Global Data Privacy Guide

USA, Pennsylvania (United States)
Firm: Troutman Pepper Locke LLP
Updated 01 Mar 2022
What is the key legislation?

Pennsylvania has no single comprehensive data privacy legislation. Rather, Pennsylvania has adopted several different laws addressing data privacy and related consumer protection issues. Important state laws relating to data privacy include Pennsylvania’s data breach notification statute and its law relating to the privacy of Social Security numbers. Entities and persons in Pennsylvania also may have to comply with applicable Federal laws relating to data privacy and security. Relevant state laws relating to data privacy are listed at the end of this page.

Depending upon the nature of the data and the identity of the entity or person collecting, using and disclosing the data, entities and persons in Pennsylvania may also have to comply with United States Federal laws relating to data privacy and security. Potentially applicable Federal laws include laws relating to the collection, use and disclosure of health information (e.g., the Health Insurance Portability and Accountability Act ("HIPAA"), the Genetic Information Nondiscrimination Act ("GINA") and regulations on the confidentiality of patient records relating to the treatment of substance abuse), financial information (e.g., the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act), educational records (e.g., the Family Educational Rights and Privacy Act) and regulatory guidance regarding the privacy and security of personally identifiable information in general promulgated by the Federal Trade Commission ("FTC"). Entities should consult all relevant up-to-date state and federal laws when collecting, using and disclosing personally identifiable information in Pennsylvania, and continue to monitor developments at both the state and federal levels.
What data is protected?

The definition of protected data varies by statute.

Note:

Data Breach Notification Law
Pennsylvania’s data breach notification statute defines “personal information” as an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted: Social Security number; driver's license number or state identification card number issued in lieu of a driver's license; or financial account number or credit card number or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account. (73 Pa. Stat. § 2302). “Personal information” does not include publicly available information that is lawfully made available to the general public from Federal, State, or local government records. (73 Pa. Stat. § 2302).

Criminal History Record Information Act
“Criminal history record information” under Pennsylvania’s Criminal History Record Information Act means information collected by criminal justice agencies concerning individuals, and arising from the initiation of a criminal proceeding, consisting of identifiable descriptions, dates and notations of arrests, indictments, informations or other formal criminal charges and any dispositions arising therefrom. The term does not include intelligence information, investigative information or treatment information, including certain medical and psychological information, or information and records specified in 18 Pa. C.S. § 9104. (18 Pa. C.S. § 9102).

Laws Relating to Privacy of Social Security Numbers
Pennsylvania’s Privacy of Social Security Numbers Law protects the privacy of individuals’ Social Security numbers. (71 Pa. Stat. § 2601; 74 Pa. Stat. § 201 et seq.)

Federal Law
As stated above, persons and entities collecting, using and disclosing personally identifiable information in Pennsylvania may also be subject to United States Federal laws applicable to the industry in which the person or entity operates or the type of data at issue (e.g., health information, financial information, educational records, and other personally identifiable information).
Who is subject to privacy obligations?

Applicability varies by law. Laws may apply to all persons and entities doing business in Pennsylvania unless otherwise stated, or to a specific subset of persons and entities such as employers.

Note:

Data Breach Notification Law
Pennsylvania’s data breach notification statute applies to any agency or political subdivision of the Commonwealth of Pennsylvania, and to individuals and entities doing business in Pennsylvania. (73 Pa. Stat. § 2302)

Criminal History Record Information Act
Pennsylvania’s Criminal History Record Information Act applies to a board, commission or department of the Commonwealth and to employers. (18 Pa. C.S. §§ 9124 and 9125).

City of Philadelphia’s Criminal Records Screening Standards
The City of Philadelphia’s Criminal Records Screening Standards apply to any person, company, corporation, labor organization or association which employs any persons within the City of Philadelphia, and to agencies of the City of Philadelphia. (Philadelphia Code, Title 9, Chapter 9-3502)

Laws Relating to Privacy of Social Security Numbers
Pennsylvania’s Privacy of Social Security Numbers Law applies to all persons, entities, agencies and political subdivisions of the Commonwealth of Pennsylvania. (74 Pa. Stat. § 201(a))
What are the principles applicable to personal data processing?

In general, personal data collection practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. Pennsylvania law also prescribes specific rules for the collection of criminal history data and Social Security numbers. As stated above, persons and entities collecting, using and disclosing personally identifiable information in Pennsylvania may also be subject to United States Federal laws applicable to the industry in which the person or entity operates or the type of data at issue (e.g., health information, financial information, educational records, and other personally identifiable information).

Note:

Accuracy of Privacy Policies
Personal data collection practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. It is a violation of Pennsylvania law to knowingly make a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (18 Pa. Stat. § 4107(a)(10)). Pennsylvania’s Unfair Trade Practices and Consumer Protection Law also makes it unlawful to engage in fraudulent or deceptive business conduct which creates a likelihood of confusion or of misunderstanding. (73 Pa. Stat. § 201-2(4)(xxi)). Accordingly, an entity’s failure to adhere to the personal data collection practices described in its privacy policies can result in a violation of Pennsylvania law.

City of Philadelphia’s Criminal Records Screening Standards
Private employers in the City of Philadelphia are prohibited from inquiring about or requiring disclosure by an applicant for employment of any prior arrest which is no longer pending and did not result in a conviction for a criminal offense, unless specifically authorized by law. In addition, private employers in the City of Philadelphia are prohibited from inquiring about or requiring disclosure of an applicant’s previous criminal conviction from the time the applicant inquires about employment until the employer extends a conditional offer of employment (which can only be withdrawn under certain individualized circumstances). (Philadelphia Code, Title 9, Chapter 9-3503 - 9-3504).

Laws Relating to Privacy of Social Security Numbers
Pennsylvania law prohibits any person, entity, agency or political subdivision from requiring an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted, or to use his or her Social Security number to access an Internet website unless a password or unique personal identification number or other authentication device is also required to access the website. (74 Pa. Stat. § 201(a)). Pennsylvania agencies and municipalities must provide any individual that is applying for or renewing a professional license or certification, occupational license or certification, or recreational license with the opportunity to submit a Pennsylvania driver’s license number in lieu of a Social Security number. (71 Pa. Stat. § 2603).
How is the processing of personal data regulated?

