or likeness. Until the value of the name has in some way been appropriated, there is no tort33. Thus, incidental use without the purpose of taking advantage of the value of the claimant's name or likeness is not misappropriation34. Rather, '[w]hen the publicity is given for the purpose of appropriating to the defendant's benefit the commercial or other values associated with the name or the likeness the right of privacy is invaded35.' Invasion of privacy by appropriation of name or likeness does not require the appropriation to be done commercially36.

Right of publicity

Under Pennsylvania law, the right of publicity is a cause of action separate and distinct from invasion of privacy, and is based on principles of property rights. However, because litigants (and sometimes courts) often confuse the claim with invasion of privacy by misappropriation of name or likeness, this overview touches upon it. Pennsylvania law recognises both a common law and a statutory claim.

The common law right of publicity grants a person an exclusive entitlement to control the commercial value of his or her name or likeness and to prevent others from exploiting it without permission37. A defendant invades this right by 'appropriating its valuable name or likeness, without authorization, [and using] it to the defendant's commercial advantage38.' The right of publicity protects against commercial loss caused by appropriation of a name or likeness, and thus more closely resembles a property right created to protect commercial value39. Consequently, whereas invasion of privacy by appropriation of name or likeness does not require the appropriation to be done for commercial purposes, violation of the right of publicity requires it40.

Pennsylvania law also has a statutory claim for unauthorised use of name or likeness, under §8316 of Subchapter A of Chapter 83 of Title 42 of the Pennsylvania Consolidated Statutes ('Pa. C.S.'). The statute creates a private cause of action, stating that, '[a]ny natural person whose name or likeness has commercial value and is used for any commercial or advertising purpose without the written consent of such natural person or the written consent of any of the parties authorized in subsection (b) may bring an action to enjoin such unauthorized use and to recover damages for any loss or injury sustained by such use' (42 Pa. C.S. §8316(a)). The person whose name has been appropriated, his or her parent or guardian, if a minor, or any person or entity with written license to use the person's likeness for commercial or advertising purposes, may commence a claim under the statute (42 Pa. C.S. §8316(b)). If the person is deceased, any person, firm, or corporation with a proper written license, as detailed in the statute, to the commercial or advertising use of the person's name or likeness, also may bring an action (42 Pa. C.S. §8316(b)).

The statute defines 'name' or 'likeness' as '[a]ny attribute of a natural person that serves to identify that natural person to an ordinary, reasonable viewer or listener, including, but not limited to, name, signature, photograph, image, likeness, voice or a substantially similar imitation of one or more thereof' (42 Pa. C.S. §8316(e)). The statute defines 'commercial or advertising purpose' to include 'the public use or holding out of a natural person's name or likeness: (i) on or in connection with the offering for sale or sale of a product, merchandise, goods, services or businesses; (ii) for the purpose of advertising or promoting products, merchandise, goods or services of a business; or (iii) for the purpose of fundraising' (42 Pa. C.S. §8316(e)). The term does not include the public use of a natural person's name or likeness in a communication when the person appears as a member of the public and the person is not named or otherwise identified; the purpose is associated with a news report or news presentation having public interest; is an expressive work or an original work of fine art; or is associated with the identification of a person as the author of or contributor to a written work, a performer of a recorded performance, where the written work or the performance is lawfully produced, reproduced, exhibited, or broadcast (42 Pa. C.S. §8316(e)).

The statute has a safe harbour for unknowing violations. It provides that '[n]o person, firm or corporation, including their employees and agents, in the business of producing, manufacturing, publishing or disseminating material for commercial or advertising purposes by any communications medium shall be held liable under this section unless they had actual knowledge of the unauthorized use of the name or likeness of a natural person as prohibited by this section' (42 Pa. C.S. §8316(d)).

Common law right to data security

The PA Supreme Court recognised the right in the common law to have one's data kept secure. Dittman v. UPMC held that 'an employer has a legal duty to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an internet-accessible computer system41.' Although the PA Supreme Court rendered the decision in the context of an employer-employee relationship, because it relied upon longstanding principles of common law, many anticipate that the decision will apply to contexts outside the employment relationship. Unlike invasion of privacy claims, this court-recognised cause of action is based solely on underlying tort principles of duty of care.

In Dittman, former and current employees of the University of Pittsburgh Medical Center ('UPMC') commenced a class action lawsuit after UPMC sustained a data breach compromising employee personal information. Plaintiffs asserted that UPMC failed to implement adequate security measures to protect the data, including early detection, proper encryption, and authentication protocols42. Applying the tort principle that a person who undertakes an affirmative act must exercise reasonable care, the PA Supreme Court concluded that UPMC's collection of employee data was an affirmative act triggering such a duty43.

Although the wrongdoing of a third party can act as a superseding event that absolves the affirmative actor of liability, the PA Supreme Court concluded that the exception did not apply in the case before it. Instead, because UPMC collected plaintiffs' personal data, it knew or should have known that a third party might try to hack into its allegedly inadequately secured network to steal the data. Thus, 'the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [plaintiffs'] personal and financial information from that breach44.' It is important to note that Dittman was decided at the dismissal stage, where courts are required to treat the allegations in a complaint as true.

By recognising a common law duty of care to protect data independent of any statute or regulation, Dittman represents a flagship decision in the US, and it will be interesting to see whether appellate courts in other states follow Pennsylvania's lead. The Eastern District Court, in analysing Wawa's affirmative duty related to collecting payment card information, held that post-Dittman state law imparts an independent duty on companies to reasonably secure their payment systems45. In that case, hackers accessed Wawa's point-of-sale systems, installed malware, and were able to obtain millions of customer payment card numbers. Three litigation tracks were born out of the hundreds of suits filed against Wawa: the 'Consumer Track', the 'Employee Track', and the 'Financial Institution Track'. In the Financial Institution Track, the Eastern District Court accepted the financial institutions' argument that because Wawa accepted payment cards, it had a duty, independent of any contract, to comply with the financial institutions' rules and standards for consumer data, and that, additionally, Wawa was on notice of the potential security concerns in light of other recent retail point-of-sale hacks46. However, the court noted that where parties have specifically contracted to certain data privacy and security requirements, a court – using the gist of the action doctrine – will look to the contractual nature of those requirements as superseding any common law right47.

2. KEY PRIVACY LAWS

2.1. The Wiretapping and Electronic Surveillance Control Act

The Pennsylvania Wiretapping and Electronic Surveillance Control Act ('the Wiretapping Act') (under §5701 et seq. of Chapter 57 of Title 18 of the Pa. C.S.) restricts a person's ability to monitor another. Under the Wiretapping Act, a person is guilty of a felony of the third degree if he or she (18 Pa. C.S. §5703):

  • intentionally intercepts, endeavours to intercept, or procures any other person to intercept or endeavour to intercept any wire, electronic, or oral communication;
  • intentionally discloses or endeavours to disclose to any other person the contents of any wire, electronic, or oral communication, or evidence derived therefrom, knowing or having reason to know that the information was obtained through the interception of a wire, electronic, or oral communication; or
  • intentionally uses or endeavours to use the contents of any wire, electronic, or oral communication, or evidence derived therefrom, knowing or having reason to know, that the information was obtained through the interception of a wire, electronic, or oral communication.

Subject to certain exceptions, it also is unlawful to manufacture, advertise, sell, or possess devices primarily designed to surreptitiously intercept wire, electronic, or oral communications (18 Pa. C.S. §5705).

Private cause of action

Although a penal statute, the Wiretapping Act also recognises a private cause of action. It provides that '[a]ny person whose wire, electronic or oral communication is intercepted, disclosed or used in violation of this chapter shall have a civil cause of action against any person who intercepts, discloses or uses or procures any other person to intercept, disclose or use, such communication; and shall be entitled to recover from any such person' (18 Pa. C.S. §5725(a)(1)). The U.S. Court of Appeals for the Third Circuit has adopted a four-part test to establish a prima facie claim under 18 Pa. C.S. §5725. The test is whether: '(1) Plaintiff engaged in [an oral] communication; (2) Plaintiff possessed an expectation that the communication would not be intercepted; (3) Plaintiff's expectation was justifiable under the circumstances; and (4) Defendant attempted to, or successfully intercepted the communication, or encouraged another to do so48.' Importantly, only the sender of the communication has standing to sue – the intended recipient of the communication has no standing to assert a claim under the Wiretapping Act49.

Criminal conviction under the Wiretapping Act is not a condition precedent to civil liability50. In Marks, the PA Supreme Court remarked that because 'the purpose of the damage provision [in the Wiretapping Act] is to encourage civil enforcement of the [Wiretapping Act], all that is required to make the damage provision of the [Wiretapping Act] operative is a determination by the [trial] court [...] that the [Wiretapping Act] was violated51.' Consent is a defence to such a claim. The Wiretapping Act is not violated where 'all parties to the communication have given prior consent to' interception of the communication (18 Pa. C.S. §5704(4)). If not all parties to a communication have consented to the interception, there is a violation of the Wiretapping Act52. Additional defences and exceptions to the Wiretapping Act are provided under 18 Pa. C.S. §5704.

A successful claimant may recover (18 Pa. C.S. §5725(a)(2)):

  • actual damages, but not less than liquidated damages computed at the rate of $100 a day for each day of violation, or $1,000 per day, whichever is higher;
  • punitive damages; and
  • reasonable attorney's fees.

Recently, in Popa v. Harriet Carter Gifts, Inc., the U.S. District Court for the Western District of Pennsylvania granted summary judgment to the defendants and concluded that an online data collection company and an online merchant did not violate the Wiretapping Act when they collected data related to the plaintiff's online browsing53. The court noted that no prior case law had examined communications sent and received between a user's web browser, a website server, and third-party servers in the context of the Wiretapping Act, and used the holding rendered by the U.S. Court of Appeals for the Third Circuit in In re Google to guide its analysis of online communications between servers and web browsers54. Ultimately, the court found that the third-party data collection defendant and the plaintiff were both parties to the communication and therefore there was no interception, stating '[b]y choosing to visit the website, [Plaintiff] initiated the underlying communications between her web browser, [Defendant retailer's] web server and [Defendant data collector's] servers.'55 The court noted that the plaintiff was unaware of the nuanced intricacies of the background communications, but held that the plaintiff directly communicated with both defendants by visiting the online retailer's website56.

The Popa holding has broad implications for consumer privacy and leaves little room for the use of the Wiretapping Act in litigation related to online data collection from consumer browsing.

2.2. Identity theft

Under Chapter 41 of Title 18 of the Pa. C.S., a person commits the criminal offence of 'identity theft' of another person if he or she 'possesses or uses, through any means, identifying information of another person without the consent of that other person to further any unlawful purpose' (18 Pa. C.S. §4120(a)).

The law defines 'identifying information' as '[a]ny document, photographic, pictorial or computer image of another person, or any fact used to establish identity, including, but not limited to, a name, birth date, Social Security number, driver's license number, nondriver governmental identification number, telephone number, checking account number, savings account number, student identification number, employee or payroll number or electronic signature' (18 Pa. C.S. §4120(f)). The law defines 'document' as '[a]ny writing, including, but not limited to, birth certificate, Social Security card, driver's license, nondriver government-issued identification card, baptismal certificate, access device card, employee identification card, school identification card or other identifying information recorded by any other method, including, but not limited to, information stored on any computer, computer disc, computer printout, computer system, or part thereof, or by any other mechanical or electronic means' (18 Pa. C.S. §4120(f)).

The Superior Court of Pennsylvania affirmed a conviction for forgery, identity theft, and fraudulently obtaining public assistance where the defendant used his brother's name and identifying information to obtain medical services, including open heart surgery, and Medicaid benefits57. The defendant admitted to using his brother's name and had signed his brother's name to various documents to obtain medical services and to obtain public assistance as an unemployed and uninsured person.

Each time a person possesses or uses identifying information in violation of 18 Pa. C.S. §4120(a), it constitutes a separate offence (18 Pa. C.S. §4120(b)). Further, the total values involved in offences under this section committed pursuant to one scheme or course of conduct, whether from the same victim or several victims, may be aggregated in determining the grade of the offence (18 Pa. C.S. §4120(b)). The degree of felony and fine depends upon the value of any property involved and whether the offence was committed in furtherance of a criminal conspiracy (18 Pa. C.S. §4120(c)(1)). When a person commits identity theft and the victim is 60 years of age or older, a care-dependent person, as defined in §2713 of Chapter 27 of Title 18 of the Pa. C.S. (relating to neglect of care-dependent person), or an individual under 18 years of age, the grading of the offence is elevated one grade higher than specified above, to permit a more severe sentence (18 Pa. C.S. §4120(c)(2)).

Separately, a person commits the offence of 'falsely impersonating persons privately employed' if he or she pretends or holds himself or herself out, 'without due authority,' to anyone as an employee of any person for the purpose of gaining access to any premises (18 Pa. C.S. §4115). The offence is a misdemeanour of the second degree (18 Pa. C.S. §4115).

Private cause of action

Subchapter A of Chapter 83 of Title 42 of the Pa. C.S. also recognises a private cause of action for identity theft, and a claimant may seek the following damages for identity theft (42 Pa. C.S. §8315):

  • actual damages arising from the incident or $500, whichever is greater. Damages include loss of money, reputation, or property, whether real or personal. The court may, in its discretion, award up to three times the actual damages sustained, but not less than $500;
  • reasonable attorney fees and court costs; and/or
  • additional relief the court deems necessary and proper.

2.3. Unlawful dissemination of an intimate image

Pennsylvania law recognises a private cause of action for unlawful dissemination of an intimate image in order to recover damages for any loss or injury sustained as a result of the violation (42 Pa. C.S. §8316.1(a)). The claim may be brought by the person or, if the person is incompetent or a minor, by his or her guardian (42 Pa. C.S. §8316.1(b)).

Damages include (42 Pa. C.S. §8316.1(c)(1)):

  • actual damages arising from the incident or $500, whichever is greater;
  • loss of money, reputation or property, whether real or personal; and
  • an award, at the court's discretion, of up to three times the actual damages sustained, but not less than $500.

A court also may award reasonable attorney fees, court costs, and additional relief the court deems necessary and proper (42 Pa. C.S. §8316.1(c)(2)). A court awarding damages must consider whether the dissemination of the intimate image may cause long-term or permanent injury (42 Pa. C.S. §8316.1(c)). An award of damages under the Pa. C.S. may limit the ability of the victim to obtain restitution from a defendant convicted of a crime under 18 Pa. C.S. §1106 (42 Pa. C.S. §8316.1(d)).

2.4. Possession of unlawful devices

Under Pennsylvania penal law, a person commits the criminal offence of possession of an unlawful device if that person, with the intent to defraud another person, either '(i) uses a device to access, read, obtain, memorize or store, temporarily or permanently, information encoded on the computer chip, magnetic strip or stripe or other storage mechanism of a payment card or possesses a device capable of doing so; or (ii) places information encoded on the computer chip, magnetic strip or stripe or other storage mechanism of a payment card onto the computer chip, magnetic strip or stripe or other storage mechanism of a different card or possesses a device capable of doing so' (18 Pa. C.S. §4121(a)(1)).

In addition, a person violates the statute if he or she 'knowingly possesses, sells or delivers a device which is designed to read and store in the device's internal memory information encoded on a computer chip, magnetic strip or stripe or other storage mechanism of a payment card other than for the purpose of processing the information to facilitate a financial transaction' (18 Pa. C.S. §4121(a)(2)). The law defines 'payment card' as a 'credit card, a charge card, a debit card or another card which is issued to an authorized card user to purchase or obtain goods, services, money or another thing of value' (18 Pa. C.S. §4121(c)).

A first offence constitutes a felony of the third degree. A second or subsequent offence constitutes a felony of the second degree (18 Pa. C.S. §4121(b)).

2.5. Privacy of social security numbers

Under the Privacy of Social Security Numbers Law ('the Social Security Numbers Law') (under §201 et seq. of Chapter 5 of Title 74 of the Pa. Stat.) social security numbers are entitled to confidentiality. The Social Security Numbers Law further prohibits a person or entity, or state agency or political subdivision, from (74 Pa. Stat. §201(a)):

  • publicly displaying a person's social security number;
  • printing the number on a card required to access products or services, or requiring an individual to transmit his or her social security number over the internet in absence of encryption;
  • requiring an individual to use his or her social security number to access an internet website unless a password or unique personal identification number or another authentication device is also required;
  • printing an individual's social security number on any materials that are mailed to the individual unless federal or state law requires the social security number to be on the document to be mailed; or
  • disclosing in any manner, except to the agency issuing the license, the social security number of an individual who applies for a recreational license.

Lawsuits for violations of the Social Security Numbers Law may be brought by the AG. A violation of the law is deemed a summary offence and is punishable by a fine of not less than $50 and not more than $500 and, for every second or subsequent violation, by a fine of not less than $500 and not more than $5,000 (74 Pa. Stat. §201(g)). The law is also subject to criminal enforcement (74 Pa. Stat. §202). The law does not apply to financial institutions, as defined by the Gramm-Leach-Bliley Act of 1999 ('GLBA'), 'covered entities' under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), or an entity subject to the Fair Credit Reporting Act of 1970 (74 Pa. Stat. §204).

2.6. Consumer Protection

The purpose of the Unfair Trade Practices Law is to protect the consumer public and eradicate unfair or deceptive business practices58. The PA Supreme Court has instructed that courts should construe the Unfair Trade Practices Law liberally in order to effect the legislative goal of consumer protection59. The Unfair Trade Practices Law lists 21 acts that are deemed unfair and deceptive in commerce. In recent years, the AG has used the Unfair Trade Practices Law to commence enforcement actions against companies failing to adequately protect consumer data, citing the catch-all provision in the law, which prohibits 'fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding' (73 Pa. Stat. §201-2(4)(xxi))60. In the aftermath of recent high-profile data breaches, such as Orbitz, Neiman Marcus and Target, the AG has used the Unfair Trade Practices Law (together with attorneys general in other states using similar state consumer protection statutes) to commence enforcement actions against those companies and to negotiate 'Assurances of Voluntary Compliance' with them. These settlement agreements require companies sustaining the data breaches to develop and implement policies and procedures to better protect consumers' personal information61.

Private cause of action

The Unfair Trade Practices Law also creates a private cause of action. To date, plaintiffs have tried unsuccessfully to obtain class certification for private causes of action brought under 73 Pa. Stat. §201-2(4)(xxi) based on the alleged mismanagement of personal health information62.

The Unfair Trade Practices Law has a fee-shifting component which allows successful claimants and their attorneys to recoup attorneys' fees expended in the action, even if such fees are in excess of the damages awarded. As a result, this law has attracted plaintiffs' attorneys to bring even de minimis cases in the hope of obtaining significant awards for fees. For fee-shifting under the Unfair Trade Practices Law, courts look to the benefits provided to the claimants by their attorneys, and have noted that 'the fee-shifting statutory provision of [the Unfair Trade Practices Law] is designed to promote its purpose of punishing and deterring unfair and deceptive business practices and to encourage experienced attorneys to litigate such cases, even where recovery is uncertain63.' Additionally, the PA Supreme Court recently held that a business's state of mind is irrelevant for a private cause of action brought under the Unfair Trade Practices Law 'catch-all' provision, effectively transforming the statute into a strict-liability one, and confirming that the Unfair Trade Practices Law should be 'construed broadly in order to comport with the legislative will to eradicate unscrupulous business practices64.'

2.7. Invasion of Privacy

Under Chapter 75 of Title 18 of the Pa. C.S., invasion of privacy is also a criminal offence. A person may be convicted of invasion of privacy if the offender, for the purpose of arousing or gratifying the sexual desire of any person, knowingly does any of the following (18 Pa. C.S. §7507.1(a)):

  • views, photographs, videotapes, electronically depicts, films, or otherwise records another person without that person's knowledge and consent while that person is in a state of full or partial nudity and is in a place where that person would have a reasonable expectation of privacy;
  • photographs, videotapes, electronically depicts, films, or otherwise records or personally views the intimate parts, whether or not covered by clothing, of another person without that person's knowledge and consent, and which intimate parts that person does not intend to be visible by normal public observation; and
  • transfers or transmits an image obtained in violation of the first or second points above by live or recorded telephone message, electronic mail, or the internet, or by any other transfer of the medium on which the image is stored.

