Privacy Bill Essentials: West Virginia HB 3159

Hinshaw & Culbertson - Privacy, Cyber & AI Decoded
Contact
LinkedIn
Facebook
X
Send
Embed

Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends

* Update - West Virginia House Bill 3159 died when West Virginia legislature adjourned on Saturday, April 10, 2021, after 60 days in session.

West Virginia Republicans introduced House Bill 3159 on March 15, 2021. The Bill would protect consumer data by providing a right to opt-out of the sale or sharing of personal information, the right to request a copy of the personal data collected twice a year, and the ability to request deletion or correction of certain personal information.

To whom would it apply?

The Bill would apply to for-profit businesses that collect personal information about consumers, determine the purposes and means of processing the personal information, and satisfy one or more of the following:

  • Have a global annual gross annual revenue in excess of $25 million;
  • Buy, sell, or receive/share for commercial purposes the personal information of 50,000 or more consumers, households, or devices per annum; or
  • Derive 50% or more of global annual revenue from selling or sharing personal information about consumers.

The Bill defines a "consumer" as a natural person who resides in or is domiciled in the state of West Virginia. This definition includes those domiciled in the state who reside outside the state for a temporary or transitory purpose.

The term "share" is defined as sharing, renting, releasing, disclosing, disseminating, making available, transferring, or accessing a consumer's personal information for advertising and includes:

  • Allowing a third party to use or advertise to a consumer based on the consumer's personal information without disclosure of the personal information to the third party; or
  • Monetary transactions, nonmonetary transactions, and transactions for other valuable consideration between a business and a third party for advertising for the benefit of a business.

What types of information would it cover?

Personal information is defined as information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with a particular consumer or household. This information includes, for example:

  • Identifiers such as real name, alias, and email address;
  • Commercial information;
  • Biometric information;
  • Internet information such as browsing history:
  • Geolocation data; and
  • Professional or employment-related information.

Personal information does not include public information made available from federal, state, or local government records and deidentified or aggregate consumer information.

What rights would it create?

The Bill provides the right to opt-out of the sale or sharing to third parties and the ability to request deletion or correction of certain personal information. A business may not be required to comply with a request to delete if it is necessary to maintain the personal information in order to:

  • Complete the transaction;
  • Fulfill the terms of a written warranty or product recall;
  • Provide a good or service requested by the customer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and a customer;
  • Detect and protect against security incidents or prosecute those responsible for the incidents;
  • Debug to identify and repair errors;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, with the consumer's consent;
  • Enable solely internal uses reasonably expected in the business relationship;
  • Comply with a legal obligation; and
  • Otherwise internally use the personal information in a lawful manner compatible with the context in which the consumer provided the information.

The Bill provides for the right to request that a business collecting personal information disclose to the consumer the categories and specific pieces of information the business collects and/or has sold or shared. The consumer also has the right to request a copy of the personal data collected, but may only do so twice a year.

The legislature prohibits discrimination against consumers who exercise their rights under the article. Discrimination under the section includes denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services.

What obligations would it impose?

Businesses would be required to maintain an online privacy policy, make the policy available on their website, and update the information at least once every twelve months. The policy must include:

  • The state-specific privacy rights;
  • The categories of information collected about consumers;
  • Which of these categories the business sells, shares/has sold or shared;
  • The right to opt-out of the sale or sharing to third parties—a clear and conspicuous link entitled "Do Not Sell or Share My Personal Information"—and must not require the consumer to create an account in order to opt-out;
  • The right to request disclosure of the categories and specific information collected and the purposes for which the information will be used; and
  • A retention schedule that prohibits the use and retention of personal information after satisfaction of the initial purpose for collection, or after the duration of a contract, or one year after the consumer's last interaction with the business, whichever occurs first.

The Bill also contains requirements for contracts between a business and service providers or third parties which prohibit selling or sharing of personal information, among other prohibitions. Subcontractors must also abide by these terms.

How would it be enforced?

The West Virginia Division of Consumer Protection is empowered to establish rules under the legislation for enforcement and bring suit for violations. Businesses are given 30 days to cure a violation after being notified in writing of the alleged noncompliance.

The Bill provides for a private right of action for a consumer whose unencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of a business's violation to implement and maintain security procedures to protect personal information. The consumer may bring a civil action for damages and injunctive or declaratory relief.

When would it go into effect?

Effective date yet to be determined.

Where does it stand?

The Bill was introduced in the House on March 15, 2021, and is under consideration in the West Virginia House Judiciary Committee. Republicans currently have a veto-proof supermajority in both legislative chambers, and the party also controls the governorship, so the bill will not require bipartisan support.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinshaw & Culbertson - Privacy, Cyber & AI Decoded | Attorney Advertising

Written by:

Hinshaw & Culbertson - Privacy, Cyber & AI Decoded
Hinshaw & Culbertson - Privacy, Cyber & AI Decoded
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Hinshaw & Culbertson - Privacy, Cyber & AI Decoded on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide