SB 112 — An Act providing for consumer data privacy, for duties of controllers and for duties of processors; and imposing penalties.

PRINTER'S NO.    445

                    THE GENERAL ASSEMBLY OF PENNSYLVANIA



                       SENATE BILL
                       No. 112
                                              Session of
                                                2025

     INTRODUCED BY COLLETT, BOSCOLA, STREET, COMITTA, HAYWOOD,
        FONTANA, KANE, COSTA, TARTAGLIONE, MILLER, SANTARSIERO AND
        PISCIOTTANO, MARCH 21, 2025

     REFERRED TO COMMUNICATIONS AND TECHNOLOGY, MARCH 21, 2025


                                   AN ACT
 1   Providing for consumer data privacy, for duties of controllers
 2      and for duties of processors; and imposing penalties.
 3      The General Assembly of the Commonwealth of Pennsylvania
 4   hereby enacts as follows:
 5   Section 1.   Short title.
 6      This act shall be known and may be cited as the Consumer Data
 7   Privacy Act.
 8   Section 2.   Definitions.
 9      The following words and phrases when used in this act shall
10   have the meanings given to them in this section unless the
11   context clearly indicates otherwise:
12      "Affiliate."   A legal entity that shares common branding with
13   another legal entity or controls, is controlled by or is under
14   common control with another legal entity.
15      "Biometric data."   Data generated by automatic measurements
16   of an individual's biological characteristics, including
17   fingerprints, voiceprints, eye retinas, irises or other unique
 1   biological patterns or characteristics that are used to identify
 2   a specific individual. The term does not include a digital or
 3   physical photograph, an audio or video recording or any data
 4   generated from a digital or physical photograph or an audio or
 5   video recording. The term does not include information captured
 6   and converted to a mathematical representation, including a
 7   numeric string or similar method that cannot be used to recreate
 8   the data captured or converted to create the mathematical
 9   representation.
10      "Business associate."     As defined in 45 CFR 160.103 (relating
11   to definitions).
12      "Child."     As defined in 15 U.S.C. § 6501 (relating to
13   definitions).
14      "Common branding."    A shared name, servicemark or trademark.
15      "Consent."     A clear affirmative act signifying a consumer's
16   freely given, specific, informed and unambiguous agreement to
17   allow the processing of personal data relating to the consumer.
18   The term includes a written statement, including by electronic
19   means, or any other unambiguous affirmative action specified in
20   this definition. The term does not include acceptance of general
21   or broad terms of use or a similar document that contains
22   descriptions of personal data processing along with other
23   unrelated information, hovering over, muting, pausing or closing
24   a given piece of content or an agreement obtained through the
25   use of dark patterns.
26      "Consumer."     An individual who is a resident of this
27   Commonwealth. The term does not include an individual acting in
28   a commercial or employment context or as an employee, owner,
29   director, officer or contractor of a company, partnership, sole
30   proprietorship, nonprofit or government agency whose

20250SB0112PN0445                    - 2 -
 1   communications or transactions with a controller occur solely
 2   within the context of that individual's role with the company,
 3   partnership, sole proprietorship, nonprofit or government
 4   agency.
 5      "Control."         Any of the following:
 6             (1)   Ownership of or the power to vote on more than 50%
 7      of the outstanding shares of any class of voting security of
 8      a controller.
 9             (2)   Control in any manner over the election of a
10      majority of the directors or over the individuals exercising
11      similar functions.
12             (3)   The power to exercise a controlling influence over
13      the management of a company.
14      "Controller."         As follows:
15             (1)   A sole proprietorship, partnership, limited
16      liability company, corporation, association or other legal
17      entity that meets all of the following criteria:
18                   (i)    Is organized or operated for the profit or
19             financial benefit of its shareholders or other owners.
20                   (ii)    Alone or jointly with others, determines the
21             purposes and means of the processing of consumers'
22             personal information.
23                   (iii)    Does business in this Commonwealth.
24                   (iv)    Satisfies any of the following thresholds:
25                          (A)   Has annual gross revenues in excess of
26                   $10,000,000.
27                          (B)   Alone or in combination, annually buys or
28                   receives, sells or shares for commercial purposes,
29                   alone or in combination, the personal information of
30                   at least 50,000 consumers, households or devices.

20250SB0112PN0445                           - 3 -
 1                    (C)   Derives at least 50% of annual revenues from
 2                selling consumers' personal information.
 3          (2)   An entity that controls a sole proprietorship,
 4      partnership, limited liability company, corporation,
 5      association or other legal entity under paragraph (1) or
 6      shares common branding with the sole proprietorship,
 7      partnership, limited liability company, corporation,
 8      association or other legal entity.
 9      "Covered entity."     As defined in 45 CFR 160.103.
10      "Dark pattern."     A user interface designed or manipulated
11   with the substantial effect of subverting or impairing user
12   autonomy, decision making or choice, including a practice the
13   Federal Trade Commission refers to as a dark pattern.
14      "Decisions that produce legal or similarly significant
15   effects concerning the consumer."       Decisions made by a
16   controller that result in the provision or denial by the
17   controller of financial or lending services, housing, insurance,
18   education enrollment or opportunity, criminal justice,
19   employment opportunities, health care services or access to
20   essential goods or services.
21      "De-identified data."     Data that cannot reasonably be used to
22   infer information about, or otherwise be linked to, an
23   identified or identifiable individual or a device linked to the
24   individual, if the controller that possesses the data complies
25   with the following criteria:
26          (1)   Takes reasonable measures to ensure that the data
27      cannot be associated with an individual.
28          (2)   Publicly commits to process the data only in a de-
29      identified fashion and not attempt to re-identify the data.
30          (3)   Contractually obligates a recipient of the data to

