HB 78 — An Act providing for consumer data privacy, for duties of controllers and for duties of processors; and imposing penalties.

PRINTER'S NO.   65

                    THE GENERAL ASSEMBLY OF PENNSYLVANIA



                        HOUSE BILL
                        No. 78
                                              Session of
                                                2025

     INTRODUCED BY NEILSON, SCIALABBA, HOWARD, MENTZER, LEADBETER,
        SANCHEZ, HILL-EVANS, GIRAL, FRANKEL, KHAN, ARMANINI, WARREN,
        FREEMAN AND OTTEN, JANUARY 14, 2025

     REFERRED TO COMMITTEE ON COMMERCE, JANUARY 14, 2025


                                   AN ACT
 1   Providing for consumer data privacy, for duties of controllers
 2      and for duties of processors; and imposing penalties.
 3      The General Assembly of the Commonwealth of Pennsylvania
 4   hereby enacts as follows:
 5   Section 1.   Short title.
 6      This act shall be known and may be cited as the Consumer Data
 7   Privacy Act.
 8   Section 2.   Definitions.
 9      The following words and phrases when used in this act shall
10   have the meanings given to them in this section unless the
11   context clearly indicates otherwise:
12      "Affiliate."   A legal entity that shares common branding with
13   another legal entity or controls, is controlled by or is under
14   common control with another legal entity.
15      "Biometric data."   Data generated by automatic measurements
16   of an individual's biological characteristics, including
17   fingerprints, voiceprints, eye retinas, irises or other unique
 1   biological patterns or characteristics that are used to identify
 2   a specific individual. The term does not include a digital or
 3   physical photograph, an audio or video recording or any data
 4   generated from a digital or physical photograph or an audio or
 5   video recording. The term does not include information captured
 6   and converted to a mathematical representation, including a
 7   numeric string or similar method that cannot be used to recreate
 8   the data captured or converted to create the mathematical
 9   representation.
10      "Business associate."    As defined in 45 CFR 160.103 (relating
11   to definitions)
12      "Child."     As defined in 15 U.S.C. § 6501 (relating to
13   definitions).
14      "Common branding."    A shared name, servicemark or trademark.
15      "Consent."     A clear affirmative act signifying a consumer's
16   freely given, specific, informed and unambiguous agreement to
17   allow the processing of personal data relating to the consumer.
18   The term includes a written statement, including by electronic
19   means, or any other unambiguous affirmative action specified in
20   this definition. The term does not include acceptance of general
21   or broad terms of use or a similar document that contains
22   descriptions of personal data processing along with other
23   unrelated information, hovering over, muting, pausing or closing
24   a given piece of content or an agreement obtained through the
25   use of dark patterns.
26      "Consumer."    An individual who is a resident of this
27   Commonwealth. The term does not include an individual acting in
28   a commercial or employment context or as an employee, owner,
29   director, officer or contractor of a company, partnership, sole
30   proprietorship, nonprofit or government agency whose

20250HB0078PN0065                    - 2 -
 1   communications or transactions with a controller occur solely
 2   within the context of that individual's role with the company,
 3   partnership, sole proprietorship, nonprofit or government
 4   agency.
 5      "Control."         Any of the following:
 6             (1)   Ownership of or the power to vote on more than 50%
 7      of the outstanding shares of any class of voting security of
 8      a controller.
 9             (2)   Control in any manner over the election of a
10      majority of the directors or over the individuals exercising
11      similar functions.
12             (3)   The power to exercise a controlling influence over
13      the management of a company.
14      "Controller."         As follows:
15             (1)   A sole proprietorship, partnership, limited
16      liability company, corporation, association or other legal
17      entity that meets all of the following criteria:
18                   (i)    Is organized or operated for the profit or
19             financial benefit of its shareholders or other owners.
20                   (ii)    Alone or jointly with others, determines the
21             purposes and means of the processing of consumers'
22             personal information.
23                   (iii)    Does business in this Commonwealth.
24                   (iv)    Satisfies any of the following thresholds:
25                          (A)   Has annual gross revenues in excess of
26                   $10,000,000.
27                          (B)   Alone or in combination, annually buys or
28                   receives, sells or shares for commercial purposes,
29                   alone or in combination, the personal information of
30                   at least 50,000 consumers, households or devices.

20250HB0078PN0065                           - 3 -
 1                    (C)   Derives at least 50% of annual revenues from
 2                selling consumers' personal information.
 3          (2)   An entity that controls a sole proprietorship,
 4      partnership, limited liability company, corporation,
 5      association or other legal entity under paragraph (1) or
 6      shares common branding with the sole proprietorship,
 7      partnership, limited liability company, corporation,
 8      association or other legal entity.
 9      "Covered entity."     As defined in 45 CFR 160.103.
10      "Dark pattern."     A user interface designed or manipulated
11   with the substantial effect of subverting or impairing user
12   autonomy, decision making or choice, including a practice the
13   Federal Trade Commission refers to as a dark pattern.
14      "Decisions that produce legal or similarly significant
15   effects concerning the consumer."       Decisions made by a
16   controller that result in the provision or denial by the
17   controller of financial or lending services, housing, insurance,
18   education enrollment or opportunity, criminal justice,
19   employment opportunities, health care services or access to
20   essential goods or services.
21      "De-identified data."     Data that cannot reasonably be used to
22   infer information about, or otherwise be linked to, an
23   identified or identifiable individual or a device linked to the
24   individual, if the controller that possesses the data complies
25   with the following criteria:
26          (1)   Takes reasonable measures to ensure that the data
27      cannot be associated with an individual.
28          (2)   Publicly commits to process the data only in a de-
29      identified fashion and not attempt to re-identify the data.
30          (3)   Contractually obligates a recipient of the data to

