HARRISBURG — A proposed Pennsylvania law would afford greater control to state residents to access personal data harvested by businesses online, review the information, request to have it deleted, and opt out of further collection.
House Bill 2202, the Consumer Data Privacy Act, would apply to large data collection firms — those generating revenue of at least $20 million annually, or that trade in the personal data of at least 100,000 consumers, or generate at least half of annual revenue from consumer data sales.
Affiliate firms of such companies would also be subject to regulation under the proposal, which was introduced in December by state Rep. Robert Mercuri, R-Allegheny County.
The bill was the topic of a public hearing Wednesday before the Pennsylvania House Consumer Affairs Committee. At the hearing, Mercuri called consumer data “the new oil in our economy.”
“It’s being extracted for its value and it’s being sold to advertisers at large benefit of big technology companies,” Mercuri said during hearing testimony.
Ryan Harkins, senior director of public policy at Microsoft, testified that the tech giant supports the measure in lieu of a comprehensive federal privacy law. Such laws as proposed by Mercuri are “critical” for the long-term health and interests of all involved: the tech industry, the public, and the online ecosystem.
“The bill’s language is strong. We encourage you to avoid any efforts others may push to narrow those important rights,” Harkins said during hearing testimony.
Mercuri’s memo on the bill cites personal information like names and addresses, geolocation from digital devices, Social Security and driver’s license numbers, and biometric information like fingerprints and retina scans.
Personal data wouldn’t include that which is lawfully available from public records or is collected in the aggregate and isn’t identifiable.
The Office of Attorney General would be charged with enforcing the proposed law, which calls for civil penalties of up to $2,500 for each unintentional violation and $7,500 for each intentional violation.
The bill’s proposed restrictions on data collection wouldn’t apply when “every aspect of that commercial conduct” occurs outside Pennsylvania — the business operates fully out of state, the data sale occurred beyond Pennsylvania’s borders and none of the information harvested was collected while the consumer was in the state.
There are exceptions, too, for litigation and criminal investigations, preventing fraud or harassment, and simply when a consumer requests a product or service, including loyalty or rewards programs.
The proposal doesn’t come without expressed concerns.
The Pennsylvania Retailers’ Association said in written testimony that language seeking to prevent discrimination against those who opt out of data collection could prevent benefits through loyalty and rewards programs.
The Coalition for Genetic Data Protection called for amendments to separately regulate biometric data and genetic data, saying the former can be used to immediately identify an individual.
The Pennsylvania Chamber of Business and Industry expressed support for uniform federal regulations and said that patchwork privacy laws at the state level risk added costs to out-of-state employers of up to $112 billion annually, including $20 billion to $23 billion on small businesses.
Quest Diagnostics, a clinical laboratory; the Pennsylvania Bankers Association; and The Insurance Federation of Pennsylvania each requested exemptions for entities already subject to varied federal privacy rules.
Insurance companies use consumer data to underwrite and rate risk, pay claims and serve policyholders, Jonathan Greer, president, Insurance Federation of PA, said during hearing testimony. He added that exemptions should be considered for nonprofit entities.
“We’re not selling and monetizing personal information. That’s not what we do. That’s not our intent,” Greer said.