20250SB0112PN0445                    - 4 -
 1      satisfy the criteria specified under paragraphs (1) and (2).
 2      "HIPAA."    The Health Insurance Portability and Accountability
 3   Act of 1996 (Public Law 104-191, 110 Stat. 1936).
 4      "Identified or identifiable individual."     An individual who
 5   can be readily identified, directly or indirectly.
 6      "Institution of higher education."     As defined in section
 7   118(c) of the act of March 10, 1949 (P.L.30, No.14), known as
 8   the Public School Code of 1949.
 9      "Nonprofit organization."    An organization that is exempt
10   from taxation under 26 U.S.C. § 501(c)(3), (4), (6) or (12)
11   (relating to exemption from tax on corporations, certain trusts,
12   etc.).
13      "Personal data."    As follows:
14            (1)   Any information that is linked or reasonably
15      linkable to an identified or identifiable individual.
16            (2)   The term does not include publicly available
17      information, de-identified data or biometric data captured
18      and converted to a mathematical representation.
19      "Precise geolocation data."     Information derived from
20   technology, including global positioning system level latitude
21   and longitude coordinates or other mechanisms, that directly
22   identify the specific location of an individual with precision
23   and accuracy within a radius of 1,750 feet. The term does not
24   include the content of communications or any data generated by
25   or connected to advanced utility metering infrastructure systems
26   or equipment for use by a utility.
27      "Process" or "processing."     Any operation or set of
28   operations performed, whether by manual or automated means, on
29   personal data or on sets of personal data, including the
30   collection, use, storage, disclosure, analysis, deletion or

20250SB0112PN0445                    - 5 -
 1   modification of personal data.
 2      "Processing activities that present a heightened risk of harm
 3   to a consumer."      The term includes any of the following:
 4          (1)   The processing of personal data for the purpose of
 5      targeted advertising.
 6          (2)   The sale of personal data.
 7          (3)   The processing of personal data for the purpose of
 8      profiling if the profiling presents a reasonably foreseeable
 9      risk of any of the following:
10                (i)    Unfair or deceptive treatment of, or an unlawful
11          disparate impact on, a consumer.
12                (ii)    Financial, physical or reputational injury to a
13          consumer.
14                (iii)    A physical or other intrusion upon the
15          solitude or seclusion of a consumer or the private
16          affairs or concerns of a consumer where the intrusion
17          would be offensive to a reasonable person.
18                (iv)    Any other substantial injury to a consumer.
19          (4)   The processing of sensitive data.
20      "Processor."      An individual who, or legal entity that,
21   processes personal data on behalf of a controller.
22      "Profiling."      Any form of automated processing performed on
23   personal data to evaluate, analyze or predict personal aspects
24   related to an identified or identifiable individual's economic
25   situation, health, personal preferences, interests, reliability,
26   behavior, location or movements.
27      "Protected health information."       As defined in 45 CFR
28   160.103.
29      "Pseudonymous data."      Personal data that cannot be attributed
30   to a specific individual without the use of additional

20250SB0112PN0445                     - 6 -
 1   information if the additional information is kept separately and
 2   is subject to appropriate technical and organizational measures
 3   to ensure that the personal data is not attributed to an
 4   identified or identifiable individual.
 5      "Publicly available information."     Information that:
 6          (1)     is lawfully available through Federal, State or
 7      municipal records or widely distributed media; or
 8          (2)     a controller has a reasonable basis to believe a
 9      consumer has lawfully made available to the general public.
10      "Sale of personal data."     The exchange of personal data for
11   monetary or other valuable consideration by a controller to a
12   third party. The term does not include any of the following:
13          (1)     The disclosure of personal data to a processor that
14      processes the personal data on behalf of the controller.
15          (2)     The disclosure of personal data to a third party for
16      the purpose of providing a product or service requested by a
17      consumer.
18          (3)     The disclosure or transfer of personal data to an
19      affiliate of the controller.
20          (4)     The disclosure of personal data when a consumer
21      directs the controller to disclose the personal data or
22      intentionally uses the controller to interact with a third
23      party.
24          (5)     The disclosure of personal data that a consumer:
25                (i)    intentionally made available to the general
26          public via a channel of mass media; and
27                (ii)    did not restrict to a specific audience.
28          (6)     The disclosure or transfer of personal data to a
29      third party as an asset that is part of a merger,
30      acquisition, bankruptcy or other transaction or a proposed

20250SB0112PN0445                     - 7 -
 1      merger, acquisition, bankruptcy or other transaction, in
 2      which the third party assumes control of all or part of the
 3      controller's assets.
 4      "Sensitive data."    Personal data that includes data revealing
 5   any of the following:
 6          (1)   Racial or ethnic origin.
 7          (2)   Religious beliefs.
 8          (3)   Mental or physical health condition or diagnosis.
 9          (4)   Sex life or sexual orientation.
10          (5)   Citizenship or immigration status.
11          (6)   The processing of genetic or biometric data for the
12      purpose of uniquely identifying an individual.
13          (7)   Personal data collected from a known child.
14          (8)   Precise geolocation data.
15      "Targeted advertising."    Displaying advertisements to a
16   consumer if the advertisement is selected based on personal data
17   obtained or inferred from the consumer's activities over time
18   and across nonaffiliated Internet websites or online
19   applications to predict the consumer's preferences or interests.
20   The term does not include any of the following:
21          (1)   Advertisements based on activities within a
22      controller's own Internet websites or online applications.
23          (2)   Advertisements based on the context of a consumer's
24      current search query, visit to an Internet website or online
25      application.
26          (3)   Advertisements directed to a consumer in response to
27      the consumer's request for information or feedback.
28          (4)   Processing personal data solely to measure or report
29      advertising frequency, performance or reach.
30      "Third party."   An individual or legal entity, including a

20250SB0112PN0445                   - 8 -
 1   public authority, agency or body, other than a consumer,
 2   controller or processor or an affiliate of the processor or the
 3   controller.
 4         "Trade secret."       As defined in 12 Pa.C.S. § 5302 (relating to
 5   definitions).
 6   Section 3.        Consumer data privacy.
 7         (a)   Rights of consumers.--A consumer shall have the right
 8   to:
 9               (1)   Confirm whether or not a controller is processing or
10         accessing the consumer's personal data, unless the
11         confirmation or access would require the controller to reveal
12         a trade secret.
13               (2)   Correct inaccuracies in the consumer's personal
14         data, taking into account the nature of the personal data and
15         the purposes of the processing of the consumer's personal
16         data.
17               (3)   Delete personal data provided by or obtained about
18         the consumer.
19               (4)   Obtain a copy of the consumer's personal data
20         processed by a controller in a portable and, to the extent
21         technically feasible, readily usable format that allows the
22         consumer to transmit the data to another controller without
23         hindrance, where the processing is carried out by automated
24         means in a manner that would disclose the controller's trade
25         secrets.
26               (5)   Opt out of the processing of the consumer's personal
27         data for any of the following reasons:
28                     (i)    Targeted advertising.
29                     (ii)    The sale of personal data, except as provided
30               under section 5(b).

20250SB0112PN0445                          - 9 -
 1                  (iii)   Profiling in furtherance of solely automated
 2            decisions that produce legal or similarly significant
 3            effects concerning the consumer.
 4      (b)   Exercise of rights.--A consumer may exercise the rights
 5   under subsection (a) by a secure and reliable means established
 6   by a controller and described to the consumer in the
 7   controller's privacy notice. A consumer may designate an
 8   authorized agent in accordance with section 4 to exercise the
 9   consumer's right under subsection (a)(5) to opt out of the
10   processing of the consumer's personal data on behalf of the
11   consumer. For processing personal data of a known child, the
12   parent or legal guardian may exercise the consumer's rights
13   under subsection (a) on the child's behalf. For processing
14   personal data concerning a consumer subject to a guardianship,
15   conservatorship or other protective arrangement, the guardian or
16   the conservator of the consumer may exercise the consumer's
17   rights under subsection (a) on the consumer's behalf.
18      (c)   Compliance.--Except as otherwise provided in this act, a
19   controller shall comply with a request by a consumer to exercise
20   the consumer's rights under subsection (a) as follows:
21            (1)   The controller shall respond to the consumer without
22      undue delay, but no later than 45 days after receipt of the
23      request. The controller may extend the response period under
24      this paragraph by an additional 45 days when reasonably
25      necessary, considering the complexity and number of the
26      consumer's requests, if the controller informs the consumer
27      of the extension within the initial 45-day response period
28      and the reason for the extension.
29            (2)   If the controller declines to take action regarding
30      the consumer's request, the controller shall inform the

20250SB0112PN0445                      - 10 -
 1    consumer without undue delay, but no later than 45 days after
 2    receipt of the request, of the justification for declining to
 3    take action and instructions for how to appeal the decision.
 4        (3)   Information provided in response to consumer
 5    requests shall be provided by the controller, free of charge,
 6    once per consumer during a 12-month period. If a request from
 7    a consumer is manifestly unfounded, excessive or repetitive,
 8    the controller may charge the consumer a reasonable fee to
 9    cover the administrative costs of complying with the request
10    or decline to act on the request. The controller bears the
11    burden of demonstrating the manifestly unfounded, excessive
12    or repetitive nature of the request.
13        (4)   If a controller is unable to authenticate a request
14    to exercise a right afforded under subsection (a)(1), (2),
15    (3) or (4) using commercially reasonable efforts, the
16    controller shall not be required to comply with a request
17    under this subsection and shall provide notice to the
18    consumer that the controller is unable to authenticate the
19    request to exercise the right until the consumer provides
20    additional information reasonably necessary to authenticate
21    the consumer and the consumer's request to exercise the
22    right. A controller shall not be required to authenticate an
23    opt-out request under subsection (a)(5), but the controller
24    may deny an opt-out request if the controller has a good
25    faith, reasonable and documented belief that the request is
26    fraudulent. If a controller denies an opt-out request under
27    subsection (a)(5) because the controller believes the request
28    is fraudulent, the controller shall send a notice to the
29    person who made the request disclosing that the controller
30    believes the request is fraudulent, why the controller

20250SB0112PN0445                - 11 -
 1      believes the request is fraudulent and that the controller
 2      will not comply with the request.
 3            (5)   A controller that has obtained personal data about a
 4      consumer from a source other than the consumer shall be
 5      deemed in compliance with a consumer's request to delete the
 6      personal data in accordance with subsection (a)(3) by
 7      retaining a record of the deletion request and the minimum
 8      data necessary for the purpose of ensuring that the
 9      consumer's personal data remains deleted from the
10      controller's records and not using such retained data for any
11      other purpose in accordance with the provisions of this act
12      or opting the consumer out of the processing of the data for
13      any purpose except for those exempted under section 11(a)(3).
14      (d)   Appeals.--A controller shall establish a process for a
15   consumer to appeal the controller's refusal to take action on a
16   request by a consumer to exercise the consumer's rights under
17   subsection (a) within a reasonable period of time after the
18   consumer's receipt of the decision under subsection (c)(2). The
19   appeal process shall be conspicuously available and similar to
20   the process for submitting requests to initiate an action under
21   subsection (b). No later than 60 days after receipt of an
22   appeal, the controller shall inform the consumer in writing of
23   an action taken or not taken in response to the appeal,
24   including a written explanation of the reason for the decision.
25   If the appeal is denied, the controller shall also provide the
26   consumer with an online mechanism, if available, or other method
27   through which the consumer may contact the Attorney General to
28   submit a complaint.
29   Section 4.     Designation of authorized agent.
30      A consumer may designate another person to serve as the