In general, personal data use and disclosure practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. Pennsylvania law also prescribes specific rules for the use and disclosure of criminal history data and Social Security numbers. As stated above, persons and entities collecting, using and disclosing personally identifiable information in Pennsylvania may also be subject to United States Federal laws applicable to the industry in which the person or entity operates or the type of data at issue (e.g., health information, financial information, educational records, and other personally identifiable information).

Note:

Accuracy of Privacy Policies
Personal data disclosure practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. It is a violation of Pennsylvania law to knowingly make a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (18 Pa. Stat. § 4107(a)(10)). Pennsylvania’s Unfair Trade Practices and Consumer Protection Law also makes it unlawful to engage in fraudulent or deceptive business conduct which creates a likelihood of confusion or of misunderstanding. (73 Pa. Stat. § 201-2(4)(xxi)). Accordingly, an entity’s failure to adhere to the personal data use and disclosure practices described in its privacy policies can result in a violation of Pennsylvania civil and criminal law.

Criminal History Record Information Act
Felony and misdemeanor convictions may be considered by an employer as part of the evaluation of an applicant only to the extent to which the convictions relate to the applicant’s suitability for employment in the position for which the individual has applied. An employer must notify the applicant in writing if the decision not to hire the applicant is based in whole or in part on criminal history record information. (18 Pa. C.S. § 9125(b) and (c)).

Laws Relating to Privacy of Social Security Numbers
No person, entity, agency or political subdivision of Pennsylvania may: (i) publicly post or publicly display an individual’s Social Security number in any manner; (ii) print an individual’s Social Security number on any card required for the individual to access products or services provided by the person, entity, or Pennsylvania agency or political subdivision; (iii) require an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted; (iv) require an individual to use his or her Social Security number to access an Internet website unless a password or unique identifier or other authentication device is also required to access the website; (v) print an individual’s Social Security number on any materials that are mailed to the individual unless Federal or state law requires the Social Security number to be on the document to be mailed; or (vi) disclose in any manner, except to the agency issuing the license, the Social Security number of an individual who applies for a recreational license. (74 Pa. Stat. § 201(a))
How are storage, security and retention of personal data regulated?

In general, personal data storage, security and retention practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. In addition, failure to adhere to publicly represented personal data storage, security, and retention practices may constitute unfair or deceptive trade practices under the Federal Trade Commission Act (the "FTC Act"). In addition to the FTC Act, as stated above, persons and entities collecting, using and disclosing personally identifiable information in Pennsylvania may also be subject to United States Federal laws applicable to the industry in which the person or entity operates or the type of data at issue (e.g., health information, financial information, educational records, and other personally identifiable information).

Note:

Personal data storage, security and retention practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. It is a violation of Pennsylvania law to knowingly make a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (18 Pa. Stat. § 4107(a)(10)). Pennsylvania’s Unfair Trade Practices and Consumer Protection Law also makes it unlawful to engage in fraudulent or deceptive business conduct which creates a likelihood of confusion or of misunderstanding. (73 Pa. Stat. § 201-2(4)(xxi)). Accordingly, an entity’s failure to adhere to the personal data storage, security and retention practices described in its privacy policies can result in a violation of Pennsylvania civil and criminal law.

In addition, the Federal Trade Commission has brought enforcement actions against entities for unfair and deceptive trade practices under the FTC Act as a result of false or misleading statements regarding the security of personal data, failure to maintain “reasonable” security safeguards, and failure to comply with stated privacy policies. (See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015); LabMD, Inc. v. Federal Trade Commission, No. 16-16270 (11th Cir. 2018); In the matter of Snapchat, Inc., No. C-4501, December 23, 2014; In the matter of Cambridge Analytica, LLC, Docket No. 9383, November 25, 2019; United States v. Facebook, Inc., Case No. 19-cv-2184 (D.D.C. July 24, 2019); In the Matter of Flo Health, Inc., Docket No. 4747 (June 17, 2021).)

Finally, the National Institute of Standards and Technology ("NIST") published guidance providing considerations for managing cybersecurity and privacy risks for the “internet of things” (“IoT”) (i.e., web-connected devices) on June 25, 2019. NIST has updated these standards periodically as trends and industry standards change. Additionally, on May 12, 2021, Executive Order 14028 tasked NIST with issuing guidance and identifying practices that enhance the security of the software supply chain and developing a multi-faceted initiative related to cybersecurity labeling for consumers, including labeling for IoT products. On February 4, 2022, NIST recommended criteria for cybersecurity labeling on IoT products. A summary report about cybersecurity labeling is expected in May 2022. While NIST is a non-regulatory agency, this published guidance will serve to inform the “reasonableness” standard included in many privacy and security laws and regulations. For example, Executive Order 14028 further directed the Secretary of Homeland Security to develop a standard set of operational procedures to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch Agency Information Systems, which shall incorporate all appropriate NIST standards.
What are the data subjects' rights?

There are no general Pennsylvania laws governing data subjects’ rights to access or correct their personal information. However, under the Inspection of Employee Records Law ("Personnel Files Act"), employers are required to provide employees access to personnel files used to determine the employee’s qualifications for employment, promotion, additional compensation, termination, or disciplinary action. (43 Pa. Stat. § 1322) Under specified circumstances, the Bureau of Labor Standards of the Department of Labor and Industry may make and enforce an order providing access to the personnel files and the opportunity for an employee to place a counter statement in the employee's file, in the event an alleged error is determined by the employee. (43 Pa. Stat. § 1324).
Are there restrictions on cross-border data transfers?

Not currently under Pennsylvania law.
Are there any notification requirements for data breaches?

Yes. Pennsylvania’s data breach notification statute (“Breach Notification Statute”) is codified at 73 Pa. Stat. § 2301 et seq.

Note:

When Notice is Required
Any state agency, a political subdivision of Pennsylvania or an individual or business in Pennsylvania ("entity") that maintains, stores or manages computerized data that includes personal information must provide notice of any breach of the security of the system following the discovery of the breach to any resident of Pennsylvania whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person. (73 Pa. Stat. § 2303(a)) “Personal information” is defined as an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted: Social Security number; driver's license number or state identification card number issued in lieu of a driver's license; or account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (73 Pa. Stat. § 2302). “Breach of the security of the system” is defined as the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes, or the entity reasonably believes has caused or will cause, loss or injury to any resident of Pennsylvania. (73 Pa. Stat. § 2302). An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption, or if the security breach involves a person with access to the encryption key. (73 Pa. Stat. § 2303(b)).

