In the wake of several massive data breaches, consumer privacy (or lack thereof) has become a growing concern. For some, more surprising than the breaches was learning how much personal information companies collect from consumers—everything from Social Security numbers and email addresses to location data and demographics—and how much personal information is being sold or otherwise disseminated. As a result, legislation is being enacted around the world requiring companies to inform consumers about the collection and use of their personal information. Most notably in 2018, the European Union's General Data Protection Regulation, commonly referred to as the GDPR, established groundbreaking consumer rights over the collection, retention and dissemination of personal information. In the United States, in the absence of federal consumer privacy law, states are enacting privacy legislation focusing upon: requiring transparency around the consumer personal information that companies are collecting and using; and providing consumers with control over the personal information. For example, California enacted the California Consumer Privacy Act (CCPA), which takes effect on Jan. 1, 2020.

Now, Pennsylvania is following suit. On April 5, Pennsylvania introduced House Bill 1049, which is currently pending before the Committee on Consumer Affairs. House Bill 1049, modeled after the CCPA, addresses consumer data privacy by setting forth the rights of consumers as well as the duties of companies relating to the collection of consumer personal information. Therefore, companies doing business in Pennsylvania should familiarize themselves with its key provisions and prepare for its enactment.

Important Provisions

Even though House Bill 1049 is in committee and will likely be amended prior to its enactment, the are several provisions of the current bill that are the cornerstones of recent consumer privacy legislation and are likely to remain in the final bill. These are:

• Narrow definition of "businesses" subject to compliance—House Bill 1049 applies to companies doing business in Pennsylvania satisfying one or more of the following requirements: companies with an annual gross revenue exceeding $10 million; companies that annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers; or companies that derive 50% or more of their annual revenue from selling consumers' personal information.

• Comprehensive definition of "personal information"—Most of the information that consumers regularly give to companies in the regular course of business is deemed "personal information," such as:

• Identifiers like names, aliases, postal addresses, email addresses, account names, Social Security numbers, etc.;
• Protected characteristics under federal or state law;
• Commercial information like records of personal property or products or services purchased, obtained or considered;
• Biometric information;
• Internet or other electronics network activity like browser and search history;
• Geolocation data;
• Audio, electronic, visual, thermal, olfactory or similar information;
• Professional or employment-related information;
• Education information; and
• Inferences drawn from any of the information above to create a consumer profile reflecting a consumer's preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, and abilities and aptitudes.

House Bill 1049 explicitly excludes information that is publicly available, even if it fits into any of the above categories of protected personal information.

• Empowering consumer rights—Consistent with other consumer privacy legislation, House Bill 1049 provides consumer control over personal data. Such provisions will require companies to review policies and internal controls to determine whether current data collection and retention practices comply. These include:

• Notice and access—Consumers will have the right to know and access what personal information a company collects and whether that company sells or discloses personal information to another party. Companies must give consumers at least two methods of submitting requests for information, and the requested information must be provided to consumers within 45 days of receiving a request.

• Deletion—Consumers will have the right to request that a company delete personal information from their system entirely. A deletion request does not apply solely to the company that initially collected the information—if a consumer's personal information was sold or disseminated to another party, companies must direct that party to delete the information as well. Thus, companies must keep track of how it sells and disseminates personal information. Companies that receive deletion requests may retain the data under prescribed circumstances, such as to complete a transaction, detect security incidents, debug to repair errors, exercise free speech, engage in public of peer-reviewed research, comply with legal obligations, and enable solely internal uses that are reasonably aligned with the expectations of the consumer.

• Opt-out—Consumers will have the right to decline or opt-out of the sale of their personal information. Companies must provide notice of the possibility of sale before collecting consumer personal information. Additionally, companies must publicly offer a "Do Not Sell My Personal Information" form, which, if submitted, prohibits a company from selling the consumer's personal information. Once a consumer opts-out, a company must give the consumer at least 12 months before requesting that the consumer agree to a sale of his or her personal data.

• Private right of action—Consumers have the right to individually sue a company in the event their nonencrypted or nonredacted personal information is subject to a breach. Damages are capped at $100-$750 per consumer per incident or actual damages, whichever is greater. Additionally, injunctive or declaratory relief, and any other relief a court deems appropriate, is available. Companies must be given an opportunity to cure the violation within 30 days of receiving written notice before a consumer can sue.

• Protection for minors—Under House Bill 1049, companies cannot sell personal information of consumers under age 16 without affirmative authorization by a minor aged 13 to 16 or a parent for children under 13.

• Anti-discrimination provision—Companies cannot discriminate against consumers for exercising rights enumerated under House Bill 1049. Yet companies can offer a different price for goods or services based upon the value derived from a consumer's data.

• Civil penalties—If a company violates any provision under House Bill 1049, the attorney general can bring a civil action against the company, with potential liability capped at $7,500 per violation. Prior to initiating an action, however, companies must be given an opportunity to cure the violation within 30 days of notification.

The Takeaway

Data privacy legislation is coming to Pennsylvania. Companies doing business in Pennsylvania must begin to examine critically their data collection, retention and dissemination practices to ensure compliance. Companies should analyze: what personal information they collect; how the personal information is being collected; why the personal information is being collected; how are they using the personal information; how the personal information is protected; and who has access to the personal information. Companies should also examine what personal information is being sold or disseminated to third parties and whether the third parties have systems in place for privacy compliance. Additionally, companies should develop policies and procedures that comply with the law, and should ensure that all employees are trained properly regarding the privacy obligations.

Christopher A. Iacono is a partner in the government enforcement, compliance and white-collar litigation; health care; and litigation practice groups of Pietragallo Gordon Alfano Bosick & Raspanti. Iacono focuses his practice on commercial litigation, white-collar criminal defense, internal investigations, compliance, health care litigation and professional licensing litigation.