Support Centre

Pennsylvania - Data Protection Overview

September 2019

1. RIGHT TO PRIVACY/ CONSTITUTIONAL PROTECTION 

1.1. Overview

Like many US jurisdictions, Pennsylvania information privacy and security is patchwork and evolving. Pennsylvania constitutional and common law rights in informational privacy is well developed by a deep bedrock of case law. More recently, the Supreme Court of Pennsylvania ('the Supreme Court') recognised a common law duty of reasonable care for the protection of personal data in a landmark decision that promises further expansion into rights of data security. Statutes prohibiting unlawful wiretapping and identity theft provide both criminal and civil cause of action. The state's consumer protection law, the Unfair Trade Practices and Consumer Protection Law ('the Unfair Trade Practices Law') (73 Pa. Stat. § 201-1 et seq.), has provided the Pennsylvania Attorney General ('AG') a vehicle to commence enforcement actions against companies sustaining large data breaches due to inadequate cybersecurity practices. The statute also creates a private cause of action with a fee shifting component; although to date, plaintiffs' attorneys have been unsuccessful in maintaining a data breach class action under the statute.

1.2. Constitutional Right to Privacy

The Pennsylvania Constitution addresses rights that individuals have against state and local governments in Pennsylvania. The right of privacy is one of those rights. Article I, § 8 of the Pennsylvania Constitution provides protection against unreasonable searches and seizures. It states, "The people shall be secure in their persons, houses, papers and possessions from unreasonable searches and seizures, and no warrant to search any place or to seize any person or things shall issue without describing them as nearly as may be, nor without probable cause, supported by oath or affirmation subscribed to by the affiant."

According to the Supreme Court, "[t]his right of privacy typically arises when the government seeks information related to persons accused of crimes or other malfeasance, and requires an assessment of the extent to which the government’s demands invade  the bounds of the person’s subjective privacy interest, which in turn requires consideration of the extent to which the person’s privacy interests are reasonable."1  

When weighing the strength of a citizen's right of privacy against a government search and seizure, Pennsylvania courts require "a factual examination of whether (1) the person has exhibited an actual (subjective) expectation of privacy in the items to be searched or disclosed, and (2) whether society is prepared to recognize this expectation as reasonable and protectable."2  

Pennsylvania constitutional rights to privacy are not limited to government searches or persons accused of or associated with criminal activity. The Supreme Court has also recognised a constitutional right to the "right of informational privacy"; that is, the right of an individual to control the access to, or the dissemination of, his or her personal information.3 The Supreme Court has identified Article I, § 1 of the Pennsylvania Constitution as the basis for rights to informational privacy. § 1, according to the Supreme Court, provides a "broader array of rights granted to citizens" than § 8 addressing government searches and seizures.4 Titled "Inherent Rights of Mankind," Article I, § 1 of the Pennsylvania Constitution states, "All men are born and equally free and independent, and have certain inherent and indefeasible rights, among which are those of enjoying and defending life and liberty, of acquiring, possessing and protecting property and reputation, and of pursuing their own happiness." The Supreme Court has articulated that the right to happiness referenced in § 1 includes a right to privacy, concluding that "[o]ne of the pursuits of happiness is privacy."5  

As more recently stated by the Supreme Court, "[t]here is no longer any question that the United States Constitution and the Pennsylvania Constitution provide protections for an individual's right to privacy," including "the individual's interest in avoiding disclosure of personal matters."6  

The right to informational privacy guaranteed by Article I, §1 of the Pennsylvania Constitution may not be violated by the government "unless outweighed by a public interest favoring disclosure."7

1.3. Common law right to privacy

Pennsylvania also recognises a common law right to privacy that individuals enforce against companies and other individuals by filing causes of action in civil court. The common law invasion of privacy claim is comprised of four distinct, yet interrelated torts.8 Those torts are:9 

  • intrusion upon seclusion;
  • appropriation of name or likeness; 
  • publicity given to private life; and 
  • placing a person in a false light.

Intrusion upon seclusion

A claim for intrusion upon seclusion may be asserted when "[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person."10 The claim may be based upon a physical intrusion into a place where the plaintiff has secluded himself; the use of the defendant's senses to oversee or overhear the plaintiff's private affairs; or some other form of investigation or examination into plaintiff's private concerns.11  

The cause of action cannot survive if the defendant investigated the claimant or otherwise obtained the information through legitimate means. For example, in Burger v. Blair Med. Assocs., the intrusion upon seclusion claim could not stand where defendant obtained claimant’s medical records through executed medical release.12 

Publicity given to private life

A claim for publicity given to private life may be asserted when "[o]ne who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter published is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public."13 The elements for the claim are:14  

  1. publicity, given to;
  2. private facts,
  3. which would be highly offensive to a reasonable person; and 
  4. is not of legitimate concern to the public.  

The element of "publicity" requires that "the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge."15 Notably, the cause of action for publicity given to private life is separate and distinct from a cause of action for breach of physician-patient confidentiality, and is governed by different statutes of limitations.16  

False light

A claim for false light involves "publicity that unreasonably places the other in a false light before the public."17 In a claim for false light, the claimant must show both "publicity, given to private facts, which would be highly offensive to reasonable person and which are not of legitimate concern to the public."18 A claim for false light "will be found where a major misrepresentation of a person's character, history, activities or beliefs is made that could reasonably be expected to cause a reasonable man to take serious offense."19 

For the publicity element of a false light claim, "[i]t is enough [for the plaintiff] that the defendant has given publicity to any matter concerning the plaintiff that creates a 'highly offensive' false impression about the plaintiff."20 However, if the matter is of legitimate public concern, a claim for false light will fail and be dismissed.21  

Misappropriation of name or likeness

A claim for misappropriation of name or likeness involves instances where a defendant appropriated to his own use or benefit the reputation, prestige, social or commercial standing, public interest, or other values of the claimant's name or likeness. 22 In Eagle v. Morgan, the U.S. District Court for the Eastern District of Pennsylvania ('the District Court') held that an employer's use of a former employee's LinkedIn account constituted invasion of privacy by appropriation of name or likeness.23 In addition, the District Court noted, "The Restatement (Second) of Torts describes a tortfeasor who has committed an invasion of privacy by appropriation of name or likeness as '[o]ne who appropriates to his own use or benefit the name or likeness of another.'"24  

To be liable for misappropriation of name or likeness, the defendant must have appropriated to his own use or benefit the reputation, prestige, social or commercial standing, public interest or other values of the plaintiff's name or likeness. Until the value of the name has in some way been appropriated, there is no tort.25 Thus, incidental use without the purpose of taking advantage of the value of the claimant's name or likeness is not misappropriation.26 Rather, "When the publicity is given for the purpose of appropriating to the defendant's benefit the commercial or other values associated with the name or the likeness the right of privacy is invaded."27 Invasion of privacy by appropriation of name or likeness does not require the appropriation to be done commercially.28 

Right of publicity

Under Pennsylvania law, the right of publicity is a separate and distinct cause of action from invasion of privacy that is based on principles of property rights. However, because the cause of action often is confused with invasion of privacy, misappropriation of name or likeness, by litigants (and sometimes by courts), this overview touches upon the claim. Pennsylvania law recognises both a common law and statutory claim.

The common law right of publicity grants a person an exclusive entitlement to control the commercial value of his or her name or likeness and to prevent others from exploiting it without permission.29 A defendant invades this right by "appropriating its valuable name or likeness, without authorization, [and using] it to the defendant’s commercial advantage."30 The right of publicity protects against commercial loss caused by appropriation of a name or likeness, and thus more closely resembles a property right created to protect commercial value.31 Thus, whereas invasion of privacy by appropriation of name or likeness does not require the appropriation to be done for commercial purposes, violation of the right of publicity requires it.32  

Pennsylvania law also has a statutory claim for unauthorised use of name or likeness (42 Pa. C.S. § 8316). The statute creates a private cause of action, stating that "[a]ny natural person whose name or likeness has commercial value and is used for any commercial or advertising purpose without the written consent of such natural person or the written consent of any of the parties authorized in subsection (b) may bring an action to enjoin such unauthorized use and to recover damages for any loss or injury sustained by such use" (42 Pa. C.S. § 8316(a)). The person whose name has been appropriated, his or her parent or guardian, if a minor, or any person or entity with written license to use the person's likeness for commercial or advertising purposes may commence a claim under the statute (42 Pa. C.S. § 8316(b)). If the person is deceased, any person, firm or corporation with a proper written license, as detailed in the statute, to the commercial or advertising use of the person's name or likeness also may bring an action (42 Pa. C.S. § 8316(b)). 

The statute defines 'name' or 'likeness' as "[a]ny attribute of a natural person that serves to identify that natural person to an ordinary, reasonable viewer or listener, including, but not limited to, name, signature, photograph, image, likeness, voice or a substantially similar imitation of one or more thereof" (42 Pa. C.S. § 8316(e)). The statute defines 'commercial or advertising purpose' to include "the public use or holding out of a natural person's name or likeness: (i) on or in connection with the offering for sale or sale of a product, merchandise, goods, services or businesses; (ii) for the purpose of advertising or promoting products, merchandise, goods or services of a business; or (iii) for the purpose of fundraising" (42 Pa. C.S. § 8316(e)). The term does not include the public use of a natural person's name or likeness in a communication when the person appears as a member of the public and the person is not named or otherwise identified; the purpose is associated with a news report or news presentation having public interest; is an expressive work or an original work of fine art; or is associated with the identification of a person as the author of or contributor to a written work, a performer of a recorded performance, where the written work or the performance is lawfully produced, reproduced, exhibited or broadcast (42 Pa. C.S. § 8316(e)).

The statute has a safe harbour for unknowing violations. It provides that "[n]o person, firm or corporation, including their employees and agents, in the business of producing, manufacturing, publishing or disseminating material for commercial or advertising purposes by any communications medium shall be held liable under this section unless they had actual knowledge of the unauthorized use of the name or likeness of a natural person as prohibited by this section" (42 Pa. C.S. § 8316(d)). 

Common law right to data security

The Supreme Court recognised the right in the common law to have one's data kept secure. Dittman v. UPMC held that "an employer has a legal duty to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an internet-accessible computer system."33 Although the Supreme Court rendered the decision in the context of an employer-employee relationship, because it relied upon longstanding principles of common law, many anticipate that the decision will apply to contexts outside the employment relationship. Unlike invasion of privacy claims, this court-recognised cause of action is based solely on underlying tort principles of duty of care. 

In Dittman, former and current employees of the University of Pittsburgh Medical Center ('UPMC') commenced a class action lawsuit after UPMC sustained a data breach compromising employee personal information. Plaintiffs asserted that UPMC failed to implement adequate security measures to protect the data, including early detection, proper encryption, and authentication protocols.34 Applying the tort principle that a person who undertakes an affirmative act must exercise reasonable care, the Supreme Court concluded that UPMC's collection of employee data was an affirmative act to trigger such a duty.35 

Although wrongdoing of a third party acts as a superseding event to absolve the affirmative actor of liability, the Supreme Court concluded that the exception did not apply in the case before it. Instead, because UPMC collected plaintiffs' personal data, it knew or should have known that a third party might try to hack into its alleged inadequately secured network to steal the data. Thus, "the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [plaintiffs'] personal and financial information from that breach."36 It is important to note that Dittman was decided at the dismissal stage, where courts are required to treat the allegations in a complaint as true. 

By recognising a common law duty of care to protect data independent of any statute or regulation, Dittman represents a flagship decision in the U.S., and it will be interesting to see whether appellate courts in other states follow Pennsylvania's lead.

2. KEY PRIVACY LAWS

2.1 The Wiretapping and Electronic Surveillance Control Act

The Pennsylvania Wiretapping and Electronic Surveillance Control Act ('the Wiretapping Act') (18 Pa. C.S. § 5701 et seq.) restricts a person's ability to monitor another. Under the Wiretapping Act, a person is guilty of a felony of the third degree if he or she (18 Pa. C.S. § 5703):

  1. intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, electronic or oral communication;
  2. intentionally discloses or endeavors to disclose to any other person the contents of any wire, electronic or oral communication, or evidence derived therefrom, knowing or having reason to know that the information was obtained through the interception of a wire, electronic or oral communication; or
  3. intentionally uses or endeavors to use the contents of any wire, electronic or oral communication, or evidence derived therefrom, knowing or having reason to know, that the information was obtained through the interception of a wire, electronic or oral communication.

Subject to certain exceptions, it also is unlawful to manufacture, advertise, sell, or possess devices primarily designed to surreptitiously intercept wire, electronic, or oral communications (18 Pa. C.S. § 5705).

