Pennsylvania's Consumer Data Privacy Act (PCDPA)

Pennsylvania's Consumer Data Privacy Act (PCDPA), Bill 1201, is a privacy law that aims to protect the personal and sensitive data of the Keystone State's residents.

The Pennsylvania PCDPA is expected to take effect in June 2024.

This article shall take you through the Pennsylvania Consumer Data Privacy Act, what it is, who it applies to, how to comply with it, and the penalties involved if you don't.

What is the Pennsylvania Consumer Data Privacy Act (PCDPA)?

The Pennsylvania Consumer Data Privacy Act (PCDPA) is a law that grants consumers certain rights regarding their data and aims to hold data controllers (entities that process consumer information) accountable for the personal data they process (collect, use, store, or modify).

What are Some Key Definitions Under the Pennsylvania Consumer Data Privacy Act (PCDPA)?

To better understand the rules put forward by the Pennsylvania Consumer Data Privacy Act (PCDPA), we need to take a look at certain key terms that are repeated throughout the bill.

What is a Consumer Under the Pennsylvania Consumer Data Privacy Act (PCDPA)?

The Pennsylvania Consumer Data Privacy Act (PCDPA) defines a consumer as "an individual who is a resident of this commonwealth" where the commonwealth in question is Pennsylvania.

This definition excludes any individual who is acting in a commercial context as an employee, employer, or even as the owner of a company, and whose dealings with a controller are solely within the context of their role in the organization.

What is a Data Controller Under the Pennsylvania Consumer Data Privacy Act (PCDPA)?

In simple terms, a controller is a for-profit organization in charge of making decisions about how the personal information of consumers is handled, and it must meet all of the specific criteria outlined here:

• Is organized or operated for the profit or financial benefit of shareholders or owners
• Alone or with others jointly determines the purposes and means of processing consumer personal information
• Does business in the state of Pennsylvania

If all of these are met, then the business must do at least one of the following:

• Has an annual gross revenue of over $10,000
• Annually buys or receives, shares or sells for commercial purposes personal information of at least 50,000 households, devices or consumers
• Obtains at least 50% of its revenue from selling personal information

A data processor is defined as an entity that "processes personal data on behalf of a controller". This makes the processors a third party that provides data processing services for a controller.

What is Consent Under the Pennsylvania Consumer Data Privacy Act (PCDPA)?

The Pennsylvania Consumer Data Privacy Act (PCDPA) defines consent as "a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer."

The agreement has to be clear and specific and needs to outline the processing of the consumer's personal data for the consent to be viable. It can only be acceptable if the consent is asked for using a written statement by electronic or any other unambiguous means.

What is Personal and Sensitive Data Under the Pennsylvania Consumer Data Privacy Act (PCDPA)?

Consumer data is divided into two subcategories: personal data and sensitive data.

Personal data is defined as "any information that is linked or reasonably linked to an identified or identifiable individual."

It can include but isn't limited to:

• Name
• Personal phone number
• Personal email address
• IP address
• Home address

Sensitive data is a consumer's highly personal information that can be dangerous in the wrong hands. The PCDPA classifies the following as sensitive data:

• Racial or ethnic background
• Religious beliefs
• Mental or physical health details or diagnoses
• Information about sex life or sexual orientation
• Citizenship or immigration status
• Use of genetic or biometric data to uniquely identify someone
• Data collected from a known child
• Exact geolocation data

Who Must Comply With the Pennsylvania Consumer Data Privacy Act (PCDPA)?

The Pennsylvania Consumer Data Privacy Act (PCDPA) will apply to any data controller or processor who:

• Is organized or operated for the profit or financial benefit of shareholders or owners, and
• Alone or with others jointly determines the purposes and means of processing consumer personal information, and
• Does business in the state of Pennsylvania

If the above are met, then the business must do at least one of the following to fall under the scope of the act:

• Has an annual gross revenue of over $10,000
• Annually buys or receives, shares or sells for commercial purposes personal information of at least 50,000 households, devices or consumers
• Obtains at least 50% of its revenue from selling personal information

Are There Any Exemptions to the Pennsylvania Consumer Data Privacy Act (PCDPA)?

The Pennsylvania Consumer Data Privacy Act (PCDPA) exempts the following entities:

• Non-profit organizations
• Institutions of higher education
• Financial institutions or affiliates subject to Title V of the Gramm-Leach-Bliley Act
• Covered entities that are compliant with HIPAA
• Political entities of Pennsylvania
• National securities associations

Additionally, the following types of personal data are excluded from the PCDPA as they're either covered by existing federal laws or are necessary for public safety:

• Health information under HIPAA
• Information to identify patients
• Research data involving human subjects
• Data used for public health activities authorized by HIPAA
• Certain personal data involving credit-worthiness, motor vehicle records, withholding federal funds, and farm credit system, as governed by their own federal laws
• Data related to employment roles, emergency contacts, and benefits administration
• Data tied to air carriers

How Does the Pennsylvania Consumer Data Privacy Act (PCDPA) Affect Consumers?

