Pennsylvania Consumer Data Privacy Act: First Look & Summary

By: Stefani Schmidt, M.S., CIPM, CIPP-US | Updated on: February 27, 2025

In 2023, lawmakers considered House Bill No. 1201, the Pennsylvania Consumer Data Privacy Act, which described business requirements for processing personal data and would have granted consumers rights regarding their information.

In this guide, learn about Pennsylvania’s proposed but failed data privacy bill, who it would have applied to, and its implications for businesses if it had passed into law.

UPDATE: House Bill No. 1201 did not pass, and Pennsylvania currently does not have a comprehensive state-wide consumer privacy law in place.

Table of Contents
  1. What Was the Pennsylvania Consumer Data Privacy Act (PCDPA)?
  2. What Does the Pennsylvania Consumer Data Privacy Act Cover?
  3. Requirements of the PCDPA
  4. Pennsylvania’s Data Privacy Bill vs. Other State Laws: Similarities and Differences
  5. How Would Consumers Be Impacted by the PCDPA?
  6. How Would Businesses Have Been Impacted by the Pennsylvania Consumer Data Privacy Act?
  7. Who Must Comply With Pennsylvania's Data Privacy Bill?
  8. How Would the PCDPA Be Enforced?
  9. Fines and Penalties Under the Pennsylvania Consumer Data Privacy Act
  10. How Termly Helps With Compliance
  11. Are There Other Privacy Related Laws in Pennsylvania?
  12. Summary

What Was the Pennsylvania Consumer Data Privacy Act (PCDPA)?

The Pennsylvania Consumer Data Privacy Act (PCDPA) was a bill moving through the House of Representatives in Pennsylvania.

It would have become the state’s first comprehensive consumer data protection law, but it did not pass.

It outlined requirements for entities that wanted to collect, process, and use personal information about residents of Pennsylvania, and granted individuals rights and some control over their information.

PCDPA Key Terms and Definitions

To get a better understanding of Pennsylvania’s failed data privacy bill, let’s look at some key terms and definitions exactly as they appeared in the text of the bill:

What Does the Pennsylvania Consumer Data Privacy Act Cover?

The PCDPA would have covered the personal information of residents of the state of Pennsylvania.

It didn’t include anyone in the state acting in an employment or commercial context.

In particular, it also excluded the following when their transactions with a controller occurred solely within their role with a company or other entity:

  • Employees
  • Owners
  • Directors
  • Officers
  • Contractors of a company
  • Partnerships
  • Sole proprietorships
  • Nonprofits
  • Government agencies

Requirements of the PCDPA

Businesses that would have qualified as data controllers under the PCDPA would have been subject to several requirements, which I cover in detail below.

Duties of Data Controllers

Under Section 5 of Pennsylvania’s data privacy bill, controllers would have been instructed to limit the collection of personal data to what is considered reasonably necessary for the purposes of processing disclosed to the consumer.

If a controller wanted to collect additional information that fell outside this scope, it would have needed to obtain consent from the consumer.

Consent would have also been required to process sensitive personal data or information about a known child.

Consent

The PCDPA clearly defined consent in Section 2 of the bill.

It stated it must be a clear, affirmative action from a consumer that they freely give for a specific, unambiguous purpose.

Consent under this bill could include a written statement, including by electronic means.

However, it could not include the acceptance of very general or broad terms or deceptive practices like:

  • Hovering over content
  • Muting something
  • Pausing content
  • Closing a pop-up

Contractual Obligations Between Data Controllers and Processors

According to Section 6 of the PCDPA, controllers and processors would have had to sign specific contracts governing the processor’s activities, which included:

  • Ensuring the processor is subject to a duty of confidentiality regarding the personal data
  • Requiring the processor to delete or return all data at the controller’s direction unless retention is required by law
  • Making all data available to the controller to demonstrate compliance with the bill upon reasonable request
  • Requiring any subcontractors to sign a contract outlining similar obligations
  • Mandating that the processor must allow for and cooperate with reasonable assessments by the controller or designated assessor to ensure processing meets PCDPA standards

Data Protection Assessments

The PCDPA also detailed the requirements for performing data protection assessments in Section 7 of the bill.

It stated that controllers must conduct and document one of these assessments if their processing activities presented a heightened risk of harm to consumers.

The controller would need to identify and weigh the benefits and risks that may impact consumer rights and any safeguards that are in place to mitigate or reduce those risks.

Entities would have been required to factor all of the following into the assessment:

  • The use of de-identified data
  • The consumer’s reasonable expectations
  • The context of the data processing and relationship between controllers and consumers

Universal Opt-Out Mechanisms

If the PCDPA had become law, covered entities would have been required to honor universal opt-out mechanisms (UOOMs) as designated by consumers’ browsers by 2026.

The bill stated that approved UOOM technology, like Global Privacy Control (GPC), needed to meet the following criteria:

  • Not unfairly disadvantage another controller
  • Not make use of a default setting, but instead require the consumer to freely choose to opt out of the processing or sale of their data
  • Be consumer-friendly and easy to use
  • Be consistent with other similar platforms, technologies, or mechanisms
  • Enable the controller to determine whether the consumer is a resident of Pennsylvania

Pennsylvania’s Data Privacy Bill vs. Other State Laws: Similarities and Differences

Pennsylvania’s privacy bill didn’t pass into law, but a number of other state laws are currently in force or will take effect in the near future.