20250SB0112PN0445                    - 12 -
 1   consumer's authorized agent and act on the consumer's behalf to
 2   opt out of the processing of the consumer's personal data for
 3   the purposes specified under section 3(a)(5). A controller shall
 4   comply with an opt-out request received from an authorized agent
 5   under section 3(a)(5) if the controller is able to verify, with
 6   commercially reasonable effort, the identity of the consumer and
 7   the authorized agent's authority to act on the consumer's
 8   behalf.
 9   Section 5.      Duties of controllers.
10      (a)    Duties.--A controller shall:
11             (1)   Limit the collection of personal data to what is
12      adequate, relevant and reasonably necessary in relation to
13      the purposes for which the data is processed, as disclosed to
14      the consumer.
15             (2)   Except as otherwise provided in this act, refrain
16      from processing personal data for purposes that are neither
17      reasonably necessary to, nor compatible with, the purposes
18      for which the personal data is processed, as disclosed to the
19      consumer, unless the controller obtains the consumer's
20      consent.
21             (3)   Process personal data in a manner that ensures
22      reasonable and appropriate administrative, technical,
23      organizational and physical safeguards of personal data
24      collected, stored and processed.
25             (4)   Refrain from processing sensitive data concerning a
26      consumer without obtaining the consumer's consent, or, in the
27      case of the processing of sensitive data concerning a known
28      child, refrain from processing the data in accordance with 15
29      U.S.C. Ch. 91 (relating to children's online privacy
30      protection).

20250SB0112PN0445                     - 13 -
 1            (5)   Refrain from processing personal data in violation
 2      of a Federal or State law that prohibits unlawful
 3      discrimination against a consumer.
 4            (6)   Provide an effective mechanism for a consumer to
 5      revoke the consumer's consent that is at least as easy as the
 6      mechanism by which the consumer provided the consumer's
 7      consent and, upon revocation of the consent, cease to process
 8      the data as soon as practicable, but no later than 15 days
 9      after the receipt of the request.
10            (7)   Refrain from processing the personal data of a
11      consumer for the purpose of targeted advertising or selling
12      the consumer's personal data without the consumer's consent
13      under circumstances where the controller has actual knowledge
14      and willfully disregards that the consumer is younger than 16
15      years of age.
16            (8)   Refrain from discriminating against a consumer for
17      exercising any of the consumer rights under section 3(a),
18      including denying goods or services, charging different
19      prices or rates for goods or services or providing a
20      different level of quality of goods or services to the
21      consumer.
22      (b)   Construction.--Nothing in subsection (a) shall be
23   construed to require a controller to provide a product or
24   service that requires the personal data of a consumer that the
25   controller does not collect or maintain nor prohibit a
26   controller from offering a different price, rate, level, quality
27   or selection of goods or services to a consumer, including
28   offering goods or services for no fee, if the offering is in
29   connection with a consumer's voluntary participation in a bona
30   fide loyalty, rewards, premium features, discounts or club card

20250SB0112PN0445                    - 14 -
 1   program.
 2      (c)     Privacy notice.--A controller shall provide a consumer
 3   with a reasonably accessible, clear and meaningful privacy
 4   notice that includes the following:
 5            (1)   The categories of personal data processed by the
 6      controller.
 7            (2)   The purpose for processing personal data.
 8            (3)   How the consumer may exercise the consumer's rights,
 9      including how the consumer may appeal the controller's
10      decision with regard to the consumer's request under section
11      3(d).
12            (4)   The categories of personal data that the controller
13      shares with each third party.
14            (5)   The categories of each third party with which the
15      controller shares personal data.
16            (6)   An active email address or other online mechanism
17      that the consumer may use to contact the controller.
18      (d)     Disclosures.--If a controller sells personal data to a
19   third party or processes personal data for targeted advertising,
20   the controller shall clearly and conspicuously disclose the sale
21   or processing and the manner in which a consumer may exercise
22   the right to opt out of the sale or processing.
23      (e)     Means to exercise rights.--
24            (1)   A controller shall establish and describe in the
25      privacy notice under subsection (c) a secure and reliable
26      means for consumers to submit a request to exercise the
27      consumer's rights under section 3(a). The secure and reliable
28      means under this paragraph shall take into account the manner
29      in which a consumer normally interacts with the controller,
30      the need for secure and reliable communication for the

20250SB0112PN0445                    - 15 -
 1    request and the ability of the controller to verify the
 2    identity of the consumer making the request. A controller may
 3    not require a consumer to create a new account in order to
 4    exercise the consumer's rights under section 3(a) but may
 5    require the consumer to use an existing account. The secure
 6    and reliable means shall include the following:
 7             (i)    Providing a clear and conspicuous link on the
 8        controller's Internet website to an Internet web page
 9        that enables a consumer, or an agent of the consumer, to
10        opt out of the targeted advertising or sale of the
11        consumer's personal data under section 3(a)(5).
12             (ii)    No later than January 1, 2026, allowing a
13        consumer to opt out of the processing of the consumer's
14        personal data for the purpose of targeted advertising or
15        the sale of the consumer's personal data under section
16        3(a)(5) through an opt-out preference signal sent, with
17        the consumer's consent, by a platform, technology or
18        mechanism to the controller indicating the consumer's
19        intent to opt out of the processing or sale. The
20        platform, technology or mechanism shall comply with all
21        of the following criteria:
22                    (A)   Not unfairly disadvantage another
23             controller.
24                    (B)   Not make use of a default setting, but
25             instead require the consumer to make an affirmative,
26             freely given and unambiguous choice to opt out of the
27             processing or sale of the consumer's personal data.
28                    (C)   Be consumer friendly and easy to use by the
29             average consumer.
30                    (D)   Be as consistent as possible with any other

