Privacy Bill Essentials: Pennsylvania Consumer Data Privacy Act (HB 1126)

April 22, 2021
Hinshaw Privacy & Cyber Bytes

A new data protection and privacy bill (HB 1126) was recently introduced in Pennsylvania. Although not as robust as the California Consumer Privacy Act (CCPA), the proposed Consumer Data Privacy Act (the Act) would similarly give consumers in Pennsylvania more control over their personal information. It would also impose a series of requirements on covered businesses and create a private right of action following a 30-day cure period. If approved, the Act would go into effect immediately. 

To whom would it apply?

The Act would apply to for-profit businesses that:

  1. Have an annual gross revenue of at least $10 million;
  2. Annually buy, sell, or share, alone or in combination, the personal information of 50,000 consumers, households, or devices; or
  3. Derive 50% of their annual revenues from the sale of consumers' personal information.

What types of information would it cover?

Under the Act, personal information would include: 

The following publicly available information would not be considered personal information: 

However, for the information to remain "publicly available," it could not be used for a purpose that is incompatible with the purpose for which the data is maintained and made available in government records, or for which it is otherwise publicly maintained.

What rights would it create?

The Act would create various consumer rights, including the right to: 

What obligations would it impose?

Upon request from a consumer, the Act would require a business that collects personal information about a consumer to disclose the:

Upon request from a consumer, a business that sells or discloses the personal information of consumers will be required to disclose the:

A business that sells the personal information of consumers must notify them that their personal information may be sold and give them the option to opt-out of a sale. Relatedly, a third-party who purchases consumers' personal information may not sell that information unless consumers have been provided with notice that their personal information may be sold and have been given the option of opting out of a sale.

To comply with its notice obligations, a business that collects or sells the personal information of consumers must provide two or more methods for consumers to submit requests, including, at a minimum, a toll-free telephone number and website address if the business maintains a publicly accessible website. If the business maintains a website, it must provide:

A business that collects personal information must notify consumers of their right to request deletion. Upon request from a consumer, a business must delete the personal information of the consumer that it has collected.

In addition, a business must ensure that all employees who handle consumer inquiries about the business's privacy practices know how to direct a consumer to exercise their rights.

Like other similar legislation, the Act does not restrict a business's ability to:

How would it be enforced?

The Attorney General's Office would enforce the Act. A business violates the Act if it fails to cure an alleged violation within 30 days after being notified of the violation. A violation may result in a civil penalty of up to $7,500 per violation.

The Act also creates a private right of action for violations that result in unauthorized access and exfiltration, theft, or disclosure of a consumer's nonencrypted or nonredacted personal information. The consumer must first provide a 30-day notice setting forth the specific provision(s) of the Act allegedly violated. If the business fails to cure, the consumer may recover money damages totaling no more than $750 or actual damages per consumer, injunctive relief, or any other relief the court deems appropriate.

Where does it stand?

The Act was introduced to the House on April 7, 2021. It was subsequently referred to the Committee on Consumer Affairs.