When the Pennsylvania Consumer Data Privacy Act (PCDPA) goes into effect, individuals who fall under the definition of consumers will gain the following rights over how their personal data is processed by controllers:

• Obtain confirmation of whether or not a data controller is processing the consumer's personal data unless a trade secret would be revealed in the process
• Have inaccuracies in their personal data corrected
• Have their personal data deleted
• Obtain a copy of the personal data that the controller has
• Opt out of having personal data processed for targeted advertising, sale or profiling

How Does the Pennsylvania Consumer Data Privacy Act (PCDPA) Affect Businesses?

Under the Pennsylvania Consumer Data Privacy Act (PCDPA) guidelines, controllers should comply with the following rules to avoid getting penalties:

• Controllers must respond to consumer requests within 45 days, with a possible notified extension of an additional 45 days if necessary.
• If a controller declines a consumer's request, they must inform the consumer within 45 days, justifying their actions and establishing a means for appealing the decision and providing information about it to the consumer.
• In response to consumer requests, information must be provided free of charge, once per consumer per 12 months. The controller may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests or they may decline the request with the burden of proof.
• Controllers are not required to authenticate opt-out requests but may deny them if they believe it's fraudulent, with a notice sent to the requester.

What Does the Pennsylvania Consumer Data Privacy Act (PCDPA) Require?

The Pennsylvania Consumer Data Privacy Act (PCDPA) requires the following.

Limit Data Collection

Controllers should limit the data collection to only the data that is necessary to fulfill the purpose for which it's being collected, which should be clearly mentioned in the privacy policy. Any sensitive data of a consumer should not be collected unless they give explicit consent.

Once the data is collected, it falls upon the collector to responsibly manage, administer, and safeguard it.

Provide a Means for Consumers to Exercise their Rights

Controllers aren't required to ask for consent from the consumer for collecting their personal data (consent is needed for collecting sensitive data), but the consumer holds the right to opt out of certain instances of data processing such as targeted advertisement or sale of personal data.

Samsung dedicates a section of its privacy policy to informing consumers of how they can opt out:

For anything else, a consumer can file a request to exercise the rights that the PCDPA grants them at any time. The controller shall establish a secure and reliable means for a consumer to submit a request and appeal for it if it gets denied by the controller.

A controller is required to respond to a consumer's request in no more than 45 days, which can be extended by another 45 days if necessary, but only after notifying the consumer.

The PCDPA demands that the controller takes no discriminatory action against consumers that exercise their rights, such as "denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer."

Have a Compliant Privacy Policy

Have a compliant Privacy Policy that discloses the following information regarding the data they collect:

• Types of personal data collected
• The purposes for collecting it
• The types of data the controller shares with third parties

You can provide a comprehensive list of what kinds of personal information you collect from your consumer, similar to how Nike does here:

Gucci uses an easy-to-understand table format to indicate the reasons why it collects personal data from users. These reasons can be any, depending on how your business functions, and can include collecting data for advertisement purposes, fraud prevention, or to better understand your business:

A table format isn't necessary but it's a nice way to organize and present information to the consumer.

Nestle's Privacy Policy mentions the third parties it shares consumers' personal data with and the specific reason for doing so:

Note that it provides specific examples like Meta and Google with whom the data is shared, along with the reasoning behind it, which instills trust in the consumer.

Conduct Data Protection Assessments

The controller should conduct a data protection assessment for all of the consumer's data processing activities that have a higher risk to the consumer and document it. The General attorney may require the controller to present this document to check whether it's compliant with the PCDPA.

In the data protection assessment, controllers should weigh the benefits of processing a consumer's data to themselves, consumers, stakeholders, and the public against the risks such processing brings to the consumer. To reduce the risk to the consumer, the controller should use practices like encryption and pseudonymization which will also improve the data protection assessment.

Have a Contract in Place Between the Controller and Processor

Any data that a processor processes on behalf of the controller shall be governed by a contract between the two. This contract should clearly state the following:

• Instructions for processing data
• The nature and purpose of processing
• The type of data that is to be processed
• Duration of processing
• The rights of both parties

How is the Pennsylvania Consumer Data Privacy Act (PCDPA) Enforced?

The state's Attorney General holds the exclusive authority to enforce the PCDPA.

Starting from July 1, 2024, until December 31, 2025, the Attorney General will issue a warning notice to the controllers and processors that violate the PCDPA. These entities will have 60 days to fix the violation to avoid getting penalties, after which the violations will be considered "unfair methods of competition" and "unfair or deceptive acts or practices."

After January 1, 2026, the Attorney General may or may not give a controller or processor a warning notice before taking action on them.

What are the Penalties for Violating the Pennsylvania Consumer Data Privacy Act?

Penalties for violations of the PCDPA are not yet defined as of writing.

Summary

The Pennsylvania Consumer Data Privacy Act (PCDPA) is Pennsylvania's newest privacy law that aims to enhance the rights of consumers and the protection of their personal data.

The act requires businesses to take steps to inform users of their rights, and allow them to be exercised.

It also requires that businesses have opt-out mechanisms in place where required, as well as a compliant Privacy Policy. Data protection assessments will need to be conducted, and contracts will need to be in place between data controllers and data processors.

The state's Attorney General will be responsible for enforcement of the act, with penalties yet to be determined.