PRINTER'S NO. 215
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
246
Session of
2019
INTRODUCED BY KENYATTA, JANUARY 28, 2019
REFERRED TO COMMITTEE ON COMMERCE, JANUARY 28, 2019
AN ACT
Regulating electronic mail solicitations; protecting privacy of
Internet consumers; regulating use of data about Internet
users; and prescribing penalties.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
CHAPTER 1
PRELIMINARY PROVISIONS
Section 101. Short title.
This act shall be known and may be cited as the Internet
Privacy and Consumer Protection Act (IPCPA).
Section 102. Definitions.
The following words and phrases when used in this chapter
shall have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Consumer." A person who agrees to pay a fee to an Internet
service provider for access to the Internet for personal, family
or household purposes and who does not resell access.
"Internet service provider." A business or person who
provides consumers authenticated access to, or presence on, the
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Internet by means of a switched or dedicated telecommunications
channel upon which the business or person provides transit
routing of Internet Protocol (IP) packets for and on behalf of
consumers. The term does not include the offering, on a common
carrier basis, of telecommunications facilities or of
telecommunications by means of those facilities.
"Ordinary course of business." Debt collection activities,
order fulfillment, request processing or the transfer of
ownership.
"Personally identifiable information." Information that
identifies:
(1) a consumer by physical or electronic address or
telephone number;
(2) a consumer as having requested or obtained specific
materials or services from an Internet service provider;
(3) Internet or online sites visited by a consumer; or
(4) the contents of a consumer's data storage devices.
CHAPTER 3
DISCLOSURE OF PERSONAL INFORMATION
Section 301. When disclosure of personal information
prohibited.
Except as provided in sections 302 and 303, no Internet
service provider may knowingly disclose personally identifiable
information concerning a consumer of the Internet service
provider.
Section 302. When disclosure of personal information required.
An Internet service provider shall disclose personally
identifiable information concerning a consumer:
(1) to an investigative or law enforcement officer while
acting as authorized by law;
20190HB0246PN0215 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(2) pursuant to a court order in a civil proceeding upon
a showing of compelling need for the information that cannot
be accommodated by other means;
(3) to a court in a civil action commenced by the
Internet service provider to enforce collection of unpaid
subscription fees or purchase amounts, and then only to the
extent necessary to establish the fact of the subscription
delinquency or purchase agreement, and with appropriate
safeguards against unauthorized disclosure;
(4) to the consumer who is the subject of the
information, upon written or electronic request and upon
payment of a fee not to exceed the actual cost of retrieving
the information; or
(5) pursuant to subpoena, including an administrative
subpoena, issued under authority of a law of this State or
another state or the United States.
Section 303. When disclosure of personal information permitted.
(a) Conditions of disclosure.--An Internet service provider
may disclose personally identifiable information concerning a
consumer to:
(1) a person if the disclosure is incident to the
ordinary course of business of the Internet service provider;
(2) another Internet service provider for purposes of
reporting or preventing violations of the published
acceptable use policy or consumer service agreement of the
Internet service provider, except that the recipient may
further disclose the personally identifiable information only
as provided by this act; or
(3) a person with the authorization of the consumer.
(b) Authorization.--
20190HB0246PN0215 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(1) An Internet service provider may obtain a consumer's
authorization of the disclosure of personally identifiable
information in writing or by electronic means. The request
for authorization must reasonably describe the type of person
to whom personally identifiable information may be disclosed
and the anticipated uses of the information.
(2) In order for an authorization to be effective, a
contract between an Internet service provider and the
consumer must state either that the authorization will be
obtained by an affirmative act of the consumer or that
failure of the consumer to object after the request has been
made constitutes authorization of disclosure. The provision
in the contract must be conspicuous.
(3) Authorization may be obtained in a manner consistent
with self-regulating guidelines issued by representatives of
the Internet service provider or online industry or in any
other manner reasonably designed to comply with this act.
(4) The authorization must be written in plain language
that can easily be understood by consumers.
Section 304. Security of information.
An Internet service provider shall take reasonable steps to
maintain security and privacy of a consumer's personally
identifiable information.
Section 305. Exclusion from evidence.
Except for purposes of establishing a violation of this act,
personally identifiable information obtained in a manner other
than as provided in this act may not be admitted as evidence in
a civil action.
Section 306. Enforcement.
(a) General rule.--A consumer who prevails or substantially
20190HB0246PN0215 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
prevails in an action brought under this act shall be entitled
to recover to the greater of $500 or actual damages. Costs,
disbursements and reasonable attorney fees may be awarded to a
party awarded damages for a violation of this act.
(b) Defense.--In an action under this act, it is a defense
that the defendant has established and implemented reasonable
practices and procedures to prevent violations of this act.
Section 307. Construction.
Nothing in this chapter may be construed to limit any greater
protection of the privacy of information under other law, except
that:
(1) nothing in this act may limit the authority under
other Federal or State law of law enforcement or prosecuting
authorities to obtain information; and
(2) if Federal law is enacted that regulates the release
of personally identifiable information by Internet service
providers, but does not preempt State law on the subject, the
Federal law supersedes any conflicting provisions of this
act.
CHAPTER 5
RECORDS
Section 501. Records concerning electronic communication
service or remote computing service.
(a) General rule.--Except as provided in subsection (b), a
provider of electronic communication service or remote computing
service may disclose a record or other information pertaining to
a subscriber to or customer of the service to any person other
than a governmental entity.
(b) Exception.--A provider of electronic communication
service or remote computing service may disclose a record or
20190HB0246PN0215 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
other information pertaining to a subscriber to or customer of
the service to a governmental entity only when the governmental
entity:
(1) uses an administrative subpoena authorized by
statute;
(2) obtains a warrant;
(3) obtains a court order for the disclosure under this
act; or
(4) has the consent of the subscriber or customer to the
disclosure.
(c) Governmental entities.--A governmental entity receiving
records or information under this section need not provide
notice to a subscriber or customer.
CHAPTER 7
COMMERCIAL ELECTRONIC MAIL SOLICITATION
Section 701. Definitions.
The following words and phrases when used in this chapter
shall have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Commercial electronic mail message." An electronic mail
message sent through an Internet service provider's facilities
located in this Commonwealth to a resident of this Commonwealth
for promoting real property, goods or services for sale or
lease.
"Electronic mail address." A destination, commonly expressed
as a string of characters, to which electronic mail may be sent
or delivered.
"Electronic mail service provider." A business, nonprofit
organization, educational institution, library or governmental
entity that provides a set of users the ability to send or
20190HB0246PN0215 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
receive electronic mail messages through the Internet.
"Initiate the transmission." In relation to the action by
the original sender of an electronic mail message, not to the
action by an intervening Internet service provider or electronic
mail service provider that may handle or retransmit the message.
"Internet domain name." A globally unique, hierarchical
reference to an Internet host or service, assigned through
centralized Internet naming authorities, comprising a series of
character strings separated by periods with the rightmost string
specifying the top of the hierarchy.
Section 702. False or misleading messages prohibited.
No person may initiate the transmission of a commercial
electronic mail message that:
(1) uses a third party's Internet domain name without
permission of the third party or otherwise misrepresents
information in identifying the point of origin or the
transmission path of a commercial electronic mail message; or
(2) contains false or misleading information in the
subject line.
Section 703. Subject disclosure.
(a) General rule.--The subject line of a commercial
electronic mail message shall include "ADV" as the first
characters. If the message contains information that consists of
material of a sexual nature that may only be viewed by an
individual 18 years of age and older, the subject line of the
message must include "ADV-ADULT" as the first characters.
(b) Definitions.--As used in this section, the following
words and phrases shall have the meanings given to them in this
subsection unless the context clearly indicates otherwise:
"Affiliate." A person that directly or indirectly controls,
20190HB0246PN0215 - 7 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
is controlled by or is under common control with a specified
person.