You can compare some of these laws to the PCDPA in the table below.

The comparison covers the following criteria for each law:

  • Opt-in consent for certain types of data processing
  • Opt-out consent for certain types of data processing
  • Must present users with a privacy policy (or notice)
  • Requires data protection assessments
  • Outlines contractual obligations with third-party processors
  • Allows for civil lawsuits or a private right of action
  • Must honor Global Privacy Control/browser privacy settings

Laws compared: PCDPA (bill), CCPA/CPRA, CPA, CTDPA, DPDPA, FDBR, Indiana CDPA, Iowa CDPA, MCDPA, ODPA, TIPA, TDPSA, UCPA, VCDPA

How Would Consumers Be Impacted by the PCDPA?

If the Pennsylvania Consumer Data Privacy Act had passed into law, it would have granted residents of the state certain rights over how their information is processed and used.

Notably, under Section 3 of the bill, consumers would have been able to:

  • Confirm if a controller is processing their data.
  • Correct inaccuracies in their data.
  • Delete their personal data.
  • Obtain a copy of their data in a portable format.
  • Opt out of the processing of data for targeted advertising.
  • Opt out of the sale of their personal data.
  • Opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

They could have acted on these rights by using a secure method established by the controller and described in their privacy notice.

Who Does the PCDPA Apply To?

The PCDPA would have only applied to residents of the state of Pennsylvania acting in a personal or household context.

It would not have applied to anyone in the state acting in a commercial or employment capacity.

How Would Businesses Have Been Impacted by the Pennsylvania Consumer Data Privacy Act?

If the PCDPA had become law, it would have impacted businesses beyond the contractual obligations and data protection assessments we previously covered.

It also described guidelines that would have affected privacy and cookie policies.

How Would the PCDPA Affect My Privacy Policy?

The PCDPA outlined notice requirements that would have impacted the contents of businesses’ privacy policies.

Controllers under this bill would have been required to provide a notice to consumers describing:

  • The categories of personal data processed
  • The purpose of processing the data
  • How consumers can act on their privacy rights and appeal the controller’s decisions
  • Categories of personal data shared with each third party
  • The categories of each third party the controller shares data with
  • An active email address or online mechanisms to contact the controller

In addition, controllers would have been required to disclose whether they planned to sell personal data to a third party or use the information for targeted advertising, and to describe how consumers may opt out.

How Would the PCDPA Affect My Cookie Policy?

The PCDPA would have also affected businesses’ cookie policies if they sold personal data collected through internet cookies or used it for targeted advertising.

Under this bill, consumers would have had the right to opt out of those data processing activities, and controllers would have been required to disclose this information to their consumers.

Who Must Comply With Pennsylvania’s Data Privacy Bill?

If the PCDPA had passed into law, it would have applied to for-profit entities that do business in the state and meet at least one of the following thresholds:

  • Earned a gross annual revenue of $10,000,000 or more
  • Sold or shared for commercial purposes the personal information of at least 50,000 consumers, households, or devices
  • Derived at least 50% of annual revenue from selling personal data

Who Was Exempt From the PCDPA?

The following entities were exempt from the PCDPA, as it was written:

  • Pennsylvania state government subdivisions
  • Nonprofit organizations
  • Institutions of higher education
  • National securities associations
  • Financial institutions
  • Covered entities or business associates

How Would the PCDPA Be Enforced?

According to Section 10 of the PCDPA, the Attorney General would have had the exclusive right to enforce the potential law.

Fines and Penalties Under the Pennsylvania Consumer Data Privacy Act

As written, the PCDPA did not specify a dollar amount or limit for fines.

However, it did clarify that Pennsylvania residents would not have a private right of action.

How Termly Helps With Compliance

Termly offers compliance solutions to help businesses easily meet requirements outlined by the U.S. state-level laws that did pass and are currently in force.

While the PCDPA is no longer being debated, over twenty other states do have laws in place. Termly’s Privacy Policy Generator currently features the necessary clauses and information to help you meet the obligations of these and other data privacy laws from around the globe.


We also provide a Consent Management Platform (CMP) configurable to meet opt-out requirements in over 70 regions globally.


Are There Other Privacy Related Laws in Pennsylvania?

While lawmakers in Pennsylvania are still debating passing a comprehensive data protection law, other related pieces of privacy legislation exist in the state, like the:

  • Pennsylvania Breach of Personal Information Notification Act: Requires entities to notify consumers if their data is breached or accessed by an unauthorized person.
  • Right to Know Law (RTKL): Grants residents the right to access certain documents held by state or local government agencies, which is intended to promote transparency.

Summary

The PCDPA is now just a failed data privacy bill, but we’ll keep watching to see if any other relevant laws move through the Pennsylvania state government.

Several other U.S. state-level privacy laws are currently in force, and most of them impact businesses’ privacy and cookie policies and consent management.

Solutions like Termly help make complying with current and future laws quick, easy, and seamless.


Written by Stefani Schmidt, M.S., CIPM, CIPP-US

Stefani is a data privacy, risk, compliance, and program management professional with experience in the communications, financial, and adtech industries. Stefani’s previous experience includes working closely with stakeholders from different departments to push forward privacy initiatives across corporations, including working on privacy and security reviews of new business initiatives and vendors. Stefani has an M.S. in Security Technologies from the University of Minnesota – Twin Cities and a B.A. in Journalism and Political Science.