State Law Practice Note

Pennsylvania Consumer Privacy Law

Pennsylvania has no comprehensive consumer-privacy statute. The operative state law is the Breach of Personal Information Notification Act (73 P.S. §§ 2301 et seq.), enforced exclusively by the Attorney General under the Unfair Trade Practices and Consumer Protection Law; the rest of a Pennsylvania privacy program rides the federal and sectoral overlay (FTC Act § 5, GLBA, HIPAA, COPPA).

Editor: OpenAgreements editor
License: CC BY 4.0

Which privacy laws apply to your business in Pennsylvania?

There is no comprehensive Pennsylvania consumer-privacy law. The operative state statute is the Breach of Personal Information Notification Act, which applies to any entity — defined as a State agency, a political subdivision, or an individual or a business doing business in the Commonwealth — that maintains, stores, or manages computerized personal information of Pennsylvania residents. It carries no revenue or consumer-volume threshold, and it governs breach response rather than day-to-day data handling.

Unlike California, Virginia, or Colorado, Pennsylvania has not enacted an omnibus privacy statute, so its residents do not have general rights to access, delete, correct, or opt out of the sale of their personal data under state law, and businesses are not subject to state notice-at-collection, consent, or data-protection-assessment duties. What fills the gap is a layered framework: the Breach Act sets the one statewide data-security duty, and the rest of a Pennsylvania privacy program rides a federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; the Children's Online Privacy Protection Act governs services directed to children under 13; and CAN-SPAM and the TCPA govern email and SMS marketing. Pennsylvania's own Wiretapping and Electronic Surveillance Control Act (WESCA) — an all-party-consent wiretap statute — sits alongside the Breach Act as state law and has become the main engine of website session-replay and tracking-pixel litigation against businesses, a point developed in the consumer-lawsuit prong below. None of those federal regimes is a Pennsylvania statute, but together with WESCA and the Breach Act they are what actually shapes a compliant Pennsylvania-facing program today. This note is written to stay durable: if Pennsylvania later enacts a comprehensive law, the program built to this overlay upgrades rather than restarts.

Sources for this answer

Primary law

A.1 73 P.S. § 2302

The Breach Act applies to any entity — a State agency, a political subdivision, or an individual or business doing business in Pennsylvania.

“Entity.” A State agency, a political subdivision of the Commonwealth or an individual or a business doing business in this Commonwealth.

See 73 P.S. § 2302.

Primary law

A.2 73 P.S. § 2329

The Breach Act applies to the determination or notification of a breach occurring on or after its effective date — it is a breach-response statute, not a general data-handling regime.

This act shall apply to the determination or notification of a breach of the security of the system that occurs on or after the effective date of this section.

See 73 P.S. § 2329.

What must your Pennsylvania privacy policy contain?

No Pennsylvania statute requires a general consumer privacy policy or fixes what it must say. For most businesses, the privacy policy is governed not by a state checklist but by the rule that whatever you publish has to be true: under Section 5 of the FTC Act and Pennsylvania's Unfair Trade Practices and Consumer Protection Law, a policy that misstates how you collect, use, share, retain, or secure data is a deceptive practice. Where a sectoral regime applies, that regime supplies the contents instead — a HIPAA covered entity, for example, must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties.

In practice this means the drafting question in Pennsylvania is less "what must be included" and more "does the policy match actual practice." Build the policy from the federal and sectoral overlay: the GLBA privacy-notice rules if you are a financial institution, the HIPAA Notice of Privacy Practices if you are a covered entity or business associate, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. There is no Pennsylvania-mandated source to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.

Sources for this answer

Primary law

B.1 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

B.2 HIPAA Notice of Privacy Practices

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520.

What must your contracts with vendors say?

Pennsylvania has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. Vendor data terms are instead driven by the sectoral regimes that apply to your business and by contract best practice.

Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract and to require them to implement appropriate safeguards; HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before sharing protected health information. Outside those verticals, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Pennsylvania statute compels them. The Breach Act touches vendors only narrowly: a vendor that holds data on another entity's behalf must notify that entity after discovering a breach, leaving the entity responsible for notifying residents. That is a breach-response duty, not a general DPA mandate, so there is no Pennsylvania source to cite for omnibus vendor terms.

Sources for this answer

Primary law

C.1 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4.

Primary law

C.2 HIPAA Business Associate Contracts

HIPAA requires a written business-associate contract that establishes the permitted uses and disclosures of protected health information and binds the business associate to safeguard it.

A contract between the covered entity and a business associate must

See 45 C.F.R. § 164.504.

When must you notify people of a data breach in Pennsylvania?

An entity that maintains, stores, or manages computerized personal information must notify any Pennsylvania resident whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person. The notice must be made without unreasonable delay. A reportable breach is the unauthorized access and acquisition of computerized data that materially compromises personal information and causes, or is reasonably believed to cause, loss or injury to a resident. When notice goes to more than 500 persons at one time, the entity must also notify the nationwide consumer reporting agencies without unreasonable delay.

