PRINTER'S NO. 1212
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL No. 1049
Session of 2019
INTRODUCED BY NEILSON, McNEILL, BOBACK, HILL-EVANS, ZIMMERMAN,
MURT, CALTAGIRONE, BROWN, FREEMAN, YOUNGBLOOD, READSHAW,
SOLOMON AND DeLUCA, APRIL 5, 2019
REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, APRIL 5, 2019
AN ACT
Providing for consumer data privacy, for rights of consumers and
duties of businesses relating to the collection of personal
information and for duties of the Attorney General.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Short title.
This act shall be known and may be cited as the Consumer Data
Privacy Act.
Section 2. Legislative findings.
The General Assembly finds and declares as follows:
(1) That it is an important and substantial State
interest to protect the private, personal data in this
Commonwealth.
(2) That with the increasing use of technology and data
in everyday life, there is an increasing amount of private,
personal data being shared by consumers with businesses as a
part of everyday transactions and online and other
activities.
(3) That the increasing collection, storage, use and
sale of personal data creates increased risks of identity
theft, financial loss and other misuse of private personal
data.
(4) That many consumers do not know, understand or have
appropriate authority over the distribution, use, sale or
disclosure of their personal data.
Section 3. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Business." The following:
(1) A sole proprietorship, partnership, limited
liability company, corporation, association or other legal
entity that is organized or operated for the profit or
financial benefit of its shareholders or other owners, that
collects consumers' personal information, or on the behalf of
which such information is collected and that alone, or
jointly with others, determines the purposes and means of the
processing of consumers' personal information, that does
business in this Commonwealth and that satisfies one or more
of the following thresholds:
(i) Has annual gross revenues in excess of
$10,000,000.
(ii) Alone or in combination, annually buys,
receives for the business' commercial purposes, sells or
shares for commercial purposes, alone or in combination,
the personal information of 50,000 or more consumers,
households or devices.
(iii) Derives 50% or more of annual revenues from
20190HB1049PN1212 - 2 -
selling consumers' personal information.
(2) An entity that controls a business under paragraph
(1) and shares common branding with the business.
"Common branding." A shared name, servicemark or trademark.
"Control." Ownership of or the power to vote on more than
50% of the outstanding shares of any class of voting security of
a business, control in any manner over the election of a
majority of the directors, or of individuals exercising similar
functions, or the power to exercise a controlling influence over
the management of a company.
"Personal information." Information that identifies, relates
to, describes, is capable of being associated with or could
reasonably be linked, directly or indirectly, with a particular
consumer or household, including, but not limited to:
(1) Identifiers such as a real name, alias, postal
address, unique personal identifier, online identifier,
including an Internet website protocol address, e-mail
address, account name, Social Security number, driver's
license number, passport number or other similar identifiers.
(2) Characteristics of protected classifications under
Federal or State law.
(3) Commercial information, including records of
personal property, products or services purchased, obtained
or considered or other purchasing or consuming histories or
tendencies.
(4) Biometric information.
(5) Internet or other electronic network activity
information, including, but not limited to, browser history,
search history and information regarding a consumer's
interaction with an Internet website, application or
advertisement.
(6) Geolocation data.
(7) Audio, electronic, visual, thermal, olfactory or
similar information.
(8) Professional or employment-related information.
(9) Education information, defined as information that
is not publicly available personally identifiable information
under the Family Educational Rights and Privacy Act of 1974
(Public Law 90-247, 20 U.S.C. § 1232g).
(10) Inferences drawn from any of the information
identified under this definition to create a profile about a
consumer reflecting the consumer's preferences,
characteristics, psychological trends, predispositions,
behaviors, attitudes, intelligence, abilities and aptitudes.
(11) The term does not include publicly available
information.
"Publicly available." Information that is lawfully made
available from Federal, State or local government records, as
restricted by any conditions associated with such information.
The term does not include biometric information collected by a
business about a consumer without the consumer's knowledge or
consumer information that is deidentified or aggregate consumer
information. Information is not publicly available if the data
is used for a purpose that is not compatible with the purpose
for which the data is maintained and made available in the
government records or for which it is publicly maintained.
Section 4. Consumer data privacy.
(a) General rule.--A consumer shall have the right to:
(1) Know what personal information is being collected
about the consumer.
(2) Know whether the consumer's personal information is
sold or disclosed and to whom.
(3) Decline or opt out of the sale of the consumer's
personal information.
(4) Access the consumer's personal information that has
been collected.
(5) Equal service and price, even if a consumer
exercises their rights under this subsection.
(b) Disclosure by businesses.--A consumer shall have the
right to request that a business which collects personal
information about the consumer disclose to the consumer the
following:
(1) The categories of personal information the business
has collected about the consumer.
(2) The categories of sources from which the personal
information is collected.
(3) The business or commercial purpose for collecting or
selling personal information.
(4) The categories of third parties with whom the
business shares personal information.
(5) The specific pieces of personal information the
business has collected about the consumer.
(c) Request from consumer.--A business which collects
personal information about a consumer shall disclose to the
consumer the information specified under subsection (b) upon
receipt of a verifiable request from a consumer. This subsection
does not require a business to:
(1) retain any personal information about a consumer
collected for a single one-time transaction if, in the
ordinary course of business, that information about the
consumer is not retained; or
(2) reidentify or otherwise link any data that, in the
ordinary course of business, is not maintained in a manner
that would be considered personal information.
(d) Request for information sold or used for business
purposes.--A consumer shall have the right to request that a
business which sells the consumer's personal information, or
that discloses it for a business purpose, disclose to the
consumer:
(1) The categories of personal information that the
business collected about the consumer.
(2) The categories of personal information that the
business sold about the consumer and the categories of third
parties to whom the personal information was sold, by
category or categories of personal information for each third
party to whom the personal information was sold.
(3) The categories of personal information that the
business disclosed about the consumer for a business purpose.
(e) Request to delete personal information.--A consumer
shall have the right to request that a business delete any
personal information about the consumer which the business has
collected from the consumer. The following shall apply:
(1) A business that collects personal information about
consumers shall disclose under subsection (l) the consumer's
rights to request the deletion of the consumer's personal
information.
(2) A business that receives a verifiable request from a
consumer to delete the consumer's personal information shall
delete the consumer's personal information from its records
and direct any service providers to delete the consumer's
personal information from the service provider's records.
(3) A business or a service provider shall not be
required to comply with a consumer's request to delete the
consumer's personal information if it is necessary for the
business or service provider to maintain the consumer's
personal information in order to:
(i) Complete the transaction for which the personal
information was collected, provide a good or service
requested by the consumer or reasonably anticipated
within the context of a business's ongoing business
relationship with the consumer or otherwise perform a
contract between the business and the consumer.
(ii) Detect security incidents, protect against
malicious, deceptive, fraudulent or illegal activity or
prosecute those responsible for that activity.
(iii) Debug to identify and repair errors that
impair existing intended functionality.
(iv) Exercise free speech, ensure the right of
another consumer to exercise the consumer's right of free
speech or exercise another right provided under Federal
or State law.
(v) Engage in public or peer-reviewed scientific,
historical or statistical research in the public interest
that adheres to all other applicable Federal and State
ethics and privacy laws, when the business's deletion of
the information is likely to render impossible or
seriously impair the achievement of the research, if the
consumer has provided informed consent.
(vi) To enable solely internal uses that are
reasonably aligned with the expectations of the consumer
based on the consumer's relationship with the business.
(vii) Comply with a legal obligation.
(f) Compliance with request.--A business that sells personal
information about a consumer, or that discloses a consumer's
personal information for a business purpose, shall disclose the
information specified under subsection (d) to the consumer upon
receipt of a verifiable request from the consumer.
