Could Pennsylvania be the latest state to pass a comprehensive consumer data privacy law?
Lawmakers are considering House Bill No. 1201 — the Pennsylvania Consumer Data Privacy Act — which describes business requirements for processing personal data and grants consumers rights regarding their information.
In this guide, learn about Pennsylvania’s data privacy bill, who it might apply to, and its implications on businesses if it passes into law.
- What Is the Pennsylvania Consumer Data Privacy Act (PCDPA)?
- PCDPA Key Terms and Definitions
- What Does the Pennsylvania Consumer Data Privacy Act Cover?
- Requirements of the PCDPA
- Pennsylvania’s Data Privacy Bill vs. Other State Laws: Similarities and Differences
- How Will Consumers Be Impacted by the PCDPA?
- How Will Businesses Be Impacted by the Pennsylvania Consumer Data Privacy Act?
- Who Must Comply With Pennsylvania's Data Privacy Bill?
- How Can Businesses Prepare for the PCDPA?
- How Would the PCDPA Be Enforced?
- Fines and Penalties Under the Pennsylvania Consumer Data Privacy Act
- How Will Termly Help With PCDPA Compliance?
- Are There Other Privacy Related Laws in Pennsylvania?
- Summary
What Is the Pennsylvania Consumer Data Privacy Act (PCDPA)?
The Pennsylvania Consumer Data Privacy Act (PCDPA) is currently a bill moving through the House of Representatives in Pennsylvania.
If passed, it would become the state’s first comprehensive consumer data protection law.
The law outlines requirements for entities who want to collect, process, and use personal information about residents of Pennsylvania.
Additionally, it grants individuals rights and some control over how their information gets used.
Will the Pennsylvania Consumer Data Privacy Act Become a Law?
While the PCDPA won’t become a law before the end of 2023, this bill gives good insight into what a future data privacy law might look like in the state.
As currently written, Section 12 of the bill doesn’t list a potential effective date but instead says it would be “effective immediately.”
The PCDPA is currently up against a similar bill, the Pennsylvania Consumer Data Protection Act (House Bill 708), which varies slightly in scope and scale.
PCDPA Key Terms and Definitions
To get a better understanding of the expectations of Pennsylvania’s data privacy bill, let’s look at some key terms and definitions exactly as they appear in the text of the potential law:
What Does the Pennsylvania Consumer Data Privacy Act Cover?
The PCDPA would cover the personal information of residents of the state of Pennsylvania.
It does not include anyone in the state acting in an employment or commercial context.
In particular, if transactions with a controller occur solely within a person’s role with a company or other entity, it also excludes:
- Employees
- Owners
- Directors
- Officers
- Contractors of a company
- Partnerships
- Sole proprietorships
- Nonprofits
- Government agencies
Requirements of the PCDPA
Businesses that qualify as data controllers under the PCDPA must follow several requirements, which I cover in detail in the following section.
Duties of Data Controllers
Under Section 5 of Pennsylvania’s data privacy bill, controllers must limit the collection of personal data to what is considered reasonably necessary for the purposes of processing disclosed to the consumer.
If a controller wants to collect additional information that falls outside this scope, they must obtain consent from the consumer.
Consent is also required to process sensitive personal data or information about a known child.
Consent
The PCDPA clearly defines consent in Section 2 of the bill.
It must be a clear, affirmative action from a consumer that they freely give for a specific, unambiguous purpose.
Consent may include a written statement, including by electronic means.
However, it cannot include the acceptance of very general or broad terms or deceptive practices like:
- Hovering over content
- Muting something
- Pausing content
- Closing a pop-up
Contractual Obligations Between Data Controllers and Processors
According to Section 6 of the PCDPA, controllers and processors must sign specific contracts governing the processor’s activities, which include:
- Ensuring the processor is subject to a duty of confidentiality regarding the personal data
- Requiring the processor to delete or return all data at the controller’s direction unless retention is required by law
- Making all data available to the controller to demonstrate compliance with the bill upon reasonable request
- Requiring any subcontractors to sign a contract outlining similar obligations
- Mandating that the processor must allow for and cooperate with reasonable assessments by the controller or designated assessor to ensure processing meets PCDPA standards
Data Protection Assessments
The PCDPA also details the requirements for performing data protection assessments in Section 7 of the bill.
