PRINTER'S NO. 1174
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL No. 1126, Session of 2021
INTRODUCED BY NEILSON, KINSEY, SCHLOSSBERG, SANCHEZ, GALLOWAY,
McNEILL, PARKER, FREEMAN, CIRESI, DELLOSO, WARREN, THOMAS,
SCHLEGEL CULVER, PISCIOTTANO, KINKEAD AND ROZZI,
APRIL 7, 2021
REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, APRIL 7, 2021
AN ACT
Providing for consumer data privacy, for rights of consumers and
duties of businesses relating to the collection of personal
information and for duties of the Attorney General.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Short title.
This act shall be known and may be cited as the Consumer Data
Privacy Act.
Section 2. Legislative findings.
The General Assembly finds and declares as follows:
(1) It is an important and substantial State interest to
protect the private, personal data in this Commonwealth.
(2) With the increasing use of technology and data in
everyday life, there is an increasing amount of private,
personal data being shared by consumers with businesses as a
part of everyday transactions and online and other
activities.
(3) The increasing collection, storage, use and sale of
personal data creates increased risks of identity theft,
financial loss and other misuse of private personal data.
(4) Many consumers do not know, understand or have
appropriate authority over the distribution, use, sale or
disclosure of their personal data.
Section 3. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Business." As follows:
(1) A sole proprietorship, partnership, limited
liability company, corporation, association or other legal
entity:
(i) That is organized or operated for the profit or
financial benefit of its shareholders or other owners.
(ii) That collects consumers' personal information,
or on behalf of which consumers' personal information is
collected and that alone, or jointly with others,
determines the purposes and means of the processing of
consumers' personal information.
(iii) That does business in this Commonwealth.
(iv) That satisfies one or more of the following
thresholds:
(A) Has annual gross revenues in excess of
$10,000,000.
(B) Alone or in combination, annually buys,
receives for the business' commercial purposes, sells
or shares for commercial purposes, alone or in
combination, the personal information of 50,000 or
20210HB1126PN1174 - 2 -
more consumers, households or devices.
(C) Derives 50% or more of annual revenues from
selling consumers' personal information.
(2) An entity that controls a business under paragraph
(1) and shares common branding with the business.
"Common branding." A shared name, servicemark or trademark.
"Control." Any of the following:
(1) Ownership of or the power to vote on more than 50%
of the outstanding shares of any class of voting security of
a business.
(2) Control in any manner over the election of a
majority of the directors or of individuals exercising
similar functions.
(3) The power to exercise a controlling influence over
the management of a company.
"Personal information." As follows:
(1) Information that identifies, relates to, describes,
is capable of being associated with or could reasonably be
linked, directly or indirectly, with a particular consumer or
household, including:
(i) Identifiers such as a real name, alias, postal
address, unique personal identifier, online identifier,
including an Internet website protocol address, e-mail
address, account name, Social Security number, driver's
license number, passport number or other similar
identifiers.
(ii) Characteristics of protected classifications
under Federal or State law.
(iii) Commercial information, including records of
personal property, products or services purchased,
obtained or considered or other purchasing or consuming
histories or tendencies.
(iv) Biometric information.
(v) Internet or other electronic network activity
information, including browser history, search history
and information regarding a consumer's interaction with
an Internet website, application or advertisement.
(vi) Geolocation data.
(vii) Audio, electronic, visual, thermal, olfactory
or similar information.
(viii) Professional or employment-related
information.
(ix) Education information, defined as information
that is not publicly available personally identifiable
information under the Family Educational Rights and
Privacy Act of 1974 (Public Law 90-247, 20 U.S.C. §
1232g).
(x) Inferences drawn from any of the information
identified under this definition to create a profile
about a consumer reflecting the consumer's preferences,
characteristics, psychological trends, predispositions,
behaviors, attitudes, intelligence, abilities and
aptitudes.
(2) The term does not include publicly available
information.
"Publicly available." As follows:
(1) Information that is lawfully made available from
Federal, State or local government records, as restricted by
any conditions associated with the information.