20250SB0112PN0445                   - 16 -
 1              similar platform, technology or mechanism required by
 2              a Federal or State law or regulation.
 3                  (E)    Enable the controller to accurately
 4              determine whether the consumer is a resident of this
 5              Commonwealth and whether the consumer has made a
 6              legitimate request to opt out of processing or sale
 7              of the consumer's personal data.
 8                  (F)    Be in compliance with this section. A
 9              controller that recognizes signals approved by other
10              states shall be considered in compliance with this
11              section.
12              (iii)   If a consumer's decision to opt out of the
13        processing of the consumer's personal data for the
14        purpose of targeted advertising or the sale of the
15        consumer's personal data under section 3(a)(5) through an
16        opt-out preference signal sent under subparagraph (ii)
17        conflicts with the consumer's existing controller-
18        specific privacy setting or voluntary participation in a
19        controller's bona fide loyalty, rewards, premium
20        features, discounts or club card program, the controller
21        shall comply with the consumer's opt-out preference
22        signal but may notify the consumer of the conflict and
23        provide to the consumer the choice to confirm the
24        controller-specific privacy setting or participation in
25        the program.
26        (2)   If a controller responds to a consumer's opt-out
27    request under paragraph (1)(i) by informing the consumer of a
28    charge for the use of a product or service, the controller
29    shall present the terms of a bona fide loyalty, rewards,
30    premium features, discounts or club card program for the

20250SB0112PN0445                  - 17 -
 1      retention, use, sale or sharing of the consumer's personal
 2      data.
 3   Section 6.     Duties of processors.
 4      (a)   Assistance.--A processor shall adhere to the
 5   instructions of a controller and shall assist the controller in
 6   complying with the controller's duties under this act. The
 7   assistance shall include:
 8            (1)   Taking into account the nature of processing and the
 9      information available to the processor, by appropriate
10      technical and organizational measures, insofar as is
11      reasonably practicable, to fulfill the controller's duty to
12      comply with a request by a consumer to exercise the
13      consumer's rights under section 3(a).
14            (2)   Taking into account the nature of processing and the
15      information available to the processor, by assisting the
16      controller in meeting the controller's duties in relation to
17      the security of processing the personal data and in relation
18      to the notification of a breach of security of the system of
19      the processor.
20            (3)   Providing necessary information to enable the
21      controller to conduct and document data protection
22      assessments.
23      (b)   Contracts.--A contract between a controller and a
24   processor shall govern the processor's data processing
25   procedures with respect to processing performed on behalf of the
26   controller. The contract shall be binding and clearly state the
27   instructions for processing data, the nature and purpose of
28   processing, the type of data subject to processing, the duration
29   of processing and the rights and obligations of both parties.
30   The contract shall also require that the processor:

20250SB0112PN0445                    - 18 -
 1            (1)   Ensure that each person processing personal data is
 2      subject to a duty of confidentiality with respect to the
 3      data.
 4            (2)   At the controller's direction, delete or return all
 5      personal data to the controller as requested at the end of
 6      the provision of services, unless retention of the personal
 7      data is required by Federal or State law.
 8            (3)   Upon the reasonable request of the controller, make
 9      available to the controller all information in the
10      processor's possession necessary to demonstrate the
11      processor's compliance with the provisions of this act.
12            (4)   After providing the controller with an opportunity
13      to object, engage a subcontractor pursuant to a written
14      contract that requires the subcontractor to meet the
15      obligations of the processor with respect to the personal
16      data.
17            (5)   Allow and cooperate with a reasonable assessment by
18      the controller or the controller's designated assessor, or
19      arrange for a qualified and independent assessor to conduct
20      an assessment of the processor's policies and technical and
21      organizational measures in support of the requirements under
22      this act, using an appropriate and accepted control standard
23      or framework and assessment procedure for the assessment. The
24      processor shall provide a report of the assessment to the
25      controller upon request.
26      (c)   Construction.--Nothing in this section shall be
27   construed to relieve a controller or processor from the
28   liabilities imposed on the controller or processor by virtue of
29   the role of the controller or processor in the processing
30   relationship specified under this act.

20250SB0112PN0445                    - 19 -
 1      (d)   Acting as controller or processor.--A determination of
 2   whether a person is acting as a controller or processor with
 3   respect to a specific processing of data shall be a fact-based
 4   determination that depends upon the context in which personal
 5   data is to be processed, to which the following shall apply:
 6            (1)   A person that is not limited in the person's
 7      processing of personal data pursuant to a controller's
 8      instructions or who fails to adhere to the instructions shall
 9      be a controller and not a processor with respect to a
10      specific processing of data.
11            (2)   A processor that continues to adhere to a
12      controller's instructions with respect to a specific
13      processing of personal data shall remain a processor.
14            (3)   If a processor begins, alone or jointly with others,
15      determining the purposes and means of the processing of
16      personal data, the processor shall be a controller with
17      respect to the processing and may be subject to an
18      enforcement action under section 10.
19   Section 7.     Data protection assessment.
20      (a)   Assessment.--A controller shall conduct and document a
21   data protection assessment for each of the controller's
22   processing activities that present a heightened risk of harm to
23   a consumer.
24      (b)   Benefits and risks.--In conducting a data protection
25   assessment under subsection (a), a controller shall identify and
26   weigh the benefits that may flow, directly and indirectly, from
27   the processing to the controller, the consumer, other
28   stakeholders and the public against the potential risks to the
29   consumer's rights under section 3(a) associated with the
30   processing, as mitigated by safeguards that can be employed by

