Regular Session 2021-2022 House Bill 1126 P.N. 1174

PRINTER'S NO. 1174

THE GENERAL ASSEMBLY OF PENNSYLVANIA

HOUSE BILL

No.

1126

Session of

2021

INTRODUCED BY NEILSON, KINSEY, SCHLOSSBERG, SANCHEZ, GALLOWAY,

McNEILL, PARKER, FREEMAN, CIRESI, DELLOSO, WARREN, THOMAS,

SCHLEGEL CULVER, PISCIOTTANO, KINKEAD AND ROZZI,

APRIL 7, 2021

REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, APRIL 7, 2021

AN ACT

Providing for consumer data privacy, for rights of consumers and

duties of businesses relating to the collection of personal

information and for duties of the Attorney General.

The General Assembly of the Commonwealth of Pennsylvania

hereby enacts as follows:

Section 1. Short title.

This act shall be known and may be cited as the Consumer Data

Privacy Act.

Section 2. Legislative findings.

The General Assembly finds and declares as follows:

(1) It is an important and substantial State interest to

protect the private, personal data in this Commonwealth.

(2) With the increasing use of technology and data in

everyday life, there is an increasing amount of private,

personal data being shared by consumers with businesses as a

part of everyday transactions and online and other

activities.

(3) The increasing collection, storage, use and sale of

personal data creates increased risks of identity theft,

financial loss and other misuse of private personal data.

(4) Many consumers do not know, understand or have

appropriate authority over the distribution, use, sale or

disclosure of their personal data.

Section 3. Definitions.

The following words and phrases when used in this act shall

have the meanings given to them in this section unless the

context clearly indicates otherwise:

"Business." As follows:

(1) A sole proprietorship, partnership, limited

liability company, corporation, association or other legal

entity:

(i) That is organized or operated for the profit or

financial benefit of its shareholders or other owners.

(ii) That collects consumers' personal information,

or on behalf of which consumers' personal information is

collected and that alone, or jointly with others,

determines the purposes and means of the processing of

consumers' personal information.

(iii) That does business in this Commonwealth.

(iv) That satisfies one or more of the following

thresholds:

(A) Has annual gross revenues in excess of

$10,000,000.

(B) Alone or in combination, annually buys,

receives for the business' commercial purposes, sells

or shares for commercial purposes, alone or in

combination, the personal information of 50,000 or

20210HB1126PN1174 - 2 -

more consumers, households or devices.

selling consumers' personal information.

(2) An entity that controls a business under paragraph

(1) and shares common branding with the business.

"Common branding." A shared name, servicemark or trademark.

"Control." Any of the following:

(1) Ownership of or the power to vote on more than 50%

of the outstanding shares of any class of voting security of

a business.

(2) Control in any manner over the election of a

majority of the directors or of individuals exercising

similar functions.

(3) The power to exercise a controlling influence over

the management of a company.

"Personal information." As follows:

(1) Information that identifies, relates to, describes,

is capable of being associated with or could reasonably be

linked, directly or indirectly, with a particular consumer or

household, including:

(i) Identifiers such as a real name, alias, postal

address, unique personal identifier, online identifier,

including an Internet website protocol address, e-mail

address, account name, Social Security number, driver's

license number, passport number or other similar

identifiers.

(ii) Characteristics of protected classifications

under Federal or State law.

(iii) Commercial information, including records of

personal property, products or services purchased,

20210HB1126PN1174 - 3 -

obtained or considered or other purchasing or consuming

histories or tendencies.

(iv) Biometric information.

(v) Internet or other electronic network activity

information, including browser history, search history

and information regarding a consumer's interaction with

an Internet website, application or advertisement.

(vi) Geolocation data.

(vii) Audio, electronic, visual, thermal, olfactory

or similar information.

(viii) Professional or employment-related

information.

(ix) Education information, defined as information

that is not publicly available personally identifiable

information under the Family Educational Rights and

Privacy Act of 1974 (Public Law 90-247, 20 U.S.C. §

1232g).

(x) Inferences drawn from any of the information

identified under this definition to create a profile

about a consumer reflecting the consumer's preferences,

characteristics, psychological trends, predispositions,

behaviors, attitudes, intelligence, abilities and

aptitudes.

