How to Comply With Pennsylvania’s Impending Data Privacy Act

Pennsylvania legislators last month introduced the Consumer Data Privacy Act (CDPA), which resembles California’s Consumer Privacy Act (CCPA). And this month, a breach of the Pennsylvania Department of Health led to the Pennsylvania Senate unanimously approving a proposal to strengthen the state’s breach notification law, suggesting that Pennsylvania legislators are motivated to implement stronger data privacy laws.

While the contents of CDPA will probably not surprise anyone familiar with similar state-level acts, it’s important to have this bill on your radar in case it applies to your organization. Here’s what you need to know:

Applicability

CDPA applies to businesses that collect consumers’ personal information, either directly or through a mediating entity such as a processor, and do business in Pennsylvania, if one of the following thresholds is satisfied:

  • Has a gross revenue of over $10 million

  • Buys, receives for commercial purposes, sells or shares the personal information of 50,000 or more consumers, households or devices

  • Derives 50 percent or more of its annual revenue from selling consumers’ personal information

The law would also apply to any organization that shares common branding with a business that meets the criteria, or “controls” such a business, which means it either:

  • Owns the company

  • Has the power to vote on more than 50 percent of its outstanding shares

  • Has control over the election of its directors or board members

  • Has the power to exercise a controlling influence over its management

Personal information is information that relates to, describes or could be reasonably linked to a specific individual, such as a name, identification numbers, records of personal property or geolocation data. This does not include information that is lawfully made publicly available by a government.

No attempt to comply with CDPA should impede an organization’s ability to:

  • Comply with any other laws

  • Comply with legal inquiries or investigations

  • Cooperate with law enforcement

  • Exercise or defend legal claims

  • Conduct activity involving de-identified data

Consumer Rights

The basic rights established by CDPA are consumers’ rights to:

  • Know what data is being collected about them

  • Access data collected about them

  • Know whether their data is being sold and, if so, to whom

  • Opt out of the sale of their data

  • Not be denied a good or service, charged a different price or provided a different level of quality for exercising their rights

Regarding the latter right, businesses can still charge a different price or provide a different level of quality if that difference is reasonably related to the value provided to the consumer by their data.

Businesses must make available two or more reasonably accessible methods for submitting requests, including a toll-free telephone number and a website address. Requests must be fulfilled within 45 days of being sent, which can be extended to 90 days when reasonably necessary. In the case of an extension, the business must notify the consumer.

Businesses are required to provide a clear and conspicuous link reading, “Do Not Sell My Personal Information” on their website, allowing the consumer to submit opt-out requests. Consumers may not be forced to create an account in order to submit such requests.

An additional link must be established through which the consumer can access a description of their rights and the business’s privacy policy, if it has one.

Business Obligations

Upon receiving a verifiable request to know, businesses must disclose:

  • The categories of data collected about the consumer

  • The categories of the sources from which the data was collected

  • The categories of third-parties with whom the data is shared

  • The purposes of collection or sale

  • The specific pieces of the consumer’s personal information the business has collected

For requests to delete, businesses must delete the data from their records and direct their service providers to do the same. Service providers must heed this request, unless the data is necessary to:

  • Complete a transaction requested by the consumer

  • Comply with a legal obligation

  • Protect against security incidents or fraud

  • Identify or repair errors that impair existing functionality

  • Exercise free speech or another right provided by law

  • Engage in public or peer-reviewed scientific or historical research that the consumer has provided informed consent to, if the deletion of the data will seriously impede the research

The bill is careful to note that these obligations should not be construed as requiring the business to unnecessarily retain any data collected for a one-time transaction, or to re-identify de-identified data. In short, businesses need only disclose data collected in their standard course of business.

Data Sale

Any business that sells personal data to third parties must notify consumers that their information may be sold and inform them of their right to opt-out of the sale. Businesses must wait at least 12 months after the opt-out request before requesting that a consumer authorize the sale of their data.

Concerning third parties, the bill includes a clause that third parties may not resell personal data that has been sold to them unless they notify the subject and give them an opportunity to opt out of the sale.

If a business receives direction from a consumer not to sell their information, it must adhere to it, unless the consumer subsequently provides express authorization of the sale. In the case of consumers under 16, personal data may not be sold without their consent. Consumers under 13 must seek the consent of their parents or guardian.

Enforcement

The bill includes a private right of action allowing consumers whose “non-encrypted and non-redacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure” as a result of a business’s violation of CDPA to seek any of the following:

  • Statutory damages between $100 and $750 per incident or actual damages, whichever is greater

  • Injunctive relief, declaratory relief or any other relief deemed appropriate by the court

The amount of statutory damages must consider the nature, severity, prevalence and persistence of the violation, as well as the length of time over which it occurred. The willfulness, assets, liabilities and net worth of the violator may also be taken into account.

Upon the initiation of a civil action, the business has 30 days to cure the violations, in which case it can avoid punishment as long as it notifies the consumers that the violations have been cured and no further violations should occur.

If the violation continues beyond 30 days, the business is liable to pay damages to the consumers as well as a civil penalty to the Attorney General of up to $7,500 per violation.

If passed, the act will become effective immediately.