It states that controllers must conduct and document one of these assessments if their processing activities present a heightened risk of harm to consumers.
The controller must identify and weigh the benefits and risks that may impact consumer rights and any safeguards that are in place to mitigate or reduce those risks.
Entities must factor all of the following into the assessment:
- The use of de-identified data
- The consumer’s reasonable expectations
- The context of the data processing and relationship between controllers and consumers
If the controller must perform a data processing assessment to comply with another law with similar guidelines to the PCDPA, they can use the same assessment to meet this requirement.
Universal Opt-Out Mechanisms
If the PCDPA becomes a law, covered entities would be required to honor universal opt-out mechanisms (UooMs) as designated by consumers’ browsers by Jan. 1, 2026.
The bill states that approved UooM technology, like Global Privacy Control (GPC), must meet the following criteria:
- Not unfairly disadvantage another controller
- Not make use of a default setting, but instead require the consumer to freely choose to opt out of the processing or sale of their data.
- Be consumer-friendly and easy to use
- Be consistent with other similar platforms, technologies, or mechanisms.
- Enable the controller to determine if the consumer is a resident of Pennsylvania or not.
Pennsylvania’s Data Privacy Bill vs. Other State Laws: Similarities and Differences
Pennsylvania’s privacy bill is very similar to several state laws that have passed or recently entered into force, including the following:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
- Florida Digital Bill of Rights (FDPR) — effective July 1, 2024
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
- Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective Jul. 1, 2024
- Texas Data Privacy And Security Act (TDPSA) — effective Jul. 1, 2024
- Utah Consumer Privacy Act (UCPA) — effective Dec. 31, 2023
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
Compare these laws to the PCDPA in the table below.
State Law | Opt-in consent for certain types of data processing | Opt-out consent for certain types of data processing | Must present users with a privacy policy (or notice) | Requires Data Protection Assessments | Outlines Contractual Obligation with Third-Party Processors | Allows for civil lawsuits or private right of action | Must honor Global Privacy Controls/browser privacy settings |
PCDPA (bill)
|
✓ | ✓ | ✓ | ✓ | ✓ | ||
CCPA/CPRA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
CPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
CTDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
DPDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
FDBR | ✓ | ✓ | ✓ | ✓ | |||
Indiana CDPA | ✓ | ✓ | ✓ | ✓ | |||
Iowa CDPA | ✓ | ✓ | ✓ | ||||
MCDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
ODPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
TIPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
TDPSA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
UCPA | ✓ | ✓ | ✓ | ||||
VCDPA | ✓ | ✓ | ✓ | ✓ |
How Will Consumers Be Impacted by the PCDPA?
If the Pennsylvania Consumer Data Privacy Act passes into law, it would grant residents of the states certain rights over how their information gets processed and used.
Notably, under Section 3 of the bill, consumers would be able to:
- Confirm if a controller is processing their data.
- Correct inaccuracies in their data.
- Delete their personal data.
- Obtain a copy of their data in a portable format.
- Opt-out of the processing of data for target advertising.
- Opt-out of the sale of their personal data.
- Opt-out of profiling in the furtherance of solely automated decisions that produce legal or similarly significant effects.
They can act on these rights by using a secure method established by the controller and described in their privacy notice.
Who Does the PCDPA Apply To?
The PCDPA only applies to residents of the state of Pennsylvania acting in a personal or household context.
It does not apply to anyone in the state acting in a commercial or employment capacity.
How Will Businesses Be Impacted by the Pennsylvania Consumer Data Privacy Act?
If the PCDPA becomes a law, it will impact businesses beyond the contractual obligations and data impact assessments we previously covered.
It also describes guidelines that might affect your privacy and cookie policies.
How Will the PCDPA Affect My Privacy Policy?
The PCDPA outlines notice requirements that may impact the contents of your privacy policy.
