
An Overview of Pennsylvania’s Consumer Data Privacy Act (PCDPA) - House Bill 1947

Published May 24, 2024 / Updated March 10, 2025

Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Introduction

In a data-driven world with an ever-evolving privacy landscape, states across the United States are introducing and enacting their own data privacy laws. In a recent development, Pennsylvania has taken a significant step with the introduction of House Bill 1947, known as the Pennsylvania Consumer Data Privacy Act (PCDPA).

The PCDPA lays out new guidelines and regulations for data handling by organizations operating in the state, emerging as a critical response to the growing prevalence of privacy violations and data misuse. This guide provides a comprehensive analysis of House Bill 1947, exploring its key provisions, the rights it extends to consumers, and the obligations it imposes on businesses.

Who Needs to Comply with PCDPA

a. Material Scope

The PCDPA applies to a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is structured or operated for the financial gain of its owners or shareholders that:

  • Gathers personal information about consumers or on their behalf;
  • Determines, alone or in tandem with others, the purpose and means of the processing of consumers’ personal information;
  • Conducts business in this Commonwealth; and
  • Meets one or more of the following requirements:
    • Has annual gross revenues in excess of $25,000,000.
    • Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 100,000 or more consumers.
    • Derives 50% or more of annual revenues from selling consumers' personal information.

Notably, the law does not apply to data governed by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA), which have their own regulatory frameworks.

Definitions of Key Terms

A. Consumer

An individual who is a resident of Pennsylvania and acting only in the context of the individual or the individual's household. The term does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of an individual acting in an employment context.

B. Biometric Information

Personal information generated from the measurement or specific technological processing of an individual's unique biological, physical, or physiological characteristics, including any fingerprint, voice print, iris or retina scan, facial scan or template, deoxyribonucleic acid (DNA) information, or gait. Biometric information does not include any writing sample, written signature, photograph, voice recording, video, demographic data, or physical characteristics, including height, weight, hair color, or eye color if the information is not used for the purpose of identifying an individual's unique biological, physical or physiological characteristics.

C. Personal Information

Information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer, household, or consumer device. Personal information does not include any of the following:

  • Information that is lawfully made available from Federal, State or local government records.
  • Consumer information that is deidentified or aggregate consumer information.

D. Deidentified Data

Data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or a device linked to the individual and is possessed by a business that:

  • takes reasonable measures to ensure that the data cannot be associated with the individual;
  • publicly commits to maintain and use the data only in a deidentified manner and not attempt to reidentify the data; and
  • contractually obligates a recipient of the data to meet the criteria specified in the law.

E. Sale of Personal Data

The sale of personal data refers to a controller exchanging personal data with a third party for monetary or other valuable consideration. However, this definition specifically excludes:

  • Sharing personal information with a service provider acting on the business’s behalf.
  • Disclosing personal information to third parties to fulfill a consumer-requested product or service.
  • Transferring personal data to an affiliate of the business.
  • Transferring personal information as part of a merger, acquisition, bankruptcy, or similar transaction where a third party takes control of the business’s assets.
  • Disclosing personal information when:
    1. Directed by the consumer or when the consumer uses the business to interact with a third party.
    2. The consumer intentionally makes the information public through mass media without audience restrictions.

F. Service Provider

A person who processes personal information on behalf of a business.

Obligations for Organizations Under PCDPA

Under the law, businesses have multiple obligations, such as:

A. Data Collection and Processing

The law mandates that businesses ensure:

  • The personal information they collect is strictly limited to what is necessary, relevant, and directly related to the purposes for which it is processed.
  • Processing is necessary, reasonable and proportionate for the purpose authorized by law.
  • Personal information is not processed for purposes that are not reasonably necessary for, or compatible with, the original processing purpose unless the consumer consents.
  • Processing should, as much as possible, follow reasonable administrative, technical, and physical safeguards to maintain the personal information's confidentiality, integrity, and accessibility, minimizing foreseeable harm to the consumer.

B. Processing of Minors' Personal Information

Businesses may not process the personal information of consumers under 16 for targeted advertising, or sell it, without consent: a consumer between 13 and 16 must give consent themselves, and for a consumer under 13, consent must come from a parent or guardian. A business that willfully disregards a consumer's age is treated as being aware of it, so the provision applies where the controller knows the consumer's age or intentionally ignores it.

C. Non-Discrimination Requirements

A business is not allowed to process personal information in a way that violates federal or state legislation that prohibits unlawful consumer discrimination.

Businesses are not allowed to discriminate against consumers because they exercise any of their rights, including but not limited to:

  • Denying goods or services to the consumer.
  • Charging varying rates or prices for the same products or services, or imposing penalties.
  • Providing the consumer a different level or quality of products or services.
  • Suggesting that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services.

However, the law does not prohibit a business from charging varied prices or rates or from providing different quality products or services as part of voluntary consumer participation in loyalty, rewards, or other similar programs.

D. Disclosure Requirements

Businesses must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

  • The categories of personal data processed by the controller;
  • The categories of sources from which personal data is collected;
  • The purposes for processing personal data;
  • The specific pieces of personal information the business has collected about the consumer;
  • Instructions for consumers on how to exercise their rights and appeal decisions related to their data;
  • The categories of personal data that the controller shares with each third party;
  • The categories of each third party with which the controller shares personal data; and
  • If the business sells personal information to a third party or processes personal information for targeted advertising, the sale or processing and the manner in which a consumer may exercise the consumer's right to opt out of the sale or processing.