The law defines 'full or partial nudity' as a '[d]isplay of all or any part of the human genitals or pubic area or buttocks, or any part of the nipple of the breast of any female person, with less than a fully opaque covering' and defines 'intimate part' as any part of human genitals, pubic area, or buttocks, or the nipple of a female breast (18 Pa. C.S. §7507.1(e)). A 'place where a person would have a reasonable expectation of privacy' is defined as '[a] location where a reasonable person would believe that he could disrobe in privacy without being concerned that his undressing was being viewed, photographed or filmed by another' (18 Pa. C.S. §7507.1(e)).

The law recognises separate violations for each victim of an offence under the same or similar circumstances, such as a scheme or course of conduct, whether at the same or different times, or if a person is a victim on multiple occasions during separate courses of conduct (18 Pa. C.S. §7507.1(a.1)). An offence for invasion of privacy constitutes a misdemeanour of the third degree; however, if there are multiple offences, the offence constitutes a misdemeanour of the second degree (18 Pa. C.S. §7507.1(b)). There is no private cause of action under the law against a manufacturer of a device or a provider of a product or service that is used to commit a violation of 18 Pa. C.S. §7507.1 (42 Pa. C.S. §8317).

3. HEALTH DATA

3.1. Key Laws

The protection of health data under Pennsylvania law is a patchwork. Chapter 146b of Title 31 of the Pennsylvania Code ('Pa. Code') governs the privacy of consumer health information (31 Pa. Code §146b.1). However, the law applies to insurers only. Safeguards for protecting health data under 31 Pa. Code §146b.1 are governed under §146c.1 et seq. of Chapter 146c of Title 31 of the Pa. Code, which establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of consumer information (see section 10 of the Guidance Note). Data security of health data implicates some common law duties of care recently recognised by the PA Supreme Court under Dittman v. UPMC (see section 1.3. of the Guidance Note above). Pennsylvania also recognises a common law right of physician-patient confidentiality separate and distinct from an invasion of privacy claim65.

In addition, Chapter 115 of Title 28 of the Pa. Code requires that medical records be stored 'in such a manner as to provide protection from loss, damage and unauthorized access' (28 Pa. Code §115.22). All medical records must be treated as confidential (28 Pa. Code §115.27; see also §5.53 of Chapter 5 of Title 28 of the Pa. Code; and §563.9 of Chapter 563 of Title 28 of the Pa. Code). As such, '[o]nly authorized personnel' may have access to medical records, and 'written authorization of the patient' must be presented and maintained in the original record as authority for release of medical information outside the hospital (28 Pa. Code §115.27). The law treats medical records as 'the property of the hospital,' but prohibits their removal from hospital premises, except for court purposes (28 Pa. Code §115.28). Copies of such records may be made for authorised appropriate purposes, such as insurance claims and physician review, that are consistent with the confidentiality requirements under 28 Pa. Code §115.27 (28 Pa. Code §115.28; see also §7111 of Article 1 of Chapter 15 of Title 50 of the Pa. Stat.).

3.2. Key Definitions for 31 Pa. Code §146b

31 Pa. Code §146b has many key definitions, and defines 'consumer' as an 'individual, or that individual's legal representative, who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal health information' (31 Pa. Code §146b.2). The definition also provides examples and illustrations of 'consumers' (31 Pa. Code §146b.2).

31 Pa. Code §146b defines 'licensee' as a licensed insurer, a producer, and other persons or entities licensed or required to be licensed under Pennsylvania insurance law, including health maintenance organisations. The term licensee also includes a licensee that enrols, insures, or otherwise provides an insurance related service to participants that procure health insurance through a governmental health insurance program, and a non-admitted insurer that accepts business placed through a surplus lines licensee in Pennsylvania (31 Pa. Code §146b.2).

The term 'non-public personal health information' means either health information that identifies an individual who is the subject of the information, or health information that there is a reasonable basis to believe could be used to identify an individual (31 Pa. Code §146b.2). The term does not include 'non-public personal financial information' (31 Pa. Code §146b.2).

4. FINANCIAL DATA

4.1. Key Laws

Chapter 146a of Title 31 of the Pa. Code governs the privacy of consumer financial information (31 Pa. Code §146a.1). Similar to Chapter 146b of the Pa. Code, the statute limits the definition of licensees to insurers and thus is limited in scope. Safeguards for protecting consumer financial data are governed under 31 Pa. Code §§146c.1-.11, which establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information (see section 10 of the Guidance Note below). In addition, data security of financial data implicates common law duties of care recently recognised by the PA Supreme Court under Dittman v. UPMC (see section 1.3. of the Guidance Note)66.

4.2. Key Definitions for 31 Pa. Code §146a

The law defines a 'consumer' as an 'individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal financial information, or that individual's legal representative' (31 Pa. Code §146a.2). Like the definition for consumer health data under 31 Pa. Code §146b.2, the definition of consumer under 31 Pa. Code §146a.2 provides examples and illustrations of 'consumers.'

A 'customer' is defined as a 'consumer who has a customer relationship with a licensee' (31 Pa. Code §146a.2). A 'customer relationship' is defined as a 'continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes' (31 Pa. Code §146a.2).

31 Pa. Code §146a.2 defines licensee as an insurer, a producer, or other persons or entities licensed or required to be licensed under Pennsylvania insurance law, including health maintenance organisations. The term also includes a licensee that enrols, insures, or otherwise provides insurance related services to participants that procure health insurance through a governmental health insurance program, and a non-admitted insurer that accepts business placed through a surplus lines licensee in Pennsylvania (31 Pa. Code §146a.2).

The term 'personally identifiable financial information' is defined to mean '(A) Information that a consumer provides to a licensee to obtain an insurance product or service from the licensee; (B) Information about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer, and (C) Information that the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer' (31 Pa. Code §146a.2). The term does not include publicly available information, any list, description or other grouping of consumers derived without using any personally identifiable financial information that is not publicly available, and health information (31 Pa. Code §146a.2).

5. EMPLOYMENT DATA

The PA Supreme Court held that employers have a common law duty of reasonable care to safeguard the sensitive personal information of their current and former employees stored in internet-accessible information systems (see section 1.3. of the Guidance Note)67.

There have been no subsequent significant decisions addressing the Court's recognition of the common law duty; although, one decision rendered by the U.S. Court of Appeals for the Third Circuit recently vacated the dismissal of a lawsuit brought by a federal employee whose personal information was inadvertently disclosed by the U.S. Department of Justice in response to a FOIA request filed by a federal inmate (Spade v. United States, 763 Fed. App'x 294, 295 (3d Cir. 2019)). However, the District Court ultimately dismissed the case as the U.S. Department of Labor determined that the plaintiff's claim was covered by the Federal Employees' Compensation Act of 1916 ('FECA') and therefore prohibited any Dittman determination68.

