PRINTER'S NO. 1820
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No. 1279
Session of
2024
INTRODUCED BY COLLETT, BOSCOLA, FONTANA, DILLON, BREWSTER, KANE,
SANTARSIERO, TARTAGLIONE, MILLER, COMITTA, COSTA AND
CAPPELLETTI, JULY 12, 2024
REFERRED TO COMMUNICATIONS AND TECHNOLOGY, JULY 12, 2024
AN ACT
1 Providing for consumer data privacy, for duties of controllers
2 and for duties of processors; and imposing penalties.
3 The General Assembly of the Commonwealth of Pennsylvania
4 hereby enacts as follows:
5 Section 1. Short title.
6 This act shall be known and may be cited as the Consumer Data
7 Privacy Act.
8 Section 2. Definitions.
9 The following words and phrases when used in this act shall
10 have the meanings given to them in this section unless the
11 context clearly indicates otherwise:
12 "Affiliate." A legal entity that shares common branding with
13 another legal entity or controls, is controlled by or is under
14 common control with another legal entity.
15 "Biometric data." Data generated by automatic measurements
16 of an individual's biological characteristics, including
17 fingerprints, voiceprints, eye retinas, irises or other unique
 1 biological patterns or characteristics that are used to identify
2 a specific individual. The term does not include a digital or
3 physical photograph, an audio or video recording or any data
4 generated from a digital or physical photograph or an audio or
5 video recording. The term does not include information captured
6 and converted to a mathematical representation, including a
7 numeric string or similar method that cannot be used to recreate
8 the data captured or converted to create the mathematical
9 representation.
10 "Business associate." As defined in 45 CFR 160.103 (relating
11 to definitions).
12 "Child." As defined in 15 U.S.C. § 6501 (relating to
13 definitions).
14 "Common branding." A shared name, servicemark or trademark.
15 "Consent." A clear affirmative act signifying a consumer's
16 freely given, specific, informed and unambiguous agreement to
17 allow the processing of personal data relating to the consumer.
18 The term includes a written statement, including by electronic
19 means, or any other unambiguous affirmative action specified in
20 this definition. The term does not include acceptance of general
21 or broad terms of use or a similar document that contains
22 descriptions of personal data processing along with other
23 unrelated information, hovering over, muting, pausing or closing
24 a given piece of content or an agreement obtained through the
25 use of dark patterns.
26 "Consumer." An individual who is a resident of this
27 Commonwealth. The term does not include an individual acting in
28 a commercial or employment context or as an employee, owner,
29 director, officer or contractor of a company, partnership, sole
30 proprietorship, nonprofit or government agency whose
20240SB1279PN1820 - 2 -
 1 communications or transactions with a controller occur solely
2 within the context of that individual's role with the company,
3 partnership, sole proprietorship, nonprofit or government
4 agency.
5 "Control." Any of the following:
6 (1) Ownership of or the power to vote on more than 50%
7 of the outstanding shares of any class of voting security of
8 a controller.
9 (2) Control in any manner over the election of a
10 majority of the directors or over the individuals exercising
11 similar functions.
12 (3) The power to exercise a controlling influence over
13 the management of a company.
14 "Controller." As follows:
15 (1) A sole proprietorship, partnership, limited
16 liability company, corporation, association or other legal
17 entity that meets all of the following criteria:
18 (i) Is organized or operated for the profit or
19 financial benefit of its shareholders or other owners.
20 (ii) Alone or jointly with others, determines the
21 purposes and means of the processing of consumers'
22 personal information.
23 (iii) Does business in this Commonwealth.
24 (iv) Satisfies any of the following thresholds:
25 (A) Has annual gross revenues in excess of
26 $10,000,000.
27 (B) Alone or in combination, annually buys or
28 receives, sells or shares for commercial purposes,
29 alone or in combination, the personal information of
30 at least 50,000 consumers, households or devices.
20240SB1279PN1820 - 3 -
 1 (C) Derives at least 50% of annual revenues from
2 selling consumers' personal information.
3 (2) An entity that controls a sole proprietorship,
4 partnership, limited liability company, corporation,
5 association or other legal entity under paragraph (1) or
6 shares common branding with the sole proprietorship,
7 partnership, limited liability company, corporation,
8 association or other legal entity.
9 "Covered entity." As defined in 45 CFR 160.103.
10 "Dark pattern." A user interface designed or manipulated
11 with the substantial effect of subverting or impairing user
12 autonomy, decision making or choice, including a practice the
13 Federal Trade Commission refers to as a dark pattern.
14 "Decisions that produce legal or similarly significant
15 effects concerning the consumer." Decisions made by a
16 controller that result in the provision or denial by the
17 controller of financial or lending services, housing, insurance,
18 education enrollment or opportunity, criminal justice,
19 employment opportunities, health care services or access to
20 essential goods or services.
