On March 15, West Virginia Delegate Danny Hamrick, joined by 10 other Republicans, introduced House Bill 3159, consumer data privacy legislation modeled on the California Consumer Privacy Act (CCPA), though arguably less business-friendly.
The legislation applies to businesses doing business in West Virginia that collect consumers’ personal information (PI), determine the purposes and means of processing the PI, and:
- Have global gross revenue over $25 million; or
- Annually buy, receive, sell, or share the PI of 50,000 or more consumers; or
- Derive 50 percent or more of global annual revenues from selling or sharing PI.
This aligns with the CCPA thresholds.
The legislation provides consumers with the right to:
- Know PI collected;
- Know PI sold or shared;
- Opt-out of the sale or sharing of PI to third parties;
- Correct PI;
- Delete PI collected from the consumer, subject to certain exceptions.
Again, from the CCPA playbook, a business may deny a request to delete if the PI is necessary to:
- Complete the transaction for which the personal information was collected;
- Fulfill the terms of a written warranty or product recall;
- Provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, etc.;
- Debug to identify and repair errors that impair existing intended functionality;
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest, with the consumer’s consent;
- Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business;
- Comply with a legal obligation;
- Otherwise internally use the consumer’s personal information in a lawful manner that is compatible with the context in which the consumer provided the information.
The legislation provides no exemptions, unlike the CCPA, which exempts PI governed by, or collected, processed, sold or disclosed pursuant to, other state and federal laws that protect PI, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act rules relating to data privacy and security.
The legislation mