Pennsylvania Consumer Data Privacy Act: First Look & Summary

Could Pennsylvania be the latest state to pass a comprehensive consumer data privacy law?

Lawmakers are considering House Bill No. 1201 — the Pennsylvania Consumer Data Privacy Act — which describes business requirements for processing personal data and grants consumers rights regarding their information.

In this guide, learn about Pennsylvania’s data privacy bill, who it might apply to, and its implications on businesses if it passes into law.

Table of Contents

What Is the Pennsylvania Consumer Data Privacy Act (PCDPA)?
PCDPA Key Terms and Definitions
What Does the Pennsylvania Consumer Data Privacy Act Cover?
Requirements of the PCDPA
Pennsylvania’s Data Privacy Bill vs. Other State Laws: Similarities and Differences
How Will Consumers Be Impacted by the PCDPA?
How Will Businesses Be Impacted by the Pennsylvania Consumer Data Privacy Act?
Who Must Comply With Pennsylvania's Data Privacy Bill?
How Can Businesses Prepare for the PCDPA?
How Would the PCDPA Be Enforced?
Fines and Penalties Under the Pennsylvania Consumer Data Privacy Act
How Will Termly Help With PCDPA Compliance?
Are There Other Privacy Related Laws in Pennsylvania?
Summary

What Is the Pennsylvania Consumer Data Privacy Act (PCDPA)?

The Pennsylvania Consumer Data Privacy Act (PCDPA) is currently a bill moving through the House of Representatives in Pennsylvania.

If passed, it would become the state’s first comprehensive consumer data protection law.

The law outlines requirements for entities who want to collect, process, and use personal information about residents of Pennsylvania.

Additionally, it grants individuals rights and some control over how their information gets used.

Will the Pennsylvania Consumer Data Privacy Act Become a Law?

While the PCDPA won’t become a law before the end of 2023, this bill gives good insight into what a future data privacy law might look like in the state.

As currently written, Section 12 of the bill doesn’t list a potential effective date but instead says it would be “effective immediately.”

The PCDPA is currently up against a similar bill, the Pennsylvania Consumer Data Protection Act (House Bill 708), which varies slightly in scope and scale.

PCDPA Key Terms and Definitions

To get a better understanding of the expectations of Pennsylvania’s data privacy bill, let’s look at some key terms and definitions exactly as they appear in the text of the potential law:

Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term includes a written statement, including by electronic means or any other unambiguous affirmative action specified in this definition.
- The term does not include acceptance of general or broad terms of use or a similar document that contains descriptions of personal data processing along with other unrelated information, hovering over, muting, pausing, or closing a given piece of content, or an agreement obtained through the use of dark patterns.
Consumer: An individual who is a resident of this Commonwealth. The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with a controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency.
Controller: A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that meets all of the following criteria:
- (i) Is organized or operated for the profit or financial benefit of its shareholders or other owners.
- (ii) Collects consumers’ personal information or on behalf of which consumers’ personal information is collected, and that, alone or jointly with others, determines the purposes and means of the processing of consumers’ personal information.
- (iii) Does business in this Commonwealth.
- (iv) Satisfies any of the following thresholds:
  - (A) Has annual gross revenues in excess of $10,000,000.
  - (B) Alone or in combination, annually buys or receives, sells or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households or devices.
  - (C) Derives at least 50% of annual revenues from selling consumers’ personal information. (2) An entity that controls a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity under paragraph (1) and shares common branding with the sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity.
Personal data: Information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household, including any of the following:
- (i) An identifier, including a real name, alias, postal address, unique personal identifier, online identifier, including an Internet website protocol address, email address or account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- (ii) Characteristics of protected classifications under Federal or State law.
- (iii) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- (iv) Biometric data.
- (v) Internet or other electronic network activity information, including browser history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
- (vi) Precise geolocation data.
- (vii) Audio, electronic, visual, thermal, olfactory, or similar information.
- (viii) Professional or employment-related information.
- (ix) Education information that is not publicly available personally identifiable information under 20 U.S.C. § 1232g (relating to family educational and privacy rights).
- (x) An inference drawn from any of the information identified under this definition to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities, or aptitudes.
- The term does not include publicly available information.
Process/Processing: Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, including the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Processor: An individual who, or legal entity that, processes personal data on behalf of a controller.
Sensitive data: Personal data that includes data revealing any of the following:
- (1) A racial or ethnic origin.
- (2) Religious beliefs.
- (3) Mental or physical health condition or diagnosis.
- (4) Sex life or sexual orientation.
- (5) Citizenship or immigration status.
- (6) The processing of genetic or biometric data for the purpose of uniquely identifying an individual.
- (7) Personal data collected from a known child.
- (8) Precise geolocation data.