Private cause of action

Although a penal statute, the Wiretapping Act also recognises a private cause of action. It provides that "[a]ny person whose wire, electronic or oral communication is intercepted, disclosed or used in violation of this chapter shall have a civil cause of action against any person who intercepts, discloses or uses or procures any other person to intercept, disclose or use, such communication; and shall be entitled to recover from any such person" (18 Pa. C.S. § 5725(a)(1)). The U.S. Court of Appeals for the Third Circuit has adopted a four-part test to establish a prima facie claim under 18 Pa. C.S. § 5725. The test is whether: "(1) Plaintiff engaged in [an oral] communication; (2) Plaintiff possessed an expectation that the communication would not be intercepted; (3) Plaintiff's his expectation was justifiable under the circumstances; and (4) Defendant attempted to, or successfully intercepted the communication, or encouraged another to do so."37 Importantly, only the sender of the communication has standing to sue – the intended recipient of the communication has no standing to asset a claim under the Wiretapping Act.38  

Criminal conviction under the Wiretapping Act is not a condition precedent to civil liability.39 In Marks, the Supreme Court remarked that because "the purpose of the damage provision [in the Wiretapping Act] is to encourage civil enforcement of the [the Wiretapping Act], all that is required to make the damage provision of the [the Wiretapping Act] operative is a determination by the [trial] court [...] that the [the Wiretapping Act] was violated."40 Consent is a defense to such a claim. The Wiretapping Act is not violated where "all parties to the communication have given prior consent to" interception of the communication (18 Pa. C.S. § 5704(4)). If all parties to a communication have not consented to the interception, there is a violation of the Wiretapping Act.41 18 Pa. C.S. § 5704 provides additional defenses/exceptions to the Wiretapping Act.  

A successful claimant may recover (18 Pa. C.S. § 5725(a)(2)):

  • actual damages, but not less than liquidated damages computed at the rate of $100 a day for each day of violation, or $ 1,000 per day, whichever is higher; 
  • punitive damages; and 
  • reasonable attorney's fees.

2.2  Identity theft

Under Chapter 41 of Title 18 of the Pennsylvania Consolidated Statutes, a person commits the criminal offence of 'identity theft' of another person if he or she "possesses or uses, through any means, identifying information of another person without the consent of that other person to further any unlawful purpose" (18 Pa. C.S. § 4120(a)).

The law defines 'identifying information' as "[a]ny document, photographic, pictorial or computer image of another person, or any fact used to establish identity, including, but not limited to, a name, birth date, Social Security number, driver's license number, nondriver governmental identification number, telephone number, checking account number, savings account number, student identification number, employee or payroll number or electronic signature" (18 Pa. C.S. § 4120(f)). The law defines 'document' as "[a]ny writing, including, but not limited to, birth certificate, Social Security card, driver's license, nondriver government-issued identification card, baptismal certificate, access device card, employee identification card, school identification card or other identifying information recorded by any other method, including, but not limited to, information stored on any computer, computer disc, computer printout, computer system, or part thereof, or by any other mechanical or electronic means" (18 Pa. C.S. § 4120(f)).

A conviction for identity theft in which the defendant convicted of forgery, identity theft, and fraudulently obtaining public assistance, was affirmed by the Superior Court of Pennsylvania where the defendant used his brother's name and identifying information to obtain medical services and Medicaid benefits as a result of receiving open heart surgery.42 The defendant admitted to using his brother's name and had signed his brother's name to various documents to obtain medical services and to obtain public assistance as an unemployed and uninsured person.

Each time a person possesses or uses identifying information in violation of 18 Pa. C.S. § 4120(a), it constitutes a separate offence (18 Pa. C.S. § 4120(b)). Further, the total values involved in offences under this section committed pursuant to one scheme or course of conduct, whether from the same victim or several victims, may be aggregated in determining the grade of the offence (18 Pa. C.S. § 4120(b)). The degree of felony and fine depends upon the value of any property or whether it was committed in furtherance of a criminal conspiracy (18 Pa. C.S. § 4120(c)(1)). When a person commits identity theft and the victim is 60 years of age or older, a care-dependent person as defined in 18 Pa. C.S. § 2713 (relating to neglect of care-dependent person), or an individual under 18 years of age, the grading of the offence is elevated one grade higher than the above-values specified to permit a more severe sentence (18 Pa. C.S. § 4120(c)(2)). 

Separately, a person commits the offence of "falsely impersonating persons privately employed" if he or she pretends or holds himself or herself out, "without due authority," to anyone as an employee of any person for the purpose of gaining access to any premises (18 Pa. C.S. § 4115). The offence is a misdemeanour of the second degree (18 Pa. C.S. § 4115).

Private cause of action

Subchapter A of Chapter 83 of Title 42 of the Pennsylvania Consolidated Statute also recognises a private cause of action for identity theft, and a claimant may seek the following damages for identity theft (42 Pa. C.S. § 8315):

  • actual damages arising from the incident or $500, whichever is greater. Damages include loss of money, reputation or property, whether real or personal. The court may, in its discretion, award up to three times the actual damages sustained, but not less than $500;
  • reasonable attorney fees and court costs;
  • additional relief the court deems necessary and proper.

2.3    Unlawful dissemination of an intimate image 

Pennsylvania law recognises a private cause of action for unlawful dissemination of an intimate image in order to recover damages for any loss or injury sustained as a result of the violation (42 Pa. C.S. § 8316.1(a)). The claim may be brought by the person, or guardian if the person is incompetent or a minor (42 Pa. C.S. § 8316.1(b)). 

Damages include (42 Pa. C.S. § 8316.1(c)(1)):

  • actual damages arising from the incident or $500, whichever is greater; 
  • loss of money, reputation or property, whether real or personal; and
  • an award, at the court’s discretion, of up to three times the actual damages sustained, but not less than $500. 

A court also may award reasonable attorney fees, court costs, and additional relief the court deems necessary and proper (42 Pa. C.S. § 8316.1(c)(2)). A court awarding damages must consider whether the dissemination of the intimate image may cause long-term or permanent injury (42 Pa. C.S. § 8316.1(c)). An award of damage under the Consolidated Statute may limit the ability of the victim to obtain restitution from a defendant convicted of a crime under 18 Pa. C.S. § 1106 (42 Pa. C.S. § 8316.1(d)).

2.4  Possession of unlawful devices

Under Pennsylvania penal law, a person commits the criminal offence of possession of an unlawful device if that person, with the intent to defraud another person, either "(i) uses a device to access, read, obtain, memorize or store, temporarily or permanently, information encoded on the computer chip, magnetic strip or stripe or other storage mechanism of a payment card or possesses a device capable of doing so; or (ii) places information encoded on the computer chip, magnetic strip or stripe or other storage mechanism of a payment card onto the computer chip, magnetic strip or stripe or other storage mechanism of a different card or possesses a device capable of doing so" (18 Pa. C.S. § 4121(a)(1)).

In addition, a person violates the statute if he or she "knowingly possesses, sells or delivers a device which is designed to read and store in the device's internal memory information encoded on a computer chip, magnetic strip or stripe or other storage mechanism of a payment card other than for the purpose of processing the information to facilitate a financial transaction" (18 Pa. C.S. § 4121(a)(2)). The law defines "payment card" as a "credit card, a charge card, a debit card or another card which is issued to an authorized card user to purchase or obtain goods, services, money or another thing of value" (18 Pa. C.S. § 4121(c)). 