Timing of Notice
Notification must be made without unreasonable delay. (73 Pa. Stat. § 2303(a)). The notification may be delayed if a law enforcement agency determines and advises the entity in writing, specifically referencing the statute, that the notification will impede a criminal or civil investigation. Notification must be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security. (73 Pa. Stat. § 2304). Notice may also be delayed if the entity takes measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. (73 Pa. Stat. § 2303(a)).

Method of Notice Delivery
Notice may be provided: (i) in writing to the last known home address for the individual; or (ii) by telephone if the affected individual can reasonably be expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms, and verifies personal information, but does not require the individual to provide personal information, and the individual is provided with a telephone number to call or Internet website to visit for further information or assistance; or (iii) by email if a prior business relationship exists and the person or entity has a valid email address for the individual. Substitute notice may be given if the cost of providing notice would exceed $100,000, the number of affected individuals exceeds 175,000, or the entity does not have sufficient contact information. Substitute notice must consist of email, conspicuous posting of the notice on the entity’s website and publication in major statewide media. (73 Pa. Stat. § 2302).

Notification to Consumer Reporting Agencies
If notice is required to be given to more than 1,000 individuals at one time, the entity must also notify all national consumer reporting agencies of the timing, distribution and number of notices, without unreasonable delay. (73 Pa. Stat. § 2305).

Preemption
An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity’s primary or functional federal regulator will be in compliance with the Breach Notification Statute. Financial institutions that comply with the notification requirements of the Federal Interagency Response Programs for Unauthorized Access to Customer Information and Customer Notice are specifically deemed to be in compliance with the Breach Notification Statute.

Vendor Compliance
A vendor that maintains, stores or manages computerized data on behalf of another entity must provide notice of any breach of the security of the system, following its discovery by the vendor, to the entity on whose behalf the vendor maintains, stores or manages the data. The entity on whose behalf the data is being maintained, stored or managed is responsible for compliance with the Breach Notification Statute. (73 Pa. Stat. § 2303(c)).
Who is the privacy regulator?

The Pennsylvania Attorney General is the state regulator charged with enforcing Pennsylvania privacy laws. Certain laws also provide individuals with the right to sue for violations.

Note:

Data Breach Notification Law
The Pennsylvania Attorney General has exclusive jurisdiction over the enforcement of Pennsylvania’s data breach notification statute. (73 Pa. Stat. § 2308)

Unfair Trade Practices and Consumer Protection Law
The Pennsylvania Attorney General or the appropriate District Attorney may bring civil actions for violations of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. (73 Pa. Stat. § 201-8) Pennsylvania’s Unfair Trade Practices and Consumer Protection Law also provides for a private right of action. (73 Pa. Stat. § 201-9.2)

Criminal History Record Information Act
Pennsylvania's Attorney General, or any other individual or agency, may institute an action in a court of proper jurisdiction against any person, agency, or organization to enjoin any criminal justice agency, noncriminal justice agency, organization or individual violating the provisions of the Pennsylvania Criminal History Record Information Act, or to compel such agency, organization or person to comply with the provisions of the Pennsylvania Criminal History Record Information Act. Any person aggrieved by a violation of the provisions of the Pennsylvania Criminal History Record Information Act or of the rules and regulations promulgated thereunder may bring an action for damages by reason of such violation. (18 Pa. C.S. § 9183).

City of Philadelphia Fair Criminal Record Screening Standards
The Philadelphia Commission on Human Relations (“Commission”) enforces the City’s Fair Criminal Record Screening Standards. A private right of action exists if certain requirements are met (e.g., the Commission must have concluded, within one year after the filing of a complaint, that it has not found sufficient evidence of a violation to proceed further with an investigation or has not entered into a conciliation agreement to which the complainant is a party). (Philadelphia Code, Title 9, Chapter 9-3506).

Inspection of Employee Records Law (Personnel Files Act)
The Department of Labor and Industry's Bureau of Labor Standards, now known as “Labor Law Compliance”, is responsible for the enforcement of the provisions of the Personnel Files Act. (43 Pa. Stat. § 1324).

Federal Regulators
Applicable Federal regulators may include the Federal Trade Commission, the Federal Communications Commission, the Office for Civil Rights of the Federal Department of Health and Human Services and the Securities and Exchange Commission, depending on the applicable law.
What are the consequences of a privacy breach?

Violators of Pennsylvania privacy laws may be subject to civil penalties of varying amounts, depending upon the statute that has been violated.

Note:

Data Breach Notification Law / Unfair Trade Practices and Consumer Protection Law
A violation of Pennsylvania’s data breach notification law is deemed to be a breach of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. (73 Pa. Stat. § 2308) Pennsylvania’s Unfair Trade Practices and Consumer Protection Law provides for a USD $1,000 civil penalty per violation, or a USD $5,000 penalty per violation for any person who violates the terms of an injunction or any of the terms of an assurance of voluntary compliance. (73 Pa. Stat. § 201-8). Any person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by any person of a method, act or practice declared unlawful by Pennsylvania’s Unfair Trade Practices and Consumer Protection Law, may bring a private action to recover actual damages or USD $100, whichever is greater. The court may, in its discretion, award up to three times the actual damages sustained, but not less than USD $100, and may provide such additional relief as it deems necessary or proper. The court may award to the plaintiff, in addition to other relief provided in this section, costs and reasonable attorney fees. (73 Pa. Stat. § 201-9.2)

Pennsylvania Criminal History Record Information Act
Pennsylvania's Attorney General or any other individual or agency may institute an action in a court of proper jurisdiction against any person, agency or organization to enjoin any criminal justice agency, noncriminal justice agency, organization or individual violating the provisions of the Pennsylvania Criminal History Record Information Act, or to compel such agency, organization or person to comply with the provisions of the Pennsylvania Criminal History Record Information Act. Any person aggrieved by a violation of the provisions of the Pennsylvania Criminal History Record Information Act may bring an action for damages by reason of such violation. A person found by a court to have been aggrieved by a violation of the Pennsylvania Criminal History Record Information Act or related rules and regulations is entitled to actual and real damages of not less than USD $100 for each violation and to reasonable costs of litigation and attorney's fees. Exemplary and punitive damages of not less than USD $1,000 nor more than USD $10,000 shall be imposed for any willful violation. (18 Pa. C.S. § 9183).