20250HB0078PN0065                    - 4 -
 1      satisfy the criteria specified under paragraphs (1) and (2).
 2      "HIPAA."    The Health Insurance Portability and Accountability
 3   Act of 1996 (Public Law 104-191, 110 Stat. 1936).
 4      "Identified or identifiable individual."     An individual who
 5   can be readily identified, directly or indirectly.
 6      "Institution of higher education."     As defined in section
 7   118(c) of the act of March 10, 1949 (P.L.30, No.14), known as
 8   the Public School Code of 1949.
 9      "Nonprofit organization."    An organization that is exempt
10   from taxation under 26 U.S.C. § 501(c)(3), (4), (6) or (12)
11   (relating to exemption from tax on corporations, certain trusts,
12   etc.).
13      "Personal data."    As follows:
14            (1)   Any information that is linked or reasonably
15      linkable to an identified or identifiable individual.
16            (2)   The term does not include publicly available
17      information, de-identified data or biometric data captured
18      and converted to a mathematical representation.
19      "Precise geolocation data."     Information derived from
20   technology, including global positioning system level latitude
21   and longitude coordinates or other mechanisms, that directly
22   identifies the specific location of an individual with precision
23   and accuracy within a radius of 1,750 feet. The term does not
24   include the content of communications, or any data generated by
25   or connected to advanced utility metering infrastructure systems
26   or equipment for use by a utility.
27      "Process" or "processing."     An operation or set of operations
28   performed, whether by manual or automated means, on personal
29   data or on sets of personal data, including the collection, use,
30   storage, disclosure, analysis, deletion or modification of

20250HB0078PN0065                    - 5 -
 1   personal data.
 2      "Processing activities that present a heightened risk of harm
 3   to a consumer."      The term includes any of the following:
 4          (1)   The processing of personal data for the purpose of
 5      targeted advertising.
 6          (2)   The sale of personal data.
 7          (3)   The processing of personal data for the purpose of
 8      profiling if the profiling presents a reasonably foreseeable
 9      risk of any of the following:
10                (i)    Unfair or deceptive treatment of, or an unlawful
11          disparate impact on, a consumer.
12                (ii)    Financial, physical or reputational injury to a
13          consumer.
14                (iii)    A physical or other intrusion upon the
15          solitude or seclusion of a consumer or the private
16          affairs or concerns of a consumer where the intrusion
17          would be offensive to a reasonable person.
18                (iv)    Any other substantial injury to a consumer.
19          (4)   The processing of sensitive data.
20      "Processor."      An individual who, or legal entity that,
21   processes personal data on behalf of a controller.
22      "Profiling."      Any form of automated processing performed on
23   personal data to evaluate, analyze or predict personal aspects
24   related to an identified or identifiable individual's economic
25   situation, health, personal preferences, interests, reliability,
26   behavior, location or movements.
27      "Protected health information."       As defined in 45 CFR
28   160.103.
29      "Pseudonymous data."      Personal data that cannot be attributed
30   to a specific individual without the use of additional

20250HB0078PN0065                     - 6 -
 1   information if the additional information is kept separately and
 2   is subject to appropriate technical and organizational measures
 3   to ensure that the personal data is not attributed to an
 4   identified or identifiable individual.
 5      "Publicly available information."
 6          Information that:
 7          (1)     is lawfully available through Federal, State or
 8      municipal records or widely distributed media; or
 9          (2)     a controller has a reasonable basis to believe a
10      consumer has lawfully made available to the general public.
11      "Sale of personal data."     The exchange of personal data for
12   monetary or other valuable consideration by a controller to a
13   third party. The term does not include any of the following:
14          (1)     The disclosure of personal data to a processor that
15      processes the personal data on behalf of the controller.
16          (2)     The disclosure of personal data to a third party for
17      the purpose of providing a product or service requested by a
18      consumer.
19          (3)     The disclosure or transfer of personal data to an
20      affiliate of the controller.
21          (4)     The disclosure of personal data when a consumer
22      directs the controller to disclose the personal data or
23      intentionally uses the controller to interact with a third
24      party.
25          (5)     The disclosure of personal data that a consumer:
26                (i)    intentionally made available to the general
27          public via a channel of mass media; and
28                (ii)    did not restrict to a specific audience.
29          (6)     The disclosure or transfer of personal data to a
30      third party as an asset that is part of a merger,

20250HB0078PN0065                     - 7 -
 1      acquisition, bankruptcy or other transaction or a proposed
 2      merger, acquisition, bankruptcy or other transaction, in
 3      which the third party assumes control of all or part of the
 4      controller's assets.
 5      "Sensitive data."    Personal data that includes data revealing
 6   any of the following:
 7          (1)   A racial or ethnic origin.
 8          (2)   Religious beliefs.
 9          (3)   Mental or physical health condition or diagnosis.
10          (4)   Sex life or sexual orientation.
11          (5)   Citizenship or immigration status.
12          (6)   The processing of genetic or biometric data for the
13      purpose of uniquely identifying an individual.
14          (7)   Personal data collected from a known child.
15          (8)   Precise geolocation data.
16      "Targeted advertising."    Displaying advertisements to a
17   consumer if the advertisement is selected based on personal data
18   obtained or inferred from the consumer's activities over time
19   and across nonaffiliated Internet websites or online
20   applications to predict the consumer's preferences or interests.
21   The term does not include any of the following:
22          (1)   Advertisements based on activities within a
23      controller's own Internet websites or online applications.
24          (2)   Advertisements based on the context of a consumer's
25      current search query, visit to an Internet website or online
26      application.
27          (3)   Advertisements directed to a consumer in response to
28      the consumer's request for information or feedback.
29          (4)   Processing personal data solely to measure or report
30      advertising frequency, performance or reach.