(2) The term does not include publicly available

information.

"Publicly available." As follows:

(1) Information that is lawfully made available from

Federal, State or local government records, as restricted by

any conditions associated with the information.

(2) The term does not include biometric information

20210HB1126PN1174 - 4 -

collected by a business about a consumer without the

consumer's knowledge or consumer information that is

deidentified or aggregate consumer information.

(3) Information is not publicly available if the data is

used for a purpose that is not compatible with the purpose

for which the data is maintained and made available in the

government records or for which it is publicly maintained.

Section 4. Consumer data privacy.

(a) General rights.--A consumer shall have the right to:

(1) Know what personal information is being collected

about the consumer.

(2) Know whether the consumer's personal information is

sold or disclosed and to whom.

(3) Decline or opt out of the sale of the consumer's

personal information.

(4) Access the consumer's personal information that has

been collected.

(5) Equal service and price, even if a consumer

exercises rights under this subsection.

(b) Disclosure by businesses.--A consumer shall have the

right to request that a business that collects personal

information about the consumer disclose to the consumer the

following:

(1) The categories of personal information the business

has collected about the consumer.

(2) The categories of sources from which the personal

information is collected.

(3) The business or commercial purpose for collecting or

selling personal information.

(4) The categories of third parties with whom the

20210HB1126PN1174 - 5 -

business shares personal information.

(5) The specific pieces of personal information the

business has collected about the consumer.

personal information about a consumer shall disclose to the

consumer the information specified under subsection (b) upon

receipt of a verifiable request from a consumer. This subsection

does not require a business to:

(1) retain any personal information about a consumer

collected for a single one-time transaction if, in the

ordinary course of business, that information about the

consumer is not retained; or

(2) reidentify or otherwise link any data that, in the

ordinary course of business, is not maintained in a manner

that would be considered personal information.

(d) Request for information sold or used for business

purposes.--A consumer shall have the right to request that a

business that sells the consumer's personal information, or that

discloses it for a business purpose, disclose to the consumer:

(1) The categories of personal information that the

business collected about the consumer.

(2) The categories of personal information that the

business sold about the consumer and the categories of third

parties to whom the personal information was sold, by

category or categories of personal information for each third

party to whom the personal information was sold.

(3) The categories of personal information that the

business disclosed about the consumer for a business purpose.

(e) Request to delete personal information.--A consumer

shall have the right to request that a business delete any

20210HB1126PN1174 - 6 -

personal information about the consumer that the business has

collected from the consumer. The following apply:

(1) A business that collects personal information about

consumers shall disclose under subsection (l) the consumer's

rights to request the deletion of the consumer's personal

information.

(2) A business that receives a verifiable request from a

consumer to delete the consumer's personal information shall

delete the consumer's personal information from its records

and direct service providers to delete the consumer's

personal information from the service provider's records.

(3) A business or a service provider shall not be

required to comply with a consumer's request to delete the

consumer's personal information if it is necessary for the

business or service provider to maintain the consumer's

personal information to:

(i) Complete the transaction for which the personal

information was collected, provide a good or service

requested by the consumer or reasonably anticipated

within the context of a business's ongoing business

relationship with the consumer or otherwise perform a

contract between the business and the consumer.

(ii) Detect security incidents, protect against

malicious, deceptive, fraudulent or illegal activity or

prosecute those responsible for that activity.

(iii) Debug to identify and repair errors that

impair existing intended functionality.

(iv) Exercise free speech, ensure the right of

another consumer to exercise the consumer's right of free

speech or exercise another right provided under Federal

20210HB1126PN1174 - 7 -

or State law.

(v) Engage in public or peer-reviewed scientific,

historical or statistical research in the public interest

that adheres to all other applicable Federal and State

ethics and privacy laws, when the business's deletion of

the information is likely to render impossible or

seriously impair the achievement of the research, if the

consumer has provided informed consent.

(vi) Enable solely internal uses that are reasonably

aligned with the expectations of the consumer based on

the consumer's relationship with the business.

(vii) Comply with a legal obligation.

(f) Compliance with request.--A business that sells personal

information about a consumer, or that discloses a consumer's

personal information for a business purpose, shall disclose the

information specified under subsection (d) to the consumer upon

receipt of a verifiable request from the consumer.

(g) Third parties.--A third party may not sell personal

information about a consumer that has been sold to the third

party by a business unless the consumer has received explicit

notice and is provided an opportunity to exercise the right to

opt out.

(h) Notice.--A business that sells consumers' personal

information to third parties shall provide notice to consumers

that this information may be sold and that a consumer has the

right to opt out of the sale of their personal information at

any time.

(i) Prohibition on sale of personal information.--A business

that has received direction from a consumer not to sell the

consumer's personal information or, in the case of a minor

20210HB1126PN1174 - 8 -

consumer's personal information has not received consent to sell

the minor consumer's personal information, shall be prohibited

from selling the consumer's personal information after receipt

of the consumer's direction, unless the consumer subsequently

provides express authorization for the sale of the consumer's

personal information.

(j) Consumers of young age.--Notwithstanding subsection (i),

a business may not sell the personal information of a consumer

if the business has actual knowledge that the consumer is less

than 16 years of age, unless the consumer, in the case of a

consumer who is between 13 and 16 years of age, or the

consumer's parent or guardian, in the case of a consumer who is

less than 13 years of age, has affirmatively authorized the sale

of the consumer's personal information. A business that

willfully disregards the consumer's age shall be deemed to have

had actual knowledge of the consumer's age.

(k) Discrimination prohibited.--

(1) A business may not discriminate against a consumer

because the consumer exercised any of the consumer's rights

under this section, including by:

(i) Denying goods or services to the consumer.

(ii) Charging different prices or rates for goods or

services, including through the use of discounts or other

benefits or imposing penalties.

(iii) Providing a different level or quality of

goods or services to the consumer.

(iv) Suggesting that the consumer will receive a

different price or rate for goods or services or a

different level or quality of goods or services.

(2) Nothing in this subsection shall prohibit a business

20210HB1126PN1174 - 9 -

from charging a consumer a different price or rate, or from

providing a different level or quality of goods or services

to the consumer, if that difference is reasonably related to

the value provided to the consumer by the consumer's data.

(l) Compliance with notice requirements.--To comply with the

notice requirements under this section, a business shall:

(1) In a form that is reasonably accessible to

consumers, make available to consumers two or more designated

methods for submitting requests for information required to

be disclosed, including, at a minimum, a toll-free telephone

number, and if the business maintains a publicly accessible

Internet website, the website address.

(2) In a form that is reasonably accessible to

consumers, disclose and deliver the required information to a

consumer free of charge within 45 days of receiving a

verifiable request from the consumer. The time period to

provide the required information may be extended once by an

additional 45 days when reasonably necessary, if the consumer

is provided notice of the extension within the first 45-day

period.

(3) In a form that is reasonably accessible to

consumers, provide a clear and conspicuous link on the

business's publicly accessible Internet website, titled "Do

Not Sell My Personal Information," to a publicly accessible

Internet website that enables a consumer, or a person

authorized by the consumer, to opt out of the sale of the

consumer's personal information. A business may not require a

consumer to create an account to direct the business not to

sell the consumer's personal information.

(4) Include a description of a consumer's rights along

20210HB1126PN1174 - 10 -

with a separate link to the "Do Not Sell My Personal

Information" publicly accessible Internet website required

under paragraph (3) in the following:

(i) The business's online privacy policy or policies

if the business has an online privacy policy or policies.

(ii) A description of consumers' privacy rights

under the laws of this Commonwealth.

(5) Ensure that all individuals responsible for handling

consumer inquiries about the business's privacy practices are

informed of the requirements of this section and how to

direct consumers to exercise their rights.

(6) For consumers who exercise their right to opt out of

the sale of their personal information, refrain from selling

personal information collected by the business about the

consumer.

(7) For a consumer who has opted out of the sale of the

consumer's personal information, respect the consumer's

decision to opt out for at least 12 months before requesting

that the consumer authorize the sale of the consumer's

personal information.

(8) Use personal information collected from the consumer

in connection with the submission of the consumer's opt-out

request solely for the purposes of complying with the opt-out

request.

