Joining Nebraska and California, Pennsylvania recently enacted legislation to penalize privacy policy violations. In Pennsylvania, any individual who misuses personally-identifiable data in violation of a published privacy policy may be subject to fines.

State Bill 705 received final legislative approval on November 20, 2004, just as the state General Assembly wrapped up its two-year session, and the bill was signed into law by Governor Edward Rendell on November 30, 2004. The law became effective 60 days thereafter.

Pennsylvania’s new legislation expands the definition of deceptive or fraudulent business practices to include knowingly making a false or misleading statement in a privacy policy regarding the use of personal information submitted by individuals. Significantly, it applies to privacy policies published on the Internet or otherwise distributed to the public.

The new legislation is a further reminder of the compelling need to ensure that privacy policies accurately reflect a company’s actual information collection, use and disclosure practices.

Under the new Pennsylvania law, each discrete violation is a summary offense, punishable by a fine of at least $50 and no more than $500.

The measure does not apply to entities covered by the privacy provisions of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, or Pennsylvania Insurance Department regulations relating to the privacy of consumer health or financial information.

Pennsylvania chose to act at a time when there is significant and renewed interest in privacy rights. As an example, the recent and well-publicized security breach at ChoicePoint, Inc. is having serious repercussions, especially at the state level, where states are rushing to enact various data security and privacy laws.

At the same time, the U.S. Senate and state legislators from a number of states, including New York, California and Texas, are debating different privacy proposals unrelated to the ChoicePoint matter. As such, it is critical to have a thorough understanding of data flows within your organization and to remain vigilant regarding forthcoming legislative developments on privacy matters.

Goodwin Procter LLP is one of the nation's leading law firms, with a team of 650 attorneys and offices in Boston, New York and Washington, D.C. The firm combines in-depth legal knowledge with practical business experience to deliver innovative solutions to complex legal problems. We provide litigation, corporate law and real estate services to clients ranging from start-up companies to Fortune 500 multinationals, with a focus on matters involving private equity, technology companies, real estate capital markets, financial services, intellectual property and products liability.

This article, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP or its attorneys. (c) 2005 Goodwin Procter LLP. All rights reserved.