What Does the Pennsylvania Consumer Data Privacy Act Cover?

The PCDPA would cover the personal information of residents of the state of Pennsylvania.

It does not include anyone in the state acting in an employment or commercial context.

In particular, if transactions with a controller occur solely within a person’s role with a company or other entity, it also excludes:

Employees
Owners
Directors
Officers
Contractors of a company
Partnerships
Sole proprietorships
Nonprofits
Government agencies

Requirements of the PCDPA

Businesses that qualify as data controllers under the PCDPA must follow several requirements, which I cover in detail in the following section.

Duties of Data Controllers

Under Section 5 of Pennsylvania’s data privacy bill, controllers must limit the collection of personal data to what is considered reasonably necessary for the purposes of processing disclosed to the consumer.

If a controller wants to collect additional information that falls outside this scope, they must obtain consent from the consumer.

Consent is also required to process sensitive personal data or information about a known child.

Consent

The PCDPA clearly defines consent in Section 2 of the bill.

It must be a clear, affirmative action from a consumer that they freely give for a specific, unambiguous purpose.

Consent may include a written statement, including by electronic means.

However, it cannot include the acceptance of very general or broad terms or deceptive practices like:

Hovering over content
Muting something
Pausing content
Closing a pop-up

Contractual Obligations Between Data Controllers and Processors

According to Section 6 of the PCDPA, controllers and processors must sign specific contracts governing the processor’s activities, which include:

Ensuring the processor is subject to a duty of confidentiality regarding the personal data
Requiring the processor to delete or return all data at the controller’s direction unless retention is required by law
Making all data available to the controller to demonstrate compliance with the bill upon reasonable request
Requiring any subcontractors to sign a contract outlining similar obligations
Mandating that the processor must allow for and cooperate with reasonable assessments by the controller or designated assessor to ensure processing meets PCDPA standards

Data Protection Assessments

The PCDPA also details the requirements for performing data protection assessments in Section 7 of the bill.

It states that controllers must conduct and document one of these assessments if their processing activities present a heightened risk of harm to consumers.

The controller must identify and weigh the benefits and risks that may impact consumer rights and any safeguards that are in place to mitigate or reduce those risks.

Entities must factor all of the following into the assessment:

The use of de-identified data
The consumer’s reasonable expectations
The context of the data processing and relationship between controllers and consumers

If the controller must perform a data processing assessment to comply with another law with similar guidelines to the PCDPA, they can use the same assessment to meet this requirement.

Universal Opt-Out Mechanisms

If the PCDPA becomes a law, covered entities would be required to honor universal opt-out mechanisms (UooMs) as designated by consumers’ browsers by Jan. 1, 2026.

The bill states that approved UooM technology, like Global Privacy Control (GPC), must meet the following criteria:

Not unfairly disadvantage another controller
Not make use of a default setting, but instead require the consumer to freely choose to opt out of the processing or sale of their data.
Be consumer-friendly and easy to use
Be consistent with other similar platforms, technologies, or mechanisms.
Enable the controller to determine if the consumer is a resident of Pennsylvania or not.

