Pennsylvania does not yet have a comprehensive consumer privacy law on the books, but the state is closer than ever. House Bill 78 passed the Pennsylvania House of Representatives on October 1, 2025, and was re-referred to the Senate Communications and Technology Committee on February 4, 2026. If signed into law, it would make Pennsylvania one of the largest states by population to grant residents meaningful control over their personal data. Here is where things stand and what you can do right now to protect your privacy.
The Current Status of HB 78
House Bill 78, formally titled the Pennsylvania Consumer Data Privacy Act, represents the most serious legislative effort the state has made toward comprehensive data privacy. After clearing the House in late 2025, the bill moved to the Senate, where it was assigned to the Communications and Technology Committee in February 2026. As of May 2026, the bill has not yet received a Senate floor vote and has not been signed into law.
This means that Pennsylvania residents currently lack the kind of enforceable consumer privacy rights that residents of California, Colorado, Virginia, and a growing list of other states already have. However, understanding what HB 78 proposes is important because many of its provisions could become law in the near future.
Key Takeaway
HB 78 has not been signed into law. Pennsylvania residents do not yet have comprehensive state-level privacy rights. However, the bill has strong legislative momentum and could become law in 2026 or 2027.
What HB 78 Would Cover
The bill applies to entities that conduct business in Pennsylvania or produce products or services targeted at Pennsylvania residents, and that meet one of two thresholds:
- Volume threshold: Controllers that process the personal data of 100,000 or more Pennsylvania consumers during a calendar year.
- Revenue threshold: Controllers that process the personal data of at least 25,000 consumers and derive more than 50 percent of their gross revenue from the sale of personal data.
These thresholds are broadly similar to those used by Virginia and Colorado, which means most small businesses would be exempt while large data brokers, tech companies, and major retailers would be covered.
Consumer Rights Under HB 78
If enacted, HB 78 would grant Pennsylvania residents the following rights:
- Right to access: You could request confirmation of whether a business is processing your personal data and obtain a copy of it.
- Right to correct: You could ask businesses to fix inaccurate personal data they hold about you.
- Right to delete: You could request that a business delete the personal data it has collected from you.
- Right to data portability: You could obtain your data in a portable, commonly used format for transfer to another service.
- Right to opt out: You could opt out of the sale of your personal data, targeted advertising, and certain forms of profiling.
Sensitive Data and Opt-In Consent
One of the stronger provisions in HB 78 is the requirement for opt-in consent before a business can process sensitive personal data. Under the bill, sensitive data includes:
- Health information and medical diagnoses
- Biometric data used for identification purposes
- Precise geolocation data
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation or sex life
- Citizenship or immigration status
- Data from a known child
This opt-in model for sensitive data mirrors the approach taken by Colorado, Connecticut, and Virginia. It means businesses would need to get your explicit permission before collecting or using any of the categories listed above, rather than collecting them by default and letting you opt out after the fact.
Enhanced Protections for Minors
HB 78 includes specific provisions for the personal data of children and teenagers. These enhanced protections would restrict how businesses can collect and use data from minors, adding a layer of safety beyond the federal COPPA baseline, which covers only children under 13. The exact scope of the minor protections is still being refined as the bill moves through committee, but the intent is to make it harder for companies to target young Pennsylvanians with data-driven advertising.
Data Minimization and Protection Assessments
HB 78 includes two provisions that go beyond simple consumer rights and impose operational obligations on businesses:
- Data minimization: Businesses would be required to limit data collection to what is reasonably necessary for the stated purpose. This prevents companies from vacuuming up everything they can and figuring out what to do with it later.
- Data protection assessments: Companies that engage in activities with heightened privacy risk, such as targeted advertising, selling personal data, or processing sensitive data, would need to conduct formal assessments weighing the benefits of processing against the risks to consumers.
These requirements would bring Pennsylvania in line with the more robust privacy frameworks already operating in Colorado and Connecticut.
Enforcement: Attorney General Only
Under HB 78, enforcement authority would rest exclusively with the Pennsylvania Attorney General. There is no private right of action, meaning individual consumers would not be able to sue businesses directly for violations. Instead, you would file a complaint with the AG's office, which would investigate and bring enforcement actions as it sees fit.
Separate Legislation: HB-997 and Breach Notification
A separate bill, HB-997, would amend Pennsylvania's existing data breach notification law to allow consumers to file private lawsuits after a breach. If this bill passes alongside HB 78, Pennsylvania residents would have a private right of action for breaches even though the broader privacy law relies on AG enforcement. These are two separate legislative tracks worth watching.
How Pennsylvania Compares to Other States
Even before HB 78 becomes law, it is useful to see how its provisions stack up against the two most frequently referenced state privacy laws:
Pennsylvania vs. California (CCPA/CPRA)
- California's law has been in effect since 2020, with the CPRA strengthening it further in 2023. Pennsylvania's law remains a proposal.
- California includes a private right of action for data breaches. HB 78 does not, though HB-997 could add something similar.
- California created the California Privacy Protection Agency, a dedicated enforcement body. Pennsylvania's bill relies on the existing AG office.
- Both laws cover opt-out rights for data sales, targeted advertising, and profiling.
Pennsylvania vs. Virginia (VCDPA)
- Virginia's Consumer Data Protection Act has been in effect since January 2023. It shares many structural similarities with HB 78.
- Both use nearly identical applicability thresholds (100,000 consumers or 25,000 consumers plus revenue from data sales).
- Both require opt-in consent for sensitive data.
- Neither provides a private right of action; both rely on AG enforcement.
- HB 78's data minimization and youth protection provisions could make it slightly stronger than Virginia's law once enacted.
What Pennsylvania Residents Can Do Right Now
You do not need to wait for HB 78 to become law to start protecting your personal information. Here are concrete steps you can take today:
- Opt out of data brokers manually. Sites like Spokeo, BeenVerified, Whitepages, and dozens of others publish your name, address, phone number, and family details. Each site has its own opt-out process, and you can begin removing yourself today.
- Use PrivacyOn to automate broker removals. PrivacyOn submits opt-out requests to more than 100 data broker sites on your behalf and continuously monitors for your information reappearing. This is the most efficient way for Pennsylvania residents to reduce their exposure across the data broker ecosystem.
- Freeze your credit. Place a free credit freeze with Equifax, Experian, and TransUnion to prevent identity thieves from opening accounts in your name.
- Enable Global Privacy Control. Install a browser that supports GPC signals, such as Firefox, Brave, or DuckDuckGo. While Pennsylvania does not yet require businesses to honor GPC, companies covered by California's and Colorado's laws already must, and many apply those settings nationwide.
- Review app permissions. Go through your phone and revoke location, microphone, and camera access for apps that do not need them.
- Use strong, unique passwords. A password manager ensures you are not reusing credentials across sites, which is one of the most common sources of data exposure.
Federal Rights Still Apply
Even without a state privacy law, Pennsylvania residents are protected by federal laws including HIPAA (health data), FERPA (education records), COPPA (children under 13), and the Fair Credit Reporting Act (credit data). You also have rights under existing Pennsylvania statutes covering data breach notification and consumer protection.
Looking Ahead
Pennsylvania is one of the most populous states still without a comprehensive privacy law, which makes HB 78's progress through the legislature significant. The bill has already cleared the House and is under active consideration in the Senate. Whether it passes in 2026 or is carried into a future session, the direction is clear: Pennsylvania is moving toward stronger consumer data protections.
In the meantime, the most effective thing you can do is take control of the data that is already out there. Opt out of data brokers, tighten your digital security, and consider using a service like PrivacyOn to handle the ongoing work of keeping your personal information off the open internet.