PRINTER'S NO. 654
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No. 708
Session of
2023
INTRODUCED BY KENYATTA, SHUSTERMAN, KINSEY, MADDEN, GALLOWAY,
SANCHEZ, RABB, SAMUELSON, HILL-EVANS, PARKER, FLEMING AND
NEILSON, MARCH 27, 2023
REFERRED TO COMMITTEE ON COMMERCE, MARCH 27, 2023
AN ACT
1 Providing for protection of certain personal data of consumers;
2 imposing duties on controllers and processors of personal
3 data of consumers; providing for enforcement; prescribing
4 penalties; and establishing the Consumer Privacy Fund.
5 TABLE OF CONTENTS
6 Chapter 1. Preliminary Provisions
7 Section 101. Short title.
8 Section 102. Definitions.
9 Section 103. Applicability.
10 Chapter 3. Enumeration of Rights and Responsibilities
11 Section 301. Rights of consumers and controllers.
12 Section 302. Controller responsibilities.
13 Section 303. Responsibility of processors.
14 Section 304. Data protection assessments.
15 Section 305. Processing de-identified data and exemptions.
16 Section 306. Limitations.
17 Chapter 5. Administration and Enforcement
18 Section 501. Powers and duties of Attorney General.
1 Section 502. Enforcement procedure.
2 Section 503. Consumer Privacy Fund.
3 Chapter 7. Miscellaneous Provisions
4 Section 701. (Reserved).
5 Section 702. Effective date.
6 The General Assembly of the Commonwealth of Pennsylvania
7 hereby enacts as follows:
8 CHAPTER 1
9 PRELIMINARY PROVISIONS
10 Section 101. Short title.
11 This act shall be known and may be cited as the Consumer Data
12 Protection Act.
13 Section 102. Definitions.
14 The following words and phrases when used in this act shall
15 have the meanings given to them in this section unless the
16 context clearly indicates otherwise:
17 "Affiliate," "affiliate of" or "person affiliated with." A
18 person that directly or indirectly, through one or more
19 intermediaries, controls, is controlled by or is under common
20 control with a specified person. For the purposes of this
21 definition, "control" or "controlled" means:
22 (1) ownership of, or the power to vote, more than 50% of
23 the outstanding shares of any class of voting security of a
24 company;
25 (2) control in any manner over the election of a
26 majority of the directors or of individuals exercising
27 similar functions; or
28 (3) the power to exercise controlling influence over the
29 management of a company.
30 "Authenticate." Verifying through reasonable means that a
20230HB0708PN0654 - 2 -
1 consumer, entitled to exercise the consumer rights under this
2 act, is the same consumer exercising the consumer rights with
3 respect to the personal data at issue.
4 "Automated means." A computer program or an electronic or
5 other automated means used independently to initiate an action
6 or respond to electronic records or performances, in whole or in
7 part, without review or action by an individual.
8 "Biometric data." Data generated by automatic measurements
9 of an individual's biological characteristics, such as a
10 fingerprint, voiceprint, eye retinas, irises or other unique
11 biological patterns or characteristics that are used to identify
12 a specific individual. The term does not include a physical or
13 digital photograph, a video or audio recording or data generated
14 therefrom or information collected, used or stored for health
15 care treatment, payment or operations under HIPAA.
16 "Breach of the security of the system" or "breach." The
17 unauthorized access and acquisition of unencrypted data, or
18 encrypted data with the confidential process or key required to
19 decrypt the data, that is likely to compromise the security or
20 confidentiality of personal information maintained by the entity
21 as part of a database of personal information regarding multiple
22 individuals that causes or the entity reasonably believes has
23 caused or will cause loss or injury to any resident of this
24 Commonwealth. Good faith acquisition of personal information by
25 an employee or agent of the entity for the purposes of the
26 entity is not a breach of the security of the system if the
27 personal information is not used for a purpose other than the
28 lawful purpose of the entity and is not subject to further
29 authorized disclosure.
30 "Business associate."
