Introduction to the Pennsylvania Consumer Data Protection Act

Recently released data from the FBI shows that Pennsylvania led the country in ransomware losses for 2020, with more than $5 million in reported losses. Across the nation, the number of cyberattacks has risen, and businesses of every size have been affected by these crimes.


There could be a direct correlation between the apparent gap in data privacy laws at the state level and a state's susceptibility to cybercrime. Notably, only four states currently have robust data privacy laws: California (CCPA/CPRA), Virginia (VCDPA), Colorado (ColoPA), and most recently, Utah (UCPA).


Against this backdrop, there has been a recent push within the commonwealth of Pennsylvania to pass similar legislation. Three proposed bills have been introduced by Pennsylvania legislators, namely HB 1126 (April 7, 2021), HB 2202 (December 13, 2021) and HB 2257 (January 20, 2022), collectively referred to as the Pennsylvania Consumer Data Protection Act[1]. This legislation would provide long-overdue protection to consumers within the commonwealth.


Notably, among other requirements, the proposed Pennsylvania Consumer Data Protection Act would require organizations to implement and maintain reasonable administrative and technical security practices to protect personal data.[2]


The act would also create an avenue for consumers to obtain statutory damages if their nonencrypted and nonredacted personal information is subject to a breach. With respect to civil actions, the legislation would grant the Pennsylvania attorney general the authority to file suit against businesses, service providers, and third parties found to have violated the act, with penalties of up to $7,500 for each violation charged.


Going forward, we will have to wait until the Pennsylvania legislature reconvenes for any updates on this proposed act.


Recently, another act was proposed, titled the Protecting Consumer Information and Privacy Act. This act would require all businesses to notify consumers of what personal information is collected and whether it will be sold. In addition, businesses would have to provide consumers with the choice to delete their information or to prevent it from being sold.


Alexander N. DiMeo is an Associate at Wade Clark Mulcahy LLP.



[2] This act, had it passed, would have taken effect on January 1, 2023, or in 18 months, whichever was later.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.