A first offence constitutes a felony of the third degree. A second or subsequent offence constitutes a felony of the second degree (18 Pa. C.S. § 4121(b)).

2.5  Privacy of social security numbers

Under the Privacy of Social Security Numbers Law ('the Social Security Numbers Law') (74 Pa. Stat. § 201 et seq.) social security numbers are entitled to confidentiality. The Social Security Numbers Law further prohibits a person or entity, or state agency or political subdivision, from (74 Pa. Stat. § 201(a)): 

  • publicly displaying a person’s social security number; 
  • printing the number on a card required to access products or services, or requiring an individual to transmit his or her social security number over the internet in absence of encryption; 
  • requiring an individual to use his or her social security number to access an internet website unless a password or unique personal identification number or other authentication device is also required; 
  • printing an individual’s social security number on any materials that are mailed to the individual unless federal or state law requires the social security number to be on the document to be mailed; or 
  • disclosing in any manner, except to the agency issuing the license, the social security number of an individual who applies for a recreational license.

Lawsuits for violations of the Social Security Numbers Law may be brought by the AG. A violation of the law is deemed a summary offence and is punishable by a fine of not less than $50 and not more than $500, and for every second or subsequent violation, by a fine of not less than $500 and not more than $5,000 may be assessed (74 Pa. Stat. § 201(g)). The law is also subject to criminal enforcement (74 Pa. Stat. § 202). The law does not apply to financial institutions, as defined by the Gramm-Leach-Bliley Act of 1999 ('GLBA'), 'covered entities' under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), or an entity subject to the Fair Credit Reporting Act of 1970 (74 Pa. Stat. § 204).

2.6  Consumer Protection

The purpose of the Unfair Trade Practices Law is to protect the consumer public and eradicate unfair or deceptive business practices.43 The Supreme Court has instructed that courts should construe the Unfair Trade Practices Law liberally in order to effect the legislative goal of consumer protection.44 The Unfair Trade Practices Law lists 21 acts that are deemed unfair and deceptive in commerce. In recent years, the AG has used the Unfair Trade Practices Law to commence enforcement actions against companies failing to adequately protect consumer data, citing the catch-all provision in the law, which prohibits "fraudulent or deceptive conduct which creates a likelihood of confusion or of misunderstanding" (73 Pa. Stat. § 201-2(4)(xxi)).45  In the aftermath of recent high-profile data breaches, such as Neiman Marcus and Target, the AG has used the Unfair Trade Practices Law (together with attorneys general in other states using similar state consumer protection statutes) to commence enforcement actions against those companies and to negotiate 'Assurances of Voluntary Compliance' with them. These settlement agreements require companies sustaining the data breaches to develop and implement policies and procedures to better protect consumers personal information.46

Private cause of action

The Unfair Trade Practices Law also creates a private cause of action. To date, plaintiffs have tried unsuccessfully to obtain class certification for private causes of action brought under 73 Pa. Stat. § 201-2(4)(xxi) based on the alleged mismanagement of personal health information.47  

The Unfair Trade Practices Law has a fee-shifting component which allows successful claimants and their attorneys to recoup attorneys' fees expanded in the action, even if such fees are in excess of the damages awarded. As a result, this law has attracted plaintiffs' attorneys to bring even de minimus cases in hope of obtaining significant awards for fees. For fee-shifting under the Unfair Trade Practices Law, courts look to the benefits provided to the claimants by their attorneys, and have noted that "the fee-shifting statutory provision of [the Unfair Trade Practices Law] is designed to promote its purpose of punishing and deterring unfair and deceptive business practices and to encourage experienced attorneys to litigate such cases, even where recovery is uncertain."48

2.7    Invasion of Privacy 

Under Chapter 75 of Title 18 of the Pennsylvania Consolidated Statute, invasion of privacy is also a criminal offence. A person may be convicted of invasion of privacy if the offender, for the purpose of arousing or gratifying the sexual desire of any person, knowingly does any of the following (18 Pa. C.S. § 7507.1(a)):

  • views, photographs, videotapes, electronically depicts, films or otherwise records another person without that person's knowledge and consent while that person is in a state of full or partial nudity and is in a place where that person would have a reasonable expectation of privacy;
  • photographs, videotapes, electronically depicts, films or otherwise records or personally views the intimate parts, whether or not covered by clothing, of another person without that person's knowledge and consent and which intimate parts that person does not intend to be visible by normal public observation; and
  • transfers or transmits an image obtained in violation of the first or second points above by live or recorded telephone message, electronic mail or the internet or by any other transfer of the medium on which the image is stored.

The law defines 'full or partial nudity' as a "[d]isplay of all or any part of the human genitals or pubic area or buttocks, or any part of the nipple of the breast of any female person, with less than a fully opaque covering" and defines 'intimate part' as any part of human genitals, pubic area or buttocks, or the nipple of a female breast (18 Pa. C.S. § 7507.1(e)). A 'place where a person would have a reasonable expectation of privacy' is defined as "[a] location where a reasonable person would believe that he could disrobe in privacy without being concerned that his undressing was being viewed, photographed or filmed by another" (18 Pa. C.S. § 7507.1(e)).

The law recognises separate violations for each victim of an offence under the same or similar circumstances, such as a scheme or course of conduct, whether at the same or different times; or if a person is a victim on multiple occasions during a separate courses of conduct (18 Pa. C.S. § 7507.1(a.1)). An offence for invasion of privacy constitutes a misdemeanour of the third degree; however, if there are multiple offences, the offence constitutes a misdemeanour of the second degree (18 Pa. C.S. § 7507.1(b)). There is no private cause of action under the law against a manufacturer of a device or a provider of a product or service that is used to commit a violation of 18 Pa. C.S. § 7507.1 (42 Pa. C.S. § 8317).

