Pennsylvania, like Nebraska, has a specific law treating violation of a privacy policy as a deceptive trade practice.

Pennsylvania law says that “A person commits an offense if, in the course of business, the person  ... Knowingly makes a false statement in a privacy policy, published on the internet or otherwise distributed or published, regarding the use of personal information submitted by members of the public.”

Fines for violating 18 Pa.C.S. §4107 range from $50 to $500.

Any business that has its principle place of business, is registered, or headquartered in Pennsylvania would be required to comply with the law regardless of whether or not the data being collected belonged to a Pennsylvania resident.

The Attorney General has the power to “investigate and to institute criminal proceedings for any violation of this section or series of such violations involving more than one county in the Commonwealth, or involving any county of the Commonwealth and another state.”

Any survey, opinion, and marketing research company not located in Pennsylvania that might gather data on any Pennsylvania resident should comply with the law, since Pennsylvania’s long-arm statute may allow researchers outside the state to be prosecuted.

Violating the Law
A company violates the Pennsylvania law when they “knowingly make a false or misleading statement.” The Model Penal Code defines “knowingly” as being aware that conduct will result in certain consequences. This high threshold means that the writer of the privacy policy must know that what he or she is writing is not reflected in the company’s practices.

The law also allows a company a defense if it “proves by a preponderance of the evidence” that the “conduct was not knowingly or recklessly deceptive.” If a company can show that it was more likely than not they negligently or recklessly made the statement in their privacy policy which was not reflected in the company practices, then they will not be liable under the Pennsylvania statute.

However, a consumer harmed by an accidental breach of a company’s privacy policies may be able to sure the data holder on other grounds.

Moreover, Section 5 of the FTC Act gives the FTC power to take action against both “unfair” and “deceptive” trade practices (a power it exercises frequently in data security and privacy cases). Establishing that a business engaged in unfair trade practices requires showing that a consumer suffered some sort of harm as a result of a business’s conduct. A deceptive trade practice, on the other hand, can be claimed even absent any harm to the consumer; the FTC merely has to show that the company broke a promise to consumers or customers, such a violating a privacy policy.

As always, MRA recommends compliance with this law even if you don’t think it specifically applies to your company by keeping firm practices consistent with stated policies. Litigating these kinds of issues can be very costly, even if your company is eventually successful. And compliance with the Pennsylvania law will help you keep compliant with the FTC Act.

A research company should draft privacy policies which accurately state the company’s practices, ensure employees are following the privacy policy, and ensure the security of any data retained. Say what you do and do what you say. For more details, consult our white paper on drafting a privacy policy for your research company.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.