
Lawmakers are currently reviewing House Bill No. 1201, also known as the Pennsylvania Consumer Data Privacy Act (PCDPA). Introduced on May 19, 2023, this bill will take effect immediately if approved. It is part of Pennsylvania’s efforts to regulate how businesses handle personal data and give consumers more control over their information. If passed, it will become Pennsylvania’s main data protection law, similar to those in other states like California and Virginia.

In this article, we will explore details of the PCDPA, including who it applies to, compliance requirements, and its impact on businesses and consumers.


PCDPA Overview

Pennsylvania is currently considering two privacy bills: the Pennsylvania Consumer Data Privacy Act (PCDPA) (House Bill 1201) and the Pennsylvania Consumer Data Protection Act (House Bill 708). The PCDPA, introduced on May 19, 2023, would take effect immediately upon passing. The PCDPA is the first law of its kind in Pennsylvania, currently progressing through the state’s legislative process. It has recently advanced from the House of Representatives to the Senate for further review. While not yet finalized, the bill aims to safeguard consumer data by granting individuals specific rights and imposing obligations on businesses regarding data collection and usage limitations. 

If enacted, the PCDPA would empower the Attorney General (AG) to enforce compliance and penalize violators. Once approved, it would serve as Pennsylvania’s inaugural and comprehensive consumer data protection law, effective immediately upon passage.

Recent Developments

On December 13, 2023, the bill was amended for clarity regarding the definition of a controller and referred back to the Committee of Appropriations. It passed the House on March 18, 2024, and is currently under review by the Senate Communications and Technology Committee. These developments highlight the dynamic nature of data privacy legislation in Pennsylvania, aiming to address concerns while ensuring clarity and effectiveness in regulation.

Key Terms & Definitions

Understanding Pennsylvania’s data privacy bill requires clarity on essential terms:

  • Consent: Signifies a consumer’s clear agreement for personal data processing, given freely, specifically, and informedly. It includes written or electronic statements but excludes broad terms or actions induced by deceptive practices.
  • Consumer: Refers to Pennsylvania residents, excluding those in commercial or employment contexts.
  • Controller: Entities determining personal data processing purposes and means, meeting specified criteria like profit orientation, data collection, and business presence in Pennsylvania.
  • Personal data: Information identifying or linked to a consumer, encompassing identifiers, characteristics, biometric data, and more. It excludes publicly available data.
  • Process/Processing: Operations on personal data, including collection, storage, and modification, whether manual or automated.
  • Processor: Individuals or entities processing personal data on a controller’s behalf.
  • Sensitive data: Includes personal data revealing racial or ethnic origin, health conditions, or other sensitive aspects.

These definitions are integral to understanding and complying with the PCDPA’s provisions, safeguarding consumer privacy in Pennsylvania.

Who Does the PCDPA Apply To?

This legislation pertains to legal entities operating in Pennsylvania and dictating how consumer personal information is processed. It applies to entities meeting any of the following criteria:

  1. Annual gross revenue exceeding $10 million.
  2. Acquisition of personal information from at least 50,000 consumers for commercial purposes.
  3. Derivation of at least 50% of annual revenue from selling consumer personal information.

Moreover, the law extends to entities controlling other legal bodies meeting these standards. Personal data under the PCDPA includes any information reasonably linked to an identifiable individual, excluding publicly available or mathematically transformed data. The scope of the PCDPA encompasses the personal information of Pennsylvania residents, excluding those engaged in employment or commercial activities.

Specifically, it exempts individuals involved in transactions with a controller solely within their organizational roles, such as employees, owners, directors, officers, contractors, partnerships, sole proprietorships, nonprofits, and government agencies.

Exemptions

Certain entities are exempt from the provisions of the PCDPA as currently written. These exemptions include the following:

  1. Pennsylvania government and subdivisions,
  2. Higher education institutions,
  3. Nonprofits,
  4. Registered National Securities Associations,
  5. Financial institutions under specific regulations,
  6. Covered entities or business associates,
  7. Protected health information governed by HIPAA.

PCDPA’s Impact

On Consumers

If PCDPA is enacted, it will grant consumers in the Commonwealth several new rights regarding their personal data. Under Section 3 of the PCDPA, consumers will have the right to:

  • Confirm whether a controller is processing their personal data.
  • Rectify errors in their data, considering its nature and processing purposes.
  • Erase their data, whether collected directly or from other sources.
  • Receive a copy of their data in a portable, easy-to-use format for seamless transfer to another controller.
  • Opt out of targeted advertising and the sale of their personal data.
  • Opt out of automated decision-making processes that significantly affect their legal rights, such as those related to finance, housing, education, employment, criminal justice, healthcare, or access to essentials.

To exercise these rights, the PCDPA mandates that controllers establish a secure and reliable method within their Privacy Policy. Additionally, parents or legal guardians can act on behalf of children to enforce these rights.

On Businesses

Businesses subject to PCDPA would need to adhere to various data privacy obligations if the legislation passes. These requirements include the following:

  • Maintaining a transparent Privacy Policy;
  • Conducting data protection assessments; and
  • Appropriately addressing consumer inquiries and requests.

On Privacy Policy

The PCDPA introduces notice requirements that could impact the content of your privacy policy. Under this law, controllers are obligated to provide consumers with a notice detailing:

    • The types of personal data being processed
    • The purposes for processing this data
    • Procedures for consumers to exercise their privacy rights and challenge the controller’s decisions
    • Categories of personal data shared with third parties
    • The types of third parties with whom the controller shares data
    • An active email address or online means to contact the controller

Additionally, controllers must disclose any intention to sell personal data to third parties or use it for targeted advertising, along with an explanation of how consumers can opt out.

PCDPA Compliance & Preparation

If PCDPA becomes law, you’ll need to follow certain steps to make sure your business complies with its requirements.

1. Update Your Privacy Policy
Review and update your Privacy Policy to include specific details required by the PCDPA. This means clearly stating:

  • What personal data you collect and why.
  • How consumers can exercise their rights regarding their data.
  • Who you share personal data with and why.
  • How consumers can contact you with privacy concerns.

2. Handle Consumer Requests
Under the PCDPA, you’ll need to respond to consumer requests within 45 days. If you need more time for complex requests, you must inform the consumer within the initial 45-day period. Consumers have the right to access their data once per year at no cost.

3. Data Protection Assessments
Starting July 1, 2024, you’ll need to conduct and document assessments for high-risk data processing activities. Consider factors like whether the data is anonymous, consumer expectations, and your relationship with consumers.

4. Establish Data Processing Contracts
Maintain contracts with any third parties processing personal data on your behalf. These contracts, also known as processing agreements, should outline responsibilities such as data confidentiality and cooperation with assessments.

5. Respect Universal Opt-Out Mechanisms
From January 1, 2026, you must honor universal opt-out signals like Global Privacy Control (GPC). Ensure these mechanisms are easy to use and consistent with PCDPA standards.
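Honoring a universal opt-out signal in practice means checking every incoming request for it before any sale or targeted-advertising processing runs. The following is an added illustration (not code from the article or from GetTerms) of how a server might recognize the Global Privacy Control signal, which browsers send as the `Sec-GPC` request header with the value `1`; the purpose names and the sample requests are constructed for the example.

```python
"""Recognize a Global Privacy Control (GPC) opt-out signal on an HTTP request."""
from __future__ import annotations
from dataclasses import dataclass

# Header defined by the GPC specification; only the exact value "1" asserts an opt-out.
GPC_HEADER = "sec-gpc"

# Processing the article says the signal must switch off. The purpose names are
# illustrative labels chosen for this example, not terms defined in the bill.
GPC_COVERED_PURPOSES = ("sale_of_personal_data", "targeted_advertising")


@dataclass
class OptOutDecision:
    gpc_present: bool
    suppressed_purposes: tuple[str, ...]
    reason: str


def parse_gpc(headers: dict[str, str]) -> bool:
    """Return True only when the request carries a valid GPC signal.

    Header names are matched case-insensitively. Any value other than the single
    character "1" (for example "0" or "true") is treated as no signal at all.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value == "1"
    return False


def decide_opt_out(headers: dict[str, str], requested_purposes: list[str]) -> OptOutDecision:
    """Apply the GPC signal to the purposes this request would otherwise trigger.

    Purposes outside the opt-out's scope (e.g. fulfilling the order) are left
    untouched; only sale and targeted advertising are suppressed.
    """
    if not parse_gpc(headers):
        return OptOutDecision(False, (), "no GPC signal; stored consent state applies")
    suppressed = tuple(p for p in requested_purposes if p in GPC_COVERED_PURPOSES)
    return OptOutDecision(True, suppressed, "GPC signal honored as an opt-out")


if __name__ == "__main__":
    # Constructed sample request: a browser with GPC enabled hitting a page that
    # would normally trigger analytics plus an ad-tech data share.
    sample_headers = {"Host": "shop.example", "Sec-GPC": "1"}
    print(decide_opt_out(sample_headers, ["order_fulfilment", "targeted_advertising"]))
```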

Following these steps will help ensure that your business complies with the PCDPA and respects consumer privacy rights.

Enforcement

Enforcement of the PCDPA will solely be in the hands of the Pennsylvania Attorney General (AG). This means Pennsylvania residents cannot sue businesses for alleged violations directly. From July 1, 2024, to December 31, 2025, businesses will have a 60-day “cure period” to correct identified violations. Starting January 1, 2026, cure periods will be at the discretion of the AG, taking into account factors such as:

  • The number of violations
  • The size and complexity of the business
  • Potential harm to the public
  • The nature and extent of the business’s data processing activities
  • The impact on individuals or property
  • Whether the violation resulted from human error or technical issues.

Wrapping Up

The Pennsylvania Consumer Data Privacy Act (PCDPA) aims to protect consumer data in the state. Businesses need to update their policies, handle consumer requests promptly, conduct assessments, establish contracts, and respect opt-out mechanisms to comply. Consumers gain control over their data with rights to confirm, correct, and erase information, among others.

While the PCDPA marks progress in data protection, its final enactment and enforcement depend on legislative decisions. Stay informed to adapt and ensure compliance, maintaining trust in the digital age.

GetTerms can simplify the complicated task of compliance and let you get back to business by addressing multiple items on your compliance checklist, including a cookie policy tailored to your business needs and cookie consent banners. Take advantage of our services today: create an account and get started in 5 minutes.