Pennsylvania’s Data Privacy Bill vs. Other State Laws: Similarities and Differences

Pennsylvania’s privacy bill is very similar to several state laws that have passed or recently entered into force, including the following:

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
Colorado Privacy Act (CPA) — currently in force
Connecticut Data Privacy Act (CTDPA) — currently in force
Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
Florida Digital Bill of Rights (FDPR) — effective July 1, 2024
Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
Tennessee Information Protection Act (TIPA) — effective Jul. 1, 2024
Texas Data Privacy And Security Act (TDPSA) — effective Jul. 1, 2024
Utah Consumer Privacy Act (UCPA) — effective Dec. 31, 2023
Virginia Consumer Data Protection Act (VCDPA) — currently in force

Compare these laws to the PCDPA in the table below.

State Law	Opt-in consent for certain types of data processing	Opt-out consent for certain types of data processing	Must present users with a privacy policy (or notice)	Requires Data Protection Assessments	Outlines Contractual Obligation with Third-Party Processors	Allows for civil lawsuits or private right of action	Must honor Global Privacy Controls/browser privacy settings
PCDPA (bill)		✓	✓	✓	✓		✓
CCPA/CPRA	✓	✓	✓	✓	✓	✓	✓
CPA		✓	✓	✓	✓		✓
CTDPA		✓	✓	✓	✓		✓
DPDPA	✓	✓	✓	✓	✓		✓
FDBR		✓	✓	✓	✓
Indiana CDPA		✓	✓	✓	✓
Iowa CDPA		✓	✓		✓
MCDPA		✓	✓	✓	✓		✓
ODPA		✓	✓	✓	✓		✓
TIPA	✓	✓	✓	✓	✓
TDPSA		✓	✓	✓	✓		✓
UCPA		✓	✓		✓
VCDPA		✓	✓	✓	✓

How Will Consumers Be Impacted by the PCDPA?

If the Pennsylvania Consumer Data Privacy Act passes into law, it would grant residents of the states certain rights over how their information gets processed and used.

Notably, under Section 3 of the bill, consumers would be able to:

Confirm if a controller is processing their data.
Correct inaccuracies in their data.
Delete their personal data.
Obtain a copy of their data in a portable format.
Opt-out of the processing of data for target advertising.
Opt-out of the sale of their personal data.
Opt-out of profiling in the furtherance of solely automated decisions that produce legal or similarly significant effects.

They can act on these rights by using a secure method established by the controller and described in their privacy notice.

Who Does the PCDPA Apply To?

The PCDPA only applies to residents of the state of Pennsylvania acting in a personal or household context.

It does not apply to anyone in the state acting in a commercial or employment capacity.

How Will Businesses Be Impacted by the Pennsylvania Consumer Data Privacy Act?

If the PCDPA becomes a law, it will impact businesses beyond the contractual obligations and data impact assessments we previously covered.

It also describes guidelines that might affect your privacy and cookie policies.

How Will the PCDPA Affect My Privacy Policy?

The PCDPA outlines notice requirements that may impact the contents of your privacy policy.

Controllers under this bill must provide a notice to consumers describing:

The categories of personal data processed
The purpose of processing the data
How consumers can act on their privacy rights and appeal the controller’s decisions
Categories of personal data shared with each third party
The categories of each third party the controller shares data with
An active email address or online mechanisms to contact the controller

In addition, controllers must disclose if they plan to sell personal data to a third party or use the information for targeted advertising and describe how consumers may opt out.

How Will the PCDPA Affect My Cookie Policy?

The PCDPA may affect your cookie policy if you sell personal data collected through internet cookies or use them for targeted advertising.

Under this bill, consumers have the right to opt out of those data processing activities, and controllers must disclose this information to their consumers.

So, you’d need to update your cookie policy to meet these obligations outlined by the PCDPA.

Who Must Comply With Pennsylvania’s Data Privacy Bill?

Your business would need to comply with the potential law if you’re a for-profit entity that does business in the state and meets one of the following standards:

Earns a gross annual revenue of $10,000,000 or more
Sells or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices
Derives at least 50% of your annual revenue from selling personal data

Who Is Exempt From the PCDPA?

