In the continuing absence of comprehensive federal law regulating data privacy and protection, the states have continued to pursue their own agenda.  Pennsylvania recently became the most recent state to throw its hat into the ring with its legislature’s introduction of HB-1126, the Consumer Data Privacy Act (“CDPA”).  If passed, the CDPA would make Pennsylvania the third state to enact its own data privacy and protection laws, following California and Virginia.  CPW is here to tell you what you need to know about the CDPA and how it will likely influence litigation.  Hint: if passed, expect swelling dockets.

The CDPA creates a duty for businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information”.  Sounds familiar, right?  To encourage compliance, the CDPA would create private consumer causes of action and leave civil enforcement to the state attorney general.  In this respect, the CDPA draws more inspiration from the California Consumer Privacy Act (“CCPA”), which also created a private right of action, than Virginia’s recently enacted Consumer Data Protection Act, which left enforcement solely to the state attorney general.

Under the CDPA’s private right of action, consumers may obtain statutory damages of not less than $100 but not more than $750 per consumer per incident, actual damages, and injunctive or declaratory relief.  Before filing suit, however, consumers must provide a business with 30 days’ written notice.  The notice must specifically identify which provisions of the CDPA the business allegedly violated.  If the noticed business cures the violation within 30 days and provides the consumer with an “express written statement” detailing that the violations have been cured and affirmed that further violations will not occur, then that business is precluded from liability under the CDPA for those violations.  Should the noticed business continue the alleged violations, however, then the consumer may file suit for the underlying violations.  The CDPA also states that should a noticed business issue an “express written statement” but continue violating the statute, then the notifying consumer will also have an additional cause of action for breach of the statement.

A private right of action in a consumer privacy bill is often a prelude to a surge in litigation.  As CPW has previously reported, over 1,000 lawsuits and at least 76 class action lawsuits have been filed under the Illinois Biometric Information Protection Act and the CCPA, respectively.  With its private right of action, the CDPA promises similar numbers.  Notably, if passed, that surge could begin immediately because the CDPA becomes effective immediately.

HB-1126 has 16 co-sponsors and is currently sitting in the Consumer Affairs Committee.  CPW will continue to monitor this bill for developments.