PRINTER'S NO. 2617

THE GENERAL ASSEMBLY OF PENNSYLVANIA

HOUSE BILL

No.

2257

Session of

2022

INTRODUCED BY KENYATTA, SHUSTERMAN, GUENST, GALLOWAY, HILL-

EVANS, BENHAM, SCHLOSSBERG, KINSEY, SAMUELSON, FREEMAN,

SANCHEZ, HOWARD, ISAACSON, PARKER, MADDEN, O'MARA, NEILSON,

data of consumers; providing for enforcement; prescribing

penalties; and establishing the Consumer Privacy Fund.

Chapter 1. Preliminary Provisions

Section 101. Short title.

Section 102. Definitions.

Section 103. Applicability.

Chapter 3. Enumeration of Rights and Responsibilities

Section 301. Rights of consumers and controllers.

Section 302. Controller responsibilities.

Section 502. Enforcement procedure.

Section 503. Consumer Privacy Fund.

Chapter 7. Miscellaneous Provisions

Section 701. (Reserved).

Section 702. Effective date.

The General Assembly of the Commonwealth of Pennsylvania

hereby enacts as follows:

CHAPTER 1

Section 101. Short title.

"Affiliate," "affiliate of" or "person affiliated with." A

person that directly or indirectly, through one or more

intermediaries, controls, is controlled by or is under common

control with a specified person. For the purposes of this

definition, "control" or "controlled" means:

(1) ownership of, or the power to vote, more than 50% of

the outstanding shares of any class of voting security of a

company;

(2) control in any manner over the election of a

majority of the directors or of individuals exercising

consumer, entitled to exercise the consumer rights under this

act, is the same consumer exercising the consumer rights with

respect to the personal data at issue.

"Automated means." A computer program or an electronic or

other automated means used independently to initiate an action

or respond to electronic records or performances, in whole or in

part, without review or action by an individual.

"Biometric data." Data generated by automatic measurements

of an individual's biological characteristics, such as a

fingerprint, voiceprint, eye retinas, irises or other unique

unauthorized access and acquisition of unencrypted data, or

encrypted data with the confidential process or key required to

decrypt the data, that is likely to compromise the security or

confidentiality of personal information maintained by the entity

as part of a database of personal information regarding multiple

individuals that causes or the entity reasonably believes has

caused or will cause loss or injury to any resident of this

Commonwealth. Good faith acquisition of personal information by

an employee or agent of the entity for the purposes of the

entity is not a breach of the security of the system if the

(1) Except as provided in paragraph (4), business

associate means, with respect to a covered entity, a person

who:

(i) on behalf of such covered entity or of an

organized health care arrangement in which the covered

entity participates, but other than in the capacity of a

member of the workforce of the covered entity or

arrangement, creates, receives, maintains or transmits

protected health information for a function or activity

regulated by this chapter, including claims processing or

member of the workforce of the covered entity, legal,

actuarial, accounting, consulting, data aggregation,

management, administrative, accreditation, or financial

services to or for such covered entity, or to or for an

organized health care arrangement in which the covered

entity participates, where the provision of the service

involves the disclosure of protected health information

from such covered entity or arrangement, or from another

business associate of such covered entity or arrangement,

to the person.

Gateway or other person that provides data transmission

services with respect to protected health information to

a covered entity and that requires access on a routine

basis to such protected health information.

(ii) Offers a personal health record to one or more

individuals on behalf of a covered entity.

(iii) A subcontractor that creates, receives,

maintains or transmits protected health information on

behalf of the business associate.

(4) The term does not include:

sponsor.

(iii) A government agency, with respect to

determining eligibility for, or enrollment in, a

government health plan that provides public benefits and

is administered by another government agency, or

collecting protected health information for such

purposes, to the extent the activities are authorized by

law.

(iv) A covered entity participating in an organized

health care arrangement that performs a function or

the activities or services.

"Child." An individual who is younger than 13 years of age.

"Consent." A clear affirmative act signifying a consumer's

freely given, specific, informed and unambiguous agreement to

process personal data relating to the consumer. The act may

include a written statement, including a statement written by

electronic means, or any other unambiguous affirmative action.

"Consumer." A natural person who is a resident of this

Commonwealth acting only in a personal or household context. The

term does not include a natural person who acts in a commercial

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider that transmits health

information in electronic form in connection with a

transaction covered by this chapter.

"Data protection assessment." A process to identify and

minimize the data protection risks of a project by:

(1) Describing the nature, scope, context and purpose of

processing.

(2) Assessing necessity, proportionality and compliance

"Decision of the controller." A decision made by a

controller to provide or deny a consumer's request for

financial or lending services, housing, insurance, education

enrollment, criminal justice, an employment opportunity, health

care services or access to a basic necessity, such as food and

water.

"De-identified data." Data that cannot reasonably be linked

to an identified or identifiable individual or data on a device

linked to the individual.

"Entity." An individual or business conducting business or

successor or an affiliate of the financial institution.

"Fund." The Consumer Privacy Fund established under section

503.

"Health care practitioner." An individual who is authorized

to practice some component of the healing arts by a license,

permit, certificate or registration issued by a Commonwealth

licensing agency or board.

"Health care provider" or "provider." An individual, trust

or estate, partnership, corporation (including associations,

joint stock companies and insurance companies) or the

recorded material maintained by a health care entity in the

course of providing health services to an individual concerning

the individual and the services provided. The term includes the

substance of a communication made by an individual to a health

care entity in confidence during or in connection with the

provision of health services or information otherwise acquired

by the health care entity about an individual in confidence and

in connection with the provision of health services to the

individual.

"HIPAA." The Health Insurance Portability and Accountability

(i) Social Security number;

(ii) driver's license number;

(iii) State identification card number issued in

lieu of a driver's license;

(iv) passport number;

(v) taxpayer identification number;

(vi) medical information;

(vii) health insurance information;

(viii) biometric data; or

(ix) a financial account number or a credit or debit

information would reasonably permit the fraudulent assumption

of the identity of an individual.

(3) An individual's username or e-mail address in

combination with a password or security question and answer,

biometric information or other information that would permit

access to an online account.

(4) The term does not include information that an

individual has made public himself or herself, information

that the individual has consented in writing to be made

public or information that was lawfully made public under

the act of March 10, 1949 (P.L.30, No.14), known as the

Public School Code of 1949.

(2) A university within the State System of Higher

Education.

(3) The Pennsylvania State University.

(4) The University of Pittsburgh.

(5) Temple University.

(6) Lincoln University.

(7) Another institution that is designated as "State-

related" by the Commonwealth.

(9) Information used only for public health activities

and purposes as authorized by HIPAA.

(10) The collection, maintenance, disclosure, sale,

communication or use of personal information bearing on a

consumer's credit worthiness, credit standing, credit

capacity, character, general reputation, personal

characteristics or mode of living by a consumer reporting

agency, business or public utility that provides information

for use in a consumer report, and by a user of a consumer

report, but only to the extent that the activity is regulated

(12) Personal data regulated by the Family Educational

Rights and Privacy Act of 1974 (Public Law 90-247, 20 U.S.C.

§ 1232g).

(13) Personal data collected, processed, sold or

disclosed in compliance with the Farm Credit Act of 1971

(Public Law 92-181, 12 U.S.C. § 2001 et seq.).

(14) Data processed or maintained:

(i) to the extent that data is collected and used in

the course of employment with, or the performance of, a

contract for a controller, processor or third party;

for another individual relating to the individual under

subparagraph (i) and used for the purposes of

administering those benefits.

(d) Compliance under other Federal law.--A controller or

processor that complies with the verifiable parental consent

requirements of the Children's Online Privacy Protection Act

(Public Law 105-277, 15 U.S.C. § 6501 et seq.) shall be deemed

compliant with any obligation to obtain parental consent under

this act.

CHAPTER 3

legal guardian may invoke the consumer rights on behalf of the

child regarding processing personal data belonging to the known

child. The consumer may invoke the right:

(1) To confirm whether or not the controller is

processing the consumer's personal data and to access the

personal data.

(2) To correct inaccuracies in the consumer's personal

data.

(3) To delete personal data provided by the consumer or

obtained by the controller about the consumer.

to another controller without hindrance, where the processing

is carried out by automated means.

(5) To opt out of the processing of the personal data

for purposes of:

(i) targeted advertising;

(ii) the sale of personal data; or

(iii) profiling in furtherance of decisions that

produce legal or similarly significant effects concerning

the consumer.