20250SB0112PN0445                    - 20 -
 1   the controller to reduce the risks. The controller shall factor
 2   the following into the data protection assessment:
 3            (1)   The use of de-identified data.
 4            (2)   The reasonable expectations of the consumer.
 5            (3)   The context of the processing and the relationship
 6      between the controller and the consumer whose personal data
 7      will be processed.
 8      (c)   Availability of assessments.--The Attorney General may
 9   require a controller to disclose a data protection assessment
10   under subsection (a) that is relevant to an investigation
11   conducted by the Attorney General, and the controller shall make
12   the data protection assessment available to the Attorney
13   General. The Attorney General may evaluate a data protection
14   assessment for compliance with the provisions of this act. A
15   data protection assessment shall be confidential and exempt from
16   disclosure under 5 U.S.C. § 552 (relating to public information;
17   agency rules, opinions, orders, records, and proceedings) and
18   the act of February 14, 2008 (P.L.6, No.3), known as the Right-
19   to-Know Law. To the extent that information contained in a data
20   protection assessment disclosed to the Attorney General under
21   this subsection includes information subject to attorney-client
22   privilege or work product protection, the disclosure shall not
23   constitute a waiver of the privilege or protection.
24      (d)   Comparison of processing operations.--A single data
25   protection assessment under subsection (a) may address a
26   comparable set of processing operations that includes similar
27   activities.
28      (e)   Compliance.--If a controller conducts a data protection
29   assessment for the purpose of complying with another applicable
30   Federal or State law or regulation, the data protection

20250SB0112PN0445                    - 21 -
 1   assessment shall be deemed to satisfy the requirements under
 2   this section if the data protection assessment is reasonably
 3   similar in scope and effect to the data protection assessment
 4   that would otherwise be conducted under this section.
 5      (f)   Applicability.--The data protection assessment
 6   requirements under this section shall apply to processing
 7   activities created or generated after July 1, 2024, and shall
 8   not apply retroactively.
 9   Section 8.     De-identified and pseudonymous data.
10      (a)   Duties.--A controller in possession of de-identified
11   data shall have the following duties:
12            (1)   Take reasonable measures to ensure that the de-
13      identified data cannot be associated with an individual.
14            (2)   Publicly commit to maintaining and using de-
15      identified data without attempting to re-identify the data.
16            (3)   Contractually obligate a recipient of the de-
17      identified data to comply with the provisions of this act.
18      (b)   Construction.--Nothing in this act shall be construed to
19   require a controller or processor to:
20            (1)   re-identify de-identified data or pseudonymous data;
21            (2)   maintain data in identifiable form or collect,
22      obtain, retain or access data or technology in order to be
23      capable of associating an authenticated consumer rights
24      request under section 3(a); or
25            (3)   comply with an authenticated consumer rights request
26      under section 3(a) if the controller or processor:
27                  (i)   is not reasonably capable of associating the
28            request with the personal data, or it would be
29            unreasonably burdensome for the controller or processor
30            to associate the request with the consumer's personal

20250SB0112PN0445                      - 22 -
 1               data;
 2                     (ii)    does not use the personal data to recognize or
 3               respond to the specific consumer who is the subject of
 4               the personal data or does not associate the personal data
 5               with other personal data about the same specific
 6               consumer; and
 7                     (iii)   does not sell the personal data to a third
 8               party or otherwise voluntarily disclose the personal data
 9               to a third party other than a processor, except as
10               authorized under this section.
11         (c)   Pseudonymous data.--The consumer rights specified under
12   section 3(a)(1), (2), (3) or (4) shall not apply to pseudonymous
13   data if a controller is able to demonstrate that any information
14   necessary to identify the consumer is kept separately and is
15   subject to effective technical and organizational controls that
16   prevent the controller from accessing the information.
17         (d)   Oversight.--A controller that discloses pseudonymous
18   data or de-identified data shall exercise reasonable oversight
19   to monitor compliance with a contractual commitment to which the
20   pseudonymous data or de-identified data is subject and shall
21   take appropriate steps to address a breach of the contractual
22   commitment.
23   Section 9.        Exemptions on restrictions for controllers or
24                     processors.
25         (a)   Legal compliance.--Nothing in this act shall be
26   construed to restrict the ability of a controller or processor
27   to:
28               (1)   comply with Federal or State laws or local
29         ordinances or regulations;
30               (2)   comply with a civil, criminal or regulatory inquiry,

20250SB0112PN0445                          - 23 -
 1    investigation, subpoena or summons by a Federal, State,
 2    municipal or other governmental authority;
 3        (3)    cooperate with a law enforcement agency concerning a
 4    conduct or activity that the controller or processor
 5    reasonably and in good faith believes may violate a Federal
 6    or State law or local ordinance or regulation;
 7        (4)    investigate, establish, exercise, prepare for or
 8    defend legal claims;
 9        (5)    provide a product or service specifically requested
10    by a consumer;
11        (6)    perform under a contract to which a consumer is a
12    party, including fulfilling the terms of a written warranty;
13        (7)    take steps at the request of a consumer prior to
14    entering into a contract;
15        (8)    take immediate steps to protect an interest that is
16    essential for the life or physical safety of a consumer or
17    another individual, including when processing cannot be
18    manifestly based on the provisions of this act;
19        (9)    prevent, detect, protect against or respond to a
20    security incident, identity theft, fraud, harassment,
21    malicious or deceptive activity or illegal activity, preserve
22    the integrity or security of a system or investigate, report
23    or prosecute an individual responsible for an incident
24    specified under this paragraph;
25        (10)    engage in public or peer-reviewed scientific or
26    statistical research in the public interest that adheres to
27    all other applicable Federal or State ethics and privacy laws
28    and is approved, monitored and governed by an institutional
29    review board or a similar independent oversight entity that
30    determines whether:

20250SB0112PN0445                 - 24 -
 1                   (i)    the deletion of information is likely to provide
 2            substantial benefits to the research that do not
 3            exclusively accrue to the controller;
 4                   (ii)    the expected benefits of the research outweigh
 5            the privacy risks; and
 6                   (iii)    the controller has implemented reasonable
 7            safeguards to mitigate privacy risks associated with the
 8            research, including risks associated with re-
 9            identification;
10            (11)    assist another controller, processor or third party
11      with any of the requirements under this act; or
12            (12)    process personal data for reasons of public
13      interest in the area of public health, community health or
14      population health, but solely to the extent that the
15      processing is:
16                   (i)    subject to suitable and specific measures to
17            safeguard the rights of the consumer whose personal data
18            is being processed; and
19                   (ii)    under the responsibility of a professional
20            subject to confidentiality obligations under Federal or
21            State law or local ordinance.
22      (b)   Data collection.--The requirements imposed on a
23   controller or processor under this act shall not restrict the
24   ability of a controller or processor to collect, use or retain
25   data for internal use for any of the following purposes:
26            (1)    Conducting internal research to develop, improve or
27      repair products, services or technology.
28            (2)    Effectuating a product recall.
29            (3)    Identifying and repairing technical errors that
30      impair existing or intended functionality.

20250SB0112PN0445                        - 25 -
 1            (4)   Internal operations that are reasonably aligned with
 2      the expectations of a consumer or reasonably anticipated
 3      based on the consumer's existing relationship with the
 4      controller or are otherwise compatible with processing data
 5      in furtherance of the provision of a product or service
 6      specifically requested by a consumer.
 7      (c)   Evidentiary privilege.--The requirements imposed on a
 8   controller or processor under this act shall not apply if
 9   compliance by the controller or processor with requirements
10   would violate an evidentiary privilege under the laws of this
11   Commonwealth. Nothing in this act shall be construed to prevent
12   a controller or processor from providing personal data
13   concerning a consumer to an individual covered by an evidentiary
14   privilege under the laws of this Commonwealth as part of a
15   privileged communication.
16      (d)   Third parties.--A controller or processor that discloses
17   personal data to a third-party controller or third-party
18   processor in accordance with this act shall not be deemed to
19   have violated the provisions of this act if the third-party
20   controller or third-party processor violates the provisions of
21   this act if, at the time of the disclosure, the disclosing
22   controller or processor did not have actual knowledge that the
23   third-party controller or third-party processor would violate
24   the provisions of this act. A third-party controller or third-
25   party processor who receives personal data under this subsection
26   in accordance with this act shall not be deemed to have violated
27   the provisions of this act for a violation by the disclosing
28   controller or processor.
29      (e)   Individual liberties.--Nothing in this act shall be
30   construed to:

20250SB0112PN0445                    - 26 -
 1            (1)   impose an obligation on a controller or processor
 2      that adversely affects the rights or freedoms of an
 3      individual, including the freedom of speech or freedom of the
 4      press guaranteed in the First Amendment to the Constitution
 5      of the United States or section 7 of Article I of the
 6      Constitution of Pennsylvania; or
 7            (2)   apply to an individual's processing of personal data
 8      in the course of the individual's purely personal or
 9      household activities.
10      (f)   Personal data.--
11            (1)   Personal data processed by a controller may be
12      processed to the extent that the processing meets all of the
13      following criteria:
14                  (i)    Is reasonably necessary and proportionate to the
15            purposes specified under this section.
16                  (ii)   Is adequate, relevant and limited to what is
17            necessary in relation to the specific purposes specified
18            under this section.
19            (2)   A controller or processor that collects, uses or
20      retains personal data under subsection (b) shall, when
21      applicable, take into account the nature and purpose of the
22      collection, use or retention of the personal data. The
23      personal data under subsection (b) shall be subject to
24      reasonable administrative, technical and physical measures to
25      protect the confidentiality, integrity and accessibility of
26      the personal data and reduce reasonably foreseeable risks of
27      harm to a consumer related to the collection, use or
28      retention of the personal data.
29      (g)   Exemptions.--If a controller processes personal data in
30   accordance with an exemption under this section, the controller

20250SB0112PN0445                       - 27 -
 1   shall be responsible for demonstrating that the processing
 2   qualifies for the exemption and complies with the requirements
 3   under subsection (f).
 4      (h)   Legal entities.--The processing of personal data for the
 5   purposes expressly specified under this section shall not solely
 6   make a legal entity a controller with respect to the processing.
 7   Section 10.     Penalties, enforcement and private rights of
 8                  action.
 9      (a)   Enforcement.--The Attorney General shall have exclusive
10   authority to enforce the provisions of this act, to which the
11   following shall apply:
12            (1)   During the period beginning July 1, 2025, and ending
13      December 31, 2026, the Attorney General shall, prior to
14      initiating an action for a violation of a provision of this
15      act, issue a notice of violation to the controller or
16      processor if the Attorney General determines that a cure is
17      possible. If the controller or processor fails to cure the
18      violation within 60 days of receipt of the notice of
19      violation, the Attorney General may initiate an action under
20      this section.
21            (2)   Beginning January 1, 2027, the Attorney General may,
22      in determining whether to grant a controller or processor the
23      opportunity to cure an alleged violation under paragraph (1),
24      consider all of the following:
25                  (i)    The number of violations.
26                  (ii)    The size and complexity of the controller or
27            processor.
28                  (iii)    The nature and extent of the processing
29            activities of the controller or processor.
30                  (iv)    The substantial likelihood of injury to the

20250SB0112PN0445                       - 28 -
 1            public.
 2                  (v)    The safety of persons or property.
 3                  (vi)    Whether the alleged violation was likely caused
 4            by human or technical error.
 5            (3)   The right to cure shall apply for 60 days.
 6      (b)   Private rights of action.--Nothing in this act shall be
 7   construed as providing the basis for a private right of action
 8   for a violation of the provisions of this act.
 9      (c)   Unfair trade practice.--Violations of the provisions of
10   this act shall constitute unfair methods of competition and
11   unfair or deceptive acts or practices as defined under section 2
12   of the act of December 17, 1968 (P.L.1224, No.387), known as the
13   Unfair Trade Practices and Consumer Protection Law, and shall be
14   enforced exclusively by the Attorney General.
15      (d)   Regulations.--The Attorney General shall promulgate
16   regulations necessary to implement this section.
17   Section 11.     Nonapplicability, exemption and consent.
18      (a)   Nonapplicability.--This act shall not apply to any of
19   the following:
20            (1)   The Commonwealth or any of its political
21      subdivisions.
22            (2)   A nonprofit organization.
23            (3)   An institution of higher education.
24            (4)   A national securities association that is registered
25      under 15 U.S.C. § 78o-3 (relating to registered securities
26      associations).
27            (5)   A financial institution or an affiliate of a
28      financial institution or data subject to Title V of the
29      Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.).
30            (6)   A covered entity or business associate.

20250SB0112PN0445                       - 29 -
 1      (b)   Exemptions.--The following shall be exempt from the
 2   provisions of this act:
 3            (1)   Protected health information under HIPAA.
 4            (2)   Patient-identifying information for purposes of 42
 5      U.S.C. § 290dd-2 (relating to confidentiality of records).
 6            (3)   Identifiable private information for purposes of the
 7      Federal policy for the protection of human subjects under 45
 8      CFR Pt. 46 (relating to protection of human subjects).
 9            (4)   Identifiable private information that is otherwise
10      information collected as part of human subjects research in
11      accordance with the good clinical practice guidelines issued
12      by the International Council for Harmonization of Technical
13      Requirements for Pharmaceuticals for Human Use on the
14      effective date of this paragraph.
15            (5)   The protection of human subjects under 21 CFR Pt. 50
16      (relating to protection of human subjects) or 56 (relating to
17      institutional review boards) or personal data used or shared
18      in research, as defined in 45 CFR 164.501 (relating to
19      definitions), that is conducted in accordance with the
20      standards specified under this subsection or other research
21      conducted in accordance with applicable Federal or State law.
22            (6)   Information and documents created for the purposes
23      of 42 U.S.C. Ch. 117 (relating to encouraging good faith
24      professional review activities).
25            (7)   Patient safety work product for the purposes of 42
26      U.S.C. Ch. 6A Subch. VII Pt. C (relating to patient safety
27      improvement).
28            (8)   Information derived from any of the health-care-
29      related information exempt under this subsection that is de-
30      identified in accordance with the requirements for de-

20250SB0112PN0445                    - 30 -
 1    identification under HIPAA.
 2        (9)    Information originating from and intermingled to be
 3    indistinguishable with, or information treated in the same
 4    manner as, information exempt under this subsection that is
 5    maintained by a covered entity or business associate, program
 6    or qualified service organization as specified in 42 U.S.C. §
 7    290dd-2.
 8        (10)   Information used for public health activities and
 9    purposes as authorized by HIPAA, community health activities
10    and population health activities.
11        (11)   The collection, maintenance, disclosure, sale,
12    communication or use of personal information bearing on a
13    consumer's credit worthiness, credit standing, credit
14    capacity, character, general reputation, personal
15    characteristics or mode of living by a consumer reporting
16    agency, furnisher or user that provides information for use
17    in a consumer report or by a user of a consumer report, but
18    only to the extent that the activity is regulated by and
19    authorized under 15 U.S.C. Ch. 41 Subch. III (relating to
20    credit reporting agencies).
21        (12)    Personal data collected, processed, sold or
22    disclosed in compliance with 18 U.S.C. Ch. 123 (relating to
23    prohibition on release and use of certain personal
24    information from state motor vehicle records).
25        (13)   Personal data regulated by 20 U.S.C. Ch. 31 Subch.
26    III Pt. 4 (relating to records; privacy; limitation on
27    withholding Federal funds).
28        (14)   Personal data collected, processed, sold or
29    disclosed in compliance with 12 U.S.C. Ch. 23 (relating to
30    farm credit system).

20250SB0112PN0445                 - 31 -
 1            (15)    Data processed or maintained:
 2                   (i)    in the course of an individual applying to,
 3            employed by or acting as an agent or independent
 4            contractor of a controller, processor or third party to
 5            the extent that the data is collected and used within the
 6            context of that role;
 7                   (ii)    as the emergency contact information of an
 8            individual specified under this act and used for
 9            emergency contact purposes; or
10                   (iii)    as necessary to administer benefits for
11            another individual related to an individual who is the
12            subject of the information under paragraph (1) and used
13            for the purposes of administering the benefits.
14            (16)    Personal data collected, processed, sold or
15      disclosed in relation to price, route or service by an air
16      carrier under 49 U.S.C. Subt. VII Pt. A Subpt. i Ch. 401
17      (relating to general provisions) to the extent preempted
18      under 49 U.S.C. § 41713 (relating to preemption of authority
19      over prices, routes, and service).
20      (c)   Parental consent.--A controller or processor that
21   complies with the verifiable parental consent requirements under
22   15 U.S.C. Ch. 91 (relating to children's online privacy
23   protection) shall be deemed compliant with an obligation to
24   obtain parental consent under this act.
25   Section 12.      Effective date.
26      This act shall take effect in six months.




20250SB0112PN0445                        - 32 -