The State of Consumer Data Privacy Laws

By Jenna Anderson, Staff Writer


Nearly every business interaction includes an additional form of currency—information. Whether purchasing an item, completing an online application, or using a smart device, consumers share their information directly with companies every day. While it seems obvious that some personal information is shared in the course of transactions and services (one’s average heart rate in a fitness app, or a previous order recommended on a food delivery site, etc.), the “information economy” rarely stops there.

Companies ranging from Facebook to a local coffee shop can store, study, and sell consumers’ information to others, and regularly do. More troubling, they are not required to disclose to whom they sell consumer data, nor to notify consumers if a data breach occurs.[1] That is because federal data privacy laws are a patchwork of regulations that apply only to certain companies or protect only a small subset of consumers.

Most federal regulations protect only a certain class of consumer. For example, HIPAA prevents covered health entities from sharing sensitive patient health information without consent, but it does not prevent a health and fitness tracking app from selling your information to pharmaceutical or insurance companies.[2] Similarly, COPPA, DPPA and FERPA only protect the data of children under 13 years old, Department of Motor Vehicles applicants, and college students, respectively. More universal laws like the Electronic Communications Privacy Act (“ECPA”) and the Gramm-Leach-Bliley Act (“GLBA”) are inadequate in light of the growing information economy.[3]

The ECPA was written in 1986, long before website cookies, location-tracking metadata and cloud storage services were a source of profit and risk. Further, the ECPA allows the government to use electronic data against individuals in court, even if it is obtained illegally.[4] The GLBA requires financial institutions to post a privacy notice and, if they want to share consumers’ information with a non-affiliated third party, to provide consumers a chance to opt out.

In the European Union, data privacy protections are more robust. The EU adopted the General Data Protection Regulation (“GDPR”), a key piece of legislation that regulates the collection and management of personal data, in 2018.[5] The GDPR creates distinct duties for data “controllers” and data “processors”. Data controllers are the entities that collect or possess data, while processors are third parties engaged by the controller to process data.[6] The regulation applies to any entity that touches the personal data of EU citizens and residents. Beyond personal data (name, location, and other information collected or provided by consumers), the GDPR also protects sensitive personal data, personally identifiable information and pseudonymized data.[7]

In the absence of a comprehensive federal privacy law in the U.S., some states have advanced data privacy legislation themselves. California was the first state to enact comprehensive data privacy legislation through the California Consumer Privacy Act (“CCPA”), which took effect in 2020. The CCPA does not use the broad categories of the GDPR, but applies to California “businesses” and “service providers”. Consumers have the right to access, delete, and transfer their personal data, and the option to opt out of personal data sharing. Entities may not treat individuals under sixteen as having opted in to information sharing by default. The act also provides for a limited private right of action.[8]

In Pennsylvania, a proposal to codify data privacy protections has taken the form of the Consumer Data Privacy Act (“the Act”). The Act was first introduced in 2019.[9] There are several key differences between the Act and the CCPA. Unlike the California law, the Act uses the GDPR categories of data “controllers” and “processors”. Sensitive data, such as racial/ethnic origin, religious beliefs, and sexual orientation, cannot be controlled or processed without consent. Further, the Act does not allow for a private cause of action but vests enforcement authority in the State Attorney General.[10]

In previous legislative sessions, the Act was referred to the Consumer Affairs Committee, where it languished without a vote.[11] In the current 2023-2024 legislative session, the bill was re-introduced as HB 1201, and it has progressed further than ever before.[12] This year, after Pennsylvania Democrats regained control of the state house, it was referred to the Commerce Committee. Rep. John T. Galloway (D-140), a longtime supporter of the Act, is the Majority Chair of the Commerce Committee.

In September, the Committee held a meeting about the Act.[13] Representatives from tech companies and trade groups testified, generally in support. A representative from Microsoft said the company supports HB 1201 because it places obligations on companies to be better stewards of consumer data and puts sole authority to enforce the law in the hands of the attorney general.[14] However, the meeting will not be the last time HB 1201 is considered at length, as Galloway said the committee may need to revisit exemptions in greater detail through additional meetings or a working group.[15]

A lobbyist from the Retailers Association noted that the exemption threshold for small businesses that process fewer than 50,000 transactions should be raised, or else compliance would be too onerous for small businesses. The Pennsylvania Insurance Federation was also represented, and raised concerns that the authority granted to the attorney general was redundant given that the state insurance commissioner is presently responsible for safeguarding consumer privacy in the insurance sector. In response, Rep. Galloway said, “Seems like we need a whole ’nother (sic) hearing just on people who want to be or make a case for an exemption.”[16]

[6] Id.
