PRINTER'S NO. 2166
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
1908
Session of
2021
INTRODUCED BY RABB, SNYDER, KINSEY, McNEILL, LEE AND CIRESI,
SEPTEMBER 27, 2021
REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, SEPTEMBER 27, 2021
AN ACT
Providing for transparency and disclosure of information
collected by smart technology devices; establishing the Smart
Technology Disclosure Fund; and providing for powers and
duties of the Office of Attorney General.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Short title.
This act shall be known and may be cited as the Smart
Technology Disclosure Act.
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Bureau." The Bureau of Consumer Protection in the Office of
Attorney General.
"Consumer." The user of a smart device or a retailer
purchasing a smart device wholesale for resale.
"Covered information."
(1) Information collected through a smart device,
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
including the following:
(i) Product registration data.
(ii) Viewing and audio data.
(iii) Internet Protocol ("IP") address.
(iv) User ID or other identifiers.
(v) Geolocation or information that can be used to
derive geolocation.
(2) The term includes any other information combined
with information under paragraph (1)(i), (ii), (iii), (iv)
and (v).
"Data collection." Information or data collected or planned
to be collected from a smart device about the content accessed
or reports or data derived from the smart device and other
information combined with that information or data.
"Fund." The Smart Technology Disclosure Fund established
under section 8.
"Internet service provider." As defined under section 2 of
the act of December 17, 1968 (P.L.1224, No.387), known as the
Unfair Trade Practices and Consumer Protection Law.
"Manufacturer." A company that produces a smart device. The
term includes a manufacturer's officers, agents, employees and
attorneys.
"Smart device." A physical object that has computer
processing capabilities that can collect, send or receive data
via the Internet, Bluetooth or similar networking protocols. The
term includes a television, telephone, monitor, doorbell,
security system, door lock, thermostat, lighting system, smart
speaker, motor vehicle or other device that has the ability to
connect to the Internet, Bluetooth or similar networking
protocols.
20210HB1908PN2166 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
"Third party." An entity that has access to covered
information obtained from a smart device through its operating
system, applications, programs or networking protocols. The term
includes a mobile network operator if it has access to covered
information on a smart device. The term does not include a
manufacturer.
Section 3. Disclosure requirements.
(a) General rule.--In addition to any other requirements
imposed by law, a manufacturer or third party, directly or
through a corporation, subsidiary, division, website or other
device or affiliate may not misrepresent in any manner,
expressly or by implication:
(1) the extent to which data is collected, used or
maintained or methods for protecting the privacy,
confidentiality or security of covered information; or
(2) the purpose of the collection, use or disclosure of
covered information.
(b) Notice and consent.--The following shall apply:
(1) A manufacturer of a smart device or third party,
directly or through a corporation, subsidiary, division,
website or other device or affiliate, in connection with data
collection for a product or service, shall:
(i) Prior to any data collection undertaken after
the effective date of this section, prominently disclose
to the consumer, separate and apart from a privacy
policy, terms of use page or other similar documents, the
following:
(A) The types of data that will be collected and
used.
(B) The types of data that will be shared with
20210HB1908PN2166 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
third parties.
(C) The identities of the third parties.
(D) All purposes for the agent's sharing of the
data collected.
(E) Any data sharing agreements between the
manufacturer or third party and Federal, State and
local law enforcement agencies or other government
agencies.
(ii) Obtain the consumer's affirmative express
consent to data collection as follows:
(A) At the time the disclosure under
subparagraph (i) is made.
(B) Upon any material changes to the terms
disclosed under subparagraph (i).
(iii) Provide instructions, at any time the
consumer's affirmative express consent is sought under
subparagraph (ii) for how the consumer may revoke consent
to data collection.
(iv) Obtain the consumer's affirmative express
consent to continued data collection under section 4(a)
(2).
(2) A manufacturer or third party, directly or through a
corporation, subsidiary, division, website or other device or
affiliate, may not collect the covered information of a
consumer who does not provide affirmative express consent
under paragraph (1)(ii).