Controllers under this bill must provide a notice to consumers describing:
- The categories of personal data processed
- The purpose of processing the data
- How consumers can act on their privacy rights and appeal the controller’s decisions
- Categories of personal data shared with each third party
- The categories of each third party the controller shares data with
- An active email address or online mechanisms to contact the controller
In addition, controllers must disclose if they plan to sell personal data to a third party or use the information for targeted advertising and describe how consumers may opt out.
How Will the PCDPA Affect My Cookie Policy?
The PCDPA may affect your cookie policy if you sell personal data collected through internet cookies or use them for targeted advertising.
Under this bill, consumers have the right to opt out of those data processing activities, and controllers must disclose this information to their consumers.
So, you’d need to update your cookie policy to meet these obligations outlined by the PCDPA.
Who Must Comply With Pennsylvania’s Data Privacy Bill?
Your business would need to comply with the potential law if you’re a for-profit entity that does business in the state and meets one of the following standards:
- Earns a gross annual revenue of $10,000,000 or more
- Sells or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices
- Derives at least 50% of your annual revenue from selling personal data
Who Is Exempt From the PCDPA?
The following entities are exempt from the PCDPA, as it’s currently written:
- Pennsylvania state government subdivisions
- Nonprofit organizations
- Institutions of higher education
- National securities associations
- Financial institutions
- Covered entity or business associate
How Can Businesses Prepare for the PCDPA?
To prepare for the possible Pennsylvania law, businesses should update their privacy policy to meet all notification obligations outlined by the law.
Additionally, they must provide a disclosure and mechanism for users to easily opt out of certain data processing activities, including targeted advertising.
Data controllers and processors should also use and sign contracts that meet the requirements described in Section 6 of the bill.
How Would the PCDPA Be Enforced?
According to Section 10 of the PCDPA, the Attorney General has the exclusive right to enforce the potential law.
A 60-day cure period would exist for entities who violate the PCDPA until December 31, 2025.
After January 1, 2026, the Attorney General would decide if an entity gets a cure period on a case-by-case basis.
Fines and Penalties Under the Pennsylvania Consumer Data Privacy Act
The current version of the PCDPA does not describe a dollar amount or limit regarding fines under the bill.
However, it does clarify that Pennsylvania residents do not have a private right of action.
How Will Termly Help With PCDPA Compliance?
Termly offers compliance solutions to help businesses easily meet requirements outlined by data privacy laws like the PCDPA.
Our Privacy Policy Generator currently features the necessary clauses and information to help you meet the obligations of 15 data privacy laws from around the globe.
We regularly update it to account for new and changing laws with the help of our legal team and data privacy experts.
See what it looks like in the screenshot below.
We also provide a Consent Management Platform (CMP) configurable to meet opt-out requirements described by laws like the Pennsylvania Consumer Data Privacy Act.
Check it out in the screenshot below.
Are There Other Privacy Related Laws in Pennsylvania?
While lawmakers in Pennsylvania are still debating passing a comprehensive data protection law, other related pieces of privacy legislation exist in the state, like the:
- Pennsylvania Breach of Personal Information Notification Act: Requires entities to notify consumers if their data is breached or accessed by an unauthorized person.
- Right to Know Law (RTKL): Grants residents the right to access certain documents held by state or local government agencies, which is intended to promote transparency.
The Future of Data Privacy in the US
The U.S. saw a lot of state-level activity regarding data privacy laws and bills over the past year, but is the country getting ready to pass a federal law anytime soon?
In 2022, the American Data Privacy and Protection Act (ADPPA) made it further through the federal government than any other proposed data privacy bill had thus far.
But despite its apparent bipartisan support, it hasn’t moved further or come up for debate.
Summary
While the PCDPA is only a bill, if it passes into law, affected businesses should plan to:
- Update their privacy policy and cookie policy
- Provide a means for consumers to opt out of certain types of data processing activities
- Honor universal opt-out mechanisms by January 1, 2026
- Use specific contracts with any data processors
- Perform data impact assessments as necessary if processing any higher-risk data
The PCDPA is generally similar to other U.S. laws already in force, which may make compliance easier for businesses under legislation like the CTDPA or the CPA.
In the meantime, Termly will keep watching this bill as it moves through the Pennsylvania government and provide updates if and when anything changes.