On January 29, 2024, House Bill 5338 for a Consumer Data Protection Act and Safe Harbor for Cybersecurity Programs was introduced to the West Virginia House of Representatives and thereafter referred, on February 2, 2024, to the House Finance Committee. In particular, the bill provides for the creation of both a cybersecurity program framework and the creation of a Consumer Data Protection Act.

Scope

The bill outlines its application to persons that conduct business in West Virginia or produce products or services that are targeted to residents of West Virginia and that:

• during a calendar year, control or process personal data of at least 100,000 consumers;
• control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data; or
• have annual gross revenues generated in West Virginia which exceed $25,000,000.

However, the bill notes that it does not apply to:

• any body, authority, board, bureau, commission, district, or agency of the state or of any political subdivision of West Virginia;
• financial institutions subject to the Gramm-Leach-Bliley Act (GLBA);
• covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services established pursuant to the Health Insurance Portability and Accountability Act (HIPAA);
• non-profit organizations;
• institutions of higher education;
• protected health information under HIPAA; and

• data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within that role.

Consumer rights

The bill provides for consumer rights including the right to be informed, access, rectification, deletion, data portability, and opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. The bill also elaborates on the timeframe in which controllers must respond to consumer requests, the circumstances under which they decline to take action, and procedures for responding to consumer appeals following initial requests.

Obligations

Similarly, the bill details data processing principles such as data minimization, purpose limitation, and maintaining reasonable administrative, technical, and physical data security practices.

More specifically, the bill highlights the requirement to provide consumers with a privacy notice, including certain contents, and conduct a data protection assessment. The relationship between controllers and processors is also covered, with the bill detailing that processors must adhere to the instructions of the controller, and that the relationship between controllers and processors be governed by a contract. Further, the engagement of a subcontractor must also be governed by a written contract in accordance with the requirements applicable to processors.

Enforcement and effective date

The Attorney General of West Virginia has exclusive authority to enforce the provisions of the bill, and may initiate an action and seek damages for up to $7,500 for each violation.

The bill would enter into effect on January 1, 2025, upon its passage.

You can read the bill here and track its progress here.

Update: February 29, 2024

Bill passes House

On February 28, 2024, the bill was passed by the House, and on the same date, it was communicated to the Senate. In particular, the substituted bill only covers provisions on cybersecurity programs, and the provisions in relation to consumer data protection are no longer included.

You can read the substituted bill here and track its progress here.

Update: March 1, 2024

Bill introduced to Senate and referred to Committee

On February 29, 2024, the bill was introduced to the Senate and, on the same date, referred to the Committee on Transportation and Infrastructure. 

You can read the substituted bill here and track its progress here.

Update: March 5, 2024

Bill referred to Senate Committee on Finance

On March 4, 2024, the bill was referred to the Senate Committee on Finance after being read for the first time in the Senate on the same date.

You can read the substituted bill here and track its progress here.

Update: March 7, 2024

Bill placed for third reading in Senate 

On March 7, 2024, the bill was placed for third reading with the right to amend in the Senate after being read for the second time on March 6, 2024.

You can read the substituted bill here and track its progress here.

Update: March 11, 2024

Bill passes both houses

On March 9, 2024, the House concurred with the Senate amendments to the bill and passed the bill on the same date. 

The bill will now be sent to the Governor for signature to become law. The bill will enter into effect on January 1, 2025, after its enactment. 

You can read the substituted bill here and track its progress here.

Update: April 19, 2024

Bill vetoed by Governor

On March 9, 2024, the bill was vetoed by the Governor. 

You can read the enrolled bill here and view its legislative history here.