20250HB0078PN0065                   - 8 -
 1      "Third party."       An individual or legal entity, including a
 2   public authority, agency or body, other than a consumer,
 3   controller or processor or an affiliate of the processor or the
 4   controller.
 5      "Trade secret."       As defined in 12 Pa.C.S. § 5302 (relating to
 6   definitions).
 7   Section 3.     Consumer data privacy.
 8      (a)   Rights of consumers.--A consumer shall have the right to
 9   do the following:
10            (1)   Confirm whether or not a controller is processing or
11      accessing the consumer's personal data, unless the
12      confirmation or access would require the controller to reveal
13      a trade secret.
14            (2)   Correct inaccuracies in the consumer's personal
15      data, taking into account the nature of the personal data and
16      the purposes of the processing of the consumer's personal
17      data.
18            (3)   Delete personal data provided by or obtained about
19      the consumer.
20            (4)   Obtain a copy of the consumer's personal data
21      processed by a controller in a portable and, to the extent
22      technically feasible, readily usable format that allows the
23      consumer to transmit the data to another controller without
24      hindrance, where the processing is carried out by automated
25      means in a manner that would disclose the controller's trade
26      secrets.
27            (5)   Opt out of the processing of the consumer's personal
28      data for the purpose of any of the following:
29                  (i)    Targeted advertising.
30                  (ii)    The sale of personal data, except as provided

20250HB0078PN0065                       - 9 -
 1            under section 5(b).
 2                  (iii)   Profiling in furtherance of solely automated
 3            decisions that produce legal or similarly significant
 4            effects concerning the consumer.
 5      (b)   Exercise of rights.--A consumer may exercise the rights
 6   under subsection (a) by a secure and reliable means established
 7   by a controller and described to the consumer in the
 8   controller's privacy notice. A consumer may designate an
 9   authorized agent in accordance with section 4 to exercise the
10   consumer's right under subsection (a)(5) to opt out of the
11   processing of the consumer's personal data on behalf of the
12   consumer. For processing personal data of a known child, the
13   parent or legal guardian may exercise the consumer's rights
14   under subsection (a) on the child's behalf. For processing
15   personal data concerning a consumer subject to a guardianship,
16   conservatorship or other protective arrangement, the guardian or
17   the conservator of the consumer may exercise the consumer's
18   rights under subsection (a) on the consumer's behalf.
19      (c)   Compliance.--Except as otherwise provided in this act, a
20   controller shall comply with a request by a consumer to exercise
21   the consumer's rights under subsection (a) as follows:
22            (1)   The controller shall respond to the consumer without
23      undue delay, but no later than 45 days after receipt of the
24      request. The controller may extend the response period under
25      this paragraph by an additional 45 days when reasonably
26      necessary, considering the complexity and number of the
27      consumer's requests, if the controller informs the consumer
28      of the extension within the initial 45-day response period
29      and the reason for the extension.
30            (2)   If the controller declines to take action regarding

20250HB0078PN0065                      - 10 -
 1    the consumer's request, the controller shall inform the
 2    consumer without undue delay, but no later than 45 days after
 3    receipt of the request, of the justification for declining to
 4    take action and instructions for how to appeal the decision.
 5        (3)   Information provided in response to consumer
 6    requests shall be provided by the controller, free of charge,
 7    once per consumer during a 12-month period. If a request from
 8    a consumer is manifestly unfounded, excessive or repetitive,
 9    the controller may charge the consumer a reasonable fee to
10    cover the administrative costs of complying with the request
11    or decline to act on the request. The controller bears the
12    burden of demonstrating the manifestly unfounded, excessive
13    or repetitive nature of the request.
14        (4)   If a controller is unable to authenticate a request
15    to exercise a right afforded under subsection (a)(1), (2),
16    (3) or (4) using commercially reasonable efforts, the
17    controller shall not be required to comply with a request
18    under this subsection and shall provide notice to the
19    consumer that the controller is unable to authenticate the
20    request to exercise the right until the consumer provides
21    additional information reasonably necessary to authenticate
22    the consumer and the consumer's request to exercise the
23    right. A controller shall not be required to authenticate an
24    opt-out request under subsection (a)(5), but the controller
25    may deny an opt-out request if the controller has a good
26    faith, reasonable and documented belief that the request is
27    fraudulent. If a controller denies an opt-out request under
28    subsection (a)(5) because the controller believes the request
29    is fraudulent, the controller shall send a notice to the
30    person who made the request disclosing that the controller

20250HB0078PN0065                - 11 -
 1      believes the request is fraudulent, why the controller
 2      believes the request is fraudulent and that the controller
 3      will not comply with the request.
 4            (5)   A controller that has obtained personal data about a
 5      consumer from a source other than the consumer shall be
 6      deemed in compliance with a consumer's request to delete the
 7      personal data in accordance with subsection (a)(3) by
 8      retaining a record of the deletion request and the minimum
 9      data necessary for the purpose of ensuring that the
10      consumer's personal data remains deleted from the
11      controller's records and not using such retained data for any
12      other purpose in accordance with the provisions of this act
13      or opting the consumer out of the processing of the data for
14      any purpose except for those exempted under section 11(a)(3).
15      (d)   Appeals.--A controller shall establish a process for a
16   consumer to appeal the controller's refusal to take action on a
17   request by a consumer to exercise the consumer's rights under
18   subsection (a) within a reasonable period of time after the
19   consumer's receipt of the decision under subsection (c)(2). The
20   appeal process shall be conspicuously available and similar to
21   the process for submitting requests to initiate an action under
22   subsection (b). No later than 60 days after receipt of an
23   appeal, the controller shall inform the consumer in writing of
24   an action taken or not taken in response to the appeal,
25   including a written explanation of the reason for the decision.
26   If the appeal is denied, the controller shall also provide the
27   consumer with an online mechanism, if available, or other method
28   through which the consumer may contact the Attorney General to
29   submit a complaint.
30   Section 4.     Designation of authorized agent.