(g) Third parties.--A third party shall not sell personal
information about a consumer that has been sold to the third
party by a business unless the consumer has received explicit
notice and is provided an opportunity to exercise the right to
opt out.
(h) Notice.--A business that sells consumers' personal
information to third parties shall provide notice to consumers
that this information may be sold and that a consumer has the
right to opt out of the sale of their personal information at
any time.
(i) Prohibition on sale of personal information.--A business
which has received direction from a consumer not to sell the
consumer's personal information or, in the case of a minor
consumer's personal information has not received consent to sell
the minor consumer's personal information, shall be prohibited
from selling the consumer's personal information after its
receipt of the consumer's direction, unless the consumer
subsequently provides express authorization for the sale of the
consumer's personal information.
(j) Consumers of young age.--Notwithstanding subsection (i),
a business may not sell the personal information of a consumer
if the business has actual knowledge that the consumer is less
than 16 years of age, unless the consumer, in the case of a
consumer who is between 13 and 16 years of age, or the
consumer's parent or guardian, in the case of a consumer who is
less than 13 years of age, has affirmatively authorized the sale
of the consumer's personal information. A business that
willfully disregards the consumer's age shall be deemed to have
had actual knowledge of the consumer's age.
(k) Discrimination prohibited.--
(1) A business shall not discriminate against a consumer
because the consumer exercised any of the consumer's rights
under this section, including, but not limited to, by:
(i) Denying goods or services to the consumer.
(ii) Charging different prices or rates for goods or
services, including through the use of discounts or other
benefits or imposing penalties.
(iii) Providing a different level or quality of
goods or services to the consumer.
(iv) Suggesting that the consumer will receive a
different price or rate for goods or services or a
different level or quality of goods or services.
(2) Nothing in this subsection shall prohibit a business
from charging a consumer a different price or rate, or from
providing a different level or quality of goods or services
to the consumer, if that difference is reasonably related to
the value provided to the consumer by the consumer's data.
(l) Compliance with notice requirements.--In order to comply
with the notice requirements under this section, a business
shall:
(1) In a form that is reasonably accessible to
consumers, make available to consumers two or more designated
methods for submitting requests for information required to
be disclosed, including, at a minimum, a toll-free telephone
number, and if the business maintains a publicly accessible
Internet website, the website address.
(2) In a form that is reasonably accessible to
consumers, disclose and deliver the required information to a
consumer free of charge within 45 days of receiving a
verifiable request from the consumer. The time period to
provide the required information may be extended once by an
additional 45 days when reasonably necessary, provided the
consumer is provided notice of the extension within the first
45-day period.
(3) In a form that is reasonably accessible to
consumers, provide a clear and conspicuous link on the
business's publicly accessible Internet website, titled "Do
Not Sell My Personal Information," to a publicly accessible
Internet website that enables a consumer, or a person
authorized by the consumer, to opt out of the sale of the
consumer's personal information. A business shall not require
a consumer to create an account in order to direct the
business not to sell the consumer's personal information.
(4) Include a description of a consumer's rights along
with a separate link to the "Do Not Sell My Personal
Information" publicly accessible Internet website required
under paragraph (3) in the following:
(i) The business's online privacy policy or policies
if the business has an online privacy policy or policies.
(ii) A description of consumers' privacy rights
under the laws of this Commonwealth.
(5) Ensure that all individuals responsible for handling
consumer inquiries about the business's privacy practices are
informed of the requirements of this section and how to
direct consumers to exercise their rights.
(6) For consumers who exercise their right to opt out of
the sale of their personal information, refrain from selling
personal information collected by the business about the
consumer.
(7) For a consumer who has opted out of the sale of the
consumer's personal information, respect the consumer's
decision to opt out for at least 12 months before requesting
that the consumer authorize the sale of the consumer's
personal information.
(8) Use any personal information collected from the
consumer in connection with the submission of the consumer's
opt-out request solely for the purposes of complying with the
opt-out request.
