Pennsylvania’s Consumer Data Privacy Act (HB78)

The passage of House Bill 78 (HB78), the Consumer Data Privacy Act (CDPA), through the Pennsylvania House of Representatives marks a decisive step toward enacting comprehensive privacy legislation in the Commonwealth. Currently pending in the Senate, this bill is a critical development for business owners and large corporations, especially those operating in Pennsylvania.

While HB78 largely follows the “Virginia/Connecticut model” of state privacy laws, which centers on opt-out rights, it introduces a uniquely low revenue threshold and stringent affirmative consent requirements for sensitive data. Compliance is therefore not just an issue for major tech companies but for a broad swath of Pennsylvania businesses, and anybody who markets and sells to PA residents will have to use Captain Compliance’s software to comply once the bill is passed. This legislation requires an immediate strategic review of data handling practices and implementation of Captain Compliance’s privacy software solutions to mitigate the significant penalties the Attorney General is authorized to pursue.

Key Components of Pennsylvania’s Consumer Data Privacy Act (HB78)

HB78 is designed to empower Pennsylvania residents with foundational rights over their personal information while imposing substantial duties on companies that collect and process that data. The bill is poised to take effect one year after enactment, signaling a need for businesses to initiate compliance planning immediately.

House Bill 78 PA Data Privacy Act

The Low Threshold for Coverage: The Keystone of Compliance

HB78 sets jurisdictional standards that are notably aggressive on the low end, sweeping in mid-sized and data-intensive businesses that might currently be exempt from laws in other states. A for-profit entity is considered a covered “Controller” if it does business in Pennsylvania and meets any of the following criteria:

  • Has annual gross revenues exceeding $10 million (significantly lower than California’s $25 million threshold).

  • Annually buys, receives, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices (alone or in combination).

  • Derives at least 50% of annual revenues from selling consumers’ personal information.

Enhanced Sensitive Data Protection

A hallmark of HB78 is its approach to sensitive information: the requirements are non-negotiable and call for a proactive compliance stance.

  • Definition: Sensitive Data includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, precise geolocation data, biometric data, genetic data, and personal data collected from a known child.

  • Requirement: Controllers must obtain the consumer’s affirmative consent before processing any sensitive data. This is a critical opt-in standard that demands changes to consent mechanisms.

  • Opt-in for Minors: Furthermore, controllers are prohibited from processing the personal data of a known child (under 13), and from selling the data of or targeting advertising to minors (under 16), without proper consent, aligning with federal COPPA standards and the generally stricter state mandates.

Core Consumer Rights and Controller Duties

HB78 codifies a standard set of rights mirroring modern comprehensive privacy laws, but with specific operational demands for controllers:

  • Opt-Out of Profiling and Sale: Consumers gain the right to opt out of the processing of their data for the purposes of targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.

  • Deletion and Correction: Consumers have the right to delete personal data provided by or obtained about them, and the right to correct inaccuracies. Importantly, the Right to Delete allows a controller to comply by retaining only the minimum data necessary for the purpose of declining future data collection (known as a “suppression list”).

  • Response Window: Controllers must respond to consumer rights requests within 45 days, with a possible 45-day extension upon notice to the consumer.

The Operational Challenge: Data Minimization and Enforcement

For large corporations and business owners, the passage of HB78 mandates a shift in both data architecture and regulatory preparedness.

1. Data Minimization and Purpose Limitation

The bill includes a standard data minimization clause, requiring controllers to:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes disclosed to the consumer.

  • Refrain from processing data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes unless they obtain the consumer’s affirmative consent.

This creates a high bar for using collected data for new, undisclosed purposes, demanding a clear and auditable purpose specification within data privacy software.

2. The Enforcement and Penalty Regime

Unlike California, which has a dual enforcement structure (the AG alongside the CPPA, now called CalPrivacy) and a limited private right of action (PRA), Pennsylvania grants exclusive enforcement authority to the Attorney General (AG). This is a key feature aimed at promoting regulatory uniformity and avoiding class-action lawsuits, which is a win for businesses; but if the AG gets aggressive, expensive fines for non-compliance can ramp up very fast.

The enforcement structure includes:

  • No Private Right of Action: Individuals cannot directly sue businesses for violations of the CDPA.

  • High Civil Penalties: The AG is authorized to seek civil penalties of up to $7,500 per violation.

  • The Cure Period: HB78 includes a mandatory 60-day cure period that the AG must provide before initiating an enforcement action. However, this cure period is not guaranteed to be perpetual; it will likely follow the trend of other states where the AG gains discretion to eliminate the cure period for repeat offenders or egregious violations after an initial sunset date.

The Strategic Blueprint for Compliance Software

Preparing for the Pennsylvania CDPA requires investing in privacy management software that automates compliance with these specific, high-risk mandates.

  1. Automated Applicability Check: Ensure your privacy software can automatically flag and track PA consumers and verify if your data volume meets the 50,000 threshold, or if your revenue meets the $10 million threshold.

  2. Consent Layer for Sensitive Data: Implement a consent management platform that forces affirmative consent (a clear opt-in, not implied consent or dark patterns) for all sensitive data processing, maintaining detailed logs for audit purposes.

  3. Opt-Out Preference Signal (OOPS) Readiness: Controllers would have two years from enactment to implement technology to recognize and honor universal opt-out signals, requiring integration with browser settings like the Global Privacy Control (GPC).

  4. Data Protection Assessment (DPA) Automation: Required for high-risk activities (including targeted advertising, data sales, and certain profiling), DPAs must be documented and auditable. Privacy software must facilitate the assessment process, logging risk mitigation measures.
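The consent layer (item 2) and the opt-out signal handling (item 3) above, as an added Python example that is not part of the original post or of Captain Compliance’s product. It assumes the `Sec-GPC: 1` request header from the W3C Global Privacy Control draft; the category and purpose labels are constructed for the example.

```python
from dataclasses import dataclass, field

# Sensitive-data categories named in HB78 (labels are constructed for this example).
SENSITIVE_CATEGORIES = {
    "racial_ethnic_origin", "religious_beliefs", "health_diagnosis", "sexual_orientation",
    "citizenship_immigration", "precise_geolocation", "biometric", "genetic", "known_child",
}
# Purposes a consumer may opt out of under the bill; a GPC signal covers all of them here.
OPT_OUT_PURPOSES = {"targeted_advertising", "sale", "profiling"}


@dataclass
class ConsentState:
    """Per-consumer consent record with an append-only audit trail."""
    opted_in_sensitive: set = field(default_factory=set)
    opted_out_purposes: set = field(default_factory=set)
    audit: list = field(default_factory=list)


def apply_gpc_signal(state, headers):
    """Honor `Sec-GPC: 1` (W3C GPC draft header, assumed) as an opt-out of sale,
    targeted advertising and profiling. HTTP header names are case-insensitive."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    if lowered.get("sec-gpc") == "1":
        state.opted_out_purposes |= OPT_OUT_PURPOSES
        state.audit.append("gpc_signal:opt_out:" + ",".join(sorted(OPT_OUT_PURPOSES)))
    return state


def record_sensitive_opt_in(state, category, user_acted):
    """Record affirmative consent only when the consumer took an explicit action.
    A pre-checked box or silence (user_acted=False) is implied consent and is refused."""
    if category not in SENSITIVE_CATEGORIES:
        raise ValueError(f"{category} is not a sensitive-data category")
    if not user_acted:
        state.audit.append(f"consent_refused:{category}:no_affirmative_action")
        return False
    state.opted_in_sensitive.add(category)
    state.audit.append(f"consent_granted:{category}")
    return True


def may_process(state, category, purpose):
    """Default-deny decision: an opt-out blocks the purpose outright, and
    sensitive data is never processed without a recorded opt-in."""
    if purpose in state.opted_out_purposes:
        return False
    if category in SENSITIVE_CATEGORIES and category not in state.opted_in_sensitive:
        return False
    return True
```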

Comparative Analysis: Pennsylvania vs. Leading State Privacy Laws

HB78’s framework is closely aligned with Virginia and Connecticut, but its low revenue threshold and inclusion of specific sensitive data types give it a broader application than many mid-Atlantic laws.

| Feature | Pennsylvania HB78 (Proposed) | California CPRA (Enacted) | Connecticut CTDPA (Enacted) | Virginia VCDPA (Enacted) |
|---|---|---|---|---|
| Minimum Revenue Threshold | $10 Million (Lowest among major laws) | $25 Million | None (based only on data volume) | None (based only on data volume) |
| Minimum Consumer Threshold | 50,000 Consumers/Households/Devices | 100,000 Consumers/Households OR 50,000 devices | 100,000 Consumers | 100,000 Consumers |
| Sensitive Data Consent | Affirmative Opt-In Consent Required for Processing | Opt-Out/Limit Use of Sensitive Personal Information | Opt-In Consent Required for Processing | Opt-In Consent Required for Processing |
| Universal Opt-Out (GPC) | Required (with 2-year implementation grace period) | Required for Opt-Out of Sale/Sharing | Required for Opt-Out of Targeted Advertising/Sale | Not Required |
| Private Right of Action (PRA) | None (Exclusive AG Enforcement) | Limited PRA for Data Breaches only | None | None |
| Cure Period | Mandatory 60-day cure period | Discretionary (AG or CPPA) | Discretionary (AG) | Discretionary (AG) |
| Penalty Cap | Up to $7,500 per violation | Up to $7,500 per intentional violation | Up to $5,000 per violation | Up to $7,500 per violation |

The low $10 million revenue threshold in HB78 is the primary strategic takeaway for business leaders. It means that small, digitally focused companies that may have ignored the $25 million laws of California and others must now ensure their compliance frameworks are robust. Pennsylvania is signaling that its privacy law is intended to cover more local businesses than many other states have dared to target.

The fate of HB78 now rests with the Senate. Businesses that move swiftly to implement compliance software and operational procedures that meet the Virginia/Connecticut standard, particularly regarding the opt-in requirement for sensitive data and the recognition of opt-out signals, will be well-positioned to meet the impending regulatory challenge.