20250HB0078PN0065                    - 12 -
 1      A consumer may designate another person to serve as the
 2   consumer's authorized agent and act on the consumer's behalf to
 3   opt out of the processing of the consumer's personal data for
 4   the purposes specified under section 3(a)(5). A controller shall
 5   comply with an opt-out request received from an authorized agent
 6   under section 3(a)(5) if the controller is able to verify, with
 7   commercially reasonable effort, the identity of the consumer and
 8   the authorized agent's authority to act on the consumer's
 9   behalf.
10   Section 5.      Duties of controllers.
11      (a)    Duties.--A controller shall have all of the following
12   duties:
13             (1)   Limit the collection of personal data to what is
14      adequate, relevant and reasonably necessary in relation to
15      the purposes for which the data is processed, as disclosed to
16      the consumer.
17             (2)   Except as otherwise provided in this act, refrain
18      from processing personal data for purposes that are neither
19      reasonably necessary to, nor compatible with, the disclosed
20      purposes for which the personal data is processed, as
21      disclosed to the consumer, unless the controller obtains the
22      consumer's consent.
23             (3)   Process personal data in a manner that ensures
24      reasonable and appropriate administrative, technical,
25      organizational and physical safeguards of personal data
26      collected, stored and processed.
27             (4)   Refrain from processing sensitive data concerning a
28      consumer without obtaining the consumer's consent or, in the
29      case of the processing of sensitive data concerning a known
30      child, without processing the data, in accordance with 15

20250HB0078PN0065                     - 13 -
 1      U.S.C. Ch. 91 (relating to children's online privacy
 2      protection).
 3            (5)   Refrain from processing personal data in violation
 4      of a Federal or State law that prohibits unlawful
 5      discrimination against a consumer.
 6            (6)   Provide an effective mechanism for a consumer to
 7      revoke the consumer's consent that is at least as easy as the
 8      mechanism by which the consumer provided the consumer's
 9      consent and, upon revocation of the consent, cease to process
10      the data as soon as practicable, but no later than 15 days
11      after the receipt of the request.
12            (7)   Refrain from processing the personal data of a
13      consumer for the purpose of targeted advertising or selling
14      the consumer's personal data without the consumer's consent
15      under circumstances where the controller has actual knowledge
16      and willfully disregards that the consumer is younger than 16
17      years of age.
18            (8)   Refrain from discriminating against a consumer for
19      exercising any of the consumer rights under section 3(a),
20      including denying goods or services, charging different
21      prices or rates for goods or services or providing a
22      different level of quality of goods or services to the
23      consumer.
24      (b)   Construction.--Nothing in subsection (a) shall be
25   construed to require a controller to provide a product or
26   service that requires the personal data of a consumer that the
27   controller does not collect or maintain nor prohibit a
28   controller from offering a different price, rate, level, quality
29   or selection of goods or services to a consumer, including
30   offering goods or services for no fee, if the offering is in

20250HB0078PN0065                    - 14 -
 1   connection with a consumer's voluntary participation in a bona
 2   fide loyalty, rewards, premium features, discounts or club card
 3   program.
 4      (c)     Privacy notice.--A controller shall provide a consumer
 5   with a reasonably accessible, clear and meaningful privacy
 6   notice that includes all of the following:
 7            (1)   The categories of personal data processed by the
 8      controller.
 9            (2)   The purpose for processing personal data.
10            (3)   How the consumer may exercise the consumer's rights,
11      including how the consumer may appeal the controller's
12      decision with regard to the consumer's request under section
13      3(d).
14            (4)   The categories of personal data that the controller
15      shares with each third party.
16            (5)   The categories of each third party with which the
17      controller shares personal data.
18            (6)   An active email address or other online mechanism
19      that the consumer may use to contact the controller.
20      (d)     Disclosures.--If a controller sells personal data to a
21   third party or processes personal data for targeted advertising,
22   the controller shall clearly and conspicuously disclose the sale
23   or processing and the manner in which a consumer may exercise
24   the right to opt out of the sale or processing.
25      (e)     Means to exercise rights.--
26            (1)   A controller shall establish and describe in the
27      privacy notice under subsection (c) a secure and reliable
28      means for consumers to submit a request to exercise the
29      consumer's rights under section 3(a). The secure and reliable
30      means under this paragraph shall take into account the manner

20250HB0078PN0065                    - 15 -
 1    in which a consumer normally interacts with the controller,
 2    the need for secure and reliable communication for the
 3    request and the ability of the controller to verify the
 4    identity of the consumer making the request. A controller may
 5    not require a consumer to create a new account in order to
 6    exercise the consumer's rights under section 3(a), but may
 7    require the consumer to use an existing account. The secure
 8    and reliable means shall include all of the following:
 9             (i)    Providing a clear and conspicuous link on the
10        controller's Internet website to an Internet web page
11        that enables a consumer, or an agent of the consumer, to
12        opt out of the targeted advertising or sale of the
13        consumer's personal data under section 3(a)(5).
14             (ii)    No later than January 1, 2027, allowing a
15        consumer to opt out of the processing of the consumer's
16        personal data for the purpose of targeted advertising or
17        the sale of the consumer's personal data under section
18        3(a)(5) through an opt-out preference signal sent, with
19        the consumer's consent, by a platform, technology or
20        mechanism to the controller indicating the consumer's
21        intent to opt out of the processing or sale. The
22        platform, technology or mechanism shall comply with all
23        of the following criteria:
24                    (A)   Not unfairly disadvantage another
25             controller.
26                    (B)   Not make use of a default setting, but
27             instead require the consumer to make an affirmative,
28             freely given and unambiguous choice to opt out of the
29             processing or sale of the consumer's personal data.
30                    (C)   Be consumer friendly and easy to use by the

