Pennsylvania's Consumer Data Privacy Act (PCDPA) is a privacy bill currently working its way through Pennsylvania's legislative system.

If approved, the PCDPA will become Pennsylvania's primary data protection law, much like the privacy laws of California, Colorado, Virginia, and so on.

This article explains Pennsylvania's Consumer Data Privacy Act (PCDPA), looking at which businesses it applies to, how to comply, the enforcement process for non-compliance, and more.

Let's get into it.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is Pennsylvania's Consumer Data Privacy Act (PCDPA)?

Pennsylvania's Consumer Data Privacy Act (PCDPA) (House Bill 1201) is one of two comprehensive privacy bills under consideration in the Commonwealth of Pennsylvania. It's up against the Pennsylvania Consumer Data Protection Act (House Bill 708).

Introduced on May 19, 2023, the PCDPA will take effect immediately if the bill passes.

In sum, Pennsylvania's Consumer Data Privacy Act (PCDPA) represents the state's efforts on data protection as it works to join the wave of U.S. states enacting their own laws.

What are the Key Definitions Under Pennsylvania's Consumer Data Privacy Act (PCDPA)?

Like many privacy laws, Pennsylvania's Consumer Data Privacy Act (PCDPA) provides its own definitions of specific terms and phrases used in its text. Below, we unpack the most important ones.

Who is a Consumer Under Pennsylvania's Consumer Data Privacy Act (PCDPA)?

According to Pennsylvania's Consumer Data Privacy Act (PCDPA), a consumer is "an individual who is a resident of this Commonwealth."

This definition excludes all residents acting in a commercial or employment context. In other words, employees, contractors, and all other "workforce individuals" aren't considered consumers under Pennsylvania's Consumer Data Privacy Act (PCDPA).

What is Personal Data Under Pennsylvania's Consumer Data Privacy Act (PCDPA)?

Pennsylvania's Consumer Data Privacy Act (PCDPA) generally maintains the status quo on the definition of personal data. It defines personal data as:

"Information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household..."

Given this definition, personal data includes but isn't limited to the following:

  • Names and aliases
  • Email and IP addresses
  • Postal addresses
  • Social security numbers
  • Search and browser histories
  • Precise geolocation data
  • Driver's license and passport numbers

The sole exception to this definition is publicly available information.

What is Sensitive Data Under Pennsylvania's Consumer Data Privacy Act (PCDPA)?

Sensitive data is a special class of data that, if exposed, could lead to discrimination or bias. Under Pennsylvania's Consumer Data Privacy Act (PCDPA), it includes data revealing any of the following:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Precise geolocation data
  • Personal data collected from a known child
  • Genetic or biometric data that uniquely identifies an individual

What is Processing Under Pennsylvania's Consumer Data Privacy Act (PCDPA)?

Pennsylvania's Consumer Data Privacy Act (PCDPA) defines processing as:

"Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, including the collection, use, storage, disclosure, analysis, deletion, or modification of personal data."

In other words, processing refers to any and all actions carried out on personal data, from collecting to storing to deleting it.

Pennsylvania's Consumer Data Privacy Act (PCDPA) defines consent as:

"A clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer."

Consent can be obtained in writing, electronically, or through other explicit means. It doesn't include acceptance of broad Terms and Conditions or similar agreements that explain data processing alongside unrelated information.

It also doesn't include agreements obtained through dark patterns and other underhanded practices like hovering over, pausing, muting, or closing a piece of content (e.g., closing a banner or pop-up).

Who Must Comply With Pennsylvania's Consumer Data Privacy Act (PCDPA)?

The PCDPA applies to controllers and processors who do business in the Commonwealth of Pennsylvania.

The terms 'controller' and 'processor' are notably inspired by the EU's General Data Protection Regulation (GDPR). However, Pennsylvania's Consumer Data Privacy Act (PCDPA) makes a few tweaks to their definitions.

Let's take a look.

Who is a Controller Under Pennsylvania's Consumer Data Privacy Act (PCDPA)?

A controller is a legal entity (sole proprietorship, partnership, LLC, etc.) that meets all of the following criteria:

  1. Operates on a for-profit basis,
  2. Collects consumers' personal data and decides why and how it is processed, and
  3. Meets any of the following thresholds:

    • Gross annual revenue exceeds $10 million,
    • Annually buys, receives, sells, or shares (for commercial purposes) the personal data of at least 50,000 consumers, households, or devices, or
    • Derives 50% or more of annual revenue from selling consumers' personal data

Suppose a business doesn't meet these criteria but controls an entity that does and shares common branding (i.e., a trademark or shared name) with that entity. In this case, the business is also considered a controller under Pennsylvania's Consumer Data Privacy Act (PCDPA).

Who is a Processor Under Pennsylvania's Consumer Data Privacy Act (PCDPA)?

Pennsylvania's Consumer Data Privacy Act (PCDPA) defines a processor as a person or legal entity that "processes personal data on behalf of a controller."

In other words, processors are third parties that perform data-driven services for controllers. Examples include email marketing companies, IT service providers, payroll platforms, etc.

Are There Exemptions to Pennsylvania's Consumer Data Privacy Act (PCDPA)?

Like many privacy laws, Pennsylvania's Consumer Data Privacy Act (PCDPA) exempts specific organizations and data types from its scope. They include the following:

  • Pennsylvania and its political subdivisions
  • Higher education institutions
  • Nonprofits
  • National Securities Association registered under 15 U.S.C. § 78o-3
  • Financial institutions or data subject to 15 U.S.C. Ch. 94
  • A covered entity or business associate
  • Protected health information under HIPAA

How Does Pennsylvania's Consumer Data Privacy Act (PCDPA) Affect Consumers?

If passed, Pennsylvania's Consumer Data Privacy Act (PCDPA) will give consumers of the Commonwealth several new rights over how businesses handle their personal data.

Specifically, Section 3 of Pennsylvania's Consumer Data Privacy Act (PCDPA) gives consumers the right to:

  1. Confirm whether or not a controller is processing their personal data
  2. Correct errors in their data, considering the nature of the data and reasons for processing
  3. Delete their data, whether obtained from them directly or gathered from other sources
  4. Obtain a copy of their data in a portable and readily usable format, allowing them to transfer it to another controller seamlessly
  5. Opt out of targeted advertising and the sale of personal data
  6. Opt out of profiling for "solely automated decisions that produce legal or similarly significant effects" - decisions to provide or deny consumers any of the following:

    • Financial or lending services
    • Housing and insurance
    • Education and employment opportunities
    • Criminal justice
    • Health care services
    • Access to essentials (food, water, etc.)

To exercise these rights, Pennsylvania's Consumer Data Privacy Act (PCDPA) requires controllers to create and describe a "secure and reliable means" within their Privacy Policy.

Note: Parents or legal guardians can exercise these rights on behalf of children.

How Does Pennsylvania's Consumer Data Privacy Act (PCDPA) Affect Businesses?

As mentioned, businesses covered by Pennsylvania's Consumer Data Privacy Act (PCDPA) must comply with a number of data privacy requirements if the bill passes.

Among other requirements, businesses would have to maintain a transparent Privacy Policy, perform data protection assessments, and respond appropriately to consumer requests.

We'll look more closely at these requirements below.

What Does Pennsylvania's Consumer Data Privacy Act (PCDPA) Require?

To protect Pennsylvania's residents, the PCDPA imposes several privacy obligations on businesses to handle data responsibly.

Let's take a look at the duties of controllers and processors in turn.

Duties of Controllers

Section 5 of Pennsylvania's Consumer Data Privacy Act (PCDPA) sets out the following duties for controllers:

  • Only collect personal data necessary for purposes you originally disclosed to the consumer.
  • Avoid processing data for purposes beyond what consumers agreed to unless they provide explicit consent.
  • Set up and maintain reasonable administrative, technical, and physical security measures to protect data, considering its volume and sensitivity.
  • Obtain consent before processing sensitive data. For minors, observe the consent requirements of the Children's Online Privacy Protection Act (COPPA).
  • Don't process personal data in violation of federal or state laws that ban unlawful discrimination against consumers.
  • Provide a way for consumers to withdraw their consent as easily as they provided it. Upon withdrawal, stop processing their data within 15 days of receiving the request.
  • Don't process data for targeted advertising or data sales without explicit consent in cases where you're aware that the consumer is under 16.
  • Don't discriminate against consumers for exercising their rights by denying them products or services, charging different prices, or providing them with different product or service quality.

Duties of Processors

Under Section 6, Pennsylvania's Consumer Data Privacy Act (PCDPA) requires processors to assist controllers in the performance of their duties.

In short, processors must take note of the following:

  • Follow the controller's directions and help them in responding to consumer requests where practical.
  • Implement appropriate technical and organizational measures to keep data secure and notify the controller of any security breaches that occur.
  • Provide all necessary details to assist the controller in conducting and documenting data protection assessments.
  • Only process data in line with a written contract with the controller that clearly outlines the data processing instructions, purpose, duration, and the rights and responsibilities of both parties.

How Do You Comply with Pennsylvania's Consumer Data Privacy Act (PCDPA)?

If Pennsylvania's Consumer Data Privacy Act (PCDPA) passes, you'll need to take the following steps to comply.

Publish a PCDPA-Compliant Privacy Policy

Like many global privacy laws, Pennsylvania's Consumer Data Privacy Act (PCDPA) requires you to provide key disclosures about your data processing practices in a clear, accessible, and informative Privacy Policy.

You must also clarify if you plan to sell personal data to third parties or use data for targeted ads and explain how consumers can opt out.

Let's take a look at the key clauses you'll need to address in a PCDPA-compliant Privacy Policy.

The types of personal data you collect and process

Your Privacy Policy should start by explaining what types of personal data you process. To keep things transparent, it's recommended that you provide as much detail as possible.

If you handle sensitive data categories (such as geolocation data, sex life, or ethnic origins), ensure you also highlight this.

Here's how Oracle clarifies the types and sources of personal information it collects:

Oracle Privacy Policy: Which categories and specific pieces of personal information do we process and from which sources clause

Further below, Oracle goes into specifics about the pieces of information it collects and processes:

Oracle Privacy Policy: Specific piece of information Oracle collects and processes clause

Your reasons for processing personal data

Next, Pennsylvania's Consumer Data Privacy Act (PCDPA) requires that you clearly explain why you need the personal data you collect and how you intend to use it.

Here's a good example of how this clause can look, from Bumble:

Bumble Privacy Policy: Use of Your Information clause

How consumers can exercise their rights

Under this clause, outline the region-specific rights of consumers (in this case, Pennsylvania) and clarify how consumers can exercise these rights.

Here's a good example from Upwork that includes all PCDPA rights and a link to an online form for consumers to exercise their rights:

Upwork Privacy Policy: States rights clause

What third parties you share personal data with

Under Pennsylvania's Consumer Data Privacy Act (PCDPA), this clause should unpack two key pieces of information:

  1. The categories of personal data you share with third parties
  2. The categories of third parties with whom you share personal data

Bumble uses a table to address this clause, as shown below:

Bumble Privacy Policy: Disclosure of Information clause

Your contact information

Last but not least, your Privacy Policy must include a way for consumers to reach you. Specifically, Pennsylvania's Consumer Data Privacy Act (PCDPA) asks that you provide "an active email address or other online mechanism."

You may provide the contact details of your Data Protection Officer (if you have one) or other dedicated contact information.

Here's how Gymshark does this:

Gymshark Privacy Notice: Contacting Us clause

Handle Consumer Requests Appropriately

Pennsylvania's Consumer Data Privacy Act (PCDPA) requires you to respond to consumer requests to exercise their rights within 45 days. You can extend this by another 45 days for complex or numerous requests, but you must inform the consumer within the initial 45 days.

If you decide not to fulfill a request, you must provide the reasons within 45 days of getting the request and explain how the consumer can appeal your decision.

Pennsylvania's Consumer Data Privacy Act (PCDPA) allows each consumer to access their data once per year and for free. However, you can charge a reasonable fee for "manifestly unfounded, excessive, or repetitive" requests. Note that the burden of proof to demonstrate this lies with you.

Conduct Data Protection Assessments

Another important requirement under Pennsylvania's Consumer Data Privacy Act (PCDPA) is the need for data protection assessments.

Starting July 1, 2024, you must conduct and document these assessments if your data processing activities are likely to pose "a heightened risk of harm" to consumers.

To do this, you'll need to weigh the benefits of your processing activities against the potential risks to consumer rights and any safeguards you have in place to mitigate those risks.

During your assessment, Pennsylvania's Consumer Data Privacy Act (PCDPA) asks that you consider the following:

  • Whether you're using de-identified data
  • What the consumer's "reasonable expectations" are
  • The context of the processing and your relationship with the consumer

To ease the burden on businesses, Pennsylvania's Consumer Data Privacy Act (PCDPA) allows you to use a single assessment for identical data processing activities. Moreover, similar assessments conducted to comply with other laws will satisfy the PCDPA's requirements.

Create and Adhere to a Data Processing Contract

As mentioned, Pennsylvania's Consumer Data Privacy Act (PCDPA) requires controllers and processors to maintain a contract that governs their operations. This contract is otherwise known as a processing agreement.

Under Pennsylvania's Consumer Data Privacy Act (PCDPA), a valid contract requires processors to comply with the following:

  • Ensure that everyone processing consumers' data is bound by a duty of confidentiality.
  • Delete or return personal data at the controller's instruction unless retention is required by law.
  • Give the controller all necessary information to demonstrate compliance with Pennsylvania's Consumer Data Privacy Act (PCDPA) upon reasonable request.
  • Require subcontractors to sign a valid contract (similar to the processor's) after getting the controller's approval.
  • Require the processor to cooperate with reasonable policy assessments by the controller or an appointed assessor to ensure PCDPA compliance.

Honor Universal Opt-Out Mechanisms

From January 1, 2026, Pennsylvania's Consumer Data Privacy Act (PCDPA) requires that you honor universal opt-out mechanisms - like Global Privacy Control (GPC) - to allow consumers to opt out of targeted ads and data sales.

Universal opt-out signals work as a device or browser setting that allows consumers to notify websites of their preferences.

For example, here's how you can explain how GPC opt-out signals are honored:

Generic Do Not Track/Global Privacy Control clause

And here's how you can acknowledge when consumers activate GPC opt-out signals on their browsers:

Generic Cookie Settings menu with GPC pop-up highlighted

Under Pennsylvania's Consumer Data Privacy Act (PCDPA), valid opt-out signals must meet the following standards:

  • Not unfairly disadvantage another business
  • Be easy to use and consumer-friendly
  • Not use any default setting but require consumers to freely and actively decide to opt out
  • Be consistent with similar opt-out mechanisms to make things less confusing for consumers
  • Allow you to confirm if opt-out requests are legitimate and from a Pennsylvania resident
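As an added example (not code from the article), here is how a website backend can honor the GPC signal described above. The Sec-GPC request header, whose value "1" means opt out, comes from the GPC specification; the request dictionaries and the consumer-preference record are assumed for illustration.

```python
"""Honor the Global Privacy Control (GPC) opt-out signal on the server side.

Added example, not code from the article. The Sec-GPC request header
(value "1" = opt out) comes from the GPC specification; the request and
consumer-preference structures below are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass
class ConsumerPrefs:
    """Stored opt-out state for one consumer (assumed schema)."""
    state: str                        # two-letter state of residence, "" if unknown
    sale_opt_out: bool = False        # opted out of sale of personal data
    targeted_ads_opt_out: bool = False
    source: str = "none"              # what set the current opt-outs


def gpc_signal_present(headers: dict) -> bool:
    """True only when the request carries exactly Sec-GPC: 1.

    Header names are matched case-insensitively. Any other value, or a
    missing header, means the consumer expressed no preference via GPC;
    it never means consent.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc(headers: dict, prefs: ConsumerPrefs) -> ConsumerPrefs:
    """Record a GPC opt-out for targeted advertising and data sales.

    A request without the signal leaves existing opt-outs untouched: the
    absence of GPC must not be treated as withdrawing an earlier opt-out
    made through a cookie banner or a web form.
    """
    if gpc_signal_present(headers):
        prefs.sale_opt_out = True
        prefs.targeted_ads_opt_out = True
        prefs.source = "gpc"
    return prefs


def may_sell_data(prefs: ConsumerPrefs) -> bool:
    return not prefs.sale_opt_out


def may_target_ads(prefs: ConsumerPrefs) -> bool:
    return not prefs.targeted_ads_opt_out


def pcdpa_applies(prefs: ConsumerPrefs) -> bool:
    """Flag whether the record belongs to a Pennsylvania resident, which the
    article says a valid mechanism lets you confirm; honoring the signal for
    every visitor is the simpler and safer default."""
    return prefs.state.upper() == "PA"


if __name__ == "__main__":
    # Constructed sample requests: one with the GPC header, one without.
    gpc_request = {"Host": "shop.example", "Sec-GPC": "1"}
    plain_request = {"Host": "shop.example"}
    pa_user = apply_gpc(gpc_request, ConsumerPrefs(state="PA"))
    print(may_sell_data(pa_user), may_target_ads(pa_user))   # prints False False
    prior = ConsumerPrefs(state="PA", sale_opt_out=True, source="form")
    print(apply_gpc(plain_request, prior).sale_opt_out)      # prints True (kept)
```

The same decision logic applies client-side, where the signal is exposed as `navigator.globalPrivacyControl` rather than a header.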

How will Pennsylvania's Consumer Data Privacy Act (PCDPA) be Enforced?

Enforcement of Pennsylvania's Consumer Data Privacy Act (PCDPA) will rest exclusively in the hands of the Pennsylvania Attorney General (AG). This means Pennsylvania residents can't sue businesses for alleged violations.

From July 1, 2024, to December 31, 2025, businesses will have a 60-day "cure period" to fix identified violations.

Starting January 1, 2026, cure periods will be offered based on the AG's discretion, considering the following:

  • The number of violations
  • The size and complexity of the business
  • The potential harm to the public
  • The nature and scope of the business's processing activities
  • The safety of individuals or property
  • Whether the violation was caused by human or technical error

What are the Penalties for Violating Pennsylvania's Consumer Data Privacy Act (PCDPA)?

At the time of this writing, Pennsylvania's Consumer Data Privacy Act (PCDPA) doesn't specify an exact penalty amount for violations. We'll keep you informed as additional information becomes available.

Summary

In the continued absence of a national data protection framework, Pennsylvania has moved to enact its own comprehensive law. If passed, the PCDPA will bring Pennsylvania into the ranks of California, Colorado, Virginia, and other states with comprehensive laws.

Pennsylvania's Consumer Data Privacy Act (PCDPA) applies to controllers and (to a lesser extent) processors who do business in the Commonwealth of Pennsylvania.

Controllers are for-profit entities that decide the purpose and means of processing data and meet any of the following thresholds:

  • Annual gross revenue is over $10 million,
  • Buys, receives, sells, or shares personal data of at least 50,000 consumers, households, or devices, or
  • Derives 50% or more of annual revenue from selling consumers' data

Like many privacy laws, Pennsylvania's Consumer Data Privacy Act (PCDPA) grants consumers a number of privacy rights while imposing duties on businesses (both controllers and processors).

To comply with Pennsylvania's Consumer Data Privacy Act (PCDPA), you'll need to take note of the following:

  • Publish a PCDPA-compliant Privacy Policy
  • Handle consumer requests appropriately and within the legal timeframe (45 days)
  • Conduct data protection assessments for "high-risk" processing activities
  • Create a data processing contract with your processors
  • Honor universal opt-out mechanisms
