Export Compliance Daily is a service of Warren Communications News.
'Noteworthy' Thresholds

Bipartisan Pa. House Majority Passes Comprehensive Privacy Bill

A comprehensive privacy bill passed the Pennsylvania House with "noteworthy" applicability thresholds and categories of sensitive data, a Philadelphia-based privacy attorney said Thursday. The state House also passed a bill Wednesday that would add a private right of action to the state’s data breach notification law.


The House voted 127-76 for the comprehensive privacy bill (HB-78), which Rep. Ed Neilson (D) introduced in January. The vote was bipartisan, with 25 Republicans joining 102 Democrats in supporting the measure. The Appropriations Committee cleared the bill 36-0 on Tuesday. HB-78 generally follows the model of most state privacy bills outside California and Maryland, and it would be enforced exclusively by the state attorney general.

“Many people who shop online or even just browse the internet don’t realize that with each click, they could be giving away sensitive data that is sold to a third party or used nefariously,” Neilson said in a news release Wednesday. “Consumers have a right to privacy, and online shopping shouldn’t be exempt from that.”

Meanwhile, House members voted 112-91 for the data breach bill (HB-997). Republicans cast all 91 nays, though 10 joined Democrats in voting yes. Inspired by a recent data breach at the convenience store franchise Wawa, the legislation would require companies to take reasonable steps to secure personal data from hacking -- and to compensate consumers in the event of a data breach (see 2505060011). In addition, it would let consumers seek damages in court after suffering harm from a data breach. Under the state’s existing data breach law, only the Pennsylvania attorney general may enforce violations.

Both bills go next to the Pennsylvania Senate, which has until Dec. 31 to pass them. The 2024 version of Neilson’s privacy bill stalled in the Senate after the House approved it 139-62.

Benjamin Mishkin, a Cozen O’Connor privacy attorney in Philadelphia, said that while “mostly consistent with predecessor consumer privacy laws in other states,” Pennsylvania’s HB-78 has some uncommon features.

The bill would cover any controller that does business in Pennsylvania and satisfies any of the following: (1) has at least $10 million in annual gross revenue; (2) “annually buys or receives, sells or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households or devices”; or (3) derives at least 50% of annual revenue from selling personal data.

“Businesses would be subject to the law just by virtue of doing business in [Pennsylvania] and hitting a monetary threshold” of $10 million in annual gross revenue, Mishkin said in an email. “This would make it the only law” besides the California Consumer Privacy Act “to make businesses subject to the law based on an economic threshold alone.” Pennsylvania’s proposed $10 million threshold is lower than CCPA’s $25 million threshold, he noted.

Meanwhile, sensitive data under HB-78 would include many categories common to state privacy laws, including racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, children's data and precise geolocation data. However, the House in April amended the bill to also add details such as Social Security numbers, driver's license information and financial account information (see 2504230037).

Mishkin highlighted the bill's inclusion of Social Security, driver’s license and state ID numbers as types of sensitive data, saying he believes California is the only other state that includes them. Pennsylvania’s bill “would require [a] consumer’s affirmative consent to process these types of sensitive information.”

HB-78 was previously amended by a committee to delay its effective date until one year after it's enacted (see 2503180033). For the first six months after that date, the AG would be required to provide a 60-day right to cure.

While no new states have enacted comprehensive privacy bills this year, a few legislatures remain as possibilities for action (see map).

In addition to Pennsylvania’s bill passing the House, a Massachusetts bill with Maryland-like data minimization requirements passed the state Senate last month (see 2509250048). A Wisconsin state representative told us in July that he hoped to quickly advance his comprehensive bill (see 2507280016), while a Michigan privacy bill has also been awaiting a Senate vote since June.