Exterro's Legal GRC Breakdown



Proposed Pennsylvania Privacy Law

Created on June 22, 2020

Demand Generation Manager, Exterro

Why This Privacy Law is Important: Pennsylvania, along with many other states, is in the process of enacting privacy legislation focused on protecting consumers’ personal data. Currently pending before the Committee on Consumers, the bill addresses consumer data privacy by setting forth the rights of consumers as well as the duties of companies relating to the collection of consumer personal information.

Overview/Status of Bill: This bill gives consumers additional rights and control over how their personal data is collected and used. Pennsylvania residents would have the right to know, the right to access, the right to opt out, and the right to deletion of their personal information. Similar to the CCPA, the bill also allows for a private right of action.

Need to Know Information:

Who it Applies To: The bill applies to companies doing business in Pennsylvania that satisfy one or more of the following requirements: companies with annual gross revenue exceeding $10 million; companies that annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers; or companies that derive 50% or more of their annual revenue from selling consumers’ personal information.

What is Covered: Identifiers like names, aliases, postal addresses, email addresses, account names, Social Security numbers, etc.; protected characteristics under federal or state law; commercial information like records of personal property or products or services purchased, obtained or considered; biometric information; internet or other electronic network activity like browser and search history; geolocation data; audio, electronic, visual, thermal, olfactory or similar information; professional or employment-related information; education information; and inferences drawn from any of the information above to create a consumer profile reflecting a consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities and aptitudes.

How to Comply: Companies must give consumers at least two methods of submitting requests for information, and the requested information must be provided to consumers within 45 days of receiving a request. Additionally, companies must publicly offer a “Do Not Sell My Personal Information” form, which, if submitted, prohibits a company from selling the consumer’s personal information. Once a consumer opts out, a company must wait at least 12 months before asking the consumer to agree to a sale of his or her personal data.

Potential Penalties: If a company violates any provision under the proposed bill, the attorney general can bring a civil action against the company, with potential liability capped at $7,500 per violation. Before an action is initiated, however, the company must be given an opportunity to cure the violation within 30 days of notification.