1 (1) Except as provided in paragraph (4), business
2 associate means, with respect to a covered entity, a person
3 who:
4 (i) on behalf of such covered entity or of an
5 organized health care arrangement in which the covered
6 entity participates, but other than in the capacity of a
7 member of the workforce of the covered entity or
8 arrangement, creates, receives, maintains or transmits
9 protected health information for a function or activity
10 regulated by this chapter, including claims processing or
11 administration, data analysis, processing or
12 administration, utilization review, quality assurance,
13 patient safety activities as defined in 42 CFR 3.20
14 (relating to definitions), billing, benefit management,
15 practice management and repricing; or
16 (ii) provides, other than in the capacity of a
17 member of the workforce of the covered entity, legal,
18 actuarial, accounting, consulting, data aggregation,
19 management, administrative, accreditation, or financial
20 services to or for such covered entity, or to or for an
21 organized health care arrangement in which the covered
22 entity participates, where the provision of the service
23 involves the disclosure of protected health information
24 from such covered entity or arrangement, or from another
25 business associate of such covered entity or arrangement,
26 to the person.
27 (2) A covered entity may be a business associate of
28 another covered entity.
29 (3) A person who is or does any of the following:
30 (i) A Health Information Organization, E-prescribing
1 Gateway or other person that provides data transmission
2 services with respect to protected health information to
3 a covered entity and that requires access on a routine
4 basis to such protected health information.
5 (ii) Offers a personal health record to one or more
6 individuals on behalf of a covered entity.
7 (iii) A subcontractor that creates, receives,
8 maintains or transmits protected health information on
9 behalf of the business associate.
10 (4) The term does not include:
11 (i) A health care provider, with respect to
12 disclosures by a covered entity to the health care
13 provider concerning the treatment of the individual.
14 (ii) A plan sponsor, with respect to disclosures by
15 a group health plan (or by a health insurance issuer or
16 HMO with respect to a group health plan) to the plan
17 sponsor.
18 (iii) A government agency, with respect to
19 determining eligibility for, or enrollment in, a
20 government health plan that provides public benefits and
21 is administered by another government agency, or
22 collecting protected health information for such
23 purposes, to the extent the activities are authorized by
24 law.
25 (iv) A covered entity participating in an organized
26 health care arrangement that performs a function or
27 activity as described by paragraph (1)(i) for or on
28 behalf of such organized health care arrangement, or that
29 provides a service as described in paragraph (1)(ii) to
30 or for the organized health care arrangement by virtue of
1 the activities or services.
2 "Child." An individual who is younger than 13 years of age.
3 "Consent." A clear affirmative act signifying a consumer's
4 freely given, specific, informed and unambiguous agreement to
5 process personal data relating to the consumer. The act may
6 include a written statement, including a statement written by
7 electronic means, or any other unambiguous affirmative action.
8 "Consumer." A natural person who is a resident of this
9 Commonwealth acting only in a personal or household context. The
10 term does not include a natural person who acts in a commercial
11 or employment context.
12 "Controller." An entity that, alone or jointly with others,
13 collects, uses, processes or stores personal information or
14 directs others to collect, use, process or store personal
15 information on its behalf.
16 "Covered entity." A covered entity means:
17 (1) A health plan.
18 (2) A health care clearinghouse.
19 (3) A health care provider that transmits health
20 information in electronic form in connection with a
21 transaction covered by this chapter.
22 "Data protection assessment." A process to identify and
23 minimize the data protection risks of a project by:
24 (1) Describing the nature, scope, context and purpose of
25 processing.
26 (2) Assessing necessity, proportionality and compliance
27 measures.
28 (3) Identifying and assessing risk to individuals.
29 (4) Identifying additional measures to mitigate those
30 risks.
1 "Decision of the controller." A decision made by a
2 controller to provide or deny a consumer's request for
3 financial or lending services, housing, insurance, education
4 enrollment, criminal justice, an employment opportunity, health
5 care services or access to a basic necessity, such as food and
6 water.
7 "De-identified data." Data that cannot reasonably be linked
8 to an identified or identifiable individual or data on a device
9 linked to the individual.
10 "Entity." An individual or business conducting business or
11 other activities involving residents of this Commonwealth
12 whether or not physically located in this Commonwealth or a
13 Commonwealth agency or political subdivision of the
14 Commonwealth.
15 "Financial institution." Any regulated financial institution
16 insured by the Federal Deposit Insurance Corporation or its
17 successor or an affiliate of the financial institution.
18 "Fund." The Consumer Privacy Fund established under section
19 503.
20 "Health care practitioner." An individual who is authorized
21 to practice some component of the healing arts by a license,
22 permit, certificate or registration issued by a Commonwealth
23 licensing agency or board.
