Consumer Data Privacy Legislation may be coming to Pennsylvania
By: Bryce R. Beard
In our increasingly digital world, it is more important than ever to ensure that your personal data is secure. Almost every day there are news articles on data breaches, ransomware attacks, and other cybersecurity vulnerabilities that have affected all types of businesses from interstate pipeline companies, to cell carriers, and even Pennsylvania electric utilities. But what can you, as a consumer, do to ensure your data is safe and under your control?
With little to no action by the federal government on regulating data privacy and protection, multiple states have enacted laws or have proposed laws to create much needed protections and ensure that entities that obtain your data are doing all that they can to protect it. In Pennsylvania, multiple bills have been proposed to encourage best cyber practices by businesses operating in the Commonwealth and to give consumers control over their consumer data.
One proposal is HB 1126 of 2021, introduced in April 2021 and sponsored by a group of 17 PA representatives. HB 1126 would create a duty for businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Importantly, the bill would create a private right of action allowing consumers to obtain statutory damages of $100 to $750 per consumer per incident, actual damages, and injunctive relief. As of January 2022, HB 1126 remains under deliberation in the House Consumer Affairs Committee.
On January 20, 2022, 25 PA representatives introduced another bill, HB 2257 of 2022, titled the “Consumer Data Protection Act” (“CDPA”). Unlike HB 1126, which focused on the business side and on causes of action for consumers whose data was compromised, the CDPA sets out consumer data standards that businesses offering products and services to Pennsylvania residents must abide by, and ultimately puts control of consumer data back in the hands of the consumer. Section 301 of the CDPA establishes a list of “Consumer Rights” that give consumers control over how businesses (defined as “controllers” or “processors”) use and process their personal data. Under it, a consumer may invoke the right to:
- confirm whether the controller is processing or has access to the consumer’s personal data,
- correct inaccuracies in that data,
- demand that personal data in the controller’s possession be deleted,
- obtain copies of personal data in the controller’s possession,
- and, importantly, “opt out” of having personal data processed for targeted advertising, the sale of personal data, and profiling used to make decisions that affect the consumer.
The CDPA would also require controllers to respond to consumers within 45 days of receiving a request (with the possibility of extending for an additional 45 days “when reasonably necessary”), to create an appeal process for consumers if the controller refuses to take action, and to provide the consumer with information on how to contact the Pennsylvania Attorney General if the appeal is ultimately denied.
Aside from the consumer rights process, Section 302 of the CDPA also requires controllers to “limit the collection of personal data to what is necessary in relation to the purpose for which the data is collected… as disclosed to the consumer,” and to implement and maintain reasonable data security practices to protect consumer personal data. Importantly, while we have all experienced the “click here to agree to the terms and conditions” prompts that pop up everywhere online these days, the CDPA provides a key protection for consumers: Section 302(b) declares that any contract provision that “purports to waive or limit a consumer right[s] under this act shall be deemed… void and unenforceable,” closing the otherwise inevitable loophole of controllers forcing consumers to waive their rights as a condition of service. If ultimately signed into law, the bill would require businesses that process Pennsylvania consumer data to implement procedures for complying with the CDPA, and the first compliance steps would likely take some effort to navigate. Additionally, Section 302(d) would require any controller who sells consumers’ personal data to third parties to notify affected consumers and to allow them to opt out of the sale of their data. Finally, the CDPA gives the Pennsylvania Attorney General authority to investigate, to review data protection assessments, and to enforce the provisions of the Act.
HB 2257 of 2022 is currently before the House Consumer Affairs Committee, but businesses and consumers alike should monitor this bill for developments, because the need for consumer data protections will only continue to increase as the world of digital commerce continues to expand.
Businesses that collect and maintain customer data should consult counsel to advise them on appropriate data security practices even in the absence of legislation because there is potential liability for breach even now. Those practices should be reviewed and revised regularly to keep pace with changing law – not just in your home state, but in any state where you might be subject to such data security requirements. Businesses should also monitor HB 1126 and HB 2257 for any forward progress in the legislature, as it is possible that one, both, or some combination of the bills as they stand today may be voted on in the future.