SENATE AMENDED
PRIOR PRINTER'S NOS. 1272, 2315, 2442 PRINTER'S NO. 3394
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No. 1201
Session of
2023
INTRODUCED BY NEILSON, SCIALABBA, C. WILLIAMS, GAYDOS, CIRESI,
McNEILL, KHAN, SANCHEZ, KINSEY, CEPEDA-FREYTIZ, PARKER, HILL-
EVANS, GALLOWAY, GREEN, WAXMAN, OTTEN, N. NELSON, FRIEL,
SHUSTERMAN, FRANKEL, MERCURI, GUZMAN AND PISCIOTTANO,
MAY 19, 2023
SENATOR PENNYCUICK, COMMUNICATIONS AND TECHNOLOGY, IN SENATE, AS
AMENDED, JUNE 26, 2024
AN ACT
1 Providing for consumer data privacy, for duties of controllers
2 and for duties of processors; and imposing penalties.
3 The General Assembly of the Commonwealth of Pennsylvania
4 hereby enacts as follows:
5 Section 1. Short title.
6 This act shall be known and may be cited as the Consumer Data
7 Privacy Act.
8 Section 2. Definitions.
9 The following words and phrases when used in this act shall
10 have the meanings given to them in this section unless the
11 context clearly indicates otherwise:
12 "Affiliate." A legal entity that shares common branding with
13 another legal entity or controls, is controlled by or is under
14 common control with another legal entity.
15 "Biometric data." Data generated by automatic measurements
 1 of an individual's biological characteristics, including
2 fingerprints, voiceprints, eye retinas, irises or other unique
3 biological patterns or characteristics that are used to identify
4 a specific individual. The term does not include a digital or
5 physical photograph, an audio or video recording or any data
6 generated from a digital or physical photograph or an audio or
7 video recording. The term does not include information captured
8 and converted to a mathematical representation, including a
9 numeric string or similar method that cannot be used to recreate
10 the data captured or converted to create the mathematical
11 representation.
12 "Business associate." As defined in 45 CFR 160.103 (relating
13 to definitions)
14 "Child." As defined in 15 U.S.C. § 6501 (relating to
15 definitions).
16 "Common branding." A shared name, servicemark or trademark.
17 "Consent." A clear affirmative act signifying a consumer's
18 freely given, specific, informed and unambiguous agreement to
19 allow the processing of personal data relating to the consumer.
20 The term includes a written statement, including by electronic
21 means, or any other unambiguous affirmative action specified in
22 this definition. The term does not include acceptance of general
23 or broad terms of use or a similar document that contains
24 descriptions of personal data processing along with other
25 unrelated information, hovering over, muting, pausing or closing
26 a given piece of content or an agreement obtained through the
27 use of dark patterns.
28 "Consumer." An individual who is a resident of this
29 Commonwealth. The term does not include an individual acting in
30 a commercial or employment context or as an employee, owner,
20230HB1201PN3394 - 2 -
 1 director, officer or contractor of a company, partnership, sole
2 proprietorship, nonprofit or government agency whose
3 communications or transactions with a controller occur solely
4 within the context of that individual's role with the company,
5 partnership, sole proprietorship, nonprofit or government
6 agency.
7 "Control." Any of the following:
8 (1) Ownership of or the power to vote on more than 50%
9 of the outstanding shares of any class of voting security of
10 a controller.
11 (2) Control in any manner over the election of a
12 majority of the directors or over the individuals exercising
13 similar functions.
14 (3) The power to exercise a controlling influence over
15 the management of a company.
16 "Controller." As follows:
17 (1) A sole proprietorship, partnership, limited
18 liability company, corporation, association or other legal
19 entity that meets all of the following criteria:
20 (i) Is organized or operated for the profit or
21 financial benefit of its shareholders or other owners.
22 (ii) Alone or jointly with others, determines the
23 purposes and means of the processing of consumers'
24 personal information.
25 (iii) Does business in this Commonwealth.
26 (iv) Satisfies any of the following thresholds:
27 (A) Has annual gross revenues in excess of
28 $10,000,000.
29 (B) Alone or in combination, annually buys or
30 receives, sells or shares for commercial purposes,
20230HB1201PN3394 - 3 -
 1 alone or in combination, the personal information of
2 at least 50,000 consumers, households or devices.
3 (C) Derives at least 50% of annual revenues from
4 selling consumers' personal information.
5 (2) An entity that controls a sole proprietorship,
6 partnership, limited liability company, corporation,
7 association or other legal entity under paragraph (1) or
8 shares common branding with the sole proprietorship,
9 partnership, limited liability company, corporation,
10 association or other legal entity.
11 "Covered entity." As defined in 45 CFR 160.103.
12 "Dark pattern." A user interface designed or manipulated
13 with the substantial effect of subverting or impairing user
14 autonomy, decision making or choice, including a practice the
15 Federal Trade Commission refers to as a dark pattern.
16 "Decisions that produce legal or similarly significant
17 effects concerning the consumer." Decisions made by a
18 controller that result in the provision or denial by the
19 controller of financial or lending services, housing, insurance,
20 education enrollment or opportunity, criminal justice,
21 employment opportunities, health care services or access to
22 essential goods or services.
23 "De-identified data." Data that cannot reasonably be used to
24 infer information about, or otherwise be linked to, an
25 identified or identifiable individual or a device linked to the
26 individual, if the controller that possesses the data complies
27 with the following criteria:
28 (1) Takes reasonable measures to ensure that the data
29 cannot be associated with an individual.
30 (2) Publicly commits to process the data only in a de-
20230HB1201PN3394 - 4 -
 1 identified fashion and not attempt to re-identify the data.
2 (3) Contractually obligates a recipient of the data to
3 satisfy the criteria specified under paragraphs (1) and (2).
4 "HIPAA." The Health Insurance Portability and Accountability
5 Act of 1996 (Public Law 104-191, 110 Stat. 1936).
6 "Identified or identifiable individual." An individual who
7 can be readily identified, directly or indirectly.
8 "Institution of higher education." As defined in section
9 118(c) of the act of March 10, 1949 (P.L.30, No.14), known as
10 the Public School Code of 1949.
11 "Nonprofit organization." An organization that is exempt
12 from taxation under 26 U.S.C. § 501(c)(3), (4), (6) or (12)
13 (relating to exemption from tax on corporations, certain trusts,
14 etc.).
15 "Personal data." As follows:
16 (1) Any information that is linked or reasonably
17 linkable to an identified or identifiable individual.
18 (2) The term does not include publicly available
19 information, de-identified data or biometric data captured
20 and converted to a mathematical representation.
21 "Precise geolocation data." Information derived from
22 technology, including global positioning system level latitude
23 and longitude coordinates or other mechanisms, that directly
24 identify the specific location of an individual with precision
25 and accuracy within a radius of 1,750 feet. The term does not
26 include the content of communications, or any data generated by
27 or connected to advanced utility metering infrastructure systems
28 or equipment for use by a utility.
29 "Process" or "processing." Any operation or set of
30 operations performed, whether by manual or automated means, on
20230HB1201PN3394 - 5 -
 1 personal data or on sets of personal data, including the
2 collection, use, storage, disclosure, analysis, deletion or
3 modification of personal data.
4 "Processing activities that present a heightened risk of harm
5 to a consumer." The term includes any of the following:
6 (1) The processing of personal data for the purpose of
7 targeted advertising.
8 (2) The sale of personal data.
9 (3) The processing of personal data for the purpose of
10 profiling if the profiling presents a reasonably foreseeable
11 risk of any of the following:
12 (i) Unfair or deceptive treatment of, or an unlawful
13 disparate impact on, a consumer.
14 (ii) Financial, physical or reputational injury to a
15 consumer.
16 (iii) A physical or other intrusion upon the
17 solitude or seclusion of a consumer or the private
18 affairs or concerns of a consumer where the intrusion
19 would be offensive to a reasonable person.
20 (iv) Any other substantial injury to a consumer.
21 (4) The processing of sensitive data.
22 "Processor." An individual who, or legal entity that,
23 processes personal data on behalf of a controller.
24 "Profiling." Any form of automated processing performed on
25 personal data to evaluate, analyze or predict personal aspects
26 related to an identified or identifiable individual's economic
27 situation, health, personal preferences, interests, reliability,
28 behavior, location or movements.
29 "Protected health information." As defined in 45 CFR
30 160.103.
20230HB1201PN3394 - 6 -
 1 "Pseudonymous data." Personal data that cannot be attributed
2 to a specific individual without the use of additional
3 information if the additional information is kept separately and
4 is subject to appropriate technical and organizational measures
5 to ensure that the personal data is not attributed to an
6 identified or identifiable individual.
7 "Publicly available information."
8 Information that:
9 (1) is lawfully available through Federal, State or
10 municipal records or widely distributed media; or
11 (2) a controller has a reasonable basis to believe a
12 consumer has lawfully made available to the general public.
13 "Sale of personal data." The exchange of personal data for
14 monetary or other valuable consideration by a controller to a
15 third party. The term does not include any of the following:
16 (1) The disclosure of personal data to a processor that
17 processes the personal data on behalf of the controller.
18 (2) The disclosure of personal data to a third party for
19 the purpose of providing a product or service requested by a
20 consumer.
