Pennsylvania Data Privacy Laws: Breach Notification & Consumer Rights (2026)

Pennsylvania has no comprehensive consumer data privacy law as of May 2026. The Breach of Personal Information Notification Act (73 P.S. 2301 et seq.), strengthened by Act 33 of 2024, governs breach notification, while HB 78 has passed the House and awaits a full Senate vote.
Pennsylvania's approach to data privacy relies on a patchwork of targeted statutes rather than a single comprehensive framework. The state has strong breach notification requirements, strict wiretapping protections, and sector-specific privacy rules, but it has not yet enacted an omnibus consumer data privacy law comparable to those in California, Virginia, or Colorado.
This guide covers every major Pennsylvania data privacy statute currently in effect, the pending Consumer Data Privacy Act, federal protections that fill existing gaps, and what businesses and residents need to know about their rights and obligations in 2026.
Pennsylvania's Data Privacy Framework: An Overview
Unlike the 20-plus states that have enacted comprehensive consumer data privacy legislation, Pennsylvania continues to govern data privacy through a collection of individual laws targeting specific areas of concern.

The most significant Pennsylvania data privacy statutes include the Breach of Personal Information Notification Act for data breaches, the Wiretapping and Electronic Surveillance Control Act for communications privacy, the Insurance Data Security Act for the insurance sector, and the Unfair Trade Practices and Consumer Protection Law as a general enforcement mechanism.
This patchwork means that Pennsylvania residents have fewer explicit data rights than residents of states with comprehensive privacy laws. However, pending legislation and active federal enforcement are changing that picture.
Breach of Personal Information Notification Act (BPINA)
The Breach of Personal Information Notification Act, codified at 73 P.S. 2301-2329, is Pennsylvania's primary data breach law. Originally enacted in 2005 as Act 94, the law was significantly strengthened by Act 33 of 2024, signed by Governor Josh Shapiro on June 28, 2024, with amendments taking effect on September 26, 2024.
Who Must Comply
BPINA applies to any entity that maintains, stores, or manages computerized data that includes personal information of Pennsylvania residents. This includes businesses, government agencies, nonprofit organizations, healthcare providers, educational institutions, and any vendor or service provider that handles personal data on behalf of another entity.
There are no minimum size thresholds. A sole proprietor storing one Pennsylvania resident's Social Security number in a spreadsheet is subject to the same notification obligations as a Fortune 500 company.
Definition of Personal Information
Under 73 P.S. 2302, personal information means an individual's first name or first initial and last name in combination with one or more of the following data elements, when neither the name nor the data element is encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number issued in lieu of a driver's license
- Financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the account
- Medical information (any individually identifiable information in a current or historical medical record created by a healthcare professional)
- Health insurance information (a policy number or subscriber identification number in combination with an access code or other information permitting misuse of the individual's health insurance benefits)
The definition also covers a username or e-mail address in combination with a password or security question and answer that would permit access to an online account. This element counts on its own; it does not need to be paired with the individual's name.
The original 2005 definition covered only the first three elements. Medical information, health insurance information, and online account credentials were added by later amendment, closing a gap that had existed since the original law.
Notification Requirements
An entity must notify affected Pennsylvania residents without unreasonable delay once it discovers or is notified of a breach of the security of the system. The statute defines that trigger as unauthorized access to and acquisition of computerized data that materially compromises the security or confidentiality of personal information and that causes, or the entity reasonably believes has caused or will cause, loss or injury to a Pennsylvania resident. Good-faith access by an employee or agent of the entity for a legitimate purpose is not a breach, provided the information is not used for an unauthorized purpose or disclosed further.
The law establishes specific timelines for government entities. State agencies must provide notice within seven business days following their determination that a breach occurred. Counties, school districts, and municipalities must also notify affected individuals within seven business days.
For private entities, the standard is notification without unreasonable delay, taking into account the legitimate needs of law enforcement and the time required to determine the scope of the breach and restore system integrity.
Attorney General Notification
Act 33 of 2024 introduced a new requirement for notification to the Attorney General. When a breach affects more than 500 individuals in Pennsylvania, the entity must notify the Office of Attorney General concurrently with notifying the affected individuals. The notification to the AG must include the estimated total number of affected Pennsylvania residents.
Credit Monitoring Obligations
One of the most impactful changes from Act 33 is the mandatory credit monitoring requirement. If a breach involves an individual's Social Security number, driver's license number, state identification card number, or bank account number, the breached entity must provide affected individuals with access to an independent credit report and 12 months of credit monitoring services at no cost.
This requirement applies when the entity has determined that the consumer reporting agencies must also be notified, which the statute requires whenever notice goes to more than 1,000 persons at one time.
Security Freeze Rights
Pennsylvania residents have the right to place a security freeze on their consumer report under 73 P.S. 2329. A security freeze prohibits a consumer reporting agency from releasing the consumer's credit report or any information from the report without the consumer's express authorization. This is a powerful tool for identity theft victims to prevent fraudulent accounts from being opened in their name.
Consumers request a freeze directly with each of the three nationwide consumer reporting agencies (Equifax, Experian, and TransUnion); a freeze at one agency does not cover the others. The freeze stays in place until the consumer asks for it to be temporarily lifted or permanently removed.
Encryption Safe Harbor
BPINA provides an important safe harbor for encrypted data. The notification requirements do not apply to information that is encrypted or redacted, as long as the encryption key itself was not also accessed or acquired during the breach.
However, this safe harbor has limits. If the encrypted information was accessed and acquired in an unencrypted form, if the breach is linked to a compromise of the encryption system itself, or if the breach involves someone who had authorized access to the encryption key, notification is still required.
Substitute Notice
If the cost of providing individual notice would exceed $100,000, if the affected class exceeds 175,000 individuals, or if the entity does not have sufficient contact information, the entity may provide substitute notice instead. Substitute notice consists of all of the following: email notice when the entity has an email address for the individual, conspicuous posting on the entity's website, and notification to major statewide media.
Vendor Obligations
Vendors that maintain, store, or manage computerized data on behalf of another entity must notify the data owner immediately following discovery of a breach. The duty to notify affected individuals then rests with the entity that owns or licenses the data, not the vendor, so the contract and the incident-response runbook should say who at the owner is contacted and how.
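The BPINA rules above combine into a small decision procedure that an incident-response team can run when a breach touches Pennsylvania residents: is the exposed data "personal information", does the encryption safe harbor apply, and which notices, deadlines and credit-monitoring duties follow. The following is an added example written for this page, not a tool from the Attorney General's office or code from the statute. The element names, the `Incident` and `Obligations` types and the textual deadlines are assumptions for illustration; the thresholds (500 residents for AG notice, 1,000 for consumer reporting agencies, $100,000 and 175,000 for substitute notice) and the credit-monitoring trigger follow the statutory provisions described in this section.

```python
"""Breach-notification triage under Pennsylvania's BPINA (73 P.S. 2301 et seq.).

Added example for this page: the rule encoding, the element names and the
Incident/Obligations types are assumptions for illustration, not statute text.
"""
from dataclasses import dataclass, field
from enum import Enum


class EntityType(Enum):
    PRIVATE = "private"
    STATE_AGENCY = "state_agency"
    LOCAL_GOVERNMENT = "local_government"  # county, school district, municipality
    VENDOR = "vendor"  # holds the data on behalf of a separate data owner


# Elements that count only when paired with a first name/initial and last name.
NAME_COMBO_ELEMENTS = {"ssn", "drivers_license", "state_id", "bank_account",
                       "medical", "health_insurance"}
# A username/e-mail plus password counts on its own (no name pairing needed).
STANDALONE_ELEMENTS = {"online_credential"}
# Elements whose exposure triggers the Act 33 credit-monitoring obligation.
CREDIT_MONITORING_ELEMENTS = {"ssn", "drivers_license", "state_id", "bank_account"}

AG_THRESHOLD = 500          # notify the Attorney General above this many PA residents
CRA_THRESHOLD = 1_000       # notify consumer reporting agencies above this many
SUBSTITUTE_COST = 100_000   # substitute notice allowed above this notice cost (USD)
SUBSTITUTE_CLASS = 175_000  # ...or above this many affected individuals


@dataclass
class Incident:
    entity_type: EntityType
    affected_pa_residents: int
    elements: set                  # data elements exposed, e.g. {"ssn", "medical"}
    name_present: bool = True      # was first name/initial + last name exposed too?
    encrypted: bool = False
    key_compromised: bool = False  # key taken, crypto system breached, or insider with key
    notice_cost_usd: float = 0.0
    contact_info_complete: bool = True


@dataclass
class Obligations:
    """For a VENDOR incident, every field except vendor_must_notify_owner
    describes what the data owner must do once the vendor reports the breach."""
    notify_individuals: bool = False
    individual_deadline: str = "n/a"
    notify_attorney_general: bool = False
    notify_credit_agencies: bool = False
    provide_credit_monitoring: bool = False
    substitute_notice_permitted: bool = False
    vendor_must_notify_owner: bool = False
    reasons: list = field(default_factory=list)


def is_personal_information(inc: Incident) -> bool:
    """Does the exposed data meet the 73 P.S. 2302 definition?"""
    if inc.elements & STANDALONE_ELEMENTS:
        return True
    return inc.name_present and bool(inc.elements & NAME_COMBO_ELEMENTS)


def assess(inc: Incident) -> Obligations:
    """Work out which BPINA obligations a breach triggers."""
    ob = Obligations()
    if not is_personal_information(inc):
        ob.reasons.append("exposed data is not 'personal information'; no notice required")
        return ob
    # Encryption safe harbor: encrypted data is out of scope unless the key
    # (or the encryption system) was compromised as well.
    if inc.encrypted and not inc.key_compromised:
        ob.reasons.append("data encrypted and key not compromised; safe harbor applies")
        return ob
    if inc.encrypted:
        ob.reasons.append("data encrypted but key/system compromised; safe harbor lost")
    if inc.entity_type is EntityType.VENDOR:
        ob.vendor_must_notify_owner = True
        ob.reasons.append("vendor notifies the data owner immediately; owner notifies individuals")

    ob.notify_individuals = True
    if inc.entity_type in (EntityType.STATE_AGENCY, EntityType.LOCAL_GOVERNMENT):
        ob.individual_deadline = "7 business days after determining a breach occurred"
    else:
        ob.individual_deadline = "without unreasonable delay"

    n = inc.affected_pa_residents
    ob.notify_attorney_general = n > AG_THRESHOLD
    ob.notify_credit_agencies = n > CRA_THRESHOLD
    # Act 33: 12 months of credit monitoring when CRA notice is required and a
    # qualifying identifier (SSN, DL/state ID, bank account) was exposed.
    ob.provide_credit_monitoring = ob.notify_credit_agencies and bool(
        inc.elements & CREDIT_MONITORING_ELEMENTS)
    ob.substitute_notice_permitted = (inc.notice_cost_usd > SUBSTITUTE_COST
                                      or n > SUBSTITUTE_CLASS
                                      or not inc.contact_info_complete)
    return ob


if __name__ == "__main__":
    # Constructed scenario: stolen unencrypted backup, 1,200 PA residents, names + SSNs.
    print(assess(Incident(EntityType.PRIVATE, 1_200, {"ssn"})))
```

The two encryption cases are the ones most often argued in a post-incident call: the same stolen dataset is out of scope while the key is safe and fully in scope the moment an attacker or an insider with key access is in the picture, so the function takes `key_compromised` as an explicit input rather than inferring it. Tying `provide_credit_monitoring` to the consumer-reporting-agency threshold mirrors the statute's structure; a 600-person SSN breach therefore needs AG notice but not monitoring under this encoding.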

Wiretapping and Electronic Surveillance Control Act
Pennsylvania's Wiretapping and Electronic Surveillance Control Act, codified at 18 Pa.C.S. Chapter 57, is one of the strictest communications privacy laws in the United States. Pennsylvania is an all-party consent state, meaning that every participant in a conversation must consent before it can be legally recorded.
The General Prohibition
Under 18 Pa.C.S. 5703, it is a criminal offense to intentionally intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept any wire, electronic, or oral communication. It is equally unlawful to intentionally disclose or use the contents of any communication obtained through illegal interception.
Penalties for Violations
Violating Section 5703 is a felony of the third degree under Pennsylvania law. A felony of the third degree carries a potential sentence of up to seven years in prison and fines of up to $15,000.
Beyond criminal penalties, Pennsylvania law also provides a civil cause of action. Any person whose wire, electronic, or oral communication is intercepted, disclosed, or used in violation of the Act may recover actual damages (but not less than liquidated damages computed at $100 per day for each day of violation or $1,000, whichever is greater), punitive damages, and reasonable attorney's fees and litigation costs.
Key Exceptions
Section 5704 provides several exceptions to the general prohibition on interception:
All-party consent. A person may intercept a wire, electronic, or oral communication when all parties to the communication have given prior consent.
Law enforcement. Law enforcement officers may intercept communications with proper court authorization.
Emergency situations. Certain emergency interceptions are permitted when there is an immediate danger of death or serious physical injury.
Business telephone extensions. The use of a telephone extension in the ordinary course of business is not prohibited.
The all-party consent requirement means that in Pennsylvania, recording a phone call, in-person conversation, or video meeting without the knowledge and agreement of every participant is a serious criminal offense.
Insurance Data Security Act (Act 2 of 2023)
The Insurance Data Security Act, codified at 40 Pa.C.S. Chapter 45, took effect on December 11, 2023. This law, based on the model legislation developed by the National Association of Insurance Commissioners (NAIC), establishes cybersecurity and data protection requirements specifically for insurance licensees operating in Pennsylvania.
Requirements
The Act requires insurance licensees to:
- Develop and implement a comprehensive written information security program
- Conduct regular risk assessments to identify and mitigate threats to nonpublic information
- Establish corporate oversight of their information security programs
- Investigate cybersecurity events promptly
- Notify the Insurance Commissioner of cybersecurity events
Compliance Timeline
The law set a phased compliance timeline; every deadline has now passed:
- By December 11, 2024: licensees implemented risk assessment, information security program, and corporate oversight requirements
- By December 11, 2025: licensees established oversight controls for third-party service providers handling nonpublic information
- By April 15, 2026: each insurer domiciled in Pennsylvania must annually certify compliance to the Insurance Commissioner (first certification deadline)
Exemptions
Entities subject to the Insurance Data Security Act are exempt from the BPINA notification requirements to the Attorney General, though they remain subject to the insurance-specific notification provisions.
Unfair Trade Practices and Consumer Protection Law (UTPCPL)
The Unfair Trade Practices and Consumer Protection Law, codified at 73 P.S. 201-1 et seq., serves as an important enforcement backstop for data privacy in Pennsylvania. Violations of BPINA are explicitly treated as unfair or deceptive acts under the UTPCPL, giving the Attorney General broad enforcement authority.
Enforcement Powers
The Attorney General and district attorneys can bring enforcement actions under the UTPCPL. Available remedies include:
- Injunctive relief to stop ongoing violations
- Restitution to affected consumers
- Civil penalties of up to $1,000 per willful violation
- Enhanced civil penalties of up to $3,000 per violation when the victim is 60 years of age or older
- Recovery of investigative costs and attorney's fees
The Bureau of Consumer Protection within the Attorney General's office handles complaints and investigations related to data privacy violations. Attorney General Dave Sunday, who took office in January 2025, continues to operate the breach reporting portal launched under his predecessor.
Assurance of Voluntary Compliance
Before pursuing formal legal action, the Attorney General may accept an assurance of voluntary compliance from a company. These agreements can include stipulations for voluntary restitution to consumers and specific remedial actions the company must take.
Notable Enforcement Actions
Pennsylvania joined a 49-state coalition in an enforcement action against Blackbaud, a cloud software provider, following a 2020 data breach affecting over 5.5 million records. The multistate settlement resulted in a $49.5 million penalty. Pennsylvania has also participated in multistate actions against healthcare data handlers and financial service providers for breach notification failures.

Employee Privacy Protections
Pennsylvania provides several privacy protections in the employment context, though these are generally more limited than those found in states with comprehensive privacy legislation.
Drug Testing
Pennsylvania does not have a general statute governing private-sector drug testing. However, public sector employers operate under restrictions. The Commonwealth may conduct pre-employment drug and alcohol testing for certain positions, but other testing requires legal justification, union negotiation where applicable, and demonstrated need.
Employers are prohibited from releasing drug test results to anyone other than those specified in applicable regulations, unless required by law or court order.
Social Media Privacy
Pennsylvania does not currently have a law prohibiting employers from requesting access to employees' or applicants' social media accounts. Several bills have been introduced in past legislative sessions to address this gap, but none have been enacted.
Background Checks
The Pennsylvania Criminal History Record Information Act (18 Pa.C.S. Chapter 91) governs the use of criminal background checks in employment decisions and includes privacy protections for the dissemination and use of criminal history records.
Pennsylvania HB 78: The Pending Consumer Data Privacy Act
The most significant pending data privacy legislation in Pennsylvania is House Bill 78, the Consumer Data Privacy Act. Introduced by Representative Ed Neilson in the 2025-2026 legislative session, HB 78 would establish Pennsylvania's first comprehensive consumer data privacy framework.
Current Status
HB 78 passed the Pennsylvania House of Representatives on October 1, 2025, by a vote of 127 to 76. The Senate Consumer Protection and Professional Licensure Committee reported the bill favorably (14 yes, 0 no) on February 4, 2026, after which the bill was re-referred to the Senate Communications and Technology Committee. As of May 2026, the bill has not yet received a full Senate vote.
The bill has not been signed into law. If enacted, its provisions would take effect on January 1, 2027. A similar bill from the prior session (HB 1201) received bipartisan House support but stalled in the Senate, making the outcome of HB 78 uncertain.
Consumer Rights Under HB 78
If enacted, HB 78 would grant Pennsylvania consumers significant rights over their personal data:
Right to access. Consumers could confirm whether a business processes their personal data and request access to that data.
Right to correct. Consumers could request correction of inaccurate personal data.
Right to delete. Consumers could request deletion of personal data a business holds about them.
Right to data portability. Consumers could obtain a copy of their personal data in a portable, readily usable format.
Right to opt out. Consumers could opt out of targeted advertising, the sale of personal data, and certain types of profiling.
The bill would also require opt-in consent before processing sensitive information such as health data, biometric data, or precise geolocation data, with enhanced protections for minors.
Who Would Be Subject to HB 78
The bill would apply to for-profit businesses that determine the purpose and means of processing personal data and meet at least one of the following thresholds:
- Generate more than $10 million in annual gross revenue
- Annually buy, receive, sell, or share the personal information of at least 50,000 consumers, households, or devices
- Derive at least 50 percent of annual revenues from selling consumers' personal information
Exemptions
HB 78 would exempt financial institutions governed by the Gramm-Leach-Bliley Act, entities covered by HIPAA, and government entities.
Enforcement
The Pennsylvania Attorney General would have exclusive enforcement authority. There would be no private right of action. The bill includes a 60-day cure period during which businesses could address alleged violations before enforcement actions proceed.
Businesses would be required to respond to consumer requests within 45 days and provide a clear appeals process for denied requests.
Business Obligations
Controllers under HB 78 would need to:
- Maintain transparent privacy notices and policies
- Limit data collection to what is necessary for disclosed purposes
- Conduct risk-based data protection assessments
- Maintain reasonable and appropriate technical and organizational security measures
- Enter into data processing agreements with processors that outline and limit data handling
Federal Privacy Laws Covering Pennsylvania Residents
In the absence of a comprehensive state privacy law, several federal statutes provide important data privacy protections for Pennsylvania residents.
TAKE IT DOWN Act (2025)
Congress enacted the TAKE IT DOWN Act (Pub. L. 119-12), signed by President Trump on May 19, 2025. The law targets nonconsensual intimate visual depictions (NCII), including AI-generated deepfakes.
The Act has two operative components. First, it criminalizes the knowing publication or threatened publication of NCII. Second, it requires covered platforms (websites, apps, and online services that serve the public and primarily provide a forum for user-generated content) to establish a notice-and-removal process. When a covered platform receives a valid takedown request, it must remove the content along with any known identical copies within 48 hours.
The Federal Trade Commission began enforcing the platform obligations on May 19, 2026. Platforms that fail to comply face civil penalties of up to $53,088 per violation per day. The FTC sent compliance letters to major platforms including Alphabet, Amazon, Apple, Meta, Microsoft, Reddit, Snapchat, TikTok, and X in advance of the enforcement date.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy and security of individually identifiable health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. The Pennsylvania Department of Health and Department of Human Services actively implement HIPAA standards.
HIPAA limits the use and disclosure of protected health information (PHI) without the individual's authorization and gives individuals rights to access, amend, and receive an accounting of disclosures of their health records.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and safeguard sensitive customer financial data. This includes banks, credit unions, securities firms, and insurance companies operating in Pennsylvania.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records at schools that receive funding from the U.S. Department of Education. Pennsylvania's public schools and most colleges and universities are subject to FERPA requirements.
The Pennsylvania Public School Code at 24 P.S. Section 1409 adds a state-level layer by requiring that student health records maintained by schools be kept confidential, with contents divulged only when necessary for the health of the child or at a parent's request.
Children's Online Privacy Protection Act (COPPA)
COPPA requires websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children. This federal law applies equally to all businesses operating in or targeting Pennsylvania residents.
Fair Credit Reporting Act (FCRA)
The FCRA regulates the collection, dissemination, and use of consumer credit information. It gives Pennsylvania residents the right to access their credit reports, dispute inaccurate information, and limit certain uses of their credit data.
Data Privacy Penalty Comparison Table
| Law | Statute | Scope | Key Penalty | Enforced By |
|---|---|---|---|---|
| BPINA | 73 P.S. 2301-2329 | All entities handling PA resident data | Up to $1,000 per violation (UTPCPL) | Attorney General |
| Wiretap Act | 18 Pa.C.S. Ch. 57 | All persons | Felony 3rd degree (up to 7 years) | District Attorneys, AG |
| Insurance Data Security | 40 Pa.C.S. Ch. 45 | Insurance licensees | Regulatory sanctions | Insurance Commissioner |
| UTPCPL | 73 P.S. 201-1 et seq. | Trade and commerce | $1,000-$3,000 per violation | Attorney General, DAs |
| TAKE IT DOWN Act | Pub. L. 119-12 | Covered platforms (national) | Up to $53,088 per violation per day | Federal Trade Commission |
| HB 78 (Pending) | Not yet enacted | For-profit businesses above thresholds | AG enforcement, 60-day cure | Attorney General (if enacted) |
How to File a Data Privacy Complaint in Pennsylvania
If you believe your data privacy rights have been violated in Pennsylvania, you have several options:
Data breach complaints. Report data breaches or notification failures to the Pennsylvania Attorney General's Bureau of Consumer Protection. You can file a complaint online or by calling the consumer protection hotline.
Wiretapping violations. Contact local law enforcement or the district attorney's office. Wiretapping violations are criminal offenses and can also be pursued through civil litigation with the help of a private attorney.
Insurance data security. Report cybersecurity concerns involving insurance companies to the Pennsylvania Insurance Department at RA-INdatasecurity@pa.gov.
TAKE IT DOWN Act complaints. Report nonconsensual intimate image violations to the FTC online reporting portal or directly to the platform using its required removal process.
Federal violations. File complaints about HIPAA violations with the U.S. Department of Health and Human Services Office for Civil Rights. File FCRA complaints with the Consumer Financial Protection Bureau.
Sources and References
- Pennsylvania Breach of Personal Information Notification Act (73 P.S. 2301-2329) (legis.state.pa.us)
- Act 33 of 2024 - Amendments to BPINA (legis.state.pa.us)
- PA Office of Attorney General - Breach of Personal Information Notification Act (attorneygeneral.gov)
- PA Office of Attorney General - Report a Data Breach (attorneygeneral.gov)
- Pennsylvania Wiretapping and Electronic Surveillance Control Act (18 Pa.C.S. Ch. 57) (legis.state.pa.us)
- 18 Pa.C.S. 5703 - Interception of Communications (legis.state.pa.us)
- Pennsylvania Insurance Data Security Act (40 Pa.C.S. Ch. 45) (pa.gov)
- PA Insurance Department - Data Security (insurance.pa.gov)
- Pennsylvania Unfair Trade Practices and Consumer Protection Law (73 P.S. 201-1 et seq.) (legis.state.pa.us)
- PA Attorney General - Bureau of Consumer Protection (attorneygeneral.gov)
- HB 78 - Consumer Data Privacy Act (2025-2026 Session) (palegis.us)
- PA Department of Health - HIPAA (pa.gov)
- PA Department of Human Services - HIPAA Privacy (pa.gov)
- PA Department of Health - School Record Confidentiality (pa.gov)
- TAKE IT DOWN Act - CRS Summary (congress.gov)
- FTC Begins Enforcing the TAKE IT DOWN Act (May 2026) (ftc.gov)
- FTC - Take It Down Act Enforcement Guidance (ftc.gov)