6. ONLINE PRIVACY

While Pennsylvania does not have a law specifically addressing online privacy, 18 Pa. C.S. §4107, which addresses deceptive or fraudulent business practices, makes it an offence to knowingly make false or misleading statements in a privacy policy, published on the internet, regarding the use of personal information submitted by members of the public (18 Pa. C.S. §4107(a)(10)) (see section 8 below on privacy policies).

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Under Pennsylvania's Unsolicited Telecommunication Advertisement Act ('UTAA') (under §2250.1 et seq. of Chapter 40A of Title 73 of the Pa. Stat.) it is unlawful to send, from a computer or fax machine located in Pennsylvania, an unsolicited commercial email or facsimile, or to send such an email to addresses, that (73 Pa. Stat. §2250.3(a)):

  • uses a third party's internet domain name in the return electronic mail message without permission of the third party;
  • includes false or misleading information in the return address portion of the electronic mail, facsimile, or wireless advertisement such that the recipient would be unable to send a reply message to the original authentic sender;
  • contains false or misleading information in the subject line; or
  • fails to operate a valid sender-operated return email address or toll-free telephone number that the recipient of the unsolicited documents may email or call to notify the sender not to transmit further unsolicited documents.

It is also unlawful to use a covered mobile telephone messaging system to transmit an unsolicited commercial email (73 Pa. Stat. §2550.3(b)).

The UTAA also prohibits a person from doing any of the following (73 Pa. Stat. §2250.4):

  • conspiring with another person to initiate the transmission of a commercial electronic mail message, fax, or wireless advertisement that uses a third party's internet domain name without permission of the third party, or to otherwise misrepresent or obscure any information identifying the point of origin or the transmission path of a commercial electronic mail message;
  • falsifying or forging commercial electronic mail, fax, or wireless transmission or other routing information in any manner in connection with the transmission of unsolicited commercial electronic mail or wireless advertisement;
  • assisting in the transmission of a commercial electronic mail message, fax, or wireless advertisement when the person providing the assistance knows or consciously avoids knowing that the initiator of the commercial electronic mail message or fax is engaged or intends to engage in any act or practice that violates the provisions of the act;
  • temporarily or permanently removing, altering, halting, or otherwise disabling any computer or wireless data, programs, software or network to initiate a commercial electronic mail message, fax, or wireless advertisement; and
  • selling, giving, or otherwise distributing, or possessing with the intent to sell, give, or distribute, software that is primarily designed or produced for the purpose of facilitating or enabling falsification of commercial electronic mail, fax, or wireless advertisement transmissions.

A violation of the UTAA constitutes a violation of the Unfair Trade Practices Law (73 Pa. Stat. §2250.5(a)) (see section 2.6. of the Guidance Note). Thus, a private action brought under the statute may be based on any of the twenty-one unfair practices described in the Unfair Trade Practices Law (73 Pa. Stat. §201-2(4)).

Under the UTAA, persons who provide an email service, or wireless telecommunications companies, have the discretion to block or filter the receipt or transmission of any commercial email or wireless advertisement that they reasonably believe is or may be sent in violation of the UTAA (73 Pa. Stat. §2250.6(a)(1)). Moreover, the UTAA does not prevent or limit a person who provides internet access or an email service, or a wireless telecommunications company, from (73 Pa. Stat. §2250.6(a)(2)):

  • adopting a policy regarding commercial or other electronic mail, including a policy of blocking, filtering, or declining to transmit certain types of electronic mail messages;
  • suspending or terminating the services or accounts of any person deemed in violation of the act; or
  • enforcing such policy through technology, contract or pursuant to any remedy available under any provision of law.

No person who provides internet access or an email service, or a wireless telecommunications company, may be held liable for any action voluntarily taken in good faith to block the receipt or transmission through its service of any commercial email which it reasonably believes is or may be sent in violation of the UTAA (73 Pa. Stat. §2250.6(b)).

Please note that most litigation in Pennsylvania for unsolicited communications is brought under the Telephone Consumer Protection Act of 1991 ('TCPA'), a federal statute69.

8. PRIVACY POLICIES

While Pennsylvania does not have a law specifically addressing privacy policies, 18 Pa. C.S. §4107, which addresses deceptive or fraudulent business practices, makes it an offence to knowingly make false or misleading statements in a privacy policy, published on the internet, regarding the use of personal information submitted by members of the public (18 Pa. C.S. §4107(a)(10)).

A recent development in Pennsylvania case law with broad consequences for consumer litigation related to the Unfair Trade Practices Law and privacy policies is the previously mentioned holding of the PA Supreme Court in Gregg v. Ameriprise Financial, Inc.70 In Gregg, where plaintiffs brought suit for negligent misrepresentation and violation of the law's catch-all provision, the Court held that 'deceptive conduct under the [Unfair Trade Practices Law] is not dependent in any respect upon proof of the actor's state of mind71.' The Court affirmed the Superior Court's holding that the test for deceptive conduct is whether the conduct has the tendency or capacity to deceive, and stressed that the Unfair Trade Practices Law 'should be construed broadly in order to comport with the legislative will to eradicate unscrupulous business practices72.' With regard to privacy policies, this holding allows consumers to bring an action under the Unfair Trade Practices Law for any privacy policy that has the tendency to deceive, regardless of the business entity's intent when crafting the policy. Without many other avenues for claims regarding privacy policies, claims under the Unfair Trade Practices Law will likely become more common for privacy policy language.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

9.1. Standards for Safeguarding Customer Information

9.1.1. Key Provisions

The Unfair Insurance Practices Act ('the Insurance Act') (under §146.1 et seq. of Chapter 146 of Title 31 of the Pa. Code) sets standards for safeguarding consumer information for licensees under Chapters 146a (financial data) and 146b (health data) of Title 31 of the Pa. Code (31 Pa. Code §§146c.1-.11). The law establishes standards that licensees must adhere to (31 Pa. Code §146c.1):

  • for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, under §§501, 505(b) and 507 of the GLBA (15 U.S.C. §§6801, 6805(b), and 6807);
  • for ensuring the security and confidentiality of customer records and information;
  • to protect against any reasonably anticipated threats or hazards to the security or integrity of the records;
  • to protect against unauthorised access to or use of records or information that could result in substantial harm or inconvenience to a customer; and
  • that apply to non-public personal information, including non-public personal financial information and non-public personal health information.

The Pa. Code requires licensees (see definitions in sections 3.2. and 4.2. of the Guidance Note) to 'implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information' (31 Pa. Code §146c.3). Recognising that a one-size-fits-all approach is unworkable, the law further provides that '[t]he administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities' (31 Pa. Code §146c.3). The information security program must be designed to (31 Pa. Code §146c.4):

  • safeguard the security and confidentiality of customer information;
  • protect against any reasonably anticipated threats or hazards to the security or integrity of the information; and
  • protect against unauthorised access to or use of the information that could result in substantial harm or inconvenience to any customer.

Furthermore, 31 Pa. Code §§146c.6 to 146c.9 provide non-exclusive illustrations and methods by which a licensee may implement an adequate comprehensive written information security program designed to satisfy required safeguards (31 Pa. Code §146c.5). The illustrated methods and procedures are:

  • conducting risk assessments that (31 Pa. Code §146c.6):
    • identify reasonably foreseeable internal or external threats that could result in unauthorised disclosure, misuse, alteration, or destruction of customer information or customer information systems;
    • assess the likelihood and potential damage of such threats, taking into consideration the sensitivity of the customer information at issue; and
    • assess the sufficiency of policies, procedures, information systems, and other safeguards already in place to mitigate the identified risks;
  • managing and controlling the risk by (31 Pa. Code §146c.7):
    • designing the information security program to control the identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the licensee's activities;
    • training staff to implement the information security program; and
    • regularly monitoring and testing key controls, systems, and procedures of the information security program based on the licensee's risk assessment;
  • managing security risks created through the use of third-party service providers by (31 Pa. Code §146c.8):
    • exercising 'appropriate due diligence' in selecting service providers;
    • requiring service providers to implement 'appropriate measures' designed to meet the objectives of the data security standards; and
    • when indicated by its risk assessment, taking appropriate steps to confirm that the service providers have satisfied their data security obligations; and
  • adjusting the information security program based upon relevant changes in technology, the sensitivity of customer information, identified threats, and/or the licensee's own changing business arrangements (31 Pa. Code §146c.9).

A licensee violates Title 31 of the Pa. Code when (31 Pa. Code §146c.10(b)):

  • it 'knew or reasonably should have known' of a pattern of activity, or of a practice of a service provider, that constitutes a violation of either 31 Pa. Code §146a or 31 Pa. Code §146b;
  • it 'knew or reasonably should have known' of a pattern of activity, or of a practice of a service provider, that constitutes a violation of the safeguard standards; and/or
  • it knew or reasonably should have known of a 'material breach' of the contract or other arrangement between the licensee and the service provider, unless the licensee took reasonable steps to cure the breach or end the violation.

Violations under 31 Pa. Code §§146c.3 and 146c.4, which address the implementation of an adequate comprehensive written information security program designed to satisfy required safeguards, are deemed by the Pennsylvania Insurance Department ('the Department') to be an unfair method of competition and an unfair or deceptive act or practice, and thus are subject to applicable penalties or remedies under the Insurance Act (31 Pa. Code §146c.10(a)). In addition to injunctive relief (§1171.10 of Chapter 4 of Title 40 of the Pa. Stat.), civil penalties that may be imposed by the Department under the Insurance Act are (40 Pa. Stat. §1171.11):

  • for each method of competition, act, or practice defined in §5 of the Insurance Act and in violation of the Insurance Act, which the person knew or reasonably should have known was such a violation, a penalty of not more than $5,000 for each violation but not to exceed an aggregate penalty of $50,000 in any six-month period;
  • for each method of competition, act, or practice defined in §5 of the Insurance Act and in violation of the Insurance Act, which the person did not know nor reasonably should have known was such a violation, a penalty of not more than $1,000 for each violation but not to exceed an aggregate penalty of $10,000 in any six-month period; and
  • for each violation of an order issued by the Insurance Commissioner of Pennsylvania pursuant to §9 of the Insurance Act, while such order is in effect, a penalty of not more than $10,000.

9.1.2. Key Definitions

Licensee: Has the same limited definition, confined to insurers, as under 31 Pa. Code §§146a.2 and 146b.2, except that the term does not include a purchasing group or a non-admitted insurer in regard to the surplus lines business (31 Pa. Code §146c.2).

Customer: Means either a 'customer,' as defined in 31 Pa. Code §146a.2 (relating to definitions), or a 'consumer,' as defined in 31 Pa. Code §146b.2 (relating to definitions) (31 Pa. Code §146c.2).

Customer information systems: The 'electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information' (31 Pa. Code §146c.2).

Customer information: Means either 'nonpublic personal financial information,' as defined in 31 Pa. Code §146a.2, or 'nonpublic personal health information,' as defined in 31 Pa. Code §146b.2, about a customer, whether in paper, electronic, or other form that is maintained by or on behalf of the licensee (31 Pa. Code §146c.2).

Service provider: A 'person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee' (31 Pa. Code §146c.2).

9.2. The Consumer Protection Against Computer Spyware Act

Under the Consumer Protection Against Computer Spyware Act ('the Computer Spyware Act') (§2330.1 et seq. of Chapter 43A of Title 73 of the Pa. Stat.), it is unlawful to install, or cause to be installed, computer software on a user's computer that deceptively modifies the computer's functions or acquires information. The Computer Spyware Act prohibits a person or entity from inducing a user to install software by misrepresenting that installing the software is necessary for security or privacy reasons, or in order to open, view or play a particular type of content; or from causing the execution of software in violation of the Computer Spyware Act (73 Pa. Stat. §2330.5).

The Computer Spyware Act further provides that a person or entity that is not an authorised user shall not cause computer software to be copied, or procure its copying, onto the computer of an authorised user in this Commonwealth and use the software to do any of the following acts or any other acts deemed to be deceptive (73 Pa. Stat. §2330.3):

  • modify through deceptive means any of the following settings related to the computer's access to or use of the internet:
    • the page that appears when an authorised user launches an internet browser or similar software program used to access and navigate the internet;
    • the default provider or internet website proxy the authorised user uses to access or search the internet; and
    • the authorised user's list of bookmarks used to access internet website pages;
  • collect through deceptive means personally identifiable information that meets any of the following criteria:
    • it is collected through the use of a keystroke-logging function that records all keystrokes made by an authorised user who uses the computer and transfers that information from the computer to another person;
    • it includes all or substantially all of the internet websites visited by an authorised user, other than internet websites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorised users of the computer the fact that the software is being installed; and
    • it is a data element described in paragraphs (2), (3), (4) or (5) (i) or (ii) of the definition of 'personally identifiable information' that is extracted from the authorised user's computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorised user;
  • prevent, without the authorisation of an authorised user, through deceptive means an authorised user's reasonable efforts to block the installation of or to disable software by causing software that the authorised user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorisation of an authorised user;
  • misrepresent that software will be uninstalled or disabled by an authorised user's action with knowledge that the software will not be so uninstalled or disabled; and
  • through deceptive means, remove, disable or render inoperative security, antispyware, or antivirus software installed on the computer.

The Computer Spyware Act also prohibits a person from installing software on a computer in order to engage in the following acts, 'or any other acts deemed to be deceptive' (73 Pa. Stat. §2330.4(1)):

  • take control of the authorised user's computer by doing any of the following:
    • transmitting or relaying commercial electronic mail or a computer virus from the authorised user's computer where the transmission or relaying is initiated by a person other than the authorised user and without the authorisation of an authorised user;
    • accessing or using the authorised user's modem or internet service for the purpose of causing damage to the authorised user's computer or of causing an authorised user to incur financial charges for a service that is not authorised by an authorised user;
    • using the authorised user's computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack; and
    • opening a series of stand-alone messages in the authorised user's computer without the authorisation of an authorised user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the internet application.

The statute also prohibits a person from installing computer software that modifies an authorised user's security or other settings protecting information in order to steal the user's personal information, or that modifies the computer's security settings for the purpose of causing damage to one or more computers (73 Pa. Stat. §2330.4(2)). The statute further prohibits a person from installing computer software that prevents an authorised user's reasonable efforts to block the installation of, or to disable, software by doing any of the following (73 Pa. Stat. §2330.4(3)):

  • presenting the user with a fake option to decline installation of software;
  • falsely representing that software has been disabled;
  • requiring the user to access the internet to remove the software when the software frequently operates in a manner that prevents the user from accessing the internet;
  • changing the name, location, or other designation information of the software for the purpose of preventing the user from locating the software to remove it;
  • using randomised or deceptive file names, directory folders, formats or registry entries, or causing installation in a computer's directory or computer memory to evade the software's detection or removal; and
  • requiring that the user obtain a special code or download software from a third party to uninstall the software.

Violation of 73 Pa. Stat. §§2330.3(2), 2330.4(1)(i), (ii) and (iii), and 2330.4(2) constitutes a felony of the second degree, punishable by imprisonment of up to ten years and/or a fine of up to $25,000 (73 Pa. Stat. §2330.8). A private cause of action exists under the statute for providers of computer software, internet service providers, and trademark owners whose trademarks are used without authorisation (73 Pa. Stat. §2330.9(a)). Relief includes injunctive relief, actual damages or statutory damages of up to $100,000 for each violation, and costs, including attorneys' fees (73 Pa. Stat. §2330.9(b) and (d)). When considering damages, a court may increase an award to treble damages if it finds that 'the violations have occurred with a frequency with respect to a group of victims as to constitute a pattern or practice' (73 Pa. Stat. §2330.9(c)).

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

On 20 January 2022, House Bill ('HB') 2257 for the Pennsylvania Consumer Data Protection Act was introduced in the Pennsylvania House of Representatives and referred to the Committee on Consumer Affairs. If enacted – and similar legislation has been enacted in other US states – Pennsylvania would recognise data subject rights similar to those recognised under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the UK GDPR. Among other things, the privacy scheme would:

  • provide consumers with rights of access, correction, deletion, opt-out, and portability of their personal data (HB 2257, Section 503(a));
  • require businesses to respond to consumer requests for information, limit the collection of personal data, and abide by data processing principles of data minimisation and purpose specification (HB 2257, Section 301(b));
  • require businesses to implement and maintain reasonable administrative and technical security practices for personal data (HB 2257, Section 302(a)(3));
  • require businesses to provide consumers with privacy notices (HB 2257, Section 302(c), (e));
  • require contracts between controllers and processors (HB 2257, Section 303(b));
  • require businesses to conduct and document data protection assessments (HB 2257, Section 304);
  • provide the Pennsylvania AG with enforcement powers (HB 2257, Section 501); and
  • establish a Consumer Privacy Fund in the State Treasury (HB 2257, Section 503).

If enacted, the Consumer Data Protection Act would take effect on 1 January 2023 or 18 months after enactment, whichever is later (HB 2257, Section 702). The Consumer Data Protection Act would not provide for a private right of action. The legislation remains pending in the Pennsylvania Senate.


1. Pennsylvania State Educ. Ass'n v. Commonwealth, 148 A.3d 142, 149-50 (Pa. 2016).

2. Id. at 150; see, e.g., Commonwealth v. Rekasie, 778 A.2d 624, 628 (Pa. 2001).

3. Pa. State Educ. Ass'n, 148 A.3d at 150.

4. Id.

5. Commonwealth v. Murray, 223 A.2d 102, 109 (Pa. 1966). The Pennsylvania Supreme Court observed, "One of the pursuits of happiness is privacy"; thus, "[t]he right to privacy is as much property of the individual as the land to which he holds title and the clothing he wears on his back."

6. In re T.R., 731 A.2d 1276, 1279 (Pa. 1999).

7. Pa. State Educ. Ass'n, 148 A.3d at 150, holding that the right of privacy protected the home addresses of public school employees from disclosure under the Right-to-Know Law.

8. Pa. Liquor Control Board v. Beh, 215 A.3d 1046, 2019 Pa. Commw. LEXIS 660, at **16, 2019 WL 3209994 (Pa. Commw. Ct. 2019), citing 65 P.S. § 67.305(a); see also Governor's Office of Admin. v. Campbell, 202 A.3d 890, 896 (Pa. Commw. Ct. 2019) ('For these reasons, we conclude that the requested Commonwealth employees' counties of residence information is protected by the constitutional right of informational privacy and this right is not outweighed by the public's interest in dissemination in this case. Consequently, OOR erred in ordering the disclosure of Commonwealth employees' counties of residence under the RTKL.').

9. Beh, 2019 Pa. Commw. LEXIS 660, citing 65 P.S. § 67.306.

10. Doe v. Triangle Doughnuts, LLC, 2020 U.S. Dist. LEXIS 109496, *8, *12 (E.D. Pa. 2020).

11. Id. at *15 and *16.

12. West Chester University of Pa. v. Rodriguez, 216 A.3d 503, 2019 Pa. Commw. LEXIS 690, 2019 WL 3307901 (Pa. Commw. Ct. 2019).

13. Id., 2019 Pa. Commw. LEXIS 690, at **14.

14. E.g., Estate of Rennick v. Universal Credit Servs., LLC, 2019 U.S. Dist. LEXIS 6888 at *16 (E.D. Pa. Jan. 15, 2019).

15. Harris v. Easton Pub. Co., 483 A.2d 1377, 1383 (Pa. Super. Ct. 1984); see also Burger v. Blair Med. Assocs., 964 A.2d 374, 376 (Pa. 2009).

16. Pennsylvania State Education Association v. Commonwealth of Pennsylvania Dept. of Community and Economic Development, 148 A.3d 142 (Pa. 2016).

17. Id. at 151; see also Easton Area School District v. Miller, 232 A.3d 716 (Pa. 2020) (holding that school bus surveillance footage was exempt from the Right-to-Know Law because it was an educational record and contained personally identifiable information protected by the Pennsylvania right to privacy).

18. Harris, 483 A.2d at 1383, citing Restatement (Second) of Torts § 652B.

19. Id.

20. Burger v. Blair Med. Assocs., 964 A.2d 374, 378 (Pa. 2009).

21. Harris, 483 A.2d at 1384, citing Restatement (Second) of Torts § 652D; see also Burger, 964 A.2d at 379.

22. Harris, 483 A.2d at 1384.

23. Id.; Burger, 964 A.2d at 379, in which the 'publicity' element was unsatisfied where the defendant disclosed the claimant's drug use only to the employer; Vogel v. W.T. Grant Co., 327 A.2d 133, 137 (Pa. 1974), in which the 'publicity' element was unsatisfied where the defendant disclosed the claimant's private affairs to the employer and three relatives; Burke v. Kubicek, 2021 WL 4307031, at *3 (Pa. Super. Ct. Sept. 22, 2021), in which the 'publicity' element was unsatisfied where the matter was communicated to a small group of third parties.

