U.S. State Data Privacy Laws Directory
Lawmakers are currently reviewing House Bill No. 1201, also known as the Pennsylvania Consumer Data Privacy Act (PCDPA). Introduced on May 19, 2023, this bill will take effect immediately if approved. It’s part of Pennsylvania’s efforts to regulate how businesses handle personal data and give consumers more control over their information. If passed, it will become Pennsylvania’s main data protection law, similar to those in other states like California and Virginia.
In this article, we will explore details of the PCDPA, including who it applies to, compliance requirements, and its impact on businesses and consumers.
Pennsylvania is currently considering two privacy bills: the Pennsylvania Consumer Data Privacy Act (PCDPA) (House Bill 1201) and the Pennsylvania Consumer Data Protection Act (House Bill 708). The PCDPA, introduced on May 19, 2023, would take effect immediately upon passing. It is the first law of its kind in Pennsylvania and is still progressing through the state’s legislative process, having recently advanced from the House of Representatives to the Senate for further review. While not yet finalized, the bill aims to safeguard consumer data by granting individuals specific rights and imposing obligations on businesses regarding data collection and limits on its use.
If enacted, the PCDPA would empower the Pennsylvania Attorney General (AG) to enforce compliance and penalize violators, and it would become Pennsylvania’s first comprehensive consumer data protection law, effective immediately upon passage.
On December 13, 2023, the bill was amended for clarity regarding the definition of a controller and referred back to the Committee of Appropriations. It passed the House on March 18, 2024, and is currently under review by the Senate Communications and Technology Committee. These developments highlight the dynamic nature of data privacy legislation in Pennsylvania, aiming to address concerns while ensuring clarity and effectiveness in regulation.
Understanding Pennsylvania’s data privacy bill requires clarity on essential terms:
These definitions are integral to understanding and complying with the PCDPA’s provisions, safeguarding consumer privacy in Pennsylvania.
This legislation applies to legal entities that do business in Pennsylvania and determine how consumers’ personal information is processed. It applies to entities meeting any of the following criteria:
Moreover, the law extends to entities that control other legal entities meeting these standards. Personal data under the PCDPA includes any information reasonably linked to an identifiable individual, excluding publicly available or mathematically transformed data. The scope of the PCDPA covers the personal information of Pennsylvania residents, excluding individuals acting in an employment or commercial context.
Specifically, it exempts individuals involved in transactions with a controller solely within their organizational roles, such as employees, owners, directors, officers, contractors, partnerships, sole proprietorships, nonprofits, and government agencies.
Exemptions
Certain entities are exempt from the provisions of the PCDPA as currently written. These exemptions include the following:
On Consumers
If PCDPA is enacted, it will grant consumers in the Commonwealth several new rights regarding their personal data. Under Section 3 of the PCDPA, consumers will have the right to:
To exercise these rights, the PCDPA mandates that controllers establish a secure and reliable method within their Privacy Policy. Additionally, parents or legal guardians can act on behalf of children to enforce these rights.
On Businesses
Businesses subject to PCDPA would need to adhere to various data privacy obligations if the legislation passes. These requirements include the following:
On Privacy Policy
The PCDPA introduces notice requirements that could impact the content of your privacy policy. Under this law, controllers are obligated to provide consumers with a notice detailing:
Additionally, controllers must disclose any intention to sell personal data to third parties or use it for targeted advertising, along with an explanation of how consumers can opt out.
If PCDPA becomes law, you’ll need to follow certain steps to make sure your business complies with its requirements.
1. Update Your Privacy Policy
Review and update your Privacy Policy to include specific details required by the PCDPA. This means clearly stating:
2. Handle Consumer Requests
Under the PCDPA, you’ll need to respond to consumer requests within 45 days. If you need more time for complex requests, you must inform the consumer within the initial 45-day period. Consumers have the right to access their data once per year at no cost.
3. Data Protection Assessments
Starting July 1, 2024, you’ll need to conduct and document assessments for high-risk data processing activities. Consider factors like whether the data is anonymous, consumer expectations, and your relationship with consumers.
4. Establish Data Processing Contracts
Maintain contracts with any third parties processing personal data on your behalf. These contracts, also known as processing agreements, should outline responsibilities such as data confidentiality and cooperation with assessments.
5. Respect Universal Opt-Out Mechanisms
From January 1, 2026, you must honor universal opt-out signals like Global Privacy Control (GPC). Ensure these mechanisms are easy to use and consistent with PCDPA standards.
Following these steps will help ensure that your business complies with the PCDPA and respects consumer privacy rights.
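Step 5 above says a controller must honor universal opt-out signals such as Global Privacy Control (GPC). The following is an added illustration, not code from this article or from GetTerms, of what "honoring" that signal looks like on the server side. It assumes the GPC specification's request header, `Sec-GPC` with the value `1`, which the article does not name; the request headers, request IDs and the `prior_consent` flag are constructed sample data, and the rule that the signal switches off sale and targeted-advertising use (the two uses the article's notice requirement calls out) is one reasonable policy choice, not the statute's text.

```python
# Added example: recognising and honouring a Global Privacy Control (GPC)
# opt-out signal on the server side. The header name "Sec-GPC" and the
# value "1" come from the GPC specification, not from the article; every
# request below is constructed sample data.

from dataclasses import dataclass


@dataclass
class OptOutDecision:
    gpc_signal: bool          # True when the request carried Sec-GPC: 1
    allow_sale: bool          # may personal data from this request be sold?
    allow_targeted_ads: bool  # may it be used for targeted advertising?
    reason: str               # short justification kept for the audit trail


def gpc_opted_out(headers: dict) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so the lookup normalises them.
    Only the exact value "1" counts as a signal, as the GPC specification
    defines it; an absent header or any other value ("0", "true", "") is
    treated as "no signal", so the caller falls back to its stored consent
    state rather than guessing.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_processing(headers: dict, prior_consent: bool = False) -> OptOutDecision:
    """Apply the opt-out for one request.

    Policy choice (an assumption of this example): a GPC signal switches off
    sale and targeted-advertising use for this request regardless of any
    earlier consent state, so a stale "yes" in the consent store can never
    override a live opt-out signal.
    """
    if gpc_opted_out(headers):
        return OptOutDecision(True, False, False, "universal opt-out signal honoured")
    return OptOutDecision(False, prior_consent, prior_consent,
                          "no GPC signal; using stored consent state")


def audit_record(request_id: str, decision: OptOutDecision) -> dict:
    """Flatten a decision into a log-friendly record.

    Keeping a per-request record of whether the signal was seen and what
    was switched off is the evidence a controller would want on hand if
    the handling of opt-out signals were ever questioned.
    """
    return {
        "request_id": request_id,
        "gpc_signal": decision.gpc_signal,
        "allow_sale": decision.allow_sale,
        "allow_targeted_ads": decision.allow_targeted_ads,
        "reason": decision.reason,
    }


if __name__ == "__main__":
    # Constructed sample requests: one with the signal, one with a header
    # value that is not a valid signal, one with no signal at all.
    samples = {
        "req-001": ({"User-Agent": "example/1.0", "Sec-GPC": "1"}, True),
        "req-002": ({"User-Agent": "example/1.0", "sec-gpc": "0"}, True),
        "req-003": ({"User-Agent": "example/1.0"}, False),
    }
    for rid, (hdrs, consent) in samples.items():
        print(audit_record(rid, decide_processing(hdrs, prior_consent=consent)))
```

Because the article says the mechanism must be "easy to use and consistent with PCDPA standards", the useful property here is that the check is boring: one header, one accepted value, case-insensitive name matching, and a written-down reason for every decision. How a site reconciles a GPC signal with an explicit, later consent given on that site is a separate design decision that the article does not settle.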
Enforcement of the PCDPA will solely be in the hands of the Pennsylvania Attorney General (AG). This means Pennsylvania residents cannot sue businesses for alleged violations directly. From July 1, 2024, to December 31, 2025, businesses will have a 60-day “cure period” to correct identified violations. Starting January 1, 2026, cure periods will be at the discretion of the AG, taking into account factors such as:
The Pennsylvania Consumer Data Privacy Act (PCDPA) aims to protect consumer data in the state. Businesses need to update their policies, handle consumer requests promptly, conduct assessments, establish contracts, and respect opt-out mechanisms to comply. Consumers gain control over their data with rights to confirm, correct, and erase information, among others.
While the PCDPA marks progress in data protection, its final enactment and enforcement depend on legislative decisions. Stay informed to adapt and ensure compliance, maintaining trust in the digital age.
GetTerms can simplify the complicated task of compliance and let you get back to business by addressing multiple items on your compliance checklist, including a cookie policy tailored to your business needs and cookie consent banners. Please take advantage of our services today: create an account and get started in 5 minutes.