(2) The term does not include biometric information
collected by a business about a consumer without the
consumer's knowledge or consumer information that is
deidentified or aggregate consumer information.
(3) Information is not publicly available if the data is
used for a purpose that is not compatible with the purpose
for which the data is maintained and made available in the
government records or for which it is publicly maintained.
Section 4. Consumer data privacy.
(a) General rights.--A consumer shall have the right to:
(1) Know what personal information is being collected
about the consumer.
(2) Know whether the consumer's personal information is
sold or disclosed and to whom.
(3) Decline or opt out of the sale of the consumer's
personal information.
(4) Access the consumer's personal information that has
been collected.
(5) Equal service and price, even if a consumer
exercises rights under this subsection.
(b) Disclosure by businesses.--A consumer shall have the
right to request that a business that collects personal
information about the consumer disclose to the consumer the
following:
(1) The categories of personal information the business
has collected about the consumer.
(2) The categories of sources from which the personal
information is collected.
(3) The business or commercial purpose for collecting or
selling personal information.
(4) The categories of third parties with whom the
business shares personal information.
(5) The specific pieces of personal information the
business has collected about the consumer.
(c) Request from consumer.--A business that collects
personal information about a consumer shall disclose to the
consumer the information specified under subsection (b) upon
receipt of a verifiable request from a consumer. This subsection
does not require a business to:
(1) retain any personal information about a consumer
collected for a single one-time transaction if, in the
ordinary course of business, that information about the
consumer is not retained; or
(2) reidentify or otherwise link any data that, in the
ordinary course of business, is not maintained in a manner
that would be considered personal information.
(d) Request for information sold or used for business
purposes.--A consumer shall have the right to request that a
business that sells the consumer's personal information, or that
discloses it for a business purpose, disclose to the consumer:
(1) The categories of personal information that the
business collected about the consumer.
(2) The categories of personal information that the
business sold about the consumer and the categories of third
parties to whom the personal information was sold, by
category or categories of personal information for each third
party to whom the personal information was sold.
(3) The categories of personal information that the
business disclosed about the consumer for a business purpose.
(e) Request to delete personal information.--A consumer
shall have the right to request that a business delete any
personal information about the consumer that the business has
collected from the consumer. The following apply:
(1) A business that collects personal information about
consumers shall disclose under subsection (l) the consumer's
rights to request the deletion of the consumer's personal
information.
(2) A business that receives a verifiable request from a
consumer to delete the consumer's personal information shall
delete the consumer's personal information from its records
and direct service providers to delete the consumer's
personal information from the service provider's records.
(3) A business or a service provider shall not be
required to comply with a consumer's request to delete the
consumer's personal information if it is necessary for the
business or service provider to maintain the consumer's
personal information to:
(i) Complete the transaction for which the personal
information was collected, provide a good or service
requested by the consumer or reasonably anticipated
within the context of a business's ongoing business
relationship with the consumer or otherwise perform a
contract between the business and the consumer.
(ii) Detect security incidents, protect against
malicious, deceptive, fraudulent or illegal activity or
prosecute those responsible for that activity.
(iii) Debug to identify and repair errors that
impair existing intended functionality.
(iv) Exercise free speech, ensure the right of
another consumer to exercise the consumer's right of free
speech or exercise another right provided under Federal
or State law.
(v) Engage in public or peer-reviewed scientific,
historical or statistical research in the public interest
that adheres to all other applicable Federal and State
ethics and privacy laws, when the business's deletion of
the information is likely to render impossible or
seriously impair the achievement of the research, if the
consumer has provided informed consent.
(vi) Enable solely internal uses that are reasonably
aligned with the expectations of the consumer based on
the consumer's relationship with the business.
(vii) Comply with a legal obligation.
(f) Compliance with request.--A business that sells personal
information about a consumer, or that discloses a consumer's
personal information for a business purpose, shall disclose the
information specified under subsection (d) to the consumer upon
receipt of a verifiable request from the consumer.