3. HEALTH DATA

3.1  Key Laws

The protection of health data under Pennsylvania law is a patchwork. Chapter 146b of Title 31 of the Pa. Code governs the privacy of consumer health information (31 Pa. Code. § 146b.1). However, the law applies to insurers only. Safeguards for protecting health data under 31 Pa. Code. § 146b.1 are governed under 31 Pa. Code §§ 146c.1-.11, which establishes standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of consumer information (see Section 10 of the note). Data security of health data implicate some common law duties of care recently recognised by the Supreme Court under Dittman v. UPMC,49 (see section 1.3 of the note). Pennsylvania also recognises a common law right for physician-patient confidentiality separate and distinct from an invasion of privacy claim.50  

In addition, Chapter 115 of Title 28 of the Pa. Code requires that medical records be stored "in such a manner as to provide protection from loss, damage and unauthorized access" (28 Pa. Code § 115.22). All medical records must be treated as confidential (28 Pa. Code § 115.27; see also § 5.53 of Chapter 5 of Title 28 of the Pa. Code; and § 563.9 of Chapter 563 of Title 28 Pa. Code). As such, "[o]nly authorized personnel" may have access to medical records, and "written authorization of the patient" must be presented and maintained in the original record as authority for release of medical information outside the hospital (28 Pa. Code § 115.27). The law treats medical records as "the property of the hospital," but prohibits their removal from a hospital premises, except for court purposes (28 Pa. Code § 115.28). Copies of such records may be made for authorised appropriate purposes such as insurance claims, and physician review, that consistent with the confidentiality requirements under 28 Pa. Code § 115.27 (28 Pa. Code § 115.28, see also §7111 of Chapter 15 of Title 50 of the Pa. Stat.).

3.2    Key Definitions for 31 Pa. Code § 146b

31 Pa. Code. § 146b has many key definitions, and defines 'consumer' as an "individual, or that individual's legal representative, who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal health information" (31 Pa. Code § 146b.2). The definition also provides examples and illustrations of 'consumers' (31 Pa. Code § 146b.2). 

31 Pa. Code. § 146b defines 'licensee' as a licensed insurer, a producer and other persons or entity licensed or required to be licensed under Pennsylvania insurance law, including health maintenance organisations. The term licensee also includes a licensee that enrolls, insures or otherwise provides an insurance related service to participants that procure health insurance through a governmental health insurance programme, and a non-admitted insurer that accepts business placed through a surplus lines licensee in Pennsylvania (31 Pa. Code §146b.2). 

The term 'nonpublic personal health information' means either health information that identifies an individual who is the subject of the information, or health information that there is a reasonable basis to believe could be used to identify an individual (31 Pa. Code § 146b.2). The term does not include 'nonpublic personal financial information' (31 Pa. Code § 146b.2).

4. FINANCIAL DATA

4.1  Key Laws

Chapter 146a of Title 31 of the Pennsylvania Code otherwise governs the privacy of consumer financial information (31 Pa. Code. § 146a.1). Similar to Chapter 146b of the Pennsylvania Code, the statute limits the definition for licensees to insurers and thus is limited in scope. Safeguards for protecting consumer financial data are governed under 31 Pa. Code §§ 146c.1-.11, which establishes standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information (see section 10 of the note below). In addition, data security of financial data implicate common law duties of care recently recognised by the Supreme Court under Dittman v. UPMC (see Section 1.3. of the note).51

4.2  Key Definitions for 31 Pa. Code § 146a

The law defines a 'consumer' as an "individual who seeks to obtain, obtains or has obtained an insurance product or service from a licensee that is to be used primarily for personal, family or household purposes, and about whom the licensee has nonpublic personal financial information, or that individual's legal representative" (31 Pa. Code § 146a.2). Like the definition for consumer health data under 31 Pa. Code § 146b.2, the definition of consumer under 31 Pa. Code § 146a.2 provides examples and illustrations of 'consumers.' 

A 'customer' is defined as a "consumer who has a customer relationship with a licensee" (31 Pa. Code § 146a.2). A 'customer relationship' is defined as a "continuing relationship between a consumer and a licensee under which the licensee provides one or more insurance products or services to the consumer that are to be used primarily for personal, family or household purposes" (31 Pa. Code § 146a.2).

31 Pa. Code § 146a.2 defines licensee as an insurer, a producer, or other persons or entities licensed or required to be licensed under Pennsylvania insurance law, including health maintenance organisations. The term also includes a licensee that enrolls, insures or otherwise provides insurance related services to participants that procure health insurance through a governmental health insurance programme, and a non-admitted insurer that accepts business placed through a surplus lines licensee in Pennsylvania (31 Pa. Code § 146a.2). 

The term 'personally identifiable financial information' is defined to mean "(A) Information that a consumer provides to a licensee to obtain an insurance product or service from the licensee; (B) Information about a consumer resulting from a transaction involving an insurance product or service between a licensee and a consumer, and (C) Information that the licensee otherwise obtains about a consumer in connection with providing an insurance product or service to that consumer" (31 Pa. Code § 146a.2). The term does not include publicly available information, any list, description or other grouping of consumers derived without using any personally identifiable financial information that is not publicly available, and health information (31 Pa. Code § 146a.2).

5. EMPLOYMENT DATA

The Supreme Court held that employers have a common law right duty of reasonable care to safeguard the sensitive personal information data of their current and former employees stored in internet-accessible information systems (see section 1.3. of the note).52

6. ONLINE PRIVACY

Currently, there are no Pennsylvania-specific requirements addressing online privacy.

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

Under Pennsylvania's Unsolicited Telecommunication Advertisement Act ('the Unsolicited Telecommunication Act') (Chapter 40 of Title 73 of the Pennsylvania Statutes) it is unlawful to send an unsolicited commercial email or facsimile (from a computer or fax machine) located in Pennsylvania, or to send email to addresses, that (73 Pa .Stat. § 2250.3(a)):

  • uses a third party's internet domain name in the return electronic mail message without permission of the third party;
  • includes false or misleading information in the return address portion of the electronic mail, facsimile or wireless advertisement such that the recipient would be unable to send a reply message to the original authentic sender;
  • contains false or misleading information in the subject line; or
  • fails to operate a valid sender-operated return email address or toll-free telephone number that the recipient of the unsolicited documents may email or call to notify the sender not to transmit further unsolicited documents.

It also unlawful to use a covered mobile telephone messaging system to transmit an unsolicited commercial email (Pa. Stat. § 2550.3(b)). 

The Unsolicited Telecommunication Act also prohibits a person to (73 Pa. Stat. § 2250.4):

  • conspire with another person to initiate the transmission of a commercial electronic mail message, fax or wireless advertisement that uses a third party's internet domain name without permission of the third party or to otherwise misrepresent or obscure any information identifying the point of origin or the transmission path of a commercial electronic mail message;
  • falsify or forge commercial electronic mail, fax or wireless transmission or other routing information in any manner in connection with the transmission of unsolicited commercial electronic mail or wireless advertisement;
  • assist in the transmission of a commercial electronic mail message, fax or wireless advertisement when the person providing the assistance knows or consciously avoids knowing that the initiator of the commercial electronic mail message or fax is engaged or intends to engage in any act or practice that violates the provisions of this act;
  • temporarily or permanently remove, alter, halt or otherwise disable any computer or wireless data, programs software or network to initiate a commercial electronic mail message, fax or wireless advertisement; and
  • sell, give or otherwise distribute or possess with the intent to sell, give or distribute software that is primarily designed or produced for the purposes of facilitating or enabling falsification of commercial electronic mail, fax or wireless advertisement transmissions.

