Can I ensure that my company is compliant with expanding privacy protections in Pennsylvania? What are the requirements?
To ensure compliance with expanding privacy protections in Pennsylvania, companies must adhere to the requirements outlined in the Pennsylvania Code, specifically in 31 PACO Sections 146a.11, 146a.12, 146a.13, and 146a.15.
Under 31 PACO Section 146a.11, a company must provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to customers not later than when the company establishes a customer relationship. The notice must also be provided to consumers before the company discloses nonpublic personal financial information about the consumer to any nonaffiliated third party, if the company makes a disclosure other than as authorized by §§ 146a.32 and 146a.33.
Under 31 PACO Section 146a.12, a company must provide customers with a privacy notice that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship.
Under 31 PACO Section 146a.13, the initial, annual, and revised privacy notices that a company provides must include specific categories of nonpublic personal financial information that the company collects, discloses, and shares with affiliates and nonaffiliated third parties. The notices must also include an explanation of the consumer’s right to opt out of the disclosure of nonpublic personal financial information to any nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
Under 31 PACO Section 146a.15, a company may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the company provided to that consumer under § 146a.11, unless the company has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices, a new opt-out notice, and a reasonable opportunity to opt out of the disclosure.
To comply with these requirements, companies should review their privacy policies and practices and confirm that they accurately reflect the information required by 31 PACO Section 146a.13. Companies should also provide initial and annual privacy notices to customers as required by 31 PACO Sections 146a.11 and 146a.12, respectively. In addition, companies should provide revised privacy notices to customers as required by 31 PACO Section 146a.15.
Companies should regularly review their policies and practices to keep them up to date with any changes in the law or regulations. Companies should also train their employees on these policies and practices so that they are followed consistently.
Failure to comply with these requirements may result in penalties and legal action.
Source(s):
- [1.1] Annual privacy notice to customers required.
- [1.3] Initial privacy notice to consumers required.
- [1.4] Information to be included in privacy notices.
Jurisdiction
Pennsylvania