24. Burger, 964 A.2d at 379.

25. Tanzosh v. InPhoto Surveillance, 2008 U.S. Dist. LEXIS 76022, *17 (M.D. Pa. Sept. 26, 2008); see also Rush v. Philadelphia Newspapers, Inc., 732 A.2d 648, 654 (Pa. Super. Ct. 1999); James v. Cmty. Coll. of Allegheny Cnty., 263 A.3d 68 (Pa. Commw. Ct. 2021).

26. Id.

27. Rush, 732 A.2d at 654.

28. Tanzosh, 2008 U.S. Dist. LEXIS 76022 at *17 (quoting Fogel v. Forbes, Inc., 500 F. Supp. 1081, 1087-88 (E.D. Pa. 1980)).

29. Rush, 732 A.2d at 654.

30. Eagle v. Morgan, 2013 U.S. Dist. LEXIS 34220, *20 (E.D. Pa. Mar. 12, 2013).

31. Id.

32. Id. (quoting Restatement (Second) of Torts § 652C).

33. AFL Phila. LLC v. Krause, 639 F. Supp. 2d 512, 530 (E.D. Pa. 2009), quoting Restatement (Second) of Torts § 652C, comment c.

34. Id., at 531.

35. Id.

36. Id.; Rose v. Triple Crown Nutrition, Inc., 2007 U.S. Dist. LEXIS 14785 (M.D. Pa. Mar. 2, 2007); Kelly v. Peerstar, 2020 WL 5077940, at *9 (W.D. Pa. Aug. 26, 2020).

37. Eagle v. Morgan, 2013 U.S. Dist. LEXIS 34220, *20 (E.D. Pa. Mar. 12, 2013); see also World Wrestling Fed. Entm't, Inc. v. Big Dog Holdings, Inc., 280 F. Supp. 2d 413, 443-44 (W.D. Pa. 2003).

38. Eagle, 2013 U.S. Dist. LEXIS 34220 at *20.

39. Id.

40. AFL Phila. LLC v. Krause, 639 F. Supp. 2d 512, 531 (E.D. Pa. 2009).

41. Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018).

42. Id. at 1038-39.

43. Id. at 1046-47.

44. Id. at 1047-48.

45. In re Wawa, Inc. Data Security Litigation, 2021 WL 1818494, at *5 (E.D. Pa. May 6, 2021).

46. Id.

47. Id.

48. Kine v. Security Guards, Inc., 386 F.3d 246, 257 (3d Cir. 2004).

49. Kump v. Nazareth Area Sch. Dist., 425 F. Supp. 2d 622, 633 (E.D. Pa. 2006) (student whose cell phone was confiscated by a teacher, and who alleged that the teacher and assistant principal intercepted and replied to text messages sent to the student's phone, lacked standing to bring a claim under section 5725 because the student had not engaged in a communication and was only the intended recipient of the intercepted communications).

50. Marks v. Bell Tele. Co. of Pa., 331 A.2d 424, 430 n.6 (Pa. 1975).

51. Id.; see also Simmers v. Packer, 36 Pa. D.&C.4th 182, 185 (Pa. Ct. Comm. Pl. 1997).

52. Commonwealth v. Jung, 531 A.2d 498, 503-504 (Pa. Super. Ct. 1987).

53. Popa v. Harriet Carter Gifts, Inc., 544 F. Supp. 3d 535 (W.D. Pa. 2021). On June 23, 2021, the plaintiff filed an appeal of the District Court's decision to the United States Court of Appeals for the Third Circuit.

54. Id. at 6; In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015).

55. Popa v. Harriet Carter Gifts, Inc., 2021 WL 2463304, at *8 (W.D. Pa. 2021).

56. Id.

57. Commonwealth v. Green, 2009 Pa. Dist. & Cnty. Dec. LEXIS 270 (Pa. Ct. Comm. Pl. Oct. 8, 2009), aff'd, 13 A.3d 998 (Pa. Super. Ct. 2010).

58. Aberts v. Verna, 2016 Pa. Dist. & Cnty. Dec. LEXIS 3028 (Pa. Ct. Comm. Pl. June 27, 2016).

59. Com., by Creamer v. Monumental Properties, Inc., 329 A.2d 812, 816 (Pa. 1974).

60. E.g., Bennett v. A.T. Masterpiece Homes at Broadsprings, LLC, 40 A.3d 145, 151-152 (Pa. Super. Ct. 2012) (describing 73 P.S. § 201-2(4)(xxi) as a "catchall" phrase).

61. See Commonwealth of Pennsylvania v. Orbitz Worldwide, LLC, Case No. 191202510 (Pa. Ct. Comm. Pl. Philadelphia Cty. Dec. 13, 2019); Commonwealth of Pennsylvania v. The Neiman Marcus Group, LLC, Case No. 190100160 (Pa. Ct. Comm. Pl. Philadelphia Cty. Jan. 8, 2019); Commonwealth of Pennsylvania v. Target Corp., Case No. 215-MD-2017 (Pa. Commw. Ct. May 23, 2017); see also 73 P.S. § 201-5 (authorizing the Pennsylvania AG to enter into Assurances of Compliance).

62. E.g., Baum v. Keystone Mercy Health Plan, 116 A.3d 682 (Pa. Super. Dec. 9, 2014).

63. Boehm v. Riversource Life Ins. Co., 117 A.3d 308, 336-37 (Pa. Super. Ct. 2014); see also Krebs v. United Refining Co. of Pennsylvania, 893 A.2d 776, 788 (Pa. Super. Ct. 2006), which stated "these cases hold generally that where the General Assembly has departed from the 'American Rule' (where each party is responsible for his or her own attorneys' fees and costs), by providing a fee-shifting remedy in a remedial statute, the trial court's discretionary award or denial of attorneys' fees must be made in a manner consistent with the aims and purposes of that statute."

64. Gregg v. Ameriprise Financial, Inc., 245 A.3d 637, 641 (Pa. 2021).

65. Burger v. Blair Med. Assocs., 964 A.2d 374, 379 (Pa. 2009).

66. Dittman v. UPMC, 196 A.3d 1036, 1047 (Pa. 2018).

67. Id.

68. Spade v. United States, 531 F. Supp. 3d 901 (M.D. Pa. 2021), aff'd sub nom. Spade v. United States Dep't of Just., 2022 WL 444259 (3d Cir. Feb. 14, 2022).

69. 47 U.S.C. § 227, et seq.

70. Gregg v. Ameriprise Financial, Inc., 245 A.3d 637, 641 (Pa. 2021).

71. Id. at 640.

72. Id.