Preparing for Pennsylvania's Consumer Privacy Legislation
House Bill 1049, modeled after the CCPA, addresses consumer data privacy by setting forth the rights of consumers as well as the duties of companies relating to the collection of consumer personal information.
August 23, 2019 at 12:55 PM
7 minute read
In the wake of several massive data breaches, consumer privacy (or lack thereof) has become a growing concern. For some, more surprising than the breaches was learning how much personal information companies collect from consumers—everything from Social Security numbers and email addresses to location data and demographics—and how much personal information is being sold or otherwise disseminated. As a result, legislation is being enacted around the world requiring companies to inform consumers about the collection and use of their personal information. Most notably in 2018, the European Union's General Data Protection Regulation, commonly referred to as the GDPR, established groundbreaking consumer rights over the collection, retention and dissemination of personal information. In the United States, in the absence of federal consumer privacy law, states are enacting privacy legislation focusing upon: requiring transparency around the consumer personal information that companies are collecting and using; and providing consumers with control over the personal information. For example, California enacted the California Consumer Privacy Act (CCPA), which takes effect on Jan. 1, 2020.
Now, Pennsylvania is following suit. On April 5, Pennsylvania introduced House Bill 1049, which is currently pending before the Committee on Consumer Affairs. House Bill 1049, modeled after the CCPA, addresses consumer data privacy by setting forth the rights of consumers as well as the duties of companies relating to the collection of consumer personal information. Therefore, companies doing business in Pennsylvania should familiarize themselves with its key provisions and prepare for its enactment.
Important Provisions
Even though House Bill 1049 is in committee and will likely be amended prior to its enactment, there are several provisions of the current bill that are the cornerstones of recent consumer privacy legislation and are likely to remain in the final bill. These are:
- Narrow definition of "businesses" subject to compliance—House Bill 1049 applies to companies doing business in Pennsylvania satisfying one or more of the following requirements: companies with an annual gross revenue exceeding $10 million; companies that annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers; or companies that derive 50% or more of their annual revenue from selling consumers' personal information.
- Comprehensive definition of "personal information"—Most of the information that consumers regularly give to companies in the regular course of business is deemed "personal information," such as:
- Identifiers like names, aliases, postal addresses, email addresses, account names, Social Security numbers, etc.;
- Protected characteristics under federal or state law;
- Commercial information like records of personal property or products or services purchased, obtained or considered;
- Biometric information;
- Internet or other electronics network activity like browser and search history;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory or similar information;
- Professional or employment-related information;
- Education information; and
- Inferences drawn from any of the information above to create a consumer profile reflecting a consumer's preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, and abilities and aptitudes.
House Bill 1049 explicitly excludes information that is publicly available, even if it fits into any of the above categories of protected personal information.
- Empowering consumer rights—Consistent with other consumer privacy legislation, House Bill 1049 provides consumer control over personal data. Such provisions will require companies to review policies and internal controls to determine whether current data collection and retention practices comply. These include:
- Notice and access—Consumers will have the right to know and access what personal information a company collects and whether that company sells or discloses personal information to another party. Companies must give consumers at least two methods of submitting requests for information, and the requested information must be provided to consumers within 45 days of receiving a request.
- Deletion—Consumers will have the right to request that a company delete personal information from its systems entirely. A deletion request does not apply solely to the company that initially collected the information—if a consumer's personal information was sold or disseminated to another party, the company must direct that party to delete the information as well. Thus, companies must keep track of how they sell and disseminate personal information. Companies that receive deletion requests may retain the data under prescribed circumstances, such as to complete a transaction, detect security incidents, debug to repair errors, exercise free speech, engage in public or peer-reviewed research, comply with legal obligations, and enable solely internal uses that are reasonably aligned with the expectations of the consumer.
- Opt-out—Consumers will have the right to decline or opt-out of the sale of their personal information. Companies must provide notice of the possibility of sale before collecting consumer personal information. Additionally, companies must publicly offer a "Do Not Sell My Personal Information" form, which, if submitted, prohibits a company from selling the consumer's personal information. Once a consumer opts-out, a company must give the consumer at least 12 months before requesting that the consumer agree to a sale of his or her personal data.
- Private right of action—Consumers have the right to individually sue a company in the event their nonencrypted or nonredacted personal information is subject to a breach. Damages are capped at $100-$750 per consumer per incident or actual damages, whichever is greater. Additionally, injunctive or declaratory relief, and any other relief a court deems appropriate, is available. Companies must be given an opportunity to cure the violation within 30 days of receiving written notice before a consumer can sue.
- Protection for minors—Under House Bill 1049, companies cannot sell personal information of consumers under age 16 without affirmative authorization by a minor aged 13 to 16 or a parent for children under 13.
- Anti-discrimination provision—Companies cannot discriminate against consumers for exercising rights enumerated under House Bill 1049. Yet companies can offer a different price for goods or services based upon the value derived from a consumer's data.
- Civil penalties—If a company violates any provision under House Bill 1049, the attorney general can bring a civil action against the company, with potential liability capped at $7,500 per violation. Prior to initiating an action, however, companies must be given an opportunity to cure the violation within 30 days of notification.
The Takeaway
Data privacy legislation is coming to Pennsylvania. Companies doing business in Pennsylvania must begin to examine critically their data collection, retention and dissemination practices to ensure compliance. Companies should analyze: what personal information they collect; how the personal information is being collected; why the personal information is being collected; how they are using the personal information; how the personal information is protected; and who has access to the personal information. Companies should also examine what personal information is being sold or disseminated to third parties and whether the third parties have systems in place for privacy compliance. Additionally, companies should develop policies and procedures that comply with the law, and should ensure that all employees are trained properly regarding their privacy obligations.
Christopher A. Iacono is a partner in the government enforcement, compliance and white-collar litigation; health care; and litigation practice groups of Pietragallo Gordon Alfano Bosick & Raspanti. Iacono focuses his practice on commercial litigation, white-collar criminal defense, internal investigations, compliance, health care litigation and professional licensing litigation.
Gabrielle I. Weiss is an associate at the firm. She is a member of the employment and labor group where she focuses on a variety of issues including defending discrimination claims and conducting internal investigations. Weiss also works on white collar and general litigation matters.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.