"Business relationship." A prior or existing relationship
formed between the initiator and the recipient of a commercial
electronic mail message with or without an exchange of
consideration, on the basis of an inquiry, application, purchase
or use by the recipient of or regarding products, information or
services offered by the initiator or an affiliate or agent of
the initiator.
"Commercial electronic mail message." Does not include a
message:
(1) if the recipient of the message has consented to
receive or has solicited electronic mail messages from the
initiator of the message;
(2) from an organization using electronic mail to
communicate exclusively with its members;
(3) from an entity that uses electronic mail to
communicate exclusively with its employees or contractors; or
(4) if there is a business or personal relationship
between the initiator and the recipient.
Section 704. Toll-free number.
(a) Duty of sender to establish.--
(1) A sender initiating the transmission of a commercial
electronic mail message shall establish a toll-free telephone
number, a valid sender-operated return electronic mail
address or another easy-to-use electronic method that the
recipient of the commercial electronic mail message may call
or access by electronic mail or other electronic means to
notify the sender not to transmit by electronic mail any
further unsolicited commercial electronic mail messages.
20190HB0246PN0215 - 8 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(2) The notification process may include the ability for
the commercial electronic mail message recipient to direct
the initiator to transmit or not to transmit particular
commercial electronic mail messages based upon products,
services, divisions, organizations, companies or other
selections of the recipient's choice.
(b) Statement required.--A commercial electronic mail
message shall include a statement informing the recipient of a
toll-free telephone number the recipient may call or a valid
return address to which the recipient may write or access by
electronic mail or another electronic method established by the
initiator:
(1) notifying the sender not to transmit to the
recipient any further unsolicited commercial electronic mail
messages to the electronic mail address or addresses
specified by the recipient; and
(2) explaining the manner in which the recipient may
specify what commercial electronic mail messages the
recipient does and does not wish to receive.
Section 705. Blocking receipt or transmission.
No electronic mail service provider may be held liable in an
action by a recipient for an act voluntarily taken in good faith
to block the receipt or transmission through its service of a
commercial electronic mail message that the electronic mail
service provider reasonably believes is, or will be, sent in
violation of this chapter.
Section 706. Defenses.
A person is not liable for a commercial electronic mail
message sent in violation of this chapter if the person can show
by a preponderance of evidence that:
20190HB0246PN0215 - 9 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(1) the commercial electronic mail message was not
initiated by the person or was initiated in a manner and form
not subject to the control of the person; or
(2) the person has established and implemented
reasonable practices and procedures to prevent a violation of
this chapter.
Section 707. Damages.
(a) General rule.--A person injured by a violation of this
chapter may recover damages caused by the violation as specified
in this section.
(b) Recovery permitted.--An injured person, other than an
electronic mail service provider, may recover:
(1) the lesser of $25 for each commercial electronic
mail message received that violates section 702 or $35,000
per day; or
(2) the lesser of $10 for each commercial electronic
mail message received that violates section 703 or $25,000
per day.
(c) Election or recovery.--An injured electronic mail
service provider may recover actual damages or elect, in lieu of
actual damages, to recover:
(1) the lesser of $25 for each commercial electronic
mail message received that violates section 702 or $35,000
per day; or
(2) the lesser of $10 for each commercial electronic
mail message received that violates section 703 or $25,000
per day.
(d) Discretion of court.--At the request of any party to an
action brought under this section, the court may, at its
discretion, conduct all legal proceedings in such a way as to
20190HB0246PN0215 - 10 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
protect the secrecy and security of the computer, computer
network, computer data, computer program and computer software
involved in order to prevent possible recurrence of the same or
similar act by another person and to protect trade secrets of a
party.
(e) Costs and fees.--Costs and reasonable attorney fees may
be awarded to a party awarded damages for a violation of this
chapter.
CHAPTER 9
MISCELLANEOUS PROVISIONS
Section 901. (Reserved).
Section 902. Effective date.
This act shall take effect in 60 days.
20190HB0246PN0215 - 11 -
1
2
3
4
5
6
7
8
9
10
11
12
13