(3) If a smart device is shared or used by multiple
members of a household, a manufacturer or third party shall
be deemed in compliance with paragraph (1)(i), (ii) and (iii)
if disclosure is made and affirmative express consent is
20210HB1908PN2166 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
obtained upon first use of the smart device by at least one
consumer in the household.
(c) Definitions.--As used in this section, the phrase
"prominently disclose to a consumer" shall mean a disclosure is
difficult to miss and easily understandable by ordinary
consumers, including in all of the following ways:
(1) A visual disclosure that, by its size, contrast,
location, the length of time it appears and other
characteristics, stands out from accompanying text or other
visual elements so that it is easily noticed, read and
understood.
(2) An audible disclosure, including by telephone or
streaming video, that is delivered in a volume, speed and
cadence sufficient for ordinary consumers to easily hear and
understand.
(3) In any communication using an interactive electronic
medium, such as in connection with an update to device
firmware, the disclosure is unavoidable.
(4) The disclosure uses diction and syntax
understandable to ordinary consumers and appears in each
language in which the triggering representation appears.
(5) The disclosure complies with the requirements in
each medium through which it is received, including all
electronic devices and face-to-face communications.
(6) The disclosure is not contradicted or mitigated by,
or inconsistent with, anything else in the communication.
(7) When the representation or sales practice targets a
specific audience, such as children, the elderly or the
terminally ill, the term "ordinary consumers" includes
reasonable members of that group.
20210HB1908PN2166 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Section 4. Data deletion requirements.
(a) General rule.--Within 120 days of the effective date of
this section, a manufacturer or third party, in connection with
data collection for a product or service, and all others in
active concert or participation with a manufacturer or third
party, directly or through a corporation, subsidiary, division,
website or other device or affiliate, shall destroy data
collected on a consumer's smart device prior to the effective
date of this section, except:
(1) if the data collected was requested by a government
agency or required by law, regulation or court order,
including without limitation as required by rules applicable
to the safeguarding of evidence in pending litigation; or
(2) if the user of the smart device associated with the
data collected has affirmatively consented to the collection,
use or disclosure thereof as provided under section 3(b).
(b) Consumer request.--Following the effective date of this
section, a manufacturer or third party, in connection with data
collection for a product or service, and all others in active
concert or participation with a manufacturer or third party,
directly or through a corporation, subsidiary, division, website
or other device or affiliate, shall destroy data within seven
days of the consumer requesting that the data be deleted.
Section 5. Mandated privacy program.
(a) General rule.--A manufacturer or third party, directly
or through a corporation, subsidiary, division, website or other
device or affiliate, shall establish and implement and maintain
a comprehensive privacy program that is reasonably designed to:
(1) Address privacy risks related to the development and
management of new and existing products and services for
20210HB1908PN2166 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
consumers.
(2) Protect the privacy and confidentiality of covered
information collected directly or indirectly by a
manufacturer or third party, directly or through a
corporation, subsidiary, division, website or other device or
affiliate.
(b) Requirements.--A privacy program, the content and
implementation of which shall be documented in writing, shall
contain controls and procedures appropriate to the size and
complexity of the manufacturer or third party, the nature and
scope of the manufacturer's or third party's activities and the
sensitivity of the covered information, including:
(1) The designation of an employee or employees to
coordinate and be responsible for the privacy program.
(2) The identification of reasonably foreseeable risks,
both internal and external, that could result in the
unauthorized collection, use or disclosure by the
manufacturer or third party or its agents of covered
information and an assessment of the sufficiency of any
safeguards in place to control these risks. At a minimum, the
risk assessment shall include consideration of risks in each
area of relevant operation, including:
(i) Employee training and management, including
training on the requirements of this act.
(ii) Product design, development and research.
(3) The design and implementation of reasonable controls
and procedures to address risks and regular testing or
monitoring of the effectiveness of those controls and
procedures.
(4) The development and use of reasonable steps to
20210HB1908PN2166 - 7 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
select and retain Internet service providers capable of
appropriately protecting the privacy of covered information
they receive from the manufacturer or third party or its
agents and requiring Internet service providers, by contract,
to implement and maintain appropriate privacy protections for
covered information.
(5) The evaluation and adjustment of the manufacturer's
or third party's or its agents' privacy program in light of
the results of the testing and monitoring required under
paragraph (3), any changes to the manufacturer's or third
party's or its agents' operations or business arrangements or
any other circumstance that the manufacturer or third party
or its agents know or have reason to know may have an impact
on the effectiveness of the privacy program.
Section 6. Violations.
A violation of this act shall be considered an unfair or
deceptive act or practice under the act of December 17, 1968
(P.L.1224, No.387), known as the Unfair Trade Practices and
Consumer Protection Law.
Section 7. Remedies available to consumers.
Nothing in this act shall be construed to limit the remedies
available to consumers, the Attorney General or a district
attorney under the act of December 17, 1968 (P.L.1224, No.387),
known as the Unfair Trade Practices and Consumer Protection Law,
or any other Federal or State law.
Section 8. Smart Technology Disclosure Fund.
(a) Establishment.--The Smart Technology Disclosure Fund is
established in the State Treasury and shall be administered by
the bureau. All money in the fund shall be appropriated on a
continuing basis to the bureau for the purposes of this act.
20210HB1908PN2166 - 8 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(b) Fund fee.--Every manufacturer that sells smart devices
in this Commonwealth shall register with the bureau and pay a
fee determined by the bureau to be deposited into the fund.
(c) Claims against fund.--A consumer who purchases a smart
device may recover statutory damages from the fund in the event
the manufacturer of the smart device violates this act, as found
by a court of competent jurisdiction, upon the final
determination of or expiration of time for appeal in connection
with any such judgment or if a consumer is prevented from
collecting the entirety of a final judgment as a result of the
manufacturer's filing for bankruptcy protection under Federal
law. In the event the bureau and the manufacturer enter into an
assurance of voluntary compliance under the act of December 17,
1968 (P.L.1224, No.387), known as the Unfair Trade Practices and
Consumer Protection Law, which requires payment of restitution
to a consumer and the manufacturer fails to pay as required by
the terms of the assurance of voluntary compliance, the bureau
shall issue an order of payment from the fund to the consumer.
The payment made pursuant to an assurance of voluntary
compliance shall be considered a claim for the purposes of
reimbursement of the fund.
(d) Limitation on recovery.--
(1) The bureau may not provide from the fund:
(i) Less than $100 and no greater than $750 per
consumer who recovers statutory damages from the fund.
(ii) An amount for attorney fees, consequential
damages, court costs, interest, personal injury damages
or punitive damages, except as may be provided in an
assurance of voluntary compliance.
(2) In assessing the amount of statutory damages, the
20210HB1908PN2166 - 9 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
court shall consider any one or more of the relevant
circumstances presented by any of the parties to the case,
including the nature and seriousness of the misconduct, the
number of violations, the persistence of the misconduct, the
length of time over which the misconduct occurred, the
willfulness of the defendant's misconduct and the defendant's
assets, liabilities and net worth.
(e) Limitation period.--A claim must be made against the
fund within two years after the consumer obtains an entry of
final judgment or decree against the manufacturer and all appeal
rights have been expired or exhausted or, in the case of an
assurance of voluntary compliance, within the later of two years
of entry into such assurance or one year after nonpayment
according to the terms of the assurance.
(f) Offer of proof.--In order to recover from the fund, a
consumer shall offer proof to the bureau that the consumer has
exhausted all reasonable actions available under law and in
equity to collect the unpaid amount of a final judgment.
(g) Partial payments for fund integrity.--In order to
preserve the integrity of the fund, the bureau may order payment
out of the fund of an amount less than the judgment amount or
the amount agreed to be paid in an assurance of voluntary
compliance. The balance remaining due to the consumer shall be
paid from the fund under subsection (h).