E. Security Requirements

Businesses and service providers are required to implement and maintain reasonable security measures, such as administrative, physical, and technical safeguards, suitable for the type of personal information they handle and its intended uses. This is necessary to prevent the unauthorized use, disclosure, access, destruction, or modification of consumers' personal information.

Additionally, to maintain the integrity or security of the system, businesses must take steps to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity. They must also investigate, report, or prosecute those responsible for such activity.

F. Service Provider Agreements

The law requires businesses to enter into contracts with service providers that govern the nature, purpose, and duration of the processing of personal data, the type of data subject to processing, and the rights and obligations of the parties. These contracts must also bind the processor to a duty of confidentiality with respect to the processing of personal data.

Moreover, any subcontractor engaged by a processor pursuant to a written contract is bound by the same obligations. Processors must follow the controller's instructions and assist the controller in fulfilling its obligations, including those relating to the security of personal data processing and security breach notifications.

Data Subject Rights

A. Right to Information

Consumers have the right to know whether a business is processing their personal information and whether the processing is for the sale of such data or for the purpose of targeted advertising.

B. Right to Opt-Out of Processing

Consumers have the right to decline or opt out of the processing of their personal information for any of the following purposes:

  • Targeted advertising.
  • The sale of personal information.
  • Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

C. Right to Access

Consumers have the right to access their personal information.

D. Right to Correct Inaccurate Data

Consumers have the right to correct any inaccurate personal information obtained by a business, regardless of the kind of information or the reason it is being processed.

E. Right to Delete

Consumers have the right to request businesses to delete their personal information. Businesses that obtain a consumer’s personal information are required to notify the consumer of their right to have that information deleted. Upon a verifiable deletion request, businesses must erase the consumer's data from their records and direct any service providers to do the same within 45 days.

F. Right to Portability

Consumers have the right to obtain personal information previously provided by the consumer to the business in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal information to another business without hindrance, when the processing of the personal information is carried out by automated means.

How Businesses Should Handle DSRs

Businesses are required to uphold consumer privacy rights and handle data subject requests (DSRs) by implementing the following measures:

  • Provide at least two accessible ways for consumers to submit verifiable requests regarding their rights, including an online platform.
  • Respond to DSRs within 45 days without charge, with a possible one-time extension of another 45 days if necessary, informing the consumer of the extension within the initial period. A business is not obliged to fulfill the same request from a consumer more than once in a 12-month span.
  • Ensure that staff handling privacy inquiries are knowledgeable about these obligations and can guide consumers on how to exercise their rights.
  • If a consumer opts out of having their personal information used for targeted advertising or sold, the business must comply unless the consumer later provides consent. This includes respecting opt-out signals sent through user-enabled privacy controls.
  • Honor a consumer's opt-out decision for at least 12 months before requesting their consent again for processing personal information for targeted advertising or sale.

Limitations

The obligations imposed on a business or service provider under the law should not restrict the ability of a business or service provider to:

  • Comply with other applicable laws, assert or defend legal claims, or cooperate with government authorities or investigations.
  • Collect, use, retain, sell, or disclose consumer information that is de-identified.
  • Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of this Commonwealth.
  • Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer before entering into the contract or offer a voluntary bona fide loyalty or rewards program.
  • Take necessary steps to safeguard vital interests crucial for the life or safety of the consumer or others when such processing is not otherwise authorized.
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; maintain the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
  • Conduct internal research to identify, improve, or repair products, services, or technology, including technical errors that impair existing or intended functionality, or undertake internal operations reasonably aligned with the consumer’s expectations for the performance of a service or provision of a product.
  • Engage in public or peer-reviewed scientific, historical, or statistical research that benefits the public, provided that it adheres to relevant laws, has been approved by an appropriate ethics review board, balances the expected benefits against the privacy risks, and implements appropriate safeguards.
  • Process personal information where all of the related commercial conduct occurs wholly outside this Commonwealth.

Regulatory Authority

Once enacted, the state's Attorney General would be responsible for enforcing this law.

Penalties for Non-compliance

A business would be in violation of the PCDPA if it fails to cure an alleged violation within 60 days of being notified of it. Both businesses and service providers found in violation may face injunctions and civil penalties of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. The PCDPA does not suggest or create a private right of action.

How Can an Organization Operationalize the PCDPA

Organizations can operationalize Pennsylvania’s Consumer Data Privacy Act (PCDPA) by:

  • Establishing clearly defined policies and procedures for processing data in compliance with the PCDPA’s provisions;
  • Developing clear, accessible, and understandable privacy notices that comply with the PCDPA’s requirements;
  • Obtaining explicit consent from users before processing their personal information;
  • Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
  • Training employees who handle consumers’ data on the organization's policies and procedures and the requirements of the PCDPA.

How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with Pennsylvania’s Consumer Data Privacy Act (PCDPA) by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

It helps organizations overcome the challenges of hyperscale data environments by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling them to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.