20250HB0078PN0065                   - 16 -
 1              average consumer.
 2                  (D)    Be as consistent as possible with any other
 3              similar platform, technology or mechanism required by
 4              a Federal or State law or regulation.
 5                  (E)    Enable the controller to accurately
 6              determine whether the consumer is a resident of this
 7              Commonwealth and whether the consumer has made a
 8              legitimate request to opt out of processing or sale
 9              of the consumer's personal data.
10                  (F)    Be in compliance with this section. A
11              controller that recognizes signals approved by other
12              states shall be considered in compliance with this
13              section.
14              (iii)   If a consumer's decision to opt out of the
15        processing of the consumer's personal data for the
16        purpose of targeted advertising or the sale of the
17        consumer's personal data under section 3(a)(5) through an
18        opt-out preference signal sent under subparagraph (ii)
19        conflicts with the consumer's existing controller-
20        specific privacy setting or voluntary participation in a
21        controller's bona fide loyalty, rewards, premium
22        features, discounts or club card program, the controller
23        shall comply with the consumer's opt-out preference
24        signal, but may notify the consumer of the conflict and
25        provide to the consumer the choice to confirm the
26        controller-specific privacy setting or participation in
27        the program.
28        (2)   If a controller responds to a consumer's opt-out
29    request under paragraph (1)(i) by informing the consumer of a
30    charge for the use of a product or service, the controller

20250HB0078PN0065                   - 17 -
 1      shall present the terms of a bona fide loyalty, rewards,
 2      premium features, discounts or club card program for the
 3      retention, use, sale or sharing of the consumer's personal
 4      data.
 5   Section 6.     Duties of processors.
 6      (a)   Assistance.--A processor shall adhere to the
 7   instructions of a controller and shall assist the controller in
 8   complying with the controller's duties under this act. The
 9   assistance shall include all of the following:
10            (1)   Taking into account the nature of processing and the
11      information available to the processor, by appropriate
12      technical and organizational measures, insofar as is
13      reasonably practicable, to fulfill the controller's duty to
14      comply with a request by a consumer to exercise the
15      consumer's rights under section 3(a).
16            (2)   Taking into account the nature of processing and the
17      information available to the processor, by assisting the
18      controller in meeting the controller's duties in relation to
19      the security of processing the personal data and in relation
20      to the notification of a breach of security of the system of
21      the processor.
22            (3)   Providing necessary information to enable the
23      controller to conduct and document data protection
24      assessments.
25      (b)   Contracts.--A contract between a controller and a
26   processor shall govern the processor's data processing
27   procedures with respect to processing performed on behalf of the
28   controller. The contract shall be binding and clearly state the
29   instructions for processing data, the nature and purpose of
30   processing, the type of data subject to processing, the duration

20250HB0078PN0065                    - 18 -
 1   of processing and the rights and obligations of both parties.
 2   The contract shall also require that the processor comply with
 3   all of the following:
 4            (1)   Ensure that each person processing personal data is
 5      subject to a duty of confidentiality with respect to the
 6      data.
 7            (2)   At the controller's direction, delete or return all
 8      personal data to the controller as requested at the end of
 9      the provision of services, unless retention of the personal
10      data is required by Federal or State law.
11            (3)   Upon the reasonable request of the controller, make
12      available to the controller all information in the
13      processor's possession necessary to demonstrate the
14      processor's compliance with the provisions of this act.
15            (4)   After providing the controller with an opportunity
16      to object, engage a subcontractor pursuant to a written
17      contract that requires the subcontractor to meet the
18      obligations of the processor with respect to the personal
19      data.
20            (5)   Allow and cooperate with a reasonable assessment by
21      the controller or the controller's designated assessor, or
22      arrange for a qualified and independent assessor to conduct
23      an assessment of the processor's policies and technical and
24      organizational measures in support of the requirements under
25      this act, using an appropriate and accepted control standard
26      or framework and assessment procedure for the assessment. The
27      processor shall provide a report of the assessment to the
28      controller upon request.
29      (c)   Construction.--Nothing in this section shall be
30   construed to relieve a controller or processor from the

20250HB0078PN0065                    - 19 -
 1   liabilities imposed on the controller or processor by virtue of
 2   the role of the controller or processor in the processing
 3   relationship specified under this act.
 4      (d)   Acting as controller or processor.--A determination of
 5   whether a person is acting as a controller or processor with
 6   respect to a specific processing of data shall be a fact-based
 7   determination that depends upon the context in which personal
 8   data is to be processed. The following shall apply:
 9            (1)   A person who is not limited in the person's
10      processing of personal data pursuant to a controller's
11      instructions or who fails to adhere to the instructions shall
12      be a controller and not a processor with respect to a
13      specific processing of data.
14            (2)   A processor who continues to adhere to a
15      controller's instructions with respect to a specific
16      processing of personal data shall remain a processor.
17            (3)   If a processor begins, alone or jointly with others,
18      determining the purposes and means of the processing of
19      personal data, the processor shall be a controller with
20      respect to the processing and may be subject to an
21      enforcement action under section 10.
22   Section 7.     Data protection assessment.
23      (a)   Assessment.--A controller shall conduct and document a
24   data protection assessment for each of the controller's
25   processing activities that present a heightened risk of harm to
26   a consumer.
27      (b)   Benefits and risks.--In conducting a data protection
28   assessment under subsection (a), a controller shall identify and
29   weigh the benefits that may flow, directly and indirectly, from
30   the processing to the controller, the consumer, other

20250HB0078PN0065                    - 20 -
 1   stakeholders and the public against the potential risks to the
 2   consumer's rights under section 3(a) associated with the
 3   processing, as mitigated by safeguards that can be employed by
 4   the controller to reduce the risks. The controller shall factor
 5   all of the following into the data protection assessment:
 6            (1)   The use of de-identified data.
 7            (2)   The reasonable expectations of the consumer.
 8            (3)   The context of the processing and the relationship
 9      between the controller and the consumer whose personal data
10      will be processed.
11      (c)   Availability of assessments.--The Attorney General may
12   require a controller to disclose a data protection assessment
13   under subsection (a) that is relevant to an investigation
14   conducted by the Attorney General, and the controller shall make
15   the data protection assessment available to the Attorney
16   General. The Attorney General may evaluate a data protection
17   assessment for compliance with the provisions of this act. A
18   data protection assessment shall be confidential and exempt from
19   disclosure under 5 U.S.C. § 552 (relating to public information;
20   agency rules, opinions, orders, records, and proceedings) and
21   the act of February 14, 2008 (P.L.6, No.3), known as the Right-
22   to-Know Law. To the extent that information contained in a data
23   protection assessment disclosed to the Attorney General under
24   this subsection includes information subject to attorney-client
25   privilege or work product protection, the disclosure shall not
26   constitute a waiver of the privilege or protection.
27      (d)   Comparison of processing operations.--A single data
28   protection assessment under subsection (a) may address a
29   comparable set of processing operations that includes similar
30   activities.

20250HB0078PN0065                    - 21 -
 1      (e)   Compliance.--If a controller conducts a data protection
 2   assessment for the purpose of complying with another applicable
 3   Federal or State law or regulation, the data protection
 4   assessment shall be deemed to satisfy the requirements under
 5   this section if the data protection assessment is reasonably
 6   similar in scope and effect to the data protection assessment
 7   that would otherwise be conducted under this section.
 8      (f)   Applicability.--The data protection assessment
 9   requirements under this section shall apply to processing
10   activities created or generated after July 1, 2025, and shall
11   not apply retroactively.
12   Section 8.     De-identified data and pseudonymous data.
13      (a)   Duties.--A controller in possession of de-identified
14   data shall have the following duties:
15            (1)   Take reasonable measures to ensure that the de-
16      identified data cannot be associated with an individual.
17            (2)   Publicly commit to maintaining and using de-
18      identified data without attempting to re-identify the data.
19            (3)   Contractually obligate a recipient of the de-
20      identified data to comply with the provisions of this act.
21      (b)   Construction.--Nothing in this act shall be construed to
22   require a controller or processor to:
23            (1)   require a controller or processor to re-identify de-
24      identified data or pseudonymous data;
25            (2)   maintain data in identifiable form or collect,
26      obtain, retain or access data or technology in order to be
27      capable of associating an authenticated consumer rights
28      request under section 3(a); or
29            (3)   comply with an authenticated consumer rights request
30      under section 3(a) if the controller:

20250HB0078PN0065                    - 22 -
 1                   (i)    is not reasonably capable of associating the
 2               request with the personal data, or it would be
 3               unreasonably burdensome for the controller to associate
 4               the request with the consumer's personal data;
 5                   (ii)    does not use the personal data to recognize or
 6               respond to the specific consumer who is the subject of
 7               the personal data or does not associate the personal data
 8               with other personal data about the same specific
 9               consumer; and
10                   (iii)    does not sell the personal data to a third
11               party or otherwise voluntarily disclose the personal data
12               to a third party other than a processor, except as
13               authorized under this section.
14         (c)   Pseudonymous data.--The consumer rights specified under
15   section 3(a)(1), (2), (3) or (4) shall not apply to pseudonymous
16   data if a controller is able to demonstrate that any information
17   necessary to identify the consumer is kept separately and is
18   subject to effective technical and organizational controls that
19   prevent the controller from accessing the information.
20         (d)   Oversight.--A controller that discloses pseudonymous
21   data or de-identified data shall exercise reasonable oversight
22   to monitor compliance with a contractual commitment to which the
23   pseudonymous data or de-identified data is subject and shall
24   take appropriate steps to address a breach of the contractual
25   commitment.
26   Section 9.      Exemptions on restrictions for controllers or
27                   processors.
28         (a)   Legal compliance.--Nothing in this act shall be
29   construed to restrict the ability of a controller or processor
30   to:

20250HB0078PN0065                        - 23 -
 1        (1)    comply with Federal or State laws or local
 2    ordinances or regulations;
 3        (2)    comply with a civil, criminal or regulatory inquiry,
 4    investigation, subpoena or summons by a Federal, State,
 5    municipal or other governmental authority;
 6        (3)    cooperate with a law enforcement agency concerning a
 7    conduct or activity that the controller or processor
 8    reasonably and in good faith believes may violate a Federal
 9    or State law or local ordinance or regulation;
10        (4)    investigate, establish, exercise, prepare for or
11    defend legal claims;
12        (5)    provide a product or service specifically requested
13    by a consumer;
14        (6)    perform under a contract to which a consumer is a
15    party, including fulfilling the terms of a written warranty;
16        (7)    take steps at the request of a consumer prior to
17    entering into a contract;
18        (8)    take immediate steps to protect an interest that is
19    essential for the life or physical safety of a consumer or
20    another individual, including when processing cannot be
21    manifestly based on the provisions of this act;
22        (9)    prevent, detect, protect against or respond to a
23    security incident, identity theft, fraud, harassment,
24    malicious or deceptive activity or illegal activity, preserve
25    the integrity or security of a system or investigate, report
26    or prosecute an individual responsible for an incident
27    specified under this paragraph;
28        (10)    engage in public or peer-reviewed scientific or
29    statistical research in the public interest that adheres to
30    all other applicable Federal or State ethics and privacy laws

