• Privacy
  • Privacy Law Update
  • Regulations

Privacy Law Update: West Virginia’s Proposed Privacy Law


Rick Buck Chief Privacy Officer

Note: The West Virginia legislature closed its session on April 10 without passing its proposed bill so the bill is considered dead for now. The following blog outlines what was proposed.

• • •

On March 15, West Virginia Delegate Danny Hamrick, joined by 10 other Republicans, introduced House Bill 3159 which is consumer data privacy legislation similar to the California Consumer Privacy Act (CCPA).


The legislation applies to businesses doing business in West Virginia that collect consumers’ personal information (PI), determine the purposes and means of processing the PI, and:

  1. Have global gross revenue over $25 million; or
  2. Annually buy, receive, sell, or share the PI of 50,000 or more consumers; or
  3. Derive 50 percent or more of global annual revenues from selling or sharing PI.

This aligns with the CCPA thresholds.

Consumer Rights:

The legislation provides consumers with the right to:

  1. Know PI collected
  2. Know PI sold or shared
  3. Opt-out of the sale or sharing of PI to third parties
  4. Correct PI
  5. Delete PI collected from the consumer, subject to certain exceptions.

Similar to CCPA businesses may deny a request to delete if the PI is necessary to:

  1. Complete the transaction for which the personal information was collected
  2. Fulfill the terms of a written warranty or product recall
  3. Provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer
  4. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, etc.
  5. Debug to identify and repair errors that impair existing intended functionality
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, with the consumer’s consent
  7. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business
  8. Comply with a legal obligation
  9. Otherwise internally use the consumer’s personal information in a lawful manner that is compatible with the context in which the consumer provided the information.


The legislation provides no exemptions, unlike the CCPA which provides exemptions for PI governed by, or collected, processed, sold or disclosed pursuant to other state and federal acts that protect PI, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act rules relating to data privacy and security.

Contract Requirements:

The legislation mandates certain contractual requirements between businesses and service providers and between businesses and third parties.
With respect to service providers, the contract must prohibit:

  1. Selling or sharing PI
  2. Retaining, using or disclosing PI for any purposes other than those specified in the contract
  3. Retaining, using or disclosing PI outside of the direct business relationship between the business and service provider
  4. Combining PI that the service provider receives from the business with PI it receives from another person or entity, or that the service provider collects from its own interaction with the consumer, except that the service provider may combine personal information to perform any business purpose.

The contract prohibitions with respect to third parties are the same, except the fourth prohibition above is not included. This may be a drafting error as the second prohibition above is recited twice in the list of third-party contractual prohibitions (§ 46A-9-8(e)(2) and (e)(3)).

Private Right of Action:

The legislation provides a private right of action when a certain information that would allow access to a consumer’s account “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures . . .” Damages per incident are the greater of actual damages or an amount “not less than $100 and not greater than $750.”

Attorney General Enforcement:

For any alleged violation that is not cured within 30 days of notification, the Attorney General may seek a civil penalty of not more than $2,500 if unintentional and $7,500 if intentional.

Future proof your privacy program with WireWheel’s Trust Access and Consent Center and WireWheel’s Privacy Operations Manager.

Request Demo
Rick Buck is the WireWheel Chief Privacy Officer and acts as a Privacy Advisor to WireWheel clients, helping them with the implementation and optimization of their privacy programs. Over the past 20 years, Rick has…