21 (3) The disclosure or transfer of personal data to an
22 affiliate of the controller.
23 (4) The disclosure of personal data when a consumer
24 directs the controller to disclose the personal data or
25 intentionally uses the controller to interact with a third
26 party.
27 (5) The disclosure of personal data that a consumer:
28 (i) intentionally made available to the general
29 public via a channel of mass media; and
30 (ii) did not restrict to a specific audience.
20230HB1201PN3394 - 7 -
 1 (6) The disclosure or transfer of personal data to a
2 third party as an asset that is part of a merger,
3 acquisition, bankruptcy or other transaction or a proposed
4 merger, acquisition, bankruptcy or other transaction, in
5 which the third party assumes control of all or part of the
6 controller's assets.
7 "Sensitive data." Personal data that includes data revealing
8 any of the following:
9 (1) A racial or ethnic origin.
10 (2) Religious beliefs.
11 (3) Mental or physical health condition or diagnosis.
12 (4) Sex life or sexual orientation.
13 (5) Citizenship or immigration status.
14 (6) The processing of genetic or biometric data for the
15 purpose of uniquely identifying an individual.
16 (7) Personal data collected from a known child.
17 (8) Precise geolocation data.
18 "Targeted advertising." Displaying advertisements to a
19 consumer if the advertisement is selected based on personal data
20 obtained or inferred from the consumer's activities over time
21 and across nonaffiliated Internet websites or online
22 applications to predict the consumer's preferences or interests.
23 The term does not include any of the following:
24 (1) Advertisements based on activities within a
25 controller's own Internet websites or online applications.
26 (2) Advertisements based on the context of a consumer's
27 current search query, visit to an Internet website or online
28 application.
29 (3) Advertisements directed to a consumer in response to
30 the consumer's request for information or feedback.
20230HB1201PN3394 - 8 -
 1 (4) Processing personal data solely to measure or report
2 advertising frequency, performance or reach.
3 "Third party." An individual or legal entity, including a
4 public authority, agency or body, other than a consumer,
5 controller or processor or an affiliate of the processor or the
6 controller.
7 "Trade secret." As defined in 12 Pa.C.S. § 5302 (relating to
8 definitions).
9 Section 3. Consumer data privacy.
10 (a) Rights of consumers.--A consumer shall have the right to
11 do the following:
12 (1) Confirm whether or not a controller is processing or
13 accessing the consumer's personal data, unless the
14 confirmation or access would require the controller to reveal
15 a trade secret.
16 (2) Correct inaccuracies in the consumer's personal
17 data, taking into account the nature of the personal data and
18 the purposes of the processing of the consumer's personal
19 data.
20 (3) Delete personal data provided by or obtained about
21 the consumer.
22 (4) Obtain a copy of the consumer's personal data
23 processed by a controller in a portable and, to the extent
24 technically feasible, readily usable format that allows the
25 consumer to transmit the data to another controller without
26 hindrance, where the processing is carried out by automated
27 means in a manner that would disclose the controller's trade
28 secrets.
29 (5) Opt out of the processing of the consumer's personal
30 data for the purpose of any of the following:
20230HB1201PN3394 - 9 -
 1 (i) Targeted advertising.
2 (ii) The sale of personal data, except as provided
3 under section 5(b).
4 (iii) Profiling in furtherance of solely automated
5 decisions that produce legal or similarly significant
6 effects concerning the consumer.
7 (b) Exercise of rights.--A consumer may exercise the rights
8 under subsection (a) by a secure and reliable means established
9 by a controller and described to the consumer in the
10 controller's privacy notice. A consumer may designate an
11 authorized agent in accordance with section 4 to exercise the
12 consumer's right under subsection (a)(5) to opt out of the
13 processing of the consumer's personal data on behalf of the
14 consumer. For processing personal data of a known child, the
15 parent or legal guardian may exercise the consumer's rights
16 under subsection (a) on the child's behalf. For processing
17 personal data concerning a consumer subject to a guardianship,
18 conservatorship or other protective arrangement, the guardian or
19 the conservator of the consumer may exercise the consumer's
20 rights under subsection (a) on the consumer's behalf.
21 (c) Compliance.--Except as otherwise provided in this act, a
22 controller shall comply with a request by a consumer to exercise
23 the consumer's rights under subsection (a) as follows:
24 (1) The controller shall respond to the consumer without
25 undue delay, but no later than 45 days after receipt of the
26 request. The controller may extend the response period under
27 this paragraph by an additional 45 days when reasonably
28 necessary, considering the complexity and number of the
29 consumer's requests, if the controller informs the consumer
30 of the extension within the initial 45-day response period
20230HB1201PN3394