A violation of the Unsolicited Telecommunication Act constitutes a violation of the Unfair Trade Practices Law (73 Pa. Stat. § 2250.5(a)) (see section 2.6 of the note). Thus, a private action brought under the statute may be based on any of twenty-one unfair practices described in the Unfair Trade Practices Law (73 Pa. Stat. §201-2(4)).

Under the Unsolicited Telecommunication Act, persons who provide an email service, or wireless telecommunications companies, have the discretion to block or filter the receipt or transmission of any commercial email or wireless advertisement that it reasonably believes is or may be sent in violation of the Unsolicited Telecommunication Act (73 Pa. Stat. § 2250.6(a)(1)). Moreover, the Unsolicited Telecommunication Act does not prevent or limit a person who provides internet access or an email service, or a wireless telecommunications company, from (73 Pa. Stat. § 2250.6(a)(2)):

  • adopting a policy regarding commercial or other electronic mail, including a policy of blocking, filtering or declining to transmit certain types of electronic mail messages;
  • suspending or terminating the services or accounts of any person deemed in violation of this act; or
  • enforcing such policy through technology, contract or pursuant to any remedy available under any provision of law.

No person who provides internet access or an email service, or a wireless telecommunication company, may be held liable for any action voluntarily taken in good faith to block the receipt or transmission through its service of any commercial email which it reasonably believes is or may be sent in violation of the Unsolicited Telecommunication Act (73 Pa. Stat. § 2250.6(b)).

8. PRIVACY POLICIES

Currently, there are no Pennsylvania-specific requirements addressing privacy notices.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

Currently, there are no Pennsylvania-specific requirements addressing data disposal.

9.1  Standards for Safeguarding Customer Information 

9.1.1  Key Provisions

Title 31 of the Pennsylvania Code sets for standards for safeguarding consumer information for licensees under Chapters 146a (financial data) and 146b (health data) (31 Pa. Code §§ 146c.1-.11). The law establishes standards that licensees must adhere to (31 Pa. Code § 146c.1):  

  • for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information, under §§ 501, 505(b) and 507 of the GLBA (15 U.S.C. §§ 6801, 6805(b), and 6807)
  • for ensuring the security and confidentiality of customer records and information;
  • to protect against any reasonably anticipated threats or hazards to the security or integrity of the records;
  • to protect against unauthorized access to or use of records or information that could result in substantial harm or inconvenience to a customer; and
  • that apply to nonpublic personal information, including nonpublic personal financial information and nonpublic personal health information.

The Pennsylvania Code requires that licensees (see definitions in sections 3.2 and 4.2 of the note) to "implement a comprehensive written information security program that includes administrative, technical and physical safeguards for the protection of customer information" (31 Pa. Code § 146c.3). Recognising that a one-size-fits-all approach is unworkable, the law further provides that "[t]he administrative, technical and physical safeguards included in the information security program shall be appropriate to the size and complexity of the licensee and the nature and scope of its activities" (31 Pa. Code § 146c.3). The information security programme must be designed to (31 Pa. Code § 146c.4):

  • safeguard the security and confidentiality of customer information; 
  • protect against any reasonably anticipated threats or hazards to the security or integrity of the information; and 
  • protect against unauthorised access to or use of the information that could result in substantial harm or inconvenience to any customer. 

Furthermore, 31 Pa. Code §§ 146c.6 – 146c.9 provide nonexclusive illustrations and methods by which a licensee may implement an adequate comprehensive written information security programme designed to satisfy required safeguards (31 Pa. Code § 146c.5). The illustrated methods and procedures are:

  • conducting risk assessments that (31 Pa. Code § 146c.6): 
    • identify reasonably foreseeable internal or external threats that could result in unauthorised disclosure, misuse, alteration or destruction of customer information or customer information systems; 
    • assesses the likelihood and potential damage of such threats, taking into consideration the sensitivity of customer information at issue; and 
    • assess the sufficiency of policies, procedures, information systems, and other safeguards already in place to mitigate the identified risks. 
  • manage and control the risk by (31 Pa. Code § 146c.7):
    • designing the information security programme to control the identified risks in a manner commensurate with the sensitivity of the information and the complexity and scope of the licensee's activities; 
    • training staff to implement the information security programme; and 
    • regularly monitoring and testing key controls, systems, and procedures of the information security programme based on the licensee's risk assessment. 
  • manage security risks created through the use of third-party service providers by (31 Pa. Code § 146c.8):
    • exercising "appropriate due diligence" in selecting service providers;
    • requiring service providers to implement "appropriate measures" designed to meet the objectives of the data security standards; and 
    • when indicated by its risk assessment, to takes appropriate steps to confirm that the service providers have satisfied its data security obligations. 
  • adjusting the information security programme based upon relevant changes in technology, the sensitivity of customer information, identified threats, and/or the licensee's own changing business arrangements (31 Pa. Code § 146c.9). 

A licensee violates the Chapter 31 of the Pennsylvania Code when (31 Pa. Code § 146c.10(b)): 

  • it "knew or reasonably should have known" of a pattern of activity, or of a practice of a service provider, that constitutes either a violation of § 146a or § 146b; 
  • it "knew or reasonably should have known" of a pattern of activity, or of a practice of a service provider, that constitutes a violation of the safeguard standards; 
  • it knew or reasonably should have known of a 'material breach' of the contract or other arrangement between the licensee and the service provider, unless the licensee took reasonable steps to cure the breach or end the violation.

Violations under §§ 146c.3 and 146c.4, which address the implementation of an adequate comprehensive written information security programme designed to satisfy required safeguards, are deemed by the Pennsylvania Department of Insurance ('the Department') to be an unfair method of competition and an unfair or deceptive act or practice, and thus are subject to applicable penalties or remedies under the Unfair Insurance Practices Act ('the Insurance Act') (31 Pa. Code § 146c.10(a)). In addition to injunctive relief (§ 117.10 of Title 40 of the Pennsylvania Statutes), civil penalties that may be imposed by the Department under the Unfair Insurance Practices Act are (40 Pa. Stat. § 117.11):

  • for each method of competition, act or practice defined in § 5 of the Insurance Act and in violation of the Insurance Act, which the person knew or reasonably should have known was such a violation, a penalty of not more than $5,000 for each violation but not to exceed and aggregate penalty of $50,000 in any six month period;
  • for each method of competition, act or practice defined in § 5 of the Insurance Act and in violation of the Insurance Act, which the person did not know nor reasonably should have known was such a violation, a penalty of not more than $1,000 for each violation but not to exceed an aggregate penalty of $10,000 in any six month period; and
  • for each violation of an order issued by the Insurance Commissioner of Pennsylvania pursuant to § 9 of the Insurance Act, while such order is in effect, a penalty of not more than $10,000.

