Press "Enter" to skip to content

West Virginia Republicans Introduce California-Style Data Privacy Legislation

privacy legislationOn March 15, West Virginia Delegate Danny Hamrick, joined by 10 other Republicans, introduced House Bill 3159 which is consumer data privacy legislation similar to the California Consumer Privacy Act (CCPA), though arguably less business friendly.


The legislation applies to businesses doing business in West Virginia that collect consumers’ personal information (PI), determine the purposes and means of processing the PI, and:

  1. Have global gross revenue over $25 million; or
  2. Annually buy, receive, sell, or share the PI of 50,000 or more consumers; or
  3. Derive 50 percent or more of global annual revenues from selling or sharing PI.

This aligns with the CCPA thresholds.

Consumer Rights

The legislation provides consumers with the right to:

  1. Know PI collected;
  2. Know PI sold or shared;
  3. Opt-out of the sale or sharing of PI to third parties;
  4. Correct PI;
  5. Delete PI collected from the consumer, subject to certain exceptions.

Again, from the CCPA playbook, a business may deny a request to delete if the PI is necessary to:

  1. Complete the transaction for which the personal information was collected;
  2. Fulfill the terms of a written warranty or product recall;
  3. Provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
  4. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, etc.;
  5. Debug to identify and repair errors that impair existing intended functionality;
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, with the consumer’s consent;
  7. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
  8. Comply with a legal obligation;
  9. Otherwise internally use the consumer’s personal information in a lawful manner that is compatible with the context in which the consumer provided the information.


The legislation provides no exemptions, unlike the CCPA which provides exemptions for PI governed by, or collected, processed, sold or disclosed pursuant to other state and federal acts that protect PI, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act rules relating to data privacy and security.

Contract Requirements

The legislation mandates certain contractual requirements between businesses and service providers and between businesses and third parties.

With respect to service providers, the contract must prohibit:

  1. Selling or sharing PI;
  2. Retaining, using or disclosing PI for any purposes other than those specified in the contract;
  3. Retaining, using or disclosing PI outside of the direct business relationship between the business and service provider;
  4. Combining PI that the service provider receives from the business with PI it receives from another person or entity, or that the service provider collects from its own interaction with the consumer, except that the service provider may combine personal information to perform any business purpose.

The contract prohibitions with respect to third parties are the same, except the fourth prohibition above is not included. This may be a drafting error as the second prohibition above is recited twice in the list of third party contractual prohibitions (§ 46A-9-8(e)(2) and (e)(3)).

Private Right of Action

The legislation provides a private right of action when a certain information that would allow access to a consumer’s account “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures . . .” Damages per incident are the greater of actual damages or an amount “not less than $100 and not greater than $750.”

Attorney General Enforcement

For any alleged violation that is not cured within 30 days of notification, the Attorney General may seek a civil penalty of not more than $2,500 if unintentional and $7,500 if intentional.


It is interesting that the Virginia legislature, controlled by Democrats, enacted a Consumer Data Protection Act that many would consider to be fairly moderate, while the Republicans who control the legislature in West Virginia opt for a version more onerous than the CCPA.

For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.