(h) Special order of payment.--If the money in the fund is
insufficient to satisfy a duly authorized claim or portion of
the claim, the bureau shall, when sufficient money exists in the
fund, satisfy the unpaid claims or portions of the claims, in
the order that those claims or portions of claims were
originally determined.
20210HB1908PN2166 - 10 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(i) Investigation by bureau.--If the bureau pays an amount
from the fund as a result of a claim against a manufacturer, the
bureau may conduct an investigation to determine if the
manufacturer is possessed of assets liable to be sold or applied
in satisfaction of the claim on the fund. If the bureau
discovers any such assets, the bureau may take any lawful action
necessary for the reimbursement of the fund.
Section 9. Procedure of submitted claims.
(a) Initial claim.--In order to recover from the fund, a
consumer shall submit to the bureau the documentation required
under section 8(f), together with:
(1) a copy of the judgment and evidence that the
judgment has not been appealed;
(2) a copy of the assurance of voluntary compliance and
a certification that the manufacturer has failed to pay; or
(3) evidence that the consumer has been prevented from
collecting the entirety of a final judgment as a result of
the manufacturer's filing for bankruptcy protection under
Federal law. In the event of the manufacturer's bankruptcy
filing, the consumer shall only be entitled to collect from
the fund the amount the consumer was prevented from
collecting as a result of the bankruptcy filing.
(b) Copy of claim to manufacturer.--On receipt of a claim
under this section, the bureau shall send a copy of the claim to
the manufacturer alleged to be responsible for the violation of
this act. The manufacturer shall file a response or objection to
the claim within 30 days of the receipt of the notice of the
claim. Failure to respond to the claim shall constitute a waiver
of any defense of objection to the claim. The only defense a
manufacturer may raise in response is a defense of payment in
20210HB1908PN2166 - 11 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
full of the claim.
(c) General order of payment.--Except as otherwise provided
in this act, the bureau shall pay from the fund approved claims
in the order that the claims are submitted.
Section 10. Reimbursement of fund.
(a) General rule.--After the bureau pays a claim from the
fund:
(1) The bureau shall be subrogated to all rights of the
consumer in the claim up to the amount paid.
(2) The consumer shall assign to the bureau all rights
of the consumer in the claim up to the amount paid.
(3) The bureau has a right to reimbursement of the fund
by the manufacturer for:
(i) The amount paid from the fund.
(ii) Interest on the amount at an annual rate of 5%
as adjusted by the Consumer Price Index on an annual
basis.
(4) All money that the bureau recovers on a claim shall
be deposited into the fund.
(b) Suit for nonpayment.--If, within 30 days after the
bureau gives notice, a manufacturer on whose account a claim was
paid fails to reimburse the fund in full, the bureau may
initiate an action against the manufacturer in a court of
competent jurisdiction for the unreimbursed amount.
(c) Judgment.--The bureau is entitled to a judgment for the
unreimbursed amount if the bureau proves that:
(1) A claim was paid from the fund on account of the
manufacturer.
(2) The manufacturer has not reimbursed the fund in
full.
20210HB1908PN2166 - 12 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(3) The bureau directed payment based on a final
judgment of a court of competent jurisdiction or an assurance
of voluntary compliance.
Section 11. Burden of proof.
In a civil proceeding alleging a violation of this act, the
burden of proving an exemption is on the person claiming the
exemption. In a criminal proceeding alleging a violation of this
act, the burden of producing evidence to support a defense based
upon an exemption is on the person claiming the exemption.
Section 12. Regulations.
The Office of Attorney General shall promulgate regulations
necessary to carry out the provisions of this act, which shall,
at a minimum, include:
(1) The fee paid by manufacturers to the bureau for
registering under section 8.
(2) The information required from a manufacturer when
registering with the bureau.
(3) The acceptable forms of proof required under section
8.
Section 13. Effective date.
This act shall take effect in 120 days.
20210HB1908PN2166 - 13 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21