9.1.2  Key Definitions

Licensee: has the same limited definition, an insurer, as defined under 31 Pa. Code §§ 146a.2 and 146b.2, except that the term does not include a purchasing group or a non-admitted insurer in regard to the surplus lines business (31 Pa. Code § 146c.2). 

Customer: means either a 'customer,' as defined in 31 Pa. Code § 146a.2 (relating to definitions) or a 'consumer' as defined in 31 Pa. Code § 146b.2 (relating to definitions). 

Customer information systems: means the "electronic or physical methods used to access, collect, store, use, transmit, protect or dispose of customer information" (31 Pa. Code § 146c.2). 

Customer information: means either "nonpublic personal financial information," as defined in 31 Pa. Code § 146a.2, or "nonpublic personal health information," as defined in 31 Pa. Code § 146b.2, about a customer, whether in paper, electronic or other form that is maintained by or on behalf of the licensee (31 Pa. Code § 146c.2). 

Service provider: means a "person that maintains, processes or otherwise is permitted access to customer information through its provision of services directly to the licensee" (31 Pa. Code § 146c.2).

9.2  The Consumer Protection Against Computer Spyware Act

Under the Consumer Protection Against Computer Spyware Act ('the Computer Spyware Act') (73 Pa. Stat. § 2330.1 et seq.), it is unlawful to install, or caused to be installed, computer software on a user's computer that deceptively modifies the computer's functions or acquires information. The Computer Spyware Act prohibits a person or entity from inducing a user to install software by misrepresenting that installing software is necessary for security or privacy reasons, or in order to open, view or play a particular type of content; or causing the execution of software in violation of the Computer Spyware Act (73 Pa. Stat. § 2330.5). 

The Computer Spyware Act further provides that a person or entity that is not an authorised user shall not cause computer software to be copied or procure the copying onto the computer of an authorised user in this Commonwealth and use the software to do any of the following acts or any other acts deemed to be deceptive (73 Pa. Stat. § 2330.3):

  • modify through deceptive means any of the following settings related to the computer's access to or use of the internet:
    • the page that appears when an authorised user launches an internet browser or similar software program used to access and navigate the internet;
    • the default provider or internet website proxy the authorised user uses to access or search the internet;
    • the authorised user's list of bookmarks used to access internet website pages;
  • collect through deceptive means personally identifiable information that meets any of the following criteria:
    • it is collected through the use of a keystroke-logging function that records all keystrokes made by an authorised user who uses the computer and transfers that information from the computer to another person; 
    • it includes all or substantially all of the Internet websites visited by an authorised user, other than internet websites of the provider of the software, if the computer software was installed in a manner designed to conceal from all authorised users of the computer the fact that the software is being installed; and 
    • it is a data element described in paragraphs (2), (3), (4) or (5) (i) or (ii) of the definition of 'personally identifiable information' that is extracted from the authorised user's computer hard drive for a purpose wholly unrelated to any of the purposes of the software or service described to an authorised user;
  • prevent, without the authorisation of an authorised user, through deceptive means an authorised user's reasonable efforts to block the installation of or to disable software by causing software that the authorised user has properly removed or disabled to automatically reinstall or reactivate on the computer without the authorisation of an authorised user;
  • misrepresent that software will be uninstalled or disabled by an authorised user's action with knowledge that the software will not be so uninstalled or disabled; and
  • through deceptive means, remove, disable or render inoperative security, antispyware or antivirus software installed on the computer.

The Computer Spyware Act also prohibits a person from installing upon a computer software to engage in the following acts, "or any other acts deemed to be deceptive" (73 Pa. Stat. § 2330.4(1)):

  • take control of the authorised user's computer by doing any of the following:
    • transmitting or relaying commercial electronic mail or a computer virus from the authorised user's computer where the transmission or relaying is initiated by a person other than the authorised user and without the authorisation of an authorised user;
    • accessing or using the authorised user's modem or internet service for the purpose of causing damage to the authorised user's computer or of causing an authorised user to incur financial charges for a service that is not authorised by an authorised user;
    • using the authorised user's computer as part of an activity performed by a group of computers for the purpose of causing damage to another computer, including, but not limited to, launching a denial of service attack; and
    • opening a series of stand-alone messages in the authorised user's computer without the authorisation of an authorised user and with knowledge that a reasonable computer user cannot close the advertisements without turning off the computer or closing the internet application.

The statute also prohibits a person from installing computer that modifies an authorised user's security or other settings protecting information in order to steal the user's personal information, or the computer's security settings of the computer for the purpose of causing damage to one or more computers (73 Pa. Stat. § 2330.4(2)). The statute also prohibits a person from installing computer that prevents an authorised user's reasonable efforts to block the installation of or to disable software by doing any of the following (73 Pa. Stat. § 2330.4(3)):

  • presenting the user with a fake option to decline installation of software; 
  • falsely representing that software has been disabled; 
  • requiring the user to access the internet to remove the software when the software frequently operates in a manner that prevents the user from accessing the internet;
  • changing the name, location, or other designation information of the software for the purpose of preventing the user from locating the software to remove it;
  • using randomised or deceptive file names, directory folders, formats or registry entries, or causing installation in a computer’s directory or computer memory to evade the software’s detection or removal; and
  • requiring that the user obtain a special code or download software from a third party to uninstall the software.

Violation of §§ 3(2) and 4(1)(i), (ii) and (iii) and (2) constitutes a felony of the second degree with imprisonment up to ten years and/or a fine of up to $25,000 (73 Pa. Stat. § 2330.8). A private cause of action exists under the statue for providers of computer software; internet service providers, and trademark owners whose trademark are used without authorisation (73 Pa. Stat. § 2330.9(a)). Relief includes injunctive relief, actual damages or statutory damages of up to $100,000 for each violation, and costs, including attorneys' fees (73 Pa. Stat. § 2330.9(b) and (d)). When considering damages, a court may increase an award treble actual damages if the court finds that "the violations have occurred with a frequency with respect to a group of victims as to constitute a pattern or practice" (73 Pa. Stat. § 2330.9(c)).

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

Not applicable.


1. Pennsylvania State Educ. Ass’n v. Commonwealth, 148 A.3d 142, 149-50 (Pa. 2016).

2. Id. at 150; see, e.g., Commonwealth v. Rekasie, 778 A.2d 624, 628 (Pa. 2001).

3. Pa. State Educ. Ass’n, 148 A.3d at 150.

4. Id.

5. Commonwealth v. Murray, 223 A.2d 102, 109 (Pa. 1966). The Supreme Court outlined, "One of the pursuits of happiness is privacy"; thus, "[t]he right to privacy is as much property of the individual as the land to which he holds title and the clothing he wears on his back."