24 "Health care provider" or "provider." An individual, trust
25 or estate, partnership, corporation (including associations,
26 joint stock companies and insurance companies) or the
27 Commonwealth or a political subdivision or instrumentality,
28 including a municipal corporation or authority, thereof that
29 operates a health care facility.
30 "Health record." A written, printed or electronically
1 recorded material maintained by a health care entity in the
2 course of providing health services to an individual concerning
3 the individual and the services provided. The term includes the
4 substance of a communication made by an individual to a health
5 care entity in confidence during or in connection with the
6 provision of health services or information otherwise acquired
7 by the health care entity about an individual in confidence and
8 in connection with the provision of health services to the
9 individual.
10 "HIPAA." The Health Insurance Portability and Accountability
11 Act of 1996 (Public Law 104-191, 110 Stat. 1936).
12 "Identifiable private information." Any of the following:
13 (1) An individual's first name or first initial and last
14 name in combination with and linked to one or more of the
15 following data elements when the elements are not encrypted
16 or redacted:
17 (i) Social Security number;
18 (ii) driver's license number;
19 (iii) State identification card number issued in
20 lieu of a driver's license;
21 (iv) passport number;
22 (v) taxpayer identification number;
23 (vi) medical information;
24 (vii) health insurance information;
25 (viii) biometric data; or
26 (ix) a financial account number or a credit or debit
27 card number in combination with other information that
28 allows a financial, credit or debit account to be used or
29 accessed.
30 (2) A data element enumerated in paragraph (1) if the
1 information would reasonably permit the fraudulent assumption
2 of the identity of an individual.
3 (3) An individual's username or email address in
4 combination with a password or security question and answer,
5 biometric information or other information that would permit
6 access to an online account.
7 (4) The term does not include information that an
8 individual has made public himself or herself, information
9 that the individual has consented in writing to be made
10 public or information that was lawfully made public under
11 Federal or State law or court order.
12 "Identified or identifiable natural person." An individual
13 who can be readily identified, directly or indirectly.
14 "Institution of higher education." The term includes the
15 following:
16 (1) A community college operating under Article XIX-A of
17 the act of March 10, 1949 (P.L.30, No.14), known as the
18 Public School Code of 1949.
19 (2) A university within the State System of Higher
20 Education.
21 (3) The Pennsylvania State University.
22 (4) The University of Pittsburgh.
23 (5) Temple University.
24 (6) Lincoln University.
25 (7) Another institution that is designated as "State-
26 related" by the Commonwealth.
27 (8) An accredited private or independent college or
28 university.
29 (9) A private licensed school as defined in the act of
30 December 15, 1986 (P.L.1585, No.174), known as the Private
1 Licensed Schools Act.
2 "International Council for Harmonisation of Technical
3 Requirements for Pharmaceuticals for Human Use" or "(ICH)." An
4 initiative that brings together regulatory authorities and the
5 pharmaceutical industry to discuss scientific and technical
6 aspects of pharmaceutical product development and registration.
7 "Minor." An individual who is under 18 years of age.
8 "Nonprofit organization." An organization exempt from
9 taxation under 26 U.S.C. § 501(c)(3), (6) or (12) (relating to
10 exemption from tax on corporations, certain trusts, etc.).
11 "Person." An individual.
12 "Personal data" or "consumer personal data." Information
13 that is linked or reasonably linkable to an identified or
14 identifiable natural person. The term does not include de-
15 identified data or publicly available information.
16 "Precise geolocation data." Information derived from
17 technology, including global positioning system level latitude
18 and longitude coordinates or other mechanisms, that directly
19 identifies the specific location of an individual with precision
20 and accuracy within a radius of 1,750 feet. The term does not
21 include the content of communications or data generated by or
22 connected to advanced utility metering infrastructure systems or
23 equipment for use by a public utility.
24 "Process" or "processing." An operation or set of operations
25 performed, whether by manual or automated means, on personal
26 data or on sets of personal data, such as the collection, use,
27 storage, disclosure, analysis, deletion or modification of
28 personal data.
29 "Processor." A person that processes personal data on behalf
30 of a controller.
1 "Profiling." A form of automated processing performed on
2 personal data to evaluate, analyze or predict personal aspects
3 related to an identified or identifiable natural person's
4 economic situation, health, personal preferences, interests,
5 reliability, behavior, location or movements.
6 "Protected health information." As defined in 45 CFR 160.103
7 (relating to definitions).
8 "Pseudonymous data." Personal data that cannot