(b) Controller duties.--Except as otherwise provided in this

additional days when reasonably necessary, taking into

account the complexity and number of the consumer's requests,

so long as the controller informs the consumer of the

extension within the initial 45-day response period, together

with the reason for the extension.

(2) If the controller declines to take action regarding

a consumer's request, the controller shall:

(i) inform the consumer within 45 days of receipt of

the request of the justification for declining to take

action; and

except as provided in subparagraph (ii), be provided by

the controller free of charge and up to twice annually

per consumer.

(ii) If a request from a consumer is determined by

the comptroller to be unfounded, excessive or repetitive,

the controller may charge the consumer a reasonable fee

to cover the administrative costs of complying with the

request or decline to act on the request. The controller

shall bear the burden of demonstrating that a consumer's

request under subsection (a) is unfounded, excessive or

authenticate the consumer and the consumer's request.

(c) Appeal process.--

(1) A controller shall establish a process for a

consumer to appeal the controller's refusal to take action on

a request within a reasonable period of time after the

consumer's receipt of the decision.

(2) The appeal process shall be stated in plain

language. The controller shall respond to the consumer within

45 days of receipt of the appeal, notifying the consumer that

the appeal has been received.

(4) If the appeal is denied, the controller shall

provide the consumer with an online form that the consumer

may use to contact the Attorney General to submit a

complaint. Information about the form shall be published on a

publicly accessible Internet website.

Section 302. Controller responsibilities.

(a) General rule.--A controller shall:

(1) Limit the collection of personal data to what is

necessary in relation to the purposes for which the data is

collected, processed and maintained by the controller, as

unless the controller obtains the consumer's prior consent.

(3) Establish, implement and maintain reasonable

administrative, technical data security practices to protect

the confidentiality, integrity and accessibility of personal

data. The data security practices shall be appropriate to the

volume and nature of all consumer personal data collected,

processed and maintained by the controller.

(4) (i) Not process personal data in violation of

Federal and State laws that prohibit unlawful

discrimination against consumers, including the act of

301(a);

(B) denying goods, products or services;

(C) charging different prices or rates for

goods, products or services; or

(D) providing a different level of quality of

goods and services to the consumer.

(ii) Nothing in this paragraph shall be construed to

require a controller to:

(A) provide a good, product or service that

requires the personal data of a consumer that the

the consumer has exercised the right to opt out under

this act or the offer is related to a consumer's

voluntary participation in a bona fide loyalty,

promotional, rewards, premium features, discounts or

club card program or any other similar program.

(5) Not process sensitive data concerning a consumer

without obtaining the consumer's written consent or, in the

case of the processing of sensitive data concerning a known

child, without processing the data in accordance with the

Children's Online Privacy Protection Act (Public Law 105-277,

purposes of this act and shall be void and unenforceable.

(c) Consumer notice from controller.--

(1) A controller shall provide a consumer with an

accessible, clear and meaningful privacy notice that

includes:

(i) The categories of personal data collected,

processed and maintained by the controller.

(ii) The purpose for processing the consumer's

personal data.

(iii) How the consumer may exercise the consumer's

whom the controller shares personal data.

(2) The privacy notice shall be provided to the consumer

by United States Postal Service mail, annually, and shall be

accessible, electronically on the controller's publicly

accessible Internet website.

(d) Disclosure of sale and advertising processes.--If a

controller sells consumer personal data to third parties or

processes consumer personal data for targeted advertising, the

controller shall clearly and conspicuously disclose the sale or

processing, to the affected consumers, as well as the manner in

privacy notice the reliable procedures a consumer may use to

submit a request to exercise the consumer rights under this

act. The procedures shall take into account:

(i) the ways in which a consumer normally

communicates or interacts with the controller;

(ii) the need for secure and reliable communication

of the request; and

(iii) the method the controller will use to

authenticate the identity of the consumer making a

request.

meeting its obligations under this act. The assistance shall

include:

(1) Technical and organizational measures that take into

account the nature of processing consumer personal data and

the information available to the processor, as reasonably

practicable, to fulfill the controller's obligation to

respond to consumer rights requests under section 301.

(2) Security measures that take into account the nature

of processing consumer personal data and the information

available to the processor, in order to assist the controller

(3) Providing necessary information to enable the

controller to conduct and document data protection

assessments.