6. In re T.R., 731 A.2d 1276, 1279 (Pa. 1999).

7. Pa. State Educ. Ass’n, 148 A.3d at 150, holding right of privacy protected from disclosure under Right To Know statute home addresses of public school employees.

8. E.g., Estate of Rennick v. Universal Credit Servs., LLC, 2019 U.S. Dist. LEXIS 6888 at *16 (E.D. Pa. Jan. 15, 2019).

9. Harris v. Easton Pub. Co., 483 A.2d 1377, 1383 (Pa. Super. Ct. 1984); see also Burger v. Blair Med. Assocs., 964 A.2d 374, 376 (Pa. 2009).

10. Harris, 483 A.2d at 1383, citing Restatement (Second) of Torts § 652B.

11. Id.

12. Burger v. Blair Med. Assocs., 964 A.2d 374, 378 (Pa. 2009).

13. Harris, 483 A.2d at 1384, citing Restatement (Second) of Torts § 652D; see also Burger, 964 A.2d at 379.

14. Harris, 483 A.2d at 1384.

15. Id.; Burger, 964 A.2d at 379, in which the "publicity" element was unsatisfied where the defendant disclosed the claimant's drug use only to the employer; Vogel v. W.T. Grant Co., 327 A.2d 133, 137 (Pa. 1974), in which the "publicity" element was unsatisfied where the defendant disclosed the claimant's private affairs to employer and three relatives.

16. Burger, 964 A.2d at 379.

17. Tanzosh v. InPhoto Surveillance, 2008 U.S. Dist. LEXIS 76022, *17 (M.D. Pa. Sept. 26, 2008); see also Rush v. Philadelphia Newspapers, Inc., 732 A.2d 648, 654 (Pa. Super. Ct. 1999).

18. Id.

19. Rush, 732 A.2d at 654.

20. Tanzosh, 2008 U.S. Dist. LEXIS 76022 at *17 (quoting Fogel v. Forbes, Inc., 500 F. Supp. 1081, 1087-88 (E.D. Pa. 1980)).

21. Rush, 732 A.2d at 654.

22. Eagle v. Morgan, 2013 U.S. Dist. LEXIS 34220, *20 (E.D. Pa. Mar. 12, 2013).

23. Id.

24. Id. (quoting Restatement (Second) of Torts § 652C).

25. AFL Phila. LLC v. Krause, 639 F. Supp. 2d 512, 530 (E.D. Pa. 2009), quoting Restatement (Second) of Torts § 652C, comment c.

26. Id., at 531.

27. Id.

28. Id.; Rose v. Triple Crown Nutrition, Inc., 2007 U.S. Dist. LEXIS 14785 (M.D. Pa. Mar. 2, 2007).

29. Eagle v. Morgan, 2013 U.S. Dist. LEXIS 34220, *20 (E.D. Pa. Mar. 12, 2013); see also World Wrestling Fed. Entm’t, Inc. v. Big Dog Holdings, Inc., 280 F. Supp. 2d 413, 443-44 (W.D. Pa. 2003).

30. Eagle, 2013 U.S. Dist. LEXIS 34220 at *20.

31. Id.

32. AFL Phila. LLC v. Krause, 639 F. Supp. 2d 512, 531 (E.D. Pa. 2009).

33. Dittman v. UPMC, 196 A.3d 1036, 1038 (Pa. 2018).

34. Id. at 1038-39.

35. Id. at 1046-47.

36. Id. at 1047-48.

37. Kine v. Security Guards, Inc., 386 F.3d 246, 257 (3d Cir. 2004).

38. Kump v. Nazareth Area Sch. Dist., 425 F. Supp. 2d 622, 633 (E.D. Pa. 2006) (student whose cell phone was confiscated by teacher and who alleged that teacher and assistant principal intercepted and replied to text messages sent to student's phone lacked standing to bring a claim section 5725 because the student had not engaged in a communication and only was intended recipient of the intercepted communications).

39. Marks v. Bell Tele. Co. of Pa., 331 A.2d 424, 430 n.6 (Pa. 1975).

40. Id.; see also Simmers v. Packer, 36 Pa. D.&C.4th 182, 185 (Pa. Ct. Comm. Pl. 1997).

41. Commonwealth v. Jung, 531 A.2d 498, 503-504 (Pa. Super. Ct. 1987).

42. Commonwealth v. Green, 2009 Pa. Dist. & Centy Dec,. LEXIS 270 (Pa. Ct. Comm. P. Oct. 8, 2009), aff’d, 13 A.3d 998 (PA. Super. Ct. 2010).

43. Aberts v. Verna, 2016 Pa. Dist. & Cnty Dec. LEXIS 3028 (Pa. Ct. Comm. Pl. June 27, 2016).

44. Com., by Creamer v. Monumental Properties, Inc., 329 A.2d 812, 816 (Pa. 1974).

45. E.g., Bennett v. A.T. Masterpiece Homes at Broadsprings, LLC, 40 A.3d 145, 151-152 (Pa. Super. Ct. 2012) (describing 73 P.S. § 201-2(4)(xxi) as a “catchall” phrase). 

46. See Commonwealth of Pennsylvania v. The Neiman Marcus Group, LLC, Case No. 190100160 (Pa. Ct. Comm. Pl. Philadelphia Cty., Jan. 8, 2019); Commonwealth of Pennsylvania v. Target Corp., Case No. 215-MD-2017 (Pa. Commw. Ct. May 23, 2017); see also 73 P.S. § 201-5 (authorizing the Pennsylvania Attorney General to enter into Assurances of Compliance).

47. E.g., Baum v. Keystone Mercy Health Plan, 116 A.3d 682 (Pa. Super. Dec. 9, 2014).

48. Boehm v. Riversource Life Ins. Co., 117 A.3d 308, 336-37 (Pa. Super. Ct. 2014); see also Krebs v. United Refining Co. of Pennsylvania, 893 A.2d 776, 788 (Pa. Super. Ct. 2006), which stated "these cases hold generally that where the General Assembly has departed from the 'American Rule' (where each party is responsible for his or her own attorneys' fees and costs), by providing a fee-shifting remedy in a remedial statute, the trial court's discretionary award or denial of attorneys' fees must be made in a manner consistent with the aims and purposes of that statute."

49. Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).

50. Burger v. Blair Med. Assocs., 964 A.2d 374, 379 (Pa. 2009).

51. Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).

52. Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).