City of Philadelphia Fair Criminal Record Screening Standards
Violations of the City’s Fair Criminal Record Screening Standards are punishable by a fine of up to USD $2,000 per violation. (Philadelphia Code, Title 9, Chapter 9-3506; 1-109(3))

Restrictions on Disclosure of Social Security Numbers
A violation of Pennsylvania’s laws regarding the use and disclosure of Social Security numbers is a summary offense punishable by a fine of not less than USD $50 and not more than USD $500. Subsequent violations are punishable by a fine of not less than USD $500 and not more than USD $5,000. (74 Pa. Stat. § 201(g)).
How is electronic marketing regulated?

Electronic marketing is subject to Pennsylvania’s Unfair Trade Practices and Consumer Protection Law and the Unsolicited Telecommunication Advertisement Act. Entities and individuals may also have to comply with federal law applicable to electronic marketing.

Note:

Unfair Trade Practices and Consumer Protection Law
Pennsylvania’s Unfair Trade Practices and Consumer Protection Law prohibits several enumerated “unfair or deceptive acts and practices,” including engaging in any fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding. Electronic marketing practices in Pennsylvania must not utilize such unfair or deceptive acts and practices. (73 Pa. Stat. §§ 201-2 and 201-3).

Unsolicited Telecommunication Advertisement Act
Pennsylvania’s Unsolicited Telecommunication Advertisement Act prohibits initiating a transmission or assisting a transmission of an unsolicited commercial electronic mail message if the email (i) uses a third party’s Internet domain in the return email address without permission of the third party; (ii) includes false or misleading information in the return address portion of the email, facsimile or wireless advertisement; (iii) contains false or misleading information in the subject line; or (iv) fails to contain a valid sender-operated return email address mechanism or toll-free telephone number that the recipient of the unsolicited documents may email or call. (73 Pa. Stat. § 2250.3(a)). Additionally, a covered mobile telephone messaging system may not be used to transmit an unsolicited commercial electronic mail message. (73 Pa. Stat. § 2250.3(b)). Commercial electronic mail message means an electronic mail message sent for the purpose of promoting real property, goods, or services, but does not include an electronic mail transmission: (i) to which an interactive computer service has attached an advertisement in exchange for the free use of an electronic mail account when the sender has agreed to such an arrangement; or (ii) sent as a result of an established business relationship. (73 Pa. Stat. § 2250.2). Recipients of such emails are permitted to bring actions under the Pennsylvania Unfair Trade Practices and Consumer Protection Law. Attorneys’ fees are also recoverable. For willful violations, civil penalties of up to $1,500,000 are recoverable. The Pennsylvania Attorney General may bring claims and recover civil penalties for violations of the law. ISPs are permitted to initiate actions to enjoin conduct and to recover penalties in the amount of no less than $1 or no more than $10 per violation. (73 Pa. Stat. §§ 2250.7 and 2250.8).

Federal Law
Individuals and entities in Pennsylvania also must comply with Federal laws regulating electronic marketing. Notably, the Federal CAN-SPAM Act prohibits false or misleading header information and deceptive subject lines in commercial emails and requires senders of such emails to identify them as ads and provide a valid physical address and opt-out mechanism in the ads. Opt-outs must be honored within 10 business days. Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to USD $46,517 as of December 2021. (15 U.S.C. 7701 et seq.; 16 C.F.R. § 1.98). The Federal Telephone Consumer Protection Act ("TCPA"), which is enforced by the Federal Communications Commission, generally prohibits sending text marketing messages to individuals without prior express consent. The TCPA provides for a private right of action and damages of up to USD $500 per violation. (See 47 U.S.C. 227 et seq.)
Are there any recent developments or expected reforms?

None are currently pending under Pennsylvania law. However, please note the national and federal trends noted in the “Key Legislation Overview” above.

Note:

As of February 2022, Pennsylvania has a number of key cybersecurity-related bills and amendments passing through its Legislature.

Senate Bill 696 amends Pennsylvania’s Breach of Personal Information Notification Act, 73 Pa. Stat. § 2301 et seq. Among the amendments are adding “medical information,” “health insurance information,” and “a user name or email address in combination with a password or security question and answer that would permit access to an online account” to the statutory definition of “Personal Information.” Additionally, the bill would require any state agency, county, school district, or municipality that experiences a data breach to provide notification of the breach to affected individuals within seven days of the discovery of the breach. It also would require an affected agency to notify Pennsylvania’s Attorney General within three days of the breach, and any affected county, school district, or municipality to notify the district attorney in the county where the breach occurred within three business days following the breach.

Senate Bill 482 provides a full-scale reform of Pennsylvania’s state information technology, data security, and cybersecurity infrastructure, including the establishment of the Office of Information Technology (“OIT”) within the Governor’s Office of Administration. The OIT is designed to, among other things, consolidate information technology functions and powers vested in state agencies; provide, operate, and manage information technology services for each state agency under the Governor’s jurisdiction; and provide documentation and training related to information technology and cybersecurity. It creates the position of director of the OIT to perform and carry out a variety of cybersecurity and information technology-related functions for the OIT. It also imposes criminal penalties on any person who purchases, attempts to purchase or attempts to procure any property or services of the OIT for private use or benefit. If signed into law, Senate Bill 482 will be codified at 71 Pa. C.S. § 4301 et seq.

Further, Senate Bill 726 is designed to prohibit, prevent, and detect ransomware attacks, as well as to restore systems and captured information quickly after disruption, provide timely notice of ransomware attacks, and permit the pursuit and prosecution of ransomware perpetrators. In short, the bill defines “ransomware,” and makes it illegal to develop, use, possess, sell, or threaten to use ransomware in the Commonwealth. The bill also provides penalties for violations, ranging from first-degree misdemeanors to first-degree felonies based on how much money is being demanded in ransom. If signed into law, Senate Bill 726 will be codified at 18 Pa. C.S. § 7671 et seq.