(9) Nothing in this subsection shall be construed to

require a business to comply with this subsection by

including the required links and text on its publicly

accessible Internet website that the business makes available

to the public generally, if the business maintains a separate

and additional publicly accessible Internet website that is

20210HB1126PN1174 - 11 -

dedicated to consumers in this Commonwealth and that includes

the required links and text, and the business takes

reasonable steps to ensure that consumers in this

Commonwealth are directed to the publicly accessible Internet

website for consumers in this Commonwealth and not the

publicly accessible Internet website made available to the

public generally.

(m) Obligations on business.--The obligations imposed on a

business under this section shall not restrict a business's

ability to:

(1) Comply with Federal, State or local laws.

(2) Comply with a civil, criminal or regulatory inquiry,

investigation, subpoena or summons by Federal, State or local

authorities.

(3) Cooperate with law enforcement agencies concerning

conduct or activity that the business, service provider or

third party reasonably and in good faith believes may violate

Federal, State or local laws.

(4) Exercise or defend legal claims.

(5) Collect, use, retain, sell or disclose consumer

information that is deidentified or in the aggregate consumer

information.

(6) Collect or sell a consumer's personal information if

every aspect of that commercial conduct takes place wholly

outside of this Commonwealth. For purposes of this section,

commercial conduct takes place wholly outside of this

Commonwealth if the business collected that information while

the consumer was outside of this Commonwealth, no part of the

sale of the consumer's personal information occurred in this

Commonwealth and no personal information collected while the

20210HB1126PN1174 - 12 -

consumer was in this Commonwealth is sold. This paragraph

shall not permit a business from storing, including on a

device, personal information about a consumer when the

consumer is in this Commonwealth and then collecting that

personal information when the consumer and stored personal

information is outside of this Commonwealth.

(n) Civil action by consumer.--

(1) A consumer whose nonencrypted or nonredacted

personal information is subject to an unauthorized access and

exfiltration, theft or disclosure as a result of the

business's violation of the duty to implement and maintain

reasonable security procedures and practices appropriate to

the nature of the information to protect the personal

information may institute a civil action for any of the

following:

(i) To recover damages in an amount not less than

$100 and not more than $750 per consumer per incident or

actual damages, whichever is greater.

(ii) Injunctive or declaratory relief.

(iii) Any other relief the court deems appropriate.

(2) In assessing the amount of statutory damages, a

court shall consider any one or more of the relevant

circumstances presented by any of the parties to the case,

including the nature and seriousness of the misconduct, the

number of violations, the persistence of the misconduct, the

length of time over which the misconduct occurred, the

willfulness of the defendant's misconduct and the defendant's

assets, liabilities and net worth.

(3) An action under this section may be brought by a

consumer if, prior to initiating any action against a

20210HB1126PN1174 - 13 -

business for statutory damages on an individual or classwide

basis, a consumer provides a business 30 days' written notice

identifying the specific provisions of this act the consumer

alleges have been or are being violated. In the event a cure

is possible, if, within the 30 days the business actually

cures the noticed violation and provides the consumer an

express written statement that the violations have been cured

and that no further violations shall occur, no action for

individual statutory damages or classwide statutory damages

may be initiated against the business. No notice shall be

required prior to an individual consumer initiating an action

solely for actual pecuniary damages suffered as a result of

the alleged violations of this act. If a business continues

to violate this act in breach of the express written

statement provided to the consumer under this paragraph, the

consumer may initiate an action against the business to

enforce the written statement and may pursue statutory

damages for each breach of the express written statement, as

well as any other violation of this act that postdates the

written statement.

(o) Violation.--A business shall be in violation of this

section if the business fails to cure an alleged violation

within 30 days after being notified of alleged noncompliance. A

business, service provider or other person that violates this

section shall be liable for a civil penalty in a civil action

brought by the Attorney General of up to $7,500 for each

violation.

(p) Opinion of Attorney General.--A business or third party

may seek the opinion of the Attorney General for guidance on how

to comply with the provisions of this act.

20210HB1126PN1174 - 14 -

(q) Rules and regulations.--The Attorney General shall

promulgate rules and regulations to implement this section.

Section 5. Effective date.

This act shall take effect immediately.

20210HB1126PN1174 - 15 -