Pennsylvania Data Privacy Laws

In today’s world, major data breaches are a frequent occurrence, and Pennsylvania residents aren’t immune. These breaches can target your Social Security number, bank accounts, and even your genetic information.

Last modified: July 8, 2025

Thankfully, Pennsylvania state data privacy laws provide protection and give you legal recourse if your data is stolen. Class Action U has connected thousands in Pennsylvania and around the country with data breach lawyers who can help you fight back.

Key Pennsylvania Data Privacy Laws You Should Know

Pennsylvania law currently requires businesses to have a detailed information security plan and provide prompt notifications for data breaches.

The Pennsylvania General Assembly is currently considering a privacy bill that would impose additional requirements on businesses and grant consumers greater rights over their data once it is collected.

Pennsylvania Consumer Data Privacy Act (PCDPA)

If passed as a law, PCDPA would provide residents with more comprehensive privacy protections. The bill would give consumers the right to know if a business has their data and would allow them to amend or delete their data. Consumers could also opt out of the sale of their data to a third party.

PCDPA would also require businesses to collect the least amount of data they need for their purposes.

As of June 2025, the PCDPA is still pending in the Pennsylvania House as HB78.

Data Security Provisions Under Pennsylvania’s Business and Commerce Code

Under Pennsylvania’s Business and Commerce Code, businesses that store personal information must implement and maintain reasonable data security measures. These include identifying foreseeable risks, regularly testing their systems, and responding appropriately to vulnerabilities.

Breaches of Personal Information Notification Act (BIPNA)

Signed into law in 2005 and modified in 2024, BIPNA sets standards for data security and data breach notification. It also provides consumers with access to credit reporting and monitoring if their information has been compromised.

Under BIPNA, both public and private organizations must notify the state Attorney General if they have a data breach that affects more than 500 Pennsylvania residents. They must notify both consumers and the Attorney General “without unreasonable delay,” which is generally understood to be 60 days or less.

Recent Data Breaches in Pennsylvania

Pennsylvania residents have been affected by data breaches from both local organizations and large corporations.

For example, in July 2024, the Pennsylvania State Education Association suffered a data breach. In April 2025, 10 lawsuits were merged into a class action case alleging that the PSEA took months to notify those affected. The breach is estimated to have affected 500,000 people.

Meanwhile, corporate data breaches have also affected people nationwide. For instance, in September 2024, genetic testing company 23andMe settled a lawsuit over a data breach for $30 million. At least some of the genetic data accessed was found for sale on the dark web, and Pennsylvania residents were among those affected.

Understanding Personal Information Under Pennsylvania Law

According to data breach laws in Pennsylvania, personal information consists of your first name or first initial and your last name, plus your:

  • Social Security number
  • Driver’s license or state ID number
  • Bank account numbers
  • Credentials that would allow a person to log on to your account
  • Health insurance information

Medical information may also be covered if maintained by a state agency or contractor, depending on the context and applicable HIPAA exemptions.

When Must Companies Notify You of a Data Breach in Pennsylvania?

Pennsylvania data breach notification laws apply to breaches that affect 500 or more Pennsylvania residents. Companies are required to notify both the Attorney General and those affected. Notification to the Attorney General must include a description of the breach, the date it happened, and the total number of consumers affected.

In addition to contacting Pennsylvania consumers and the Attorney General, companies must also contact consumer reporting agencies. Companies are also responsible for providing a free credit report and 12 months of credit monitoring to consumers if Social Security, state ID, or bank account numbers were affected.

Timeline for Notification

For private businesses, BIPNA says notifications must be sent out “without unreasonable delay.” Generally, courts have interpreted that as meaning within 60 days.

The law places public entities on a tighter timeline. In most cases, the Attorney General or local district attorney must be notified within three business days, and those affected by the breach must be notified within seven business days.

Notification Requirements for Affected Consumers

Organizations must provide a notice to all affected customers by either mail, phone call, or email. If the breach is extremely large or if the necessary contact information isn’t available, they may provide alternate notification, which consists of notification to statewide media, email, and a notice on the organization’s website.


Your Privacy Rights as a Pennsylvania Resident

As a Pennsylvania resident, you have rights if you are the victim of a data breach:

  • You have the right to keep your data safe. The law requires companies to protect personal information.
  • If a data breach does occur, you have the right to be notified promptly. In most cases, the responsible company must notify you by mail, phone, or email.
  • If you have suffered losses as a result of a data breach, you have the right to seek legal recourse. You can also notify the Bureau of Consumer Protection.

If you have suffered damages as the result of a data breach, you can sue the responsible party as an individual or join a class action lawsuit. A data breach lawyer can help you assess your options.

How To File a Complaint or Seek Legal Action in Pennsylvania

If you receive a data breach notice or suspect a breach has happened, knowing what to do can help protect both your information and your finances:

  • Learn more about the breach, including the type of data breach, and what the organization is doing to prevent further damage.
  • Monitor your financial accounts for transactions you don’t recognize.
  • Change any passwords that were compromised and consider setting up multi-factor authentication.
  • Request a free credit report and consider placing a freeze on your credit.
  • Look into filing a complaint with the BCP or pursuing legal options, such as working with a privacy lawyer to file a data breach lawsuit.

Filing Complaints With the Pennsylvania Attorney General

If you’ve been impacted by a data breach, you can file a complaint online with the Bureau of Consumer Protection. The form will ask you to provide a description of the incident and upload any relevant documents.

After the BCP receives your complaint and confirms that it’s the best agency to help you, it will contact both you and the business in an attempt to provide mediation. If mediation is not successful, you may pursue other legal options.

If the BCP receives multiple complaints about the same company, the Attorney General may decide to pursue criminal charges if they seem warranted.

Joining a Class Action Lawsuit

Lawsuits can help you recover damages after a data breach. While you do have the right to file individually, most data breach victims either start a class action lawsuit or join a suit already in progress.

Class action lawsuits are often an easier and more efficient way for large groups of plaintiffs to win damages. However, you do have to meet certain criteria to join a suit. An experienced data breach attorney can help you learn more.

Stay Informed and Take Control of Your Data in Pennsylvania

Knowledge is the best weapon you have when it comes to protecting your personal data. Understanding Pennsylvania state data laws and monitoring your online transactions can help you defend against data breaches and be prepared if the worst happens.

If you suspect your personal information has been compromised, Class Action U is here to help. We’ve connected hundreds of Pennsylvanians with experienced privacy lawyers ready to help you fight back. Contact us today if a data breach has put your information at risk.