20250HB0078PN0065                  - 24 -
 1      and is approved, monitored and governed by an institutional
 2      review board or a similar independent oversight entity that
 3      determines whether:
 4                   (i)    the deletion of information is likely to provide
 5            substantial benefits to the research that do not
 6            exclusively accrue to the controller;
 7                   (ii)    the expected benefits of the research outweigh
 8            the privacy risks; and
 9                   (iii)    the controller has implemented reasonable
10            safeguards to mitigate privacy risks associated with the
11            research, including risks associated with re-
12            identification;
13            (11)    assist another controller, processor or third party
14      with any of the requirements under this act; or
15            (12)    process personal data for reasons of public
16      interest in the area of public health, community health or
17      population health, but solely to the extent that the
18      processing is:
19                   (i)    subject to suitable and specific measures to
20            safeguard the rights of the consumer whose personal data
21            is being processed; and
22                   (ii)    under the responsibility of a professional
23            subject to confidentiality obligations under Federal or
24            State law or local ordinance.
25      (b)   Data collection.--The requirements imposed on a
26   controller or processor under this act shall not restrict the
27   ability of a controller or processor to collect, use or retain
28   data for internal use for any of the following purposes:
29            (1)    Conducting internal research to develop, improve or
30      repair products, services or technology.

20250HB0078PN0065                        - 25 -
 1            (2)   Effectuating a product recall.
 2            (3)   Identifying and repairing technical errors that
 3      impair existing or intended functionality.
 4            (4)   Internal operations that are reasonably aligned with
 5      the expectations of a consumer or reasonably anticipated
 6      based on the consumer's existing relationship with the
 7      controller or are otherwise compatible with processing data
 8      in furtherance of the provision of a product or service
 9      specifically requested by a consumer.
10      (c)   Evidentiary privilege.--The requirements imposed on a
11   controller or processor under this act shall not apply if
12   compliance by the controller or processor with requirements
13   would violate an evidentiary privilege under the laws of this
14   Commonwealth. Nothing in this act shall be construed to prevent
15   a controller or processor from providing personal data
16   concerning a consumer to an individual covered by an evidentiary
17   privilege under the laws of this Commonwealth as part of a
18   privileged communication.
19      (d)   Third parties.--A controller or processor that discloses
20   personal data to a third-party controller or third-party
21   processor in accordance with this act shall not be deemed to
22   have violated the provisions of this act if the third-party
23   controller or third-party processor violates the provisions of
24   this act if, at the time of the disclosure, the disclosing
25   controller or processor did not have actual knowledge that the
26   third-party controller or third-party processor would violate
27   the provisions of this act. A third-party controller or third-
28   party processor who receives personal data under this subsection
29   in accordance with this act shall not be deemed to have violated
30   the provisions of this act for a violation by the disclosing

20250HB0078PN0065                    - 26 -
 1   controller or processor.
 2      (e)   Individual liberties.--Nothing in this act shall be
 3   construed to:
 4            (1)   impose an obligation on a controller or processor
 5      that adversely affects the rights or freedoms of an
 6      individual, including the freedom of speech or freedom of the
 7      press guaranteed in the First Amendment to the Constitution
 8      of the United States or section 7 of Article I of the
 9      Constitution of Pennsylvania; or
10            (2)   apply to an individual's processing of personal data
11      in the course of the individual's purely personal or
12      household activities.
13      (f)   Personal data.--
14            (1)   Personal data processed by a controller may be
15      processed to the extent that the processing meets all of the
16      following criteria:
17                  (i)    Is reasonably necessary and proportionate to the
18            purposes specified under this section.
19                  (ii)   Is adequate, relevant and limited to what is
20            necessary in relation to the specific purposes specified
21            under this section.
22            (2)   A controller or processor that collects, uses or
23      retains personal data under subsection (b) shall, when
24      applicable, take into account the nature and purpose of the
25      collection, use or retention of the personal data. The
26      personal data under subsection (b) shall be subject to
27      reasonable administrative, technical and physical measures to
28      protect the confidentiality, integrity and accessibility of
29      the personal data and reduce reasonably foreseeable risks of
30      harm to a consumer related to the collection, use or

20250HB0078PN0065                       - 27 -
 1      retention of the personal data.
 2      (g)   Exemptions.--If a controller processes personal data in
 3   accordance with an exemption under this section, the controller
 4   shall be responsible for demonstrating that the processing
 5   qualifies for the exemption and complies with the requirements
 6   under subsection (f).
 7      (h)   Legal entities.--The processing of personal data for the
 8   purposes expressly specified under this section shall not solely
 9   make a legal entity a controller with respect to the processing.
10   Section 10.     Penalties, enforcement and private rights of
11                  action.
12      (a)   Enforcement.--The Attorney General shall have exclusive
13   authority to enforce the provisions of this act. The following
14   shall apply:
15            (1)   During the period beginning January 1, 2026, and
16      ending July 1, 2026, the Attorney General shall, prior to
17      initiating an action for a violation of a provision of this
18      act, issue a notice of violation to the controller or
19      processor if the Attorney General determines that a cure is
20      possible. If the controller fails to cure the violation
21      within 60 days of receipt of the notice of violation, the
22      Attorney General may initiate an action under this section.
23            (2)   Beginning January 1, 2026, the Attorney General may,
24      in determining whether to grant a controller or processor the
25      opportunity to cure an alleged violation under paragraph (1),
26      consider all of the following:
27                  (i)    The number of violations.
28                  (ii)    The size and complexity of the controller or
29            processor.
30                  (iii)    The nature and extent of the processing