Entities should consult all relevant and up-to-date state and federal laws when collecting, using and disclosing personally identifiable information in Pennsylvania, and continue to monitor developments at both the state and federal levels.
Global Data Privacy Guide
Pennsylvania has no single comprehensive data privacy legislation. Rather, Pennsylvania has adopted several different laws addressing data privacy and related consumer protection issues. Important state laws relating to data privacy include Pennsylvania’s data breach notification statute and law relating to the privacy of social security numbers. Entities and persons in Pennsylvania also may have to comply with applicable Federal laws relating to data privacy and security. Relevant state laws relating to data privacy include Pennsylvania’s:
- Breach of Personal Information Notification Act (73 Pa. Stat. §2301 et seq.);
- Statute prohibiting deceptive privacy policies (18 Pa. C.S. § 4107(a)(10));
- Criminal History Record Information Act and other laws governing the use of criminal records (18 Pa. C.S. §9101 et seq.);
- Statute protecting the privacy of social security numbers (71 Pa. Stat. §2601 et seq.); and
- Unsolicited Telecommunication Advertisement Act (73 Pa. Stat. §2250.1 et seq.).
Depending upon the nature of the data and the identity of the entity or person collecting, using and disclosing the data, entities and persons in Pennsylvania may also have to comply with United States Federal laws relating to data privacy and security. Potentially applicable Federal laws include laws relating to the collection, use and disclosure of health information (e.g., Health Insurance Portability and Accountability Act ("HIPAA"), the Genetic Information Nondiscrimination Act ("GINA") and regulations on the confidentiality of patient records relating to the treatment of substance abuse), financial information (e.g., Gramm-Leach-Bliley Act and the Fair Credit Reporting Act), educational records (e.g., Family Educational Rights and Privacy Act) and regulatory guidance regarding the privacy and security of personally identifiable information in general promulgated by the Federal Trade Commission ("FTC").
Entities should consult all relevant up-to-date state and federal laws when collecting, using and disclosing personally identifiable information in Pennsylvania, and continue to monitor developments at both the state and federal levels.
The definition of protected data varies by statute.
Note:
Data Breach Notification Law
Pennsylvania’s data breach notification statute defines “personal information” as an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted: Social Security number; driver license number or state identification card number issued in lieu of a driver's license; or financial account number or credit card number or debit card number in combination with any required security code, access code or password that would permit access to an individual’s financial account. (73 Pa. Stat. § 2302). “Personal information” does not include publicly available information that is lawfully made available to the general public from Federal, State, or local government records. (73 Pa. Stat. §2302).
Criminal History Record Information Act
“Criminal history record information” under Pennsylvania’s Criminal History Record Information Act means information collected by criminal justice agencies concerning individuals, and arising from the initiation of a criminal proceeding, consisting of identifiable descriptions, dates and notations of arrests, indictments, informations or other formal criminal charges and any dispositions arising therefrom. The term does not include intelligence information, investigative information or treatment information, including certain medical and psychological information, or information and records specified in 18 Pa. C.S. §9104. (18 Pa. C.S. §9102).
Laws Relating to Privacy of Social Security Numbers
Pennsylvania’s Privacy of Social Security Numbers Law protects the privacy of individuals’ Social Security numbers. (71 Pa. Stat. § 2601; 74 Pa. Stat. § 201 et seq.)
Federal Law
As stated above, persons and entities collecting, using and disclosing personally identifiable information in Pennsylvania may also be subject to United States Federal laws applicable to the industry in which the person or entity operates or the type of data at issue (e.g., health information, financial information, educational records, and other personally identifiable information).
Applicability varies by law. Laws may apply to all persons and entities doing business in Pennsylvania unless otherwise stated or to a specific subset of persons and entities such as employers.
Note:
Data Breach Notification Law
Pennsylvania’s data breach notification statute applies to any agency or political subdivision of the Commonwealth of Pennsylvania, and individuals and entities doing business in Pennsylvania. (73 Pa. Stat. § 2302)
Criminal History Record Information Act
Pennsylvania’s Criminal History Record Information Act applies to a board, commission or department of the Commonwealth and to employers. (18 Pa. C.S. §§9124 and 9125).
City of Philadelphia’s Criminal Records Screening Standards
The City of Philadelphia’s Criminal Records Screening Standards apply to any person, company, corporation, labor organization or association which employs any persons within the City of Philadelphia, and to agencies of the City of Philadelphia. (Philadelphia Code, Title 9, Chapter 9-3502)
Laws Relating to Privacy of Social Security Numbers
Pennsylvania’s Privacy of Social Security Numbers Law applies to all persons, entities, agencies and political subdivisions of the Commonwealth of Pennsylvania. (74 Pa. Stat. § 201(a))
In general, personal data collection practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. Pennsylvania law also prescribes specific rules for the collection of criminal history data and Social Security numbers.
As stated above, persons and entities collecting, using and disclosing personally identifiable information in Pennsylvania may also be subject to United States Federal laws applicable to the industry in which the person or entity operates or the type of data at issue (e.g., health information, financial information, educational records, and other personally identifiable information).
Note:
Accuracy of Privacy Policies
Personal data collection practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. It is a violation of Pennsylvania law to knowingly make a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (18 Pa. C.S. § 4107(a)(10)). Pennsylvania’s Unfair Trade Practices and Consumer Protection Law also makes it unlawful to engage in fraudulent or deceptive business conduct which creates a likelihood of confusion or of misunderstanding. (73 Pa. Stat. §201-2(4)(xxi)). Accordingly, an entity’s failure to adhere to the personal data collection practices described in its privacy policies can result in a violation of Pennsylvania law.
City of Philadelphia’s Criminal Records Screening Standards
Private employers in the City of Philadelphia are prohibited from inquiring about, or requiring disclosure by an applicant for employment of, any prior arrest which is no longer pending and did not result in a conviction for a criminal offense, unless specifically authorized by law. In addition, private employers in the City of Philadelphia are prohibited from inquiring about or requiring disclosure of an applicant’s previous criminal conviction from the time the applicant inquires about employment until the employer extends a conditional offer of employment (which can only be withdrawn under certain individualized circumstances). (Philadelphia Code, Title 9, Chapter 9-3503 - 9-3504).
Laws Relating to Privacy of Social Security Numbers
