Pennsylvania is considering its own state privacy law, joining California and a host of other U.S. states.
Rep. Edward Neilson (D-174) is sponsoring H.B. 1201. The bill was referred to the Pennsylvania House of Representatives’ Commerce committee on May 19 and discussed on September 7.
Some key points:
- Scope thresholds are revenue of $10 million (lower than the other laws), 50,000 users or 50% of revenues from sale.
- Standard carve-outs include an entity exemption for financial institutions
- Data minimization, purpose specification and information security obligations are included
- Employment-related data is included in personal information, and employment opportunities are included as a legal or similarly significant effect requirement for DPIA (if impacted by automated decision making). However, data processed or maintained in the context of employment is carved out
- Publicly available information is excluded, but it can only be used for a purpose compatible with that for which the data is maintained and made available.
- Sale: for monetary or other valuable consideration
- Sensitive information concept similar to the other state laws and requires consent
- Third party includes public authority or agency
- Similar consumer rights as under other state laws (access, rectification, deletion, opt out)
- Targeted advertising to under-16s or selling their data requires consent
- Required privacy notice
- Honoring opt out preference signals (starting 1/1/26)
- Detailed requirements for controller to processor contract (DPA)
- Required data protection assessment for activities with heightened risk of harm
- Specifically addresses pseudonymized data
- Enforced by the Pennsylvania Attorney General as an unfair or deceptive act/practice, with a mandatory 60-day cure until December 31, 2025
- AG can provide guidance and will promulgate regulations