(g) Third parties.--A third party may not sell personal
information about a consumer that has been sold to the third
party by a business unless the consumer has received explicit
notice and is provided an opportunity to exercise the right to
opt out.
(h) Notice.--A business that sells consumers' personal
information to third parties shall provide notice to consumers
that this information may be sold and that a consumer has the
right to opt out of the sale of their personal information at
any time.
(i) Prohibition on sale of personal information.--A business
that has received direction from a consumer not to sell the
consumer's personal information or, in the case of a minor
consumer's personal information has not received consent to sell
the minor consumer's personal information, shall be prohibited
from selling the consumer's personal information after receipt
of the consumer's direction, unless the consumer subsequently
provides express authorization for the sale of the consumer's
personal information.
(j) Consumers of young age.--Notwithstanding subsection (i),
a business may not sell the personal information of a consumer
if the business has actual knowledge that the consumer is less
than 16 years of age, unless the consumer, in the case of a
consumer who is between 13 and 16 years of age, or the
consumer's parent or guardian, in the case of a consumer who is
less than 13 years of age, has affirmatively authorized the sale
of the consumer's personal information. A business that
willfully disregards the consumer's age shall be deemed to have
had actual knowledge of the consumer's age.
(k) Discrimination prohibited.--
(1) A business may not discriminate against a consumer
because the consumer exercised any of the consumer's rights
under this section, including by:
(i) Denying goods or services to the consumer.
(ii) Charging different prices or rates for goods or
services, including through the use of discounts or other
benefits or imposing penalties.
(iii) Providing a different level or quality of
goods or services to the consumer.
(iv) Suggesting that the consumer will receive a
different price or rate for goods or services or a
different level or quality of goods or services.
(2) Nothing in this subsection shall prohibit a business
from charging a consumer a different price or rate, or from
providing a different level or quality of goods or services
to the consumer, if that difference is reasonably related to
the value provided to the consumer by the consumer's data.
(l) Compliance with notice requirements.--To comply with the
notice requirements under this section, a business shall:
(1) In a form that is reasonably accessible to
consumers, make available to consumers two or more designated
methods for submitting requests for information required to
be disclosed, including, at a minimum, a toll-free telephone
number, and if the business maintains a publicly accessible
Internet website, the website address.
(2) In a form that is reasonably accessible to
consumers, disclose and deliver the required information to a
consumer free of charge within 45 days of receiving a
verifiable request from the consumer. The time period to
provide the required information may be extended once by an
additional 45 days when reasonably necessary, if the consumer
is provided notice of the extension within the first 45-day
period.
(3) In a form that is reasonably accessible to
consumers, provide a clear and conspicuous link on the
business's publicly accessible Internet website, titled "Do
Not Sell My Personal Information," to a publicly accessible
Internet website that enables a consumer, or a person
authorized by the consumer, to opt out of the sale of the
consumer's personal information. A business may not require a
consumer to create an account to direct the business not to
sell the consumer's personal information.
(4) Include a description of a consumer's rights along
with a separate link to the "Do Not Sell My Personal
Information" publicly accessible Internet website required
under paragraph (3) in the following:
(i) The business's online privacy policy or policies
if the business has an online privacy policy or policies.
(ii) A description of consumers' privacy rights
under the laws of this Commonwealth.
(5) Ensure that all individuals responsible for handling
consumer inquiries about the business's privacy practices are
informed of the requirements of this section and how to
direct consumers to exercise their rights.
(6) For consumers who exercise their right to opt out of
the sale of their personal information, refrain from selling
personal information collected by the business about the
consumer.
(7) For a consumer who has opted out of the sale of the
consumer's personal information, respect the consumer's
decision to opt out for at least 12 months before requesting
that the consumer authorize the sale of the consumer's
personal information.
(8) Use personal information collected from the consumer
in connection with the submission of the consumer's opt-out
request solely for the purposes of complying with the opt-out
request.