Pennsylvania law prohibits any person, entity, agency or political subdivision from requiring an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted, or to use his or her Social Security number to access an Internet website unless a password or unique personal identification number or other authentication device is also required to access the website. (74 Pa. Stat. § 201(a)). Pennsylvania agencies and municipalities must provide any individual that is applying for or renewing a professional license or certification, occupational license or certification, or recreational license with the opportunity to submit a Pennsylvania driver’s license number in lieu of a Social Security number. (71 Pa. Stat. § 2603).
In general, personal data use and disclosure practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. Pennsylvania law also prescribes specific rules for the use and disclosure of criminal history data and Social Security numbers.
As stated above, persons and entities collecting, using and disclosing personally identifiable information in Pennsylvania may also be subject to United States Federal laws applicable to the industry in which the person or entity operates or the type of data at issue (e.g., health information, financial information, educational records, and other personally identifiable information).
Note:
Accuracy of Privacy Policies
Personal data disclosure practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. It is a violation of Pennsylvania law to knowingly make a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (18 Pa. C.S. § 4107(a)(10)). Pennsylvania’s Unfair Trade Practices and Consumer Protection Law also makes it unlawful to engage in fraudulent or deceptive business conduct which creates a likelihood of confusion or of misunderstanding. (73 Pa. Stat. §201-2(4)(xxi)). Accordingly, an entity’s failure to adhere to the personal data use and disclosure practices described in its privacy policies can result in a violation of Pennsylvania civil and criminal law.
Criminal History Record Information Act
Felony and misdemeanor convictions may be considered by an employer as part of the evaluation of an applicant only to the extent to which the convictions relate to the applicant’s suitability for employment in the position for which the individual has applied. An employer must notify the applicant in writing if the decision not to hire the applicant is based in whole or in part on criminal history record information. (18 Pa. C.S. §9125(b) and (c)).
Laws Relating to Privacy of Social Security Numbers
No person, entity, agency or political subdivision of Pennsylvania may: (i) publicly post or publicly display an individual’s Social Security number in any manner; (ii) print an individual’s Social Security number on any card required for the individual to access products or services provided by the person, entity, or Pennsylvania agency or political subdivision; (iii) require an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted; (iv) require an individual to use his or her Social Security number to access an Internet website unless a password or unique identifier or other authentication device is also required to access the website; (v) print an individual’s Social Security number on any materials that are mailed to the individual unless Federal or state law requires the Social Security number to be on the document to be mailed; or (vi) disclose in any manner, except to the agency issuing the license, the Social Security number of an individual who applies for a recreational license. (74 Pa. Stat. § 201(a))
In general, personal data storage, security and retention practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. In addition, failure to adhere to publicly represented personal data storage, security, and retention practices may constitute unfair or deceptive trade practices under the Federal Trade Commission Act (the "FTC Act").
In addition to the FTC Act, as stated above, persons and entities collecting, using and disclosing personally identifiable information in Pennsylvania may also be subject to United States Federal laws applicable to the industry in which the person or entity operates or the type of data at issue (e.g., health information, financial information, educational records, and other personally identifiable information).
Note: Personal data storage, security and retention practices must be accurately represented in any privacy policy utilized by an entity in Pennsylvania. It is a violation of Pennsylvania law to knowingly make a false or misleading statement in a privacy policy, published on the Internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public. (18 Pa. C.S. § 4107(a)(10)). Pennsylvania’s Unfair Trade Practices and Consumer Protection Law also makes it unlawful to engage in fraudulent or deceptive business conduct which creates a likelihood of confusion or of misunderstanding. (73 Pa. Stat. §201-2(4)(xxi)). Accordingly, an entity’s failure to adhere to the personal data storage, security and retention practices described in its privacy policies can result in a violation of Pennsylvania civil and criminal law.
In addition, the Federal Trade Commission has brought enforcement actions against entities for unfair and deceptive trade practices under the FTC Act as a result of false or misleading statements regarding the security of personal data, failure to maintain “reasonable” security safeguards, and failure to comply with stated privacy policies. (See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015); LabMD, Inc. v. Federal Trade Commission, No. 16-16270 (11th Cir. 2018); In the Matter of Snapchat, Inc., No. C-4501, December 23, 2014; In the Matter of Cambridge Analytica, LLC, Docket No. 9383, November 25, 2019; United States v. Facebook, Inc., Case No. 19-cv-2184 (D.D.C. July 24, 2019); In the Matter of Flo Health, Inc., Docket No. 4747 (June 17, 2021).)
Finally, the National Institute of Standards and Technology ("NIST") published guidance providing considerations for managing cybersecurity and privacy risks for the “internet of things” (“IoT”) (i.e., web-connected devices) on June 25, 2019. NIST has updated these standards periodically as trends and industry standards change. Additionally, on May 12, 2021, Executive Order 14028 tasked NIST with issuing guidance and identifying practices that enhance the security of the software supply chain and developing a multi-faceted initiative related to cybersecurity labeling for consumers, including labeling for IoT products. On February 4, 2022, NIST recommended criteria for cybersecurity labeling on IoT products. A summary report about cybersecurity labeling is expected in May 2022. While NIST is a non-regulatory agency, this published guidance will serve to inform the “reasonableness” standard included in many privacy and security laws and regulations. For example, Executive Order 14028 further directed the Secretary of Homeland Security to develop a standard set of operational procedures to be used in planning and conducting cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch Agency Information Systems, which shall incorporate all appropriate NIST standards.
There are no general Pennsylvania laws governing data subjects’ rights to access or correct their personal information. However, under the Inspection of Employee Records Law ("Personnel Files Act"), employers are required to provide employees access to personnel files used to determine the employee’s qualifications for employment, promotion, additional compensation, termination, or disciplinary action. (43 Pa. Stat. §1322) Under specified circumstances, the Bureau of Labor Standards of the Department of Labor and Industry may make and enforce an order providing access to the personnel files and the opportunity for an employee to place a counter statement in the employee's file, in the event an alleged error is determined by the employee. (43 Pa. Stat. §1324).
Not currently under Pennsylvania law.
Yes. Pennsylvania’s data breach notification statute (“Breach Notification Statute”) is codified at 73 Pa. Stat. §2301 et seq.
Note:
When Notice is Required
Any state agency, a political subdivision of Pennsylvania or an individual or business in Pennsylvania ("entity") that maintains, stores or manages computerized data that includes personal information must provide notice of any breach of the security of the system following the discovery of the breach to any resident of Pennsylvania whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person. (73 Pa. Stat. §2303(a))