21 "De-identified data." Data that cannot reasonably be used to
22 infer information about, or otherwise be linked to, an
23 identified or identifiable individual or a device linked to the
24 individual, if the controller that possesses the data complies
25 with the following criteria:
26 (1) Takes reasonable measures to ensure that the data
27 cannot be associated with an individual.
28 (2) Publicly commits to process the data only in a de-
29 identified fashion and not attempt to re-identify the data.
30 (3) Contractually obligates a recipient of the data to
20240SB1279PN1820 - 4 -
 1 satisfy the criteria specified under paragraphs (1) and (2).
2 "HIPAA." The Health Insurance Portability and Accountability
3 Act of 1996 (Public Law 104-191, 110 Stat. 1936).
4 "Identified or identifiable individual." An individual who
5 can be readily identified, directly or indirectly.
6 "Institution of higher education." As defined in section
7 118(c) of the act of March 10, 1949 (P.L.30, No.14), known as
8 the Public School Code of 1949.
9 "Nonprofit organization." An organization that is exempt
10 from taxation under 26 U.S.C. § 501(c)(3), (4), (6) or (12)
11 (relating to exemption from tax on corporations, certain trusts,
12 etc.).
13 "Personal data." As follows:
14 (1) Any information that is linked or reasonably
15 linkable to an identified or identifiable individual.
16 (2) The term does not include publicly available
17 information, de-identified data or biometric data captured
18 and converted to a mathematical representation.
19 "Precise geolocation data." Information derived from
20 technology, including global positioning system level latitude
21 and longitude coordinates or other mechanisms, that directly
22 identify the specific location of an individual with precision
23 and accuracy within a radius of 1,750 feet. The term does not
24 include the content of communications or any data generated by
25 or connected to advanced utility metering infrastructure systems
26 or equipment for use by a utility.
27 "Process" or "processing." Any operation or set of
28 operations performed, whether by manual or automated means, on
29 personal data or on sets of personal data, including the
30 collection, use, storage, disclosure, analysis, deletion or
20240SB1279PN1820 - 5 -
 1 modification of personal data.
2 "Processing activities that present a heightened risk of harm
3 to a consumer." The term includes any of the following:
4 (1) The processing of personal data for the purpose of
5 targeted advertising.
6 (2) The sale of personal data.
7 (3) The processing of personal data for the purpose of
8 profiling if the profiling presents a reasonably foreseeable
9 risk of any of the following:
10 (i) Unfair or deceptive treatment of, or an unlawful
11 disparate impact on, a consumer.
12 (ii) Financial, physical or reputational injury to a
13 consumer.
14 (iii) A physical or other intrusion upon the
15 solitude or seclusion of a consumer or the private
16 affairs or concerns of a consumer where the intrusion
17 would be offensive to a reasonable person.
18 (iv) Any other substantial injury to a consumer.
19 (4) The processing of sensitive data.
20 "Processor." An individual who, or legal entity that,
21 processes personal data on behalf of a controller.
22 "Profiling." Any form of automated processing performed on
23 personal data to evaluate, analyze or predict personal aspects
24 related to an identified or identifiable individual's economic
25 situation, health, personal preferences, interests, reliability,
26 behavior, location or movements.
27 "Protected health information." As defined in 45 CFR
28 160.103.
29 "Pseudonymous data." Personal data that cannot be attributed
30 to a specific individual without the use of additional
20240SB1279PN1820 - 6 -
 1 information if the additional information is kept separately and
2 is subject to appropriate technical and organizational measures
3 to ensure that the personal data is not attributed to an
4 identified or identifiable individual.
5 "Publicly available information." Information that:
6 (1) is lawfully available through Federal, State or
7 municipal records or widely distributed media; or
8 (2) a controller has a reasonable basis to believe a
9 consumer has lawfully made available to the general public.
10 "Sale of personal data." The exchange of personal data for
11 monetary or other valuable consideration by a controller to a
12 third party. The term does not include any of the following:
13 (1) The disclosure of personal data to a processor that
14 processes the personal data on behalf of the controller.
15 (2) The disclosure of personal data to a third party for
16 the purpose of providing a product or service requested by a
17 consumer.
18 (3) The disclosure or transfer of personal data to an
19 affiliate of the controller.
20 (4) The disclosure of personal data when a consumer
21 directs the controller to disclose the personal data or
22 intentionally uses the controller to interact with a third
23 party.
24 (5) The disclosure of personal data that a consumer:
25 (i) intentionally made available to the general
26 public via a channel of mass media; and
27 (ii) did not restrict to a specific audience.
28 (6) The disclosure or transfer of personal data to a
29 third party as an asset that is part of a merger,
30 acquisition, bankruptcy or other transaction or a proposed
20240SB1279PN1820 - 7 -
 1 merger, acquisition, bankruptcy or other transaction, in
2 which the third party assumes control of all or part of the
3 controller's assets.
4 "Sensitive data." Personal data that includes data revealing
5 any of the following:
6 (1) A racial or ethnic origin.
7 (2) Religious beliefs.
8 (3) Mental or physical health condition or diagnosis.
9 (4) Sex life or sexual orientation.
10 (5) Citizenship or immigration status.
11 (6) The processing of genetic or biometric data for the
12 purpose of uniquely identifying an individual.
13 (7) Personal data collected from a known child.
14 (8) Precise geolocation data.
15 "Targeted advertising." Displaying advertisements to a
16 consumer if the advertisement is selected based on personal data
17 obtained or inferred from the consumer's activities over time
18 and across nonaffiliated Internet websites or online
19 applications to predict the consumer's preferences or interests.
20 The term does not include any of the following:
21 (1) Advertisements based on activities within a
22 controller's own Internet websites or online applications.
23 (2) Advertisements based on the context of a consumer's
24 current search query, visit to an Internet website or online
25 application.
26 (3) Advertisements directed to a consumer in response to
27 the consumer's request for information or feedback.
28 (4) Processing personal data solely to measure or report
29 advertising frequency, performance or reach.
30 "Third party." An individual or legal entity, including a
20240SB1279PN1820 - 8 -
 1 public authority, agency or body, other than a consumer,
2 controller or processor or an affiliate of the processor or the
3 controller.
4 "Trade secret." As defined in 12 Pa.C.S. § 5302 (relating to
5 definitions).
6 Section 3. Consumer data privacy.
7 (a) Rights of consumers.--A consumer shall have the right to
8 do the following:
9 (1) Confirm whether or not a controller is processing or
10 accessing the consumer's personal data, unless the
11 confirmation or access would require the controller to reveal
12 a trade secret.
13 (2) Correct inaccuracies in the consumer's personal
14 data, taking into account the nature of the personal data and
15 the purposes of the processing of the consumer's personal
16 data.
17 (3) Delete personal data provided by or obtained about
18 the consumer.
19 (4) Obtain a copy of the consumer's personal data
20 processed by a controller in a portable and, to the extent
21 technically feasible, readily usable format that allows the
22 consumer to transmit the data to another controller without
23 hindrance, where the processing is carried out by automated
24 means in a manner that would disclose the controller's trade
25 secrets.
26 (5) Opt out of the processing of the consumer's personal
27 data for the purpose of any of the following:
28 (i) Targeted advertising.
29 (ii) The sale of personal data, except as provided
30 under section 5(b).
20240SB1279PN1820 - 9 -
 1 (iii) Profiling in furtherance of solely automated
2 decisions that produce legal or similarly significant
3 effects concerning the consumer.
4 (b) Exercise of rights.--A consumer may exercise the rights
5 under subsection (a) by a secure and reliable means established
6 by a controller and described to the consumer in the
7 controller's privacy notice. A consumer may designate an
8 authorized agent in accordance with section 4 to exercise the
9 consumer's right under subsection (a)(5) to opt out of the
10 processing of the consumer's personal data on behalf of the
11 consumer. For processing personal data of a known child, the
12 parent or legal guardian may exercise the consumer's rights
13 under subsection (a) on the child's behalf. For processing
14 personal data concerning a consumer subject to a guardianship,
15 conservatorship or other protective arrangement, the guardian or
16 the conservator of the consumer may exercise the consumer's
17 rights under subsection (a) on the consumer's behalf.
18 (c) Compliance.--Except as otherwise provided in this act, a
19 controller shall comply with a request by a consumer to exercise
20 the consumer's rights under subsection (a) as follows:
21 (1) The controller shall respond to the consumer without
22 undue delay, but no later than 45 days after receipt of the
23 request. The controller may extend the response period under
24 this paragraph by an additional 45 days when reasonably
25 necessary, considering the complexity and number of the
26 consumer's requests, if the controller informs the consumer
27 of the extension within the initial 45-day response period
28 and the reason for the extension.
29 (2) If the controller declines to take action regarding
30 the consumer's request, the controller shall inform the
20240SB1279PN1820 - 10 -
 1 consumer without undue de