(9) Nothing in this subsection shall be construed to
require a business to comply with this subsection by
including the required links and text on its publicly
accessible Internet website that the business makes available
to the public generally, if the business maintains a separate
and additional publicly accessible Internet website that is
dedicated to consumers in this Commonwealth and that includes
the required links and text, and the business takes
reasonable steps to ensure that consumers in this
Commonwealth are directed to the publicly accessible Internet
website for consumers in this Commonwealth and not the
publicly accessible Internet website made available to the
public generally.
(m) Obligations on business.--The obligations imposed on a
business under this section shall not restrict a business's
ability to:
(1) Comply with Federal, State or local laws.
(2) Comply with a civil, criminal or regulatory inquiry,
investigation, subpoena or summons by Federal, State or local
authorities.
(3) Cooperate with law enforcement agencies concerning
conduct or activity that the business, service provider or
third party reasonably and in good faith believes may violate
Federal, State or local laws.
(4) Exercise or defend legal claims.
(5) Collect, use, retain, sell or disclose consumer
information that is deidentified or in the aggregate consumer
information.
(6) Collect or sell a consumer's personal information if
every aspect of that commercial conduct takes place wholly
outside of this Commonwealth. For purposes of this section,
commercial conduct takes place wholly outside of this
Commonwealth if the business collected that information while
the consumer was outside of this Commonwealth, no part of the
sale of the consumer's personal information occurred in this
Commonwealth and no personal information collected while the
consumer was in this Commonwealth is sold. This paragraph
shall not permit a business to store, including on a
device, personal information about a consumer when the
consumer is in this Commonwealth and then collect that
personal information when the consumer and the stored personal
information are outside of this Commonwealth.
(n) Civil action by consumer.--
(1) A consumer whose nonencrypted or nonredacted
personal information is subject to an unauthorized access and
exfiltration, theft or disclosure as a result of the
business's violation of the duty to implement and maintain
reasonable security procedures and practices appropriate to
the nature of the information to protect the personal
information may institute a civil action for any of the
following:
(i) To recover damages in an amount not less than
$100 and not more than $750 per consumer per incident or
actual damages, whichever is greater.
(ii) Injunctive or declaratory relief.
(iii) Any other relief the court deems appropriate.
(2) In assessing the amount of statutory damages, a
court shall consider any one or more of the relevant
circumstances presented by any of the parties to the case,
including the nature and seriousness of the misconduct, the
number of violations, the persistence of the misconduct, the
length of time over which the misconduct occurred, the
willfulness of the defendant's misconduct and the defendant's
assets, liabilities and net worth.
(3) An action under this section may be brought by a
consumer if, prior to initiating any action against a
business for statutory damages on an individual or classwide
basis, a consumer provides a business 30 days' written notice
identifying the specific provisions of this act the consumer
alleges have been or are being violated. In the event a cure
is possible, if, within the 30 days the business actually
cures the noticed violation and provides the consumer an
express written statement that the violations have been cured
and that no further violations shall occur, no action for
individual statutory damages or classwide statutory damages
may be initiated against the business. No notice shall be
required prior to an individual consumer initiating an action
solely for actual pecuniary damages suffered as a result of
the alleged violations of this act. If a business continues
to violate this act in breach of the express written
statement provided to the consumer under this paragraph, the
consumer may initiate an action against the business to
enforce the written statement and may pursue statutory
damages for each breach of the express written statement, as
well as any other violation of this act that postdates the
written statement.
(o) Violation.--A business shall be in violation of this
section if the business fails to cure an alleged violation
within 30 days after being notified of alleged noncompliance. A
business, service provider or other person that violates this
section shall be liable for a civil penalty in a civil action
brought by the Attorney General of up to $7,500 for each
violation.
(p) Opinion of Attorney General.--A business or third party
may seek the opinion of the Attorney General for guidance on how
to comply with the provisions of this act.
(q) Rules and regulations.--The Attorney General shall
promulgate rules and regulations to implement this section.
Section 5. Effective date.
This act shall take effect immediately.