What Online Privacy Laws May a Business in Pennsylvania Be Subject To?

This article was originally published in the February 2022 issue of Butler County Business Matters.

Consumer data privacy laws in Pennsylvania and the United States as a whole serve important purposes in protecting consumers from unwarranted access to their information. Businesses in Pennsylvania must work diligently to comply with the ever-changing landscape of these laws to ensure compliance and avoid liability for data breaches.

Consumer data privacy in the United States is governed by a myriad of state and federal regulations that control particular areas of data. For example, the Federal Trade Commission Act regulates unfair and deceptive commercial practices and requires companies to comply with their own posted privacy policies and provide adequate protection for personal information.  

Other laws which may apply to business owners in Pennsylvania include the Electronic Communications Privacy Act, the Children’s Online Privacy Protection Act, and the Financial Services Protection Act, each containing its own set of requirements and guidelines.

What kind of information is protected by these privacy laws?

Internet privacy laws primarily seek to protect the personal information of consumers. This personal information, in its broadest definition, includes any information that can be used to identify, locate, or contact an individual. Practically speaking, this includes information such as a consumer’s name, email address, physical address, IP address, bank account or credit card numbers, and social security number.  

Any piece of information that, alone or combined with other pieces of information, can be used to identify an individual consumer is generally considered personal information under applicable privacy laws.  

What does compliance look like?

In addition to complying with any particularities contained in specific privacy laws, businesses that operate a website or collect consumer information of any type should have in place certain safeguards and internal procedures aimed at protecting personal information in order to help mitigate cybersecurity threats.  

While businesses should use hard safeguards such as anti-virus software, virtual private networks (VPN), and encryption to protect consumer personal information, organizations should also develop an online “threat playbook” to provide best practices to protect against cybersecurity threats. These best practices should provide employees with a course of action to follow for safe internet usage and inform them of their responsibility to maintain the utmost privacy for any consumer information in the company’s possession.  

The safest option for any business owner when it comes to online data protection is to comply with the European Union’s General Data Protection Regulation (GDPR). The GDPR provides extensive guidance concerning the contents of privacy policies and the use and processing of personal information.  

As a practical note, compliance with the GDPR may even be a contractual requirement in certain industries, such as consulting and technology. Creating a GDPR compliant privacy policy not only helps to protect personal information but also makes good business sense.  

Furthermore, while the GDPR is a European Union regulation, compliance with the same is nonetheless required for Pennsylvania business websites targeted towards or regularly accessed by individuals within the European Union. Under these circumstances, failure to comply with GDPR rules and regulations concerning the protection, collection, and processing of personal information may come with steep penalties. 

Does Pennsylvania have its own privacy laws?

Currently, Pennsylvania has two primary consumer privacy laws: the Breach of Personal Information Notification Act and the Social Security Number Privacy Act. One additional law, currently in committee and known as House Bill 1049, would regulate consumer data privacy, the rights of consumers, and the duties of businesses relating to the collection of personal information.  

The Breach of Personal Information Notification Act requires businesses and third-party providers to notify users when any consumer personal information is accessed or acquired by an unauthorized party such as a hacker.  

The Social Security Number Privacy Act was enacted in 2006 to permit Pennsylvania consumers to provide an alternative to their social security number in a variety of situations, so that social security numbers are better protected from unauthorized access. Similar to the federal regulations mentioned above, these laws seek to protect consumer personal information, and businesses should take the steps outlined in this article in order to prevent any potential cybersecurity breaches.

Additionally, House Bill 1049, should it be passed, would impose substantially more obligations on businesses concerning the protection and collection of personal information. If passed, it is likely most Pennsylvania businesses will need to revamp their online privacy and collection practices or they will face penalties, fines, and civil liability.

Pittsburgh Law Firm For Privacy and Data Security Services

It is crucial for any company doing business in Pennsylvania to carefully scrutinize its data collection, retention, and dissemination practices to ensure compliance with consumer data privacy laws. The attorneys at The Lynch Law Group assist businesses in a variety of industries in navigating the complex legal framework surrounding the protection of confidential information. We can help you assess your company’s cyber risks and develop a comprehensive and legally compliant information security program.

Contact Jacob R. Penn, attorney in The Lynch Law Group’s Corporate practice at 724.776.8000, or by email at jpenn@lynchlaw-group.com.