Pennsylvania: Consumer data privacy bill referred to Senate Committee

On July 12, 2024, Senate Bill 1279 for the Consumer Data Privacy Act was referred to the Pennsylvania Senate Communications and Technology Committee.

Scope

The bill applies to legal entities doing business within Pennsylvania that determine the purpose and means of processing consumer personal information, and that:

  • have an annual gross revenue of more than $10 million;
  • buy or receive personal information of at least 50,000 consumers for commercial purposes; or
  • derive at least 50% of annual revenue from the sale of consumer personal information.

The bill would also apply to an entity that controls a different legal entity that meets the standards outlined above. The bill defines personal data as any information that is linked or can be reasonably linked to an identifiable individual. Personal data does not include publicly available information, de-identified data, or biometric data converted to a mathematical representation.

Data subject rights

Under the bill, consumers are granted the right to:

  • confirm the processing of their data, unless doing so would reveal trade secrets;
  • correct inaccuracies of personal data;
  • delete personal data;
  • obtain copies of personal data processed in a portable, readily usable, and transferable format; and
  • opt out of processing for targeted advertising, sale of personal data, or profiling with automated means.

Controllers are required to comply with consumer requests no later than 45 days after receipt, which can be extended by an additional 45 days when reasonably necessary.

Controller and processor obligations

The bill establishes data processing principles and introduces vendor management requirements as well as an obligation to conduct Data Protection Impact Assessments (DPIAs) in certain circumstances. Regarding sensitive data, the bill confirms such data should not be processed without the consumer's consent, or parental consent in the case of a minor.

Controllers must also provide an effective mechanism for revoking consumer consent, which must be no more difficult than the method through which consent was given. Once a request to stop processing is received, the controller must cease processing the personal data within 15 days.

In relation to disclosure, controllers must provide consumers with a privacy notice that includes information on the sharing of personal data with third parties or the processing of personal data for targeted advertising purposes, the purposes of data processing, and the means by which consumers can exercise their rights. The privacy notice must also include an active email address or other online mechanism that consumers can use to contact the controller.

The bill also outlines that processors have an obligation to assist and adhere to a controller's instructions and that the processing carried out by the processor on behalf of the controller must be governed by a contract.

Enforcement

The Pennsylvania Attorney General (AG) has the exclusive power to enforce the bill, and there is no private right of action. The bill provides a 60-day cure period for violations.

The bill would take effect six months from the date of enactment.

You can read the bill here and track its progress here.