(b) Contract between controllers and processors.--

(1) A contract between a controller and a processor

shall include provisions to govern the processor's data

processing procedures with respect to the processing of

consumer personal data performed by a processor on behalf of

a controller.

(2) A contract under this subsection shall:

controller and the processor.

(3) The contract shall also include requirements that

the processor shall:

(i) Ensure that a person processing consumer

personal data is informed of and subject to

confidentiality requirements under Federal laws and

regulations and the laws and regulations of this

Commonwealth with respect to the data.

(ii) At the controller's direction, delete and

return all consumer personal data to the controller as

processor's possession necessary to demonstrate the

processor's compliance with the processor's obligations

under this act.

(iv) Allow, and cooperate with, audits by the

controller or the controller's designated assessor or,

alternatively, allow the processor to arrange for a

qualified and independent assessor to conduct an

assessment of the processor's policies and technical and

organizational measures in support of the obligations

under this act using an appropriate and accepted control

requirements of this act. A contract entered into under this

paragraph shall include provisions informing the

subcontractor of the confidentiality requirements under

Federal laws and regulations and State laws and regulations

and making the subcontractor subject to the confidentiality

requirements.

(5) A subcontractor under paragraph (4) shall be subject

to all the requirements that relate to the obligations of a

processor under this act.

(c) Construction.--Nothing in this section shall be

(d) Defenses.--

(1) A controller or processor that discloses personal

data to a third-party controller or processor in compliance

with the requirements of this act is not in violation of this

act if the third-party controller or processor that receives

and processes the personal data is in violation of this act,

provided that, at the time of disclosing the personal data,

the disclosing controller or processor did not have actual

knowledge that the recipient intended to commit a violation.

(2) A third-party controller or processor receiving

adversely affects the right or freedom of a person, such as

exercising the right of free speech pursuant to the First

Amendment to the Constitution of the United States, or applies

to the processing of personal data by a person in the course of

a purely personal or household activity.

(f) Permissible processing.--

(1) Personal data processed by a controller or processor

under contract with a controller under this section shall not

be processed for any purpose other than those expressly

listed in this section unless otherwise allowed by this act.

purposes listed in this section.

(ii) Limited to what is necessary in relation to the

specific purposes listed in this section.

(2) Personal data collected, used or retained under

subsection (b) shall, where applicable, take into account the

nature and purpose or purposes of the collection, use or

retention. The data shall be subject to reasonable

administrative, technical and physical measures to protect

the confidentiality, integrity and accessibility of the

personal data and to reduce reasonably foreseeable risks of

and complies with the requirements of subsection (f).

(h) Status as controller.--Processing personal data for the

purposes expressly identified in subsection (a) shall not solely

make an entity a controller with respect to the processing.

CHAPTER 5

ADMINISTRATION AND ENFORCEMENT

Section 501. Powers and duties of Attorney General.

(a) Administration.--The Attorney General shall administer

and enforce the provisions of this act and may adopt regulations

to carry out the requirements of this act.

Section 502. Enforcement procedure.

(a) Notice of violation.--Prior to initiating an action

under this act, the Attorney General shall provide a controller

or processor 30 days' written notice identifying the specific

provisions of this act that the Attorney General alleges have

been or are being violated.

(b) Cure of violation.--If within the 30-day period

specified under subsection (b), the controller or processor

cures the noticed violation and provides the Attorney General an

express written statement that the alleged violations have been

initiate an action in the name of the Commonwealth and may seek

an injunction to restrain the violation of this act and civil

penalties of up to $7,500 for each violation under this act.

(d) Recovery of reasonable expenses.--The Attorney General

may recover reasonable expenses incurred in investigating and

preparing the case, including attorney fees, in an action

initiated under this act.

(e) Construction.--Nothing in this act shall be construed as

providing the basis for, or be subject to, a private right of

action for violations of this act or under any other law.

attorney fees collected under this act shall be paid into the

State Treasury and credited to the fund. Interest earned on

money in the fund shall remain in the fund and shall be credited

to the fund. Any money remaining in the fund, including

interest, at the end of each fiscal year shall not revert to the

General Fund but shall remain in the fund.

(c) Use of fund.--The money in the fund shall be used by the

Office of the Attorney General to enforce the provisions of this

act.

CHAPTER 7