“Personal information” is defined as an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements when the data elements are not encrypted or redacted: Social Security number; driver's license number or state identification card number issued in lieu of a driver's license; or account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (73 Pa. Stat. §2302).
“Breach of the security of the system” is defined as the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of Pennsylvania. (73 Pa. Stat. §2302).
An entity must provide notice of the breach if encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of the security of the encryption or if the security breach involves a person with access to the encryption key. (73 Pa. Stat. §2303(b)).
Timing of Notice
Notification must be made without unreasonable delay. (73 Pa. Stat. §2303(a)). The notification may be delayed if a law enforcement agency determines and advises the entity in writing specifically referencing the statute that the notification will impede a criminal or civil investigation. Notification must be made after the law enforcement agency determines that it will not compromise the investigation or national or homeland security. (73 Pa. Stat. §2304). Notice may be delayed if the entity takes measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. (73 Pa. Stat. §2303(a)).
Method of Notice Delivery
Notice may be provided: (i) in writing to the last known home address for the individual; (ii) by telephone, if the affected individual can reasonably be expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms, and verifies personal information but does not require the individual to provide personal information, and the individual is provided with a telephone number to call or Internet website to visit for further information or assistance; or (iii) by email, if a prior business relationship exists and the person or entity has a valid email address for the individual. Substitute notice may be given if the cost of providing notice would exceed $100,000, the number of affected individuals exceeds 175,000, or the entity does not have sufficient contact information. Substitute notice must consist of email, conspicuous posting of the notice on the entity’s website and publication in major statewide media. (73 Pa. Stat. §2302).
Notification to Consumer Reporting Agencies
If notice is required to be given to more than 1,000 individuals at one time, the entity must also notify all national consumer reporting agencies of the timing, distribution and number of notices, without unreasonable delay. (73 Pa. Stat. §2305).
Preemption
An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity’s primary or functional federal regulator will be in compliance with the Breach Notification Statute. Financial institutions that comply with the notification requirements of the Federal Interagency Response Programs for Unauthorized Access to Customer Information and Customer Notice are specifically deemed to be in compliance with the Breach Notification Statute.
Vendor Compliance
A vendor that maintains, stores or manages computerized data on behalf of another entity must provide notice of any breach of the security of the system following the discovery by the vendor to the entity on whose behalf the vendor maintains, stores or manages the data. The entity on whose behalf the data is being maintained, stored or managed is responsible for compliance with the Breach Notification Statute. (73 Pa. Stat. §2303(c)).
The Pennsylvania Attorney General is the state regulator charged with enforcing Pennsylvania privacy laws. Certain laws also provide individuals with the right to sue for violations.
Note:
Data Breach Notification Law
The Pennsylvania Attorney General has exclusive jurisdiction over the enforcement of Pennsylvania’s data breach notification statute. (73 Pa. Stat. §2308)
Unfair Trade Practices and Consumer Protection Law
The Pennsylvania Attorney General or the appropriate District Attorney may bring civil actions for violations of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. (73 Pa. Stat. §201-8) Pennsylvania’s Unfair Trade Practices and Consumer Protection Law also provides for a private right of action. (73 Pa. Stat. §201-9.2)
Criminal History Record Information Act
Pennsylvania's Attorney General, or any other individual or agency, may institute an action in a court of proper jurisdiction against any person, agency, or organization to enjoin any criminal justice agency, noncriminal justice agency, organization or individual violating the provisions of the Pennsylvania Criminal History Record Information Act or to compel such agency, organization or person to comply with the provisions of the Pennsylvania Criminal History Record Information Act. Any person aggrieved by a violation of the provisions of the Pennsylvania Criminal History Record Information Act or of the rules and regulations promulgated thereunder may bring an action for damages by reason of such violation. (18 Pa. C.S. §9183).
City of Philadelphia Fair Criminal Record Screening Standards
The Philadelphia Commission on Human Relations (“Commission”) enforces the City’s Fair Criminal Record Screening Standards. A private right of action exists if certain requirements are met (e.g., the Commission must have concluded, within one year after the filing of a complaint, that it has not found sufficient evidence of a violation to proceed further with an investigation or has not entered into a conciliation agreement to which the complainant is a party). (Philadelphia Code, Title 9, Chapter 9-3506).
Inspection of Employee Records Law (Personnel Files Act)
The Department of Labor and Industry's Bureau of Labor Standards—now known as “Labor Law Compliance”—is responsible for the enforcement of the provisions of the Personnel Files Act. (43 Pa. Stat. §1324).
Federal Regulators
Applicable Federal regulators may include the Federal Trade Commission, the Federal Communications Commission, the Office of Civil Rights of the Federal Department of Health and Human Services and the Securities and Exchange Commission, depending on the applicable law.
Violators of Pennsylvania privacy laws may be subject to civil penalties of varying amounts, depending upon the statute that has been violated.
Note:
Data Breach Notification Law/ Unfair Trade Practices and Consumer Protection Law
A violation of Pennsylvania’s data breach notification law is deemed to be a breach of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. (73 Pa. Stat. §2308) Pennsylvania’s Unfair Trade Practices and Consumer Protection Law provides for a USD $1,000 civil penalty per violation or a USD $5,000 penalty per violation for any person who violates the terms of an injunction or any of the terms of an assurance of voluntary compliance. (73 Pa. Stat. §201-8).
Any person who purchases or leases goods or services primarily for personal, family or household purposes and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by any person of a method, act or practice declared unlawful by Pennsylvania’s Unfair Trade Practices and Consumer Protection Law, may bring a private action, to recover actual damages or USD $100, whichever is greater. The court may, in its discretion, award up to three times the actual damages sustained, but not less than USD $100, and may provide such additional relief as it deems necessary or proper. The court may award to the plaintiff, in addition to other relief provided in this section, costs and reasonable attorney fees. (73 Pa. Stat. §201-9.2)
Pennsylvania Criminal History Record Information Act
Pennsylvania's Attorney General or any other individual or agency may institute an action in a court of proper jurisdiction against any person, agency or organization to enjoin any criminal justice agency, noncriminal justice agency, organization or individual violating the provisions of the Pennsylvania Criminal History Record Information Act or to compel such agency, organization or person to comply with the provisions of the Pennsylvania Criminal History Record Information Act. Any person aggrieved by a violation of the provisions of the Pennsylvania Criminal History Record Information Act may bring an action for damages by reason of such violation. A person found by a court to have been aggrieved by a violation of the Pennsylvania Criminal History Record Information Act or related rules and regulations is entitled to actual and real damages of not less than USD $100 for each violation and to reasonable costs of litigation and attorney's fees. Exemplary and punitive damages of not less than USD $1,000 nor more than USD $10,000 shall be imposed for any willful violation. (18 Pa. C.S. §9183).
City of Philadelphia Fair Criminal Record Screening Standards
Violations of the City’s Fair Criminal Record Screening Standards are punishable by a fine of up to USD $2,000 per violation. (Philadelphia Code, Title 9, Chapter 9-3506; 1-109(3))
Restrictions on Disclosure of Social Security Numbers
A violation of Pennsylvania’s laws regarding the use and disclosure of Social Security numbers is a summary offense punishable by a fine of not less than USD $50 and not more than USD $500. Subsequent violations are punishable by a fine of not less than USD $500 and not more than USD $5,000. (74 Pa. Stat. §201(g)).
Electronic marketing is subject to Pennsylvania’s Unfair Trade Practices and Consumer Protection Law and the Unsolicited Telecommunication Advertisement Act. Entities and individuals may also have to comply with federal law applicable to electronic marketing.
Note:
Unfair Trade Practices and Consumer Protection Law
Pennsylvania’s Unfair Trade Practices and Consumer Protection Law prohibits several enumerated “unfair or deceptive acts and practices,” including engaging in any fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding. Electronic marketing practices in Pennsylvania must not utilize such unfair or deceptive acts and practices. (73 Pa. Stat. §§201-2 and 201-3).
Unsolicited Telecommunication Advertisement Act
Pennsylvania’s Unsolicited Telecommunication Advertisement Act prohibits initiating a transmission or assisting a transmission of an unsolicited commercial electronic mail message if the email (i) uses a third party’s Internet domain in the return email address without permission of the third party; (ii) includes false or misleading information in the return address portion of the email, facsimile or wireless advertisement; (iii) contains false or misleading information in the subject line; or (iv) fails to contain a valid sender-operated return email address mechanism or toll-free telephone number that the recipient of the unsolicited documents may email or call. (73 Pa. Stat. §2250.3(a)).
Additionally, a covered mobile telephone messaging system may not be used to transmit an unsolicited commercial electronic mail message. (73 Pa. Stat. §2250.3(b)).
Commercial electronic mail message means an electronic mail message sent for the purpose of promoting real property, goods, or services, but does not include an electronic mail transmission: (i) to which an interactive computer service has attached an advertisement in exchange for the free use of an electronic mail account when the sender has agreed to such an arrangement; or (ii) sent as a result of an established business relationship. (73 Pa. Stat. §2250.2).
Recipients of such emails are permitted to bring actions under the Pennsylvania Unfair Trade Practices and Consumer Protection Law. Attorneys’ fees are also recoverable. For willful violations, civil penalties of up to $1,500,000 are recoverable. The Pennsylvania Attorney General may bring claims and recover civil penalties for violations of the law. ISPs are permitted to initiate actions to enjoin conduct and to recover penalties in the amount of no less than $1 or no more than $10 per violation. (73 Pa. Stat. §§2250.7 and 2250.8).
Federal Law
Individuals and entities in Pennsylvania also must comply with Federal laws regulating electronic marketing. Notably, the Federal CAN-SPAM Act prohibits false or misleading header information and deceptive subject lines in commercial emails and requires senders of such emails to identify them as ads and provide a valid physical address and opt-out mechanism in the ads. Opt-outs must be honored within 10 business days. Each separate email in violation of the CAN-SPAM Act is subject to penalties of up to USD $46,517 as of December 2021. (15 U.S.C. 7701 et seq.; 16 C.F.R. §1.98). The Federal Telephone Consumer Protection Act ("TCPA"), which is enforced by the Federal Communications Commission, generally prohibits sending text marketing messages to individuals without prior express consent. The TCPA provides for a private right of action and damages of up to USD $500 per violation. (See 47 U.S.C. 227 et seq.)
None are currently pending under Pennsylvania law. However, please note the national and federal trends noted in the “Key Legislation Overview” above.
Note:
As of February 2022, Pennsylvania has a number of key cybersecurity-related bills and amendments moving through its Legislature. Senate Bill 696 amends Pennsylvania’s Breach of Personal Information Notification Act, 73 Pa. Stat. §2301, et seq. Among the amendments are adding “medical information,” “health insurance information,” and “a user name or email address in combination with a password or security question and answer that would permit access to an online account” to the statutory definition of “Personal Information.” Additionally, the bill would require any state agency, county, school district, or municipality that experiences a data breach to provide notification of the breach to affected individuals within seven days of the discovery of the breach. It also would require an affected state agency to notify Pennsylvania’s Attorney General within three days of the breach, and any affected county, school district, or municipality to notify the district attorney in the county where the breach occurred within three business days following the breach.
Senate Bill 482 provides a full-scale reform of Pennsylvania’s state information technology, data security, and cybersecurity infrastructure, including the establishment of the Office of Information Technology (“OIT”) within the Governor’s Office of Administration. The OIT is designed to, among other things, consolidate information technology functions and powers vested in state agencies; provide, operate, and manage information technology services for each state agency under the Governor’s jurisdiction; and provide documentation and training related to information technology and cybersecurity. The bill creates the position of director of the OIT to perform and carry out a variety of cybersecurity and information technology-related functions for the OIT. It also imposes criminal penalties on any person who purchases, attempts to purchase, or attempts to procure any property or services of the OIT for private use or benefit. If signed into law, Senate Bill 482 will be codified at 71 Pa. C.S. §4301, et seq.
Further, Senate Bill 726 is designed to prohibit, prevent, and detect ransomware attacks, as well as to restore systems and captured information quickly after a disruption, provide timely notice of ransomware attacks, and permit the pursuit and prosecution of ransomware perpetrators. In short, the bill defines “ransomware” and makes it illegal to develop, use, possess, sell, or threaten to use ransomware in the Commonwealth. The bill also provides penalties for violations, ranging from first-degree misdemeanors to first-degree felonies depending on the amount of money demanded in ransom. If signed into law, Senate Bill 726 will be codified at 18 Pa. C.S. §7671, et seq.
Entities should consult all relevant and up-to-date state and federal laws when collecting, using and disclosing personally identifiable information in Pennsylvania, and continue to monitor developments at both the state and federal levels.