Pennsylvania Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Pennsylvania's approach to data privacy relies on a patchwork of targeted statutes rather than a single comprehensive framework. The state has strong breach notification requirements, strict wiretapping protections, and sector-specific privacy rules, but it has not yet enacted an omnibus consumer data privacy law comparable to those in California, Virginia, or Colorado.
This guide covers every major Pennsylvania data privacy statute currently in effect, the pending Consumer Data Privacy Act, federal protections that fill existing gaps, and what businesses and residents need to know about their rights and obligations in 2026.
Pennsylvania's Data Privacy Framework: An Overview
Unlike the 20 states that have enacted comprehensive consumer data privacy legislation as of early 2026, Pennsylvania continues to govern data privacy through a collection of individual laws targeting specific areas of concern.

The most significant Pennsylvania data privacy statutes include the Breach of Personal Information Notification Act for data breaches, the Wiretapping and Electronic Surveillance Control Act for communications privacy, the Insurance Data Security Act for the insurance sector, and the Unfair Trade Practices and Consumer Protection Law as a general enforcement mechanism.
This patchwork means that Pennsylvania residents have fewer explicit data rights than residents of states with comprehensive privacy laws. However, pending legislation could change that picture significantly.
Breach of Personal Information Notification Act (BPINA)
The Breach of Personal Information Notification Act, codified at 73 P.S. 2301-2329, is Pennsylvania's primary data breach law. Originally enacted in 2005 as Act 94, it was amended by Act 151 of 2022 (effective May 2, 2023) and then significantly strengthened by Act 33 of 2024, signed by Governor Josh Shapiro on June 28, 2024, with those amendments taking effect on September 26, 2024.
Who Must Comply
BPINA applies to any entity that maintains, stores, or manages computerized data that includes personal information of Pennsylvania residents. This includes businesses, government agencies, nonprofit organizations, healthcare providers, educational institutions, and any vendor or service provider that handles personal data on behalf of another entity.
There are no minimum size thresholds. A sole proprietor storing one Pennsylvania resident's Social Security number in a spreadsheet is subject to the same notification obligations as a Fortune 500 company.
Definition of Personal Information
Under 73 P.S. 2302, personal information means an individual's first name or first initial and last name in combination with, and linked to, any one or more of the following data elements, when the data elements are not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the account
- Medical information (any individually identifiable information in a current or historical record of medical history, treatment, or diagnosis created by a healthcare professional)
- Health insurance information (a policy number or subscriber identification number in combination with an access code or other information permitting misuse of the individual's health insurance benefits)
Separately, a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account is personal information on its own, even without the individual's name. Publicly available information lawfully made available to the general public from federal, state, or local government records is excluded.
The original 2005 definition covered only the first three data elements. Medical information, health insurance information, and the online-account category were added by Act 151 of 2022.
Notification Requirements
When an entity determines that a breach of the security of the system has occurred, it must provide notice to affected Pennsylvania residents without unreasonable delay.
The law establishes specific timelines for government entities. State agencies must provide notice within seven business days following their determination that a breach occurred. Counties, school districts, and municipalities must also notify affected individuals within seven business days.
For private entities, the standard is notification without unreasonable delay, taking into account the legitimate needs of law enforcement and the time required to determine the scope of the breach and restore system integrity.
Attorney General Notification
Act 33 of 2024 introduced a new requirement for notification to the Attorney General. When a breach affects more than 500 individuals in Pennsylvania, the entity must notify the Office of Attorney General concurrently with notifying the affected individuals. The notification to the AG must include the estimated total number of affected Pennsylvania residents.
Credit Monitoring Obligations
One of the most impactful changes from Act 33 is the mandatory credit monitoring requirement. If a breach involves an individual's Social Security number, driver's license number, state identification card number, or bank account number, the breached entity must provide affected individuals with access to an independent credit report and 12 months of credit monitoring services at no cost.
This requirement is keyed to the consumer reporting agency notice in 73 P.S. 2305: when an entity sends breach notices to more than 1,000 persons at one time, it must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and number of notices. It is in that situation, where the compromised elements include a Social Security number, driver's license or state identification number, or bank account number, that the credit monitoring duty attaches.
Encryption Safe Harbor
BPINA provides an important safe harbor for encrypted data. The notification requirements do not apply to information that is encrypted or redacted, as long as the encryption key itself was not also accessed or acquired during the breach.
However, this safe harbor has limits. If the encrypted information was accessed and acquired in an unencrypted form, if the breach is linked to a compromise of the encryption system itself, or if the breach involves someone who had authorized access to the encryption key, notification is still required.
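The practical consequence of the safe harbor is architectural: the key must not be stored where a dump of the data would carry it along. The following Go program is an added illustration, not code from the original page or from any Pennsylvania agency, of one common pattern for that, envelope encryption. Each record's sensitive field is encrypted under a per-record data-encryption key (DEK), the DEK is stored only in wrapped form under a key-encryption key (KEK), and the KEK is assumed to live in a separate key-management system. The record layout, the constructed "Jane Doe" sample, and the field names are assumptions for the example; the cryptography is the Go standard library's AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is the row as it sits in the application database (assumed layout).
// The name is stored in the clear: the statute protects a name in combination
// with a data element, so the element itself is what must stay unreadable.
type Record struct {
	Name       string
	SealedSSN  []byte // nonce || AES-256-GCM ciphertext of the SSN under the per-record DEK
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK under the KEK
}

// NewKey returns a fresh 256-bit key from the operating system CSPRNG.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts plaintext with AES-256-GCM under key and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. GCM authentication fails, returning an error, under the
// wrong key or on any modification of the sealed bytes.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptRecord generates a per-record DEK, encrypts the SSN under it, wraps the
// DEK under the KEK, and lets the plaintext DEK go out of scope.
func EncryptRecord(kek []byte, name, ssn string) (Record, error) {
	dek, err := NewKey()
	if err != nil {
		return Record{}, err
	}
	sealedSSN, err := seal(dek, []byte(ssn))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Name: name, SealedSSN: sealedSSN, WrappedDEK: wrapped}, nil
}

// DecryptRecord is the only path back to the SSN, and it needs the KEK: a copy
// of the database alone, with or without a guessed key, yields nothing.
func DecryptRecord(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	ssn, err := open(dek, r.SealedSSN)
	if err != nil {
		return "", fmt.Errorf("open SSN: %w", err)
	}
	return string(ssn), nil
}

func main() {
	kek, _ := NewKey() // in production this lives in an HSM or KMS, never beside the data
	rec, err := EncryptRecord(kek, "Jane Doe", "123-45-6789") // constructed sample record
	if err != nil {
		panic(err)
	}
	wrong, _ := NewKey()
	_, err = DecryptRecord(wrong, rec) // scenario 1: database dump stolen, KMS intact
	fmt.Println("dump only:", err)
	ssn, _ := DecryptRecord(kek, rec) // scenario 2: attacker also holds the KEK
	fmt.Println("dump + KEK:", ssn)
}
```

Scenario 2 is the case the statute carves out of the safe harbor: once the KEK is acquired alongside the data, or the person behind the breach already had authorized access to it, the data is effectively unencrypted and notification is required. An incident review therefore has to establish not just what tables were exfiltrated but whether the key-management boundary held.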
Substitute Notice
If the cost of providing individual notice exceeds $100,000, if the affected class exceeds 175,000 individuals, or if the entity does not have sufficient contact information, the entity may provide substitute notice. Substitute notice consists of email notice when an email address is available, conspicuous posting on the entity's website, and notification to major statewide media.
Vendor Obligations
Vendors that maintain, store, or manage computerized data on behalf of another entity must notify the data owner of any breach as soon as they discover it. The responsibility for notifying affected individuals then falls on the entity that owns the data, not the vendor.
Wiretapping and Electronic Surveillance Control Act
Pennsylvania's Wiretapping and Electronic Surveillance Control Act, codified at 18 Pa.C.S. Chapter 57, is one of the strictest communications privacy laws in the United States. Pennsylvania is an all-party consent state, meaning that every participant in a conversation must consent before it can be legally recorded.
The General Prohibition
Under 18 Pa.C.S. 5703, it is a criminal offense to intentionally intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept any wire, electronic, or oral communication. It is equally unlawful to intentionally disclose or use the contents of any communication obtained through illegal interception.
Penalties for Violations
Violating Section 5703 is a felony of the third degree under Pennsylvania law. A felony of the third degree carries a potential sentence of up to seven years in prison and fines of up to $15,000.
Beyond criminal penalties, Pennsylvania law also provides a civil cause of action. Any person whose wire, electronic, or oral communication is intercepted, disclosed, or used in violation of the Act may recover actual damages (but not less than liquidated damages computed at $100 per day for each day of violation or $1,000, whichever is greater), punitive damages, and reasonable attorney's fees and litigation costs.
Key Exceptions
Section 5704 provides several exceptions to the general prohibition on interception:
All-party consent. A person may intercept a wire, electronic, or oral communication when all parties to the communication have given prior consent.
Law enforcement. Law enforcement officers may intercept communications with proper court authorization.
Emergency situations. Certain emergency interceptions are permitted when there is an immediate danger of death or serious physical injury.
Business telephone extensions. The use of a telephone extension in the ordinary course of business is not prohibited.
The all-party consent requirement means that in Pennsylvania, recording a phone call, in-person conversation, or video meeting without the knowledge and agreement of every participant is a serious criminal offense. One qualification: under the definitions in 18 Pa.C.S. 5702, an "oral communication" is one uttered by a person who expects it not to be intercepted, under circumstances justifying that expectation, so the statute's protection for in-person speech turns on whether the speaker had a reasonable expectation of privacy in the setting.
Insurance Data Security Act (Act 2 of 2023)
The Insurance Data Security Act, codified at 40 Pa.C.S. Chapter 45, took effect on December 11, 2023. This law, based on the model legislation developed by the National Association of Insurance Commissioners (NAIC), establishes cybersecurity and data protection requirements specifically for insurance licensees operating in Pennsylvania.
Requirements
The Act requires insurance licensees to:
- Develop and implement a comprehensive written information security program
- Conduct regular risk assessments to identify and mitigate threats to nonpublic information
- Establish corporate oversight of their information security programs
- Investigate cybersecurity events promptly
- Notify the Insurance Commissioner of cybersecurity events
Implementation Timeline
The law established a phased compliance timeline:
- By December 11, 2024, licensees must have implemented risk assessment, information security program, and corporate oversight requirements
- By December 11, 2025, licensees must have oversight controls for third-party service providers handling nonpublic information
- By April 15, 2026, each insurer domiciled in Pennsylvania must annually certify compliance to the Insurance Commissioner
Exemptions
Entities subject to the Insurance Data Security Act are exempt from the BPINA notification requirements to the Attorney General, though they remain subject to the insurance-specific notification provisions.
Unfair Trade Practices and Consumer Protection Law (UTPCPL)
The Unfair Trade Practices and Consumer Protection Law, codified at 73 P.S. 201-1 et seq., serves as an important enforcement backstop for data privacy in Pennsylvania. Under 73 P.S. 2308, a violation of BPINA is deemed an unfair or deceptive act or practice under the UTPCPL, and the Attorney General has exclusive authority to bring an action for it; BPINA itself creates no private right of action for affected individuals.
Enforcement Powers
The Attorney General and district attorneys can bring enforcement actions under the UTPCPL. Available remedies include:
- Injunctive relief to stop ongoing violations
- Restitution to affected consumers
- Civil penalties of up to $1,000 per willful violation
- Enhanced civil penalties of up to $3,000 per violation when the victim is 60 years of age or older
- Recovery of investigative costs and attorney's fees
The Bureau of Consumer Protection within the Attorney General's office handles complaints and investigations related to data privacy violations.
Assurance of Voluntary Compliance
Before pursuing formal legal action, the Attorney General may accept an assurance of voluntary compliance from a company. These agreements can include stipulations for voluntary restitution to consumers and specific remedial actions the company must take.
Employee Privacy Protections
Pennsylvania provides several privacy protections in the employment context, though these are generally more limited than those found in states with comprehensive privacy legislation.
Drug Testing
Pennsylvania does not have a general statute governing private-sector drug testing. However, public sector employers operate under restrictions. The Commonwealth may conduct pre-employment drug and alcohol testing for certain positions, but other testing requires legal justification, union negotiation where applicable, and demonstrated need.
Employers are prohibited from releasing drug test results to anyone other than those specified in applicable regulations, unless required by law or court order.
Social Media Privacy
Pennsylvania does not currently have a law prohibiting employers from requesting access to employees' or applicants' social media accounts. Several bills have been introduced in past legislative sessions to address this gap, but none have been enacted.
Background Checks
The Pennsylvania Criminal History Record Information Act (18 Pa.C.S. Chapter 91) governs the use of criminal background checks in employment decisions and includes privacy protections for the dissemination and use of criminal history records.
Pennsylvania HB 78: The Pending Consumer Data Privacy Act
The most significant pending data privacy legislation in Pennsylvania is House Bill 78, the Consumer Data Privacy Act. Introduced by Representative Ed Neilson in the 2025-2026 legislative session, HB 78 would establish Pennsylvania's first comprehensive consumer data privacy framework.
Current Status
HB 78 passed the Pennsylvania House of Representatives on October 1, 2025, by a vote of 127 to 76. As of March 2026, the bill has been referred to the Senate Communications and Technology Committee after being reported as committed by the Senate Consumer Protection and Professional Licensure Committee on February 4, 2026.
The bill has not yet been signed into law. If enacted, its provisions would take effect on January 1, 2027.
Consumer Rights Under HB 78
If enacted, HB 78 would grant Pennsylvania consumers significant rights over their personal data:
Right to access. Consumers could confirm whether a business processes their personal data and request access to that data.
Right to correct. Consumers could request correction of inaccurate personal data.
Right to delete. Consumers could request deletion of personal data a business holds about them.
Right to data portability. Consumers could obtain a copy of their personal data in a portable, readily usable format.
Right to opt out. Consumers could opt out of targeted advertising, the sale of personal data, and certain types of profiling.
The bill would also require opt-in consent before processing sensitive information such as health data, biometric data, or precise geolocation data, with enhanced protections for minors.
Who Would Be Subject to HB 78
The bill would apply to for-profit businesses that determine the purpose and means of processing personal data and meet at least one of the following thresholds:
- Generate more than $10 million in annual gross revenue
- Annually buy, receive, sell, or share the personal information of at least 50,000 consumers, households, or devices
- Derive at least 50 percent of annual revenues from selling consumers' personal information
Exemptions
HB 78 would exempt financial institutions governed by the Gramm-Leach-Bliley Act, entities covered by HIPAA, and government entities.
Enforcement
The Pennsylvania Attorney General would have exclusive enforcement authority. There would be no private right of action. The bill includes a 60-day cure period during which businesses could address alleged violations before enforcement actions proceed.
Businesses would be required to respond to consumer requests within 45 days and provide a clear appeals process for denied requests.
Business Obligations
Controllers under HB 78 would need to:
- Maintain transparent privacy notices and policies
- Limit data collection to what is necessary for disclosed purposes
- Conduct risk-based data protection assessments
- Maintain reasonable and appropriate technical and organizational security measures
- Enter into data processing agreements with processors that outline and limit data handling
Federal Privacy Laws Covering Pennsylvania Residents
In the absence of a comprehensive state privacy law, several federal statutes provide important data privacy protections for Pennsylvania residents.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy and security of individually identifiable health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. The Pennsylvania Department of Health and Department of Human Services actively implement HIPAA standards.
HIPAA limits the use and disclosure of protected health information (PHI) without the individual's authorization and gives individuals rights to access, amend, and receive an accounting of disclosures of their health records.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and safeguard sensitive customer financial data. This includes banks, credit unions, securities firms, and insurance companies operating in Pennsylvania.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records at schools that receive funding from the U.S. Department of Education. Pennsylvania's public schools and most colleges and universities are subject to FERPA requirements.
The Pennsylvania Public School Code at 24 P.S. Section 1409 adds a state-level layer by requiring that student health records maintained by schools be kept confidential, with contents divulged only when necessary for the health of the child or at a parent's request.
Children's Online Privacy Protection Act (COPPA)
COPPA requires websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children. This federal law applies equally to all businesses operating in or targeting Pennsylvania residents.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. It gives Pennsylvania residents the right to access their credit reports, dispute inaccurate information, and limit certain uses of their credit data.
Data Privacy Penalty Comparison Table
| Law | Statute | Scope | Key Penalty | Enforced By |
|---|---|---|---|---|
| BPINA | 73 P.S. 2301-2329 | All entities holding computerized personal information of PA residents | Up to $1,000 per willful violation, $3,000 if victim is 60 or older (UTPCPL) | Attorney General (exclusive) |
| Wiretap Act | 18 Pa.C.S. Ch. 57 | All persons | Felony 3rd degree (up to 7 years, $15,000); civil damages | District Attorneys, AG; civil action by the victim |
| Insurance Data Security | 40 Pa.C.S. Ch. 45 | Insurance licensees | Regulatory sanctions | Insurance Commissioner |
| UTPCPL | 73 P.S. 201-1 et seq. | Trade and commerce | $1,000-$3,000 per violation | Attorney General, DAs |
| HB 78 (Pending) | Not yet enacted | For-profit businesses above thresholds | AG enforcement, 60-day cure | Attorney General |
How to File a Data Privacy Complaint in Pennsylvania
If you believe your data privacy rights have been violated in Pennsylvania, you have several options:
Data breach complaints. Report data breaches or notification failures to the Pennsylvania Attorney General's Bureau of Consumer Protection. You can file a complaint online or by calling the consumer protection hotline.
Wiretapping violations. Contact local law enforcement or the district attorney's office. Wiretapping violations are criminal offenses and can also be pursued through civil litigation with the help of a private attorney.
Insurance data security. Report cybersecurity concerns involving insurance companies to the Pennsylvania Insurance Department at RA-INdatasecurity@pa.gov.
Federal violations. File complaints about HIPAA violations with the U.S. Department of Health and Human Services Office for Civil Rights. File FCRA complaints with the Consumer Financial Protection Bureau.
More Pennsylvania Laws
Looking for information on other Pennsylvania privacy and recording laws? Visit our Data Privacy Laws by State hub to compare Pennsylvania with other states. You can also explore related topics:
- Pennsylvania Recording Laws for detailed information on the Wiretap Act
- New York Data Privacy Laws for comparison with a neighboring state
- California Data Privacy Laws for comparison with the CCPA/CPRA
- New Jersey Data Privacy Laws for another neighboring state comparison
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Pennsylvania for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- Pennsylvania Breach of Personal Information Notification Act (73 P.S. 2301-2329), legis.state.pa.us
- Act 33 of 2024, Amendments to BPINA, legis.state.pa.us
- PA Office of Attorney General, BPINA, attorneygeneral.gov
- PA Office of Attorney General, Report a Data Breach, attorneygeneral.gov
- Pennsylvania Wiretapping and Electronic Surveillance Control Act (18 Pa.C.S. Ch. 57), legis.state.pa.us
- 18 Pa.C.S. 5703, Interception of Communications, legis.state.pa.us
- Pennsylvania Insurance Data Security Act (40 Pa.C.S. Ch. 45), pa.gov
- PA Insurance Department, Data Security, insurance.pa.gov
- Pennsylvania Unfair Trade Practices and Consumer Protection Law, legis.state.pa.us
- PA Attorney General, Bureau of Consumer Protection, attorneygeneral.gov
- HB 78, Consumer Data Privacy Act (2025-2026), palegis.us
- PA Department of Health, HIPAA, pa.gov
- PA Department of Human Services, HIPAA Privacy, pa.gov
- PA Department of Health, School Record Confidentiality, pa.gov