Pennsylvania Consumer Data Privacy Act (HB 1201): What you need to know
Posted: October 10, 2024
The Pennsylvania Consumer Data Privacy Act (HB 1201) was recommitted to the state Senate's committee on 2 July 2024, one of the final stages of the legislative process. If the bill passes the Senate and is signed into law, Pennsylvania will join around 20 other US states that already have a comprehensive privacy law.
Here’s a look at how HB 1201 applies, its key definitions, and the law’s main obligations on controllers.
Application
HB 1201 applies to any company conducting business in Pennsylvania or targeting products or services at Pennsylvania residents that meets one or more of the following thresholds:
- Controls or processes personal data of at least 50,000 Pennsylvania consumers, households, or devices annually.
- Derives 50% or more of its gross revenue from selling Pennsylvania consumers’ personal data.
- Has annual gross revenues exceeding $10 million.
This set of thresholds mirrors the structure of the California Consumer Privacy Act (CCPA): a company with more than $10 million in annual gross revenue is covered regardless of how much personal data it processes. Because California's equivalent revenue threshold is $25 million, the Pennsylvania test reaches a broader range of companies.
Exemptions are provided for:
- State agencies.
- Financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA).
- Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA).
- Nonprofits exempt under certain provisions of the Internal Revenue Code.
- Institutions of higher education.
The law also exempts activities such as:
- Preventing fraud or criminal activity, ensuring system security, and investigating illegal activities.
- Conducting internal research to improve products or services.
- Performing contract obligations, such as fulfilling warranties or providing services requested by the consumer.
- Protecting an individual’s health and safety.
Definitions
HB 1201 provides definitions for key terms, including:
- Personal data: Information linked or reasonably linkable to an identified or identifiable individual, excluding publicly available information and de-identified data.
- Processing: Any operation or set of operations performed on personal data, including collection, storage, disclosure, modification, and deletion.
- Controller: A legal entity that determines the purposes and means of processing personal data.
- Processor: An entity that processes personal data on behalf of a controller.
- Consent: A clear, affirmative act signifying a consumer’s freely given, informed, and unambiguous agreement to the processing of personal data.
The law also defines “sensitive data,” which includes:
- Personal data revealing racial or ethnic origin, religious beliefs, or health conditions.
- Biometric or genetic data used to uniquely identify an individual.
- Personal data collected from a child.
- Precise geolocation data, meaning data that locates an individual within a radius of 1,750 feet.
Selling Personal Data and Targeted Advertising
HB 1201 defines the “sale” of personal data as the disclosure of personal data to a third party for monetary or other valuable consideration. Exceptions include:
- Disclosure to a processor working on behalf of the controller.
- Sharing information with an affiliate or as part of a merger or acquisition.
- Situations where the consumer has made the data public.
Targeted advertising, meaning the display of an advertisement to a consumer based on personal data obtained from that consumer’s activities over time across non-affiliated websites or apps, is also regulated. Ads based on first-party data, or on the context of the consumer’s current search or visit, are not covered by this provision.
Consumer Rights
Under HB 1201, Pennsylvania consumers are granted specific rights regarding their personal data, including the right to:
- Confirm whether a controller is processing their data and obtain access to it.
- Correct inaccuracies in their personal data.
- Request the deletion of personal data collected about them.
- Receive a portable copy of their data.
- Opt out of the sale of their personal data, of targeted advertising, and of profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers must respond to these requests within 45 days, extendable once by a further 45 days. If a request is denied, the consumer has the right to appeal, and the controller must respond to the appeal within 60 days.
Obligations on Controllers
HB 1201 sets out several additional obligations on controllers, including:
- Limiting data collection to what is necessary and relevant for a specified purpose.
- Implementing reasonable security measures to protect personal data.
- Providing clear and accessible mechanisms for consumers to exercise their rights, including the ability to revoke consent as easily as it was given.
- Displaying a clear privacy notice detailing data practices and consumer rights.
Data Protection Assessments
Before engaging in processing activities that pose a heightened risk of harm to consumers, controllers must conduct a data protection assessment.
These assessments must weigh the benefits of the processing to the controller, the consumer and the public against the potential risks to consumers, taking into account factors such as the use of de-identified data and reasonable consumer expectations.
The Pennsylvania Attorney General can require a controller to produce these assessments as part of an investigation; assessments disclosed in this way remain confidential.
Obligations on Processors
Processors are required to assist controllers in complying with the law, including helping to facilitate consumer rights requests and maintaining security measures. Processors must also adhere to binding contracts with controllers that outline the nature and purpose of data processing.
Enforcement
Enforcement of HB 1201 is vested exclusively in the Pennsylvania Attorney General, who may seek civil penalties for violations. The law does not provide a private right of action; violations are treated as “unfair or deceptive acts or practices” under Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.
The law is set to take effect six months after enactment, with certain provisions phasing in over time.