Pennsylvania is considering its own state privacy law, joining California and a host of other U.S. states.

Rep. Edward Neilson (D-174) is sponsoring H.B. 1201. The bill was referred to the Pennsylvania House of Representatives’ Commerce Committee on May 19 and discussed on September 7.

Some key points:

  • Scope thresholds: $10 million in revenue (lower than in the other state laws), 50,000 users, or 50% of revenue derived from the sale of personal data.
  • Standard carve-outs apply, including an entity-level exemption for financial institutions.
  • Data minimization, purpose specification, and information security obligations are included.
  • Employment-related data is included in personal information, and employment opportunities are listed among the decisions producing legal or similarly significant effects that trigger a data protection impact assessment (DPIA) when automated decision-making is involved. However, data processed or maintained in the context of employment is carved out.
  • Publicly available information is excluded, but it may only be used for a purpose compatible with that for which the data is maintained and made available.
  • Sale: an exchange for monetary or other valuable consideration.
  • The sensitive information concept is similar to that in the other state laws, and processing sensitive information requires consent.
  • Third party includes a public authority or agency.
  • Consumer rights similar to those under the other state laws (access, rectification, deletion, opt-out).
  • Targeted advertising to consumers under 16, or selling their data, requires consent.
  • A privacy notice is required.
  • Opt-out preference signals must be honored (starting 1/1/26).
  • Detailed requirements for controller-to-processor contracts (DPAs).
  • A data protection assessment is required for processing activities presenting a heightened risk of harm.
  • Pseudonymized data is specifically addressed.
  • Enforced by the Pennsylvania Attorney General; a violation is an unfair or deceptive act or practice. A mandatory 60-day cure period applies until December 31, 2025.
  • The AG can provide guidance and will promulgate regulations.