Pa. House Commerce Unanimously Supports Comprehensive Privacy Bill
A Pennsylvania House committee teed up a potentially imminent floor vote on a comprehensive privacy bill. The Commerce Committee voted unanimously by voice Tuesday to advance HB-78 to the floor. At a livestreamed meeting, the committee also adopted by voice an amendment that delays the proposed effective date by six months, to one year after the bill is enacted.
HB-78 is a bipartisan privacy bill sponsored by Reps. Ed Neilson (D) and Stephenie Scialabba (R). Although Republicans supported the legislation at Tuesday’s Commerce meeting, two members signaled that they would like to see additional changes.
Rep. Kristin Marcell (R) said there’s been much discussion about the bill over the last 24 hours “and trying to figure out … feedback from different stakeholders.” Marcell has “heard that there's going to be still some work done on this and some issues addressed,” she said. “I look forward to learning more about that.”
While voting yes, Commerce Committee Minority Chair John Lawrence (R) sees “a tension with this legislation.” He added, “Certainly, we don't want to see more onerous regulations on business, but we also want to respect the fact that people are entitled to be secure and safe with their own data privacy.” Lawrence predicted there will be amendments offered on the floor, “but I do think the issue is one that needs to move forward.”
Last year’s version of the Pennsylvania privacy bill stalled in the Senate after the House approved it on a 139-62 vote. As with that bill, HB-78 generally follows the model of most state privacy bills outside California. It would be enforced exclusively by the state attorney general, with no private right of action. For the first six months after the effective date, the AG would be required to provide a 60-day right to cure.
However, the bill has broad applicability thresholds that appear more akin to California’s privacy statute than Virginia-style laws. HB-78 would cover controllers that do business in Pennsylvania and satisfy any of the following: (1) at least $10 million in annual gross revenue; (2) “annually buys or receives, sells or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households or devices;” or (3) derives at least 50% of annual revenue from selling personal data. Pennsylvania has about 13 million people, so 50,000 consumers is only about 0.04% of the state’s population.
The measure includes common entity-level exemptions for state and local governments, nonprofits, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), national securities associations, entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and higher education institutions. It also has data-level exemptions, including for information covered by federal laws such as HIPAA, the Fair Credit Reporting Act, the Driver's Privacy Protection Act and the Family Educational Rights and Privacy Act.
The Pennsylvania bill provides consumer rights to: (1) confirm whether a controller is processing or accessing the consumer’s personal data, unless it reveals a trade secret; (2) correct inaccuracies in personal data; (3) delete personal data; (4) obtain a copy of personal data in portable format; and (5) opt out of personal data sales, targeted advertising and profiling that may have a legal or other significant impact. Companies would have to support universal opt-out mechanisms.
Controllers must limit “collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” Companies should “[r]efrain from processing sensitive data” without opt-in consent, it says. Sensitive data under HB-78 would include categories common to state privacy laws: (1) racial or ethnic origin; (2) religious beliefs; (3) mental or physical health condition or diagnosis; (4) sex life or sexual orientation; (5) citizenship or immigration status; (6) genetic or biometric data; (7) children's data; and (8) precise geolocation data.
A consumer privacy advocate panned the Pennsylvania bill. "This bill is another example of industry-friendly legislation that blesses the current, confusing data practices of internet companies," said Eric Null, a co-director at the Center for Democracy and Technology. "While it includes many provisions we like to see in privacy bills like user rights, the allowance of authorized agents for exercising those rights, and a fairly broad definition of sensitive data, the weak data minimization protections coupled with extremely broad exemptions" like the entity-level carveout for any financial institution subject to GLBA "means this bill would provide few real privacy protections to the people of Pennsylvania."