(9) Nothing in this subsection shall be construed to
require a business to comply with this subsection by
including the required links and text on its publicly
accessible Internet website that the business makes available
to the public generally, if the business maintains a separate
and additional publicly accessible Internet website that is
dedicated to consumers in this Commonwealth and that includes
the required links and text, and the business takes
reasonable steps to ensure that consumers in this
Commonwealth are directed to the publicly accessible Internet
website for consumers in this Commonwealth and not the
publicly accessible Internet website made available to the
public generally.
(m) Obligations on business.--The obligations imposed on a
business under this section shall not restrict a business's
ability to:
(1) Comply with Federal, State or local laws.
(2) Comply with a civil, criminal or regulatory inquiry,
investigation, subpoena or summons by Federal, State or local
authorities.
(3) Cooperate with law enforcement agencies concerning
conduct or activity that the business, service provider or
third party reasonably and in good faith believes may violate
Federal, State or local laws.
(4) Exercise or defend legal claims.
(5) Collect, use, retain, sell or disclose consumer
information that is deidentified or in the aggregate consumer
information.
(6) Collect or sell a consumer's personal information if
every aspect of that commercial conduct takes place wholly
outside of this Commonwealth. For purposes of this section,
commercial conduct takes place wholly outside of this
Commonwealth if the business collected that information while
the consumer was outside of this Commonwealth, no part of the
sale of the consumer's personal information occurred in this
Commonwealth and no personal information collected while the
consumer was in this Commonwealth is sold. This paragraph
shall not permit a business to store, including on a
device, personal information about a consumer when the
consumer is in this Commonwealth and then collect that
personal information when the consumer and stored personal
information are outside of this Commonwealth.
(n) Civil action by consumer.--
(1) A consumer whose nonencrypted or nonredacted
personal information is subject to an unauthorized access and
exfiltration, theft or disclosure as a result of the
business's violation of the duty to implement and maintain
reasonable security procedures and practices appropriate to
the nature of the information to protect the personal
information may institute a civil action for any of the
following:
(i) To recover damages in an amount not less than
$100 and not more than $750 per consumer per incident or
actual damages, whichever is greater.
(ii) Injunctive or declaratory relief.
(iii) Any other relief the court deems appropriate.
(2) In assessing the amount of statutory damages, a
court shall consider any one or more of the relevant
circumstances presented by any of the parties to the case,
including, but not limited to, the nature and seriousness of
the misconduct, the number of violations, the persistence of
the misconduct, the length of time over which the misconduct
occurred, the willfulness of the defendant's misconduct and
the defendant's assets, liabilities and net worth.
(3) An action under this section may be brought by a
consumer if, prior to initiating any action against a
business for statutory damages on an individual or classwide
basis, a consumer provides a business 30 days' written notice
identifying the specific provisions of this act the consumer
alleges have been or are being violated. In the event a cure
is possible, if, within the 30 days the business actually
cures the noticed violation and provides the consumer an
express written statement that the violations have been cured
and that no further violations shall occur, no action for
individual statutory damages or classwide statutory damages
may be initiated against the business. No notice shall be
required prior to an individual consumer initiating an action
solely for actual pecuniary damages suffered as a result of
the alleged violations of this act. If a business continues
to violate this act in breach of the express written
statement provided to the consumer under this paragraph, the
consumer may initiate an action against the business to
enforce the written statement and may pursue statutory
damages for each breach of the express written statement, as
well as any other violation of this act that postdates the
written statement.
(o) Violation.--A business shall be in violation of this
section if the business fails to cure an alleged violation
within 30 days after being notified of alleged noncompliance. A
business, service provider or other person that violates this
section shall be liable for a civil penalty in a civil action
brought by the Attorney General of up to $7,500 for each
violation.
(p) Opinion of Attorney General.--A business or third party
may seek the opinion of the Attorney General for guidance on how
to comply with the provisions of this act.
(q) Rules and regulations.--The Attorney General shall
promulgate rules and regulations to implement this section.
Section 5. Effective date.
This act shall take effect immediately.