The following entities are exempt from the PCDPA, as it’s currently written:

Pennsylvania state government subdivisions
Nonprofit organizations
Institutions of higher education
National securities associations
Financial institutions
Covered entity or business associate

How Can Businesses Prepare for the PCDPA?

To prepare for the possible Pennsylvania law, businesses should update their privacy policy to meet all notification obligations outlined by the law.

Additionally, they must provide a disclosure and mechanism for users to easily opt out of certain data processing activities, including targeted advertising.

Data controllers and processors should also use and sign contracts that meet the requirements described in Section 6 of the bill.

How Would the PCDPA Be Enforced?

According to Section 10 of the PCDPA, the Attorney General has the exclusive right to enforce the potential law.

A 60-day cure period would exist for entities who violate the PCDPA until December 31, 2025.

After January 1, 2026, the Attorney General would decide if an entity gets a cure period on a case-by-case basis.

Fines and Penalties Under the Pennsylvania Consumer Data Privacy Act

The current version of the PCDPA does not describe a dollar amount or limit regarding fines under the bill.

However, it does clarify that Pennsylvania residents do not have a private right of action.

How Will Termly Help With PCDPA Compliance?

Termly offers compliance solutions to help businesses easily meet requirements outlined by data privacy laws like the PCDPA.

Our Privacy Policy Generator currently features the necessary clauses and information to help you meet the obligations of 15 data privacy laws from around the globe.

We regularly update it to account for new and changing laws with the help of our legal team and data privacy experts.

See what it looks like in the screenshot below.

Termly-Privacy-Policy-Generator

Generate a Free Privacy Policy

We also provide a Consent Management Platform (CMP) configurable to meet opt-out requirements described by laws like the Pennsylvania Consumer Data Privacy Act.

Check it out in the screenshot below.

Termly-Consent-Management-Platform

While lawmakers in Pennsylvania are still debating passing a comprehensive data protection law, other related pieces of privacy legislation exist in the state, like the:

Pennsylvania Breach of Personal Information Notification Act: Requires entities to notify consumers if their data is breached or accessed by an unauthorized person.
Right to Know Law (RTKL): Grants residents the right to access certain documents held by state or local government agencies, which is intended to promote transparency.

The Future of Data Privacy in the US

The U.S. saw a lot of state-level activity regarding data privacy laws and bills over the past year, but is the country getting ready to pass a federal law anytime soon?

In 2022, the American Data Privacy and Protection Act (ADPPA) made it further through the federal government than any other proposed data privacy bill had thus far.

But despite its apparent bipartisan support, it hasn’t moved further or come up for debate.

Summary

While the PCDPA is only a bill, if it passes into law, affected businesses should plan to:

Update their privacy policy and cookie policy
Provide a means for consumers to opt out of certain types of data processing activities
Honor universal opt-out mechanisms by January 1, 2026
Use specific contracts with any data processors
Perform data impact assessments as necessary if processing any higher-risk data

The PCDPA is generally similar to other U.S. laws already in force, which may make compliance easier for businesses under legislation like the CTDPA or the CPA.

In the meantime, Termly will keep watching this bill as it moves through the Pennsylvania government and provide updates if and when anything changes.

More about the author

Written by Stefani Schmidt, M.S., CIPM, CIPP-US

Stefani is a data privacy, risk, compliance, and program management professional with experience in the communications, financial, and adtech industries. Stefani’s previous experience includes working closely with stakeholders from different departments to push forward privacy initiatives across corporations, including working on privacy and security reviews of new business initiatives and vendors. Stefani has an M.S. in Security Technologies from the University of Minnesota – Twin Cities and a B.A. in Journalism and Political Science. More about the author

New Jersey Data Privacy Act: First Look & Summary

What Is the IAB’s Global Privacy Platform (IAB GPP)?

American Privacy Rights Act (APRA): First Look & Summary

109 Biggest Data Breaches, Hacks, and Exposures as of 2024

New Zealand Data Privacy Act 2020 Explained

Cookie Walls: Are They GDPR Compliant?

Personal vs. Sensitive Personal Information

Privacy Policy for Hotel Websites

Privacy Policy for Gym Websites