Can I use third-party social media tools that collect personal information in Pennsylvania? What are the requirements?

Use of Third-Party Social Media Tools in Pennsylvania

If you are using third-party social media tools that collect personal information in Pennsylvania, you must comply with the state’s privacy laws. The requirements for the use and release of personal information in Pennsylvania are outlined in 43 PACO Section 1.14 ^[1.1]. Additionally, the limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties is outlined in 31 PACO Section 146a.21 ^[2.2], and the authorization required for disclosure of nonpublic personal health information is outlined in 31 PACO Section 146b.11 ^[3.1].

To use third-party social media tools that collect personal information in Pennsylvania, you must obtain the consent of the consumer whose personal information is being collected. The licensee must provide an initial notice to the consumer as required under § 146a.11 (relating to initial privacy notice to consumers required) and an opt-out notice as required in § 146a.14 (relating to form of opt-out notice to consumers and opt-out methods) ^[2.2]. The consumer must be given a reasonable opportunity to opt-out of the disclosure of their personal information to nonaffiliated third parties ^[2.2].

If the consumer does not opt-out, the licensee may disclose nonpublic personal financial information to nonaffiliated third parties for any official purposes and all routine uses by the Department, the Bureau, the Division, the Commission, or the Advisory Councils in processing applications, assessing eligibility, and managing the veterans’ programs ^[1.1].

However, if the personal information being collected is nonpublic personal health information, an authorization must be obtained from the consumer before the information can be disclosed ^[3.1]. There are exceptions to this requirement, such as when the disclosure is necessary for the performance of one or more insurance functions identified in § 146b.11(b) ^[3.1].

In addition to the above requirements, if you receive nonpublic personal financial information from a nonaffiliated financial institution under an exception in § 146a.32 or § 146a.33, your disclosure and use of that information is limited ^[2.1]. If you receive nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in § 146a.32 or § 146a.33, you may disclose the information only to the affiliates of the financial institution from which you received the information or to any other person if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information ^[2.1].

In summary, to use third-party social media tools that collect personal information in Pennsylvania, you must obtain the consent of the consumer and provide them with an initial notice and opt-out notice. If the personal information being collected is nonpublic personal health information, an authorization must be obtained from the consumer. There are exceptions to these requirements, which are outlined in the relevant sections of the Pennsylvania Code ^{[1.1][2.1][2.2][3.1]}.

Source(s):

• [1.1] Use and release of personal information.
• [2.1] Limits on redisclosure and reuse of nonpublic personal financial information.
• [2.2] Limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties.
• [3.1] Authorization required for disclosure of nonpublic personal health information.

Jurisdiction

Pennsylvania

• Privacy