PA HB78

Pennsylvania residents gain rights to access, correct, delete, and obtain portable copies of their personal data, plus the ability to opt out of targeted advertising, data sales, and automated profiling decisions

Applies to for-profit entities doing business in Pennsylvania with over $10 million annual revenue, OR that process data of 50,000+ consumers/devices, OR derive 50%+ of revenue from selling personal data

Controllers must obtain consent before processing sensitive data (race, religion, health, sexual orientation, biometrics, precise geolocation, children's data) and must provide clear privacy notices disclosing data categories and third-party sharing

Attorney General has exclusive enforcement authority with penalties under the Unfair Trade Practices and Consumer Protection Law; no private right of action; 60-day cure period for violations during initial enforcement phase

Exempts government entities, nonprofits, higher education institutions, HIPAA-covered entities, financial institutions under Gramm-Leach-Bliley, and data already regulated by federal laws including FCRA and FERPA