This is the one prong where Pennsylvania imposes a hard, statutory clock, so it is the center of any Pennsylvania incident-response plan. Personal information under the Act is a resident's name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, financial-account or card number with its access code, certain medical or health-insurance information, or online-account credentials. Encryption and redaction are safe harbors — a breach of properly encrypted data generally does not trigger notice unless the key was also compromised. Public entities face fixed, shorter clocks the Act spells out separately (State agencies and certain local entities measured in business days), and the Attorney General must be notified concurrently once a breach reaches more than 500 Pennsylvania residents. An entity that follows its own breach-notification procedures under an information privacy or security policy consistent with the Act is deemed compliant, and a financial institution that meets the federal interagency notice guidance is likewise deemed compliant.

Sources for this answer

Primary law

D.1 73 P.S. § 2303

An entity holding computerized personal information must notify any Pennsylvania resident whose unencrypted, unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person, without unreasonable delay.

An entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following determination of the breach of the security of the system to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.

See 73 P.S. § 2303(a).

Primary law

D.2 73 P.S. § 2302

A breach of the security of the system is the unauthorized access and acquisition of computerized data that materially compromises personal information and causes, or is reasonably believed to cause, loss or injury to a Pennsylvania resident.

The unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth.

See 73 P.S. § 2302.

Primary law

D.3 73 P.S. § 2305

When an entity notifies more than 500 persons at one time, it must also notify the nationwide consumer reporting agencies, without unreasonable delay, of the timing, distribution, and number of notices.

When an entity provides notification under this act to more than 500 persons at one time, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in section 603 of the Fair Credit Reporting Act (Public Law 91-508, 15 U.S.C. § 1681a), of the timing, distribution and number of notices.

See 73 P.S. § 2305.

Can a consumer sue your business in Pennsylvania over privacy?

Not under the Breach Act. A violation of the Act is deemed an unfair or deceptive practice under the Unfair Trade Practices and Consumer Protection Law, and the Office of Attorney General has exclusive authority to bring that action — so the Breach Act gives consumers no private right of action. Other Pennsylvania law is a different story. The Wiretapping and Electronic Surveillance Control Act (WESCA) makes it a third-degree felony to intentionally intercept any wire, electronic, or oral communication without all parties' consent, and it gives any person whose communication is intercepted a private civil cause of action — with liquidated and punitive damages and fees. The Third Circuit held in Popa v. Harriet Carter Gifts that this framework reaches ordinary website tracking, so third-party session-replay or pixel code can be an unlawful interception unless the visitor consented.

Enforcement of Pennsylvania's one statewide data-security duty is therefore a public matter: the Attorney General, through the Bureau of Consumer Protection, brings UTPCPL actions for failures to notify or to secure data, seeking injunctions, restitution, and civil penalties. That does not mean a Pennsylvania business faces no litigation exposure — it means the exposure comes from other doors. Plaintiffs routinely plead common-law theories such as negligence and breach of implied contract after a breach, though those face steep standing hurdles absent actual misuse of the data. The fastest-growing exposure is WESCA: after Popa, plaintiffs' firms have filed waves of class actions treating third-party session-replay, chat, and advertising-pixel code as an unlawful two-party-consent interception, and the practical defense is to obtain the visitor's consent to that tracking before it runs. The durable takeaway: the Breach Act itself is AG-enforced only, but a Pennsylvania privacy program still has to manage real private-suit exposure under the wiretap law.

Sources for this answer

Primary law

E.1 73 P.S. § 2308

A violation of the Breach Act is deemed an unfair or deceptive act or practice under the Unfair Trade Practices and Consumer Protection Law.

A violation of this act shall be deemed to be an unfair or deceptive act or practice in violation of the act of December 17, 1968 (P.L. 1224, No. 387),

See 73 P.S. § 2308.

Primary law

E.2 73 P.S. § 2308

The Office of Attorney General has exclusive authority to bring a UTPCPL action for a Breach Act violation, so there is no private right of action under the Act.

The Office of Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this act.

See 73 P.S. § 2308.

Primary law

E.3 18 Pa.C.S. § 5703

Pennsylvania's Wiretapping and Electronic Surveillance Control Act makes it a third-degree felony to intentionally intercept, or procure another to intercept, any wire, electronic, or oral communication, subject to the chapter's exceptions.

Except as otherwise provided in this chapter, a person is guilty of a felony of the third degree if he: (1) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, electronic or oral communication;

See 18 Pa.C.S. § 5703.

Primary law

E.4 18 Pa.C.S. § 5725

Any person whose communication is intercepted, disclosed, or used in violation of WESCA has a private civil cause of action against the violator and may recover actual or liquidated damages, punitive damages, and reasonable attorney's fees.

Any person whose wire, electronic or oral communication is intercepted, disclosed or used in violation of this chapter shall have a civil cause of action against any person who intercepts, discloses or uses or procures any other person to intercept, disclose or use, such communication;

See 18 Pa.C.S. § 5725(a).

Case law

E.5 Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121 (3d Cir. 2022)

The Third Circuit held that WESCA reaches everyday website tracking — a third party's interception of a visitor's browser communications can violate the Act unless the visitor consented — reviving a session-replay wiretap claim.

Thus if someone consents to the interception of her communications with a website, the WESCA does not impose liability.

See Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121 (3d Cir. 2022).