Pennsylvanians could soon have greater control over their digital data if a bill seeking to regulate the use of consumer data makes it to the governor’s desk.
Lawmakers on the House Commerce Committee met for a public hearing on data privacy where they fielded input from tech companies, insurers and trade groups on how to establish parameters for the use of consumer data.
The hearing marked the beginning of the conversation on data privacy in Pennsylvania, with Commerce Committee Chair John Galloway saying more hearings will be held and that a working group will likely be created to study the issue in depth.
“Everybody agrees with this concept, which is the rights of consumers to control their data and make it as easy as possible without being too much of a burden on the companies and the businesses in Pennsylvania,” he said.
But lawmakers and stakeholders will need to flesh out the bill’s final language to address concerns voiced on Wednesday.
The committee and panelists focused on House Bill 1201 – legislation from state Rep. Ed Neilson that would establish a set of data privacy rights for consumers, including a path to opt out of having some of their data processed, as well as the option to delete personal data that a business collects.
Businesses subject to the bill would be tasked with creating “a secure and reliable means” for consumers to notify them when they choose to exercise rights outlined in the proposed legislation.
According to the bill, consumers would have the following rights:
- To confirm whether a business is processing or accessing their data
- The ability to correct inaccuracies in their personal data
- The option to delete personal data
- Access to a copy of their personal data
- The ability to opt out of having their personal data processed for the purposes of selling it or using it for targeted advertising
The state attorney general would be tasked with enforcing the law, a provision that drew praise from several of the testifiers who appeared before the committee on Wednesday.
Still, the bill may need to be amended to get buy-in from the insurance lobby and other sectors before it advances in the chamber.
Timothy Knapp, who serves as general counsel to the Pennsylvania Insurance Federation, asked lawmakers to consider an exemption for insurance companies in the Keystone State. He said that other laws, including the federal Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, already spell out requirements for the handling of sensitive data.
“The insurance commissioner already has the authority to do what you’re saying the attorney general should do in this bill,” Knapp said. “So right now, if an insurance company has a data security issue, what we’re doing is, we’re going to the insurance commissioner – to our regulator – who regulates our industry.”
“What we’re saying is: ‘Why be redundant?’” Knapp added.
Other states that have already passed data privacy laws have granted exemptions for various sectors, ranging from banks to nonprofits to colleges and universities. Connecticut and Virginia have each passed laws that provide exemptions for insurance companies and financial institutions.
Galloway said the committee may need to revisit exemptions in greater detail. “Seems like we need a whole ’nother hearing just on people who want to be or make a case for an exemption,” he said.
According to the International Association of Privacy Professionals, 11 states have enacted “comprehensive” privacy laws to date, while lawmakers in other states, including Massachusetts, Pennsylvania, New Jersey and North Carolina, have introduced data privacy-specific bills of their own.
There have been several data breaches in Pennsylvania in recent years, including a breach in Allegheny County this year, as well as a highly publicized data breach in 2021 that involved COVID-19 contact tracing data.
Margaret Durkin, who serves as a mid-Atlantic executive director for TechNet, which describes itself as a “bipartisan network of technology CEOs and senior executives that promotes the growth of the innovation economy,” said Wednesday that the organization is hoping lawmakers align the definitions in HB 1201 with the Connecticut law, which went into effect this summer.
“We want to make sure that they fully align to allow interoperability between states,” Durkin said.
The legislation lays out guidelines for “controllers” – businesses that collect personal information and meet other criteria – as well as for “processors,” which are individuals or organizations that process personal data on behalf of a controller. The bill does not allow for private rights of action in response to violations of the law – a point that was praised by Durkin and other testifiers.
Lawmakers also heard from a representative from Microsoft and from John Holub of the Pennsylvania Retailers Association, who said the association is largely supportive of the bill. “We’re extremely supportive of the language in the bill that sets roles and responsibilities for all parties who are touching consumer data. That’s both controllers and processors,” Holub said. “We feel this bill really strikes a reasonable and appropriate balance of all the roles and responsibilities.”
Still, he said, the association had some minor concerns, including the need for changes to an exemption for small businesses, as well as the effective date of the proposed law. He said if the bill is ultimately signed into law, smaller businesses without a national footprint may need more time to make sense of the provisions in the bill.
“Most states have had effective dates anywhere from 18 to 24 months. Again, this is a very complicated process,” Holub said, adding: “It might take a little bit of time for some folks to get up to speed on this.”