20250HB0078PN0065                       - 28 -
 1            activities of the controller or processor.
 2                  (iv)    The substantial likelihood of injury to the
 3            public.
 4                  (v)    The safety of persons or property.
 5                  (vi)    Whether the alleged violation was likely caused
 6            by human or technical error.
 7            (3)   The right to cure shall apply for 60 days.
 8      (b)   Private rights of action.--Nothing in this act shall be
 9   construed as providing the basis for a private right of action
10   for a violation of the provisions of this act.
11      (c)   Unfair trade practice.--Violations of the provisions of
12   this act shall constitute "unfair methods of competition" and
13   "unfair or deceptive acts or practices" under the act of
14   December 17, 1968 (P.L.1224, No.387), known as the Unfair Trade
15   Practices and Consumer Protection Law, and shall be enforced
16   exclusively by the Attorney General.
17      (d)   Regulations.--The Attorney General shall promulgate
18   regulations necessary to implement this section.
19   Section 11.     Nonapplicability, exemption and consent.
20      (a)   Nonapplicability.--This act shall not apply to any of
21   the following:
22            (1)   The Commonwealth or any of its political
23      subdivisions.
24            (2)   A nonprofit organization.
25            (3)   An institution of higher education.
26            (4)   A national securities association that is registered
27      under 15 U.S.C. § 78o-3 (relating to registered securities
28      associations).
29            (5)   A financial institution or an affiliate of a
30      financial institution or data subject to Title V of the

20250HB0078PN0065                       - 29 -
 1      Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.).
 2            (6)   A covered entity or business associate.
 3      (b)   Exemptions.--The following shall be exempt from the
 4   provisions of this act:
 5            (1)   Protected health information under HIPAA.
 6            (2)   Patient-identifying information for purposes of 42
 7      U.S.C. § 290dd-2 (relating to confidentiality of records).
 8            (3)   Identifiable private information for purposes of the
 9      Federal policy for the protection of human subjects under 45
10      CFR Subt. A Subch. A Pt. 46 (relating to protection of human
11      subjects).
12            (4)   Identifiable private information that is otherwise
13      information collected as part of human subjects research in
14      accordance with the good clinical practice guidelines issued
15      by the International Council for Harmonisation of Technical
16      Requirements for Pharmaceuticals for Human Use on the
17      effective date of this paragraph.
18            (5)   The protection of human subjects under 21 CFR Ch. I
19      Subch. A Pt. 50 (relating to protection of human subjects) or
20      56 (relating to institutional review boards) or personal data
21      used or shared in research, as defined in 45 CFR 164.501
22      (relating to definitions), that is conducted in accordance
23      with the standards specified under this subsection or other
24      research conducted in accordance with applicable Federal or
25      State law.
26            (6)   Information and documents created for the purposes
27      of 42 U.S.C. Ch. 117 (relating to encouraging good faith
28      professional review activities).
29            (7)   Patient safety work product for the purposes of 42
30      U.S.C. Ch. 6A Subch. VII Pt. C (relating to patient safety

20250HB0078PN0065                    - 30 -
 1    improvement).
 2        (8)    Information derived from any of the health-care-
 3    related information exempt under this subsection that is de-
 4    identified in accordance with the requirements for de-
 5    identification under HIPAA.
 6        (9)    Information originating from and intermingled to be
 7    indistinguishable with, or information treated in the same
 8    manner as, information exempt under this subsection that is
 9    maintained by a covered entity or business associate, program
10    or qualified service organization as specified in 42 U.S.C. §
11    290dd-2.
12        (10)    Information used for public health activities and
13    purposes as authorized by HIPAA, community health activities
14    and population health activities.
15        (11)    The collection, maintenance, disclosure, sale,
16    communication or use of personal information bearing on a
17    consumer's credit worthiness, credit standing, credit
18    capacity, character, general reputation, personal
19    characteristics or mode of living by a consumer reporting
20    agency, furnisher or user that provides information for use
21    in a consumer report or by a user of a consumer report, but
22    only to the extent that the activity is regulated by and
23    authorized under 15 U.S.C. Ch. 41 Subch. III (relating to
24    credit reporting agencies).
25        (12)    Personal data collected, processed, sold or
26    disclosed in compliance with 18 U.S.C. Ch. 123 (relating to
27    prohibition on release and use of certain personal
28    information from state motor vehicle records).
29        (13)    Personal data regulated by 20 U.S.C. Ch. 31 Subch.
30    III Pt. 4 (relating to records; privacy; limitation on

20250HB0078PN0065                 - 31 -
 1      withholding Federal funds).
 2            (14)    Personal data collected, processed, sold or
 3      disclosed in compliance with 12 U.S.C. Ch. 23 (relating to
 4      farm credit system).
 5            (15)    Data processed or maintained:
 6                   (i)    in the course of an individual applying to,
 7            employed by or acting as an agent or independent
 8            contractor of a controller, processor or third party to
 9            the extent that the data is collected and used within the
10            context of that role;
11                   (ii)    as the emergency contact information of an
12            individual specified under this act and used for
13            emergency contact purposes; or
14                   (iii)    as necessary to administer benefits for
15            another individual related to an individual who is the
16            subject of the information under paragraph (1) and used
17            for the purposes of administering the benefits.
18            (16)    Personal data collected, processed, sold or
19      disclosed in relation to price, route or service by an air
20      carrier under 49 U.S.C. Subt. VII Pt. A. Subpt. I Ch. 401
21      (relating to general provisions) to the extent preempted
22      under 49 U.S.C. § 41713 (relating to preemption of authority
23      over prices, routes, and service).
24      (c)   Parental consent.--A controller or processor that
25   complies with the verifiable parental consent requirements under
26   15 U.S.C. Ch. 91 (relating to children's online privacy
27   protection) shall be deemed compliant with an obligation to
28   obtain parental consent under this act.
29   Section 12.      Effective date.
30      This act shall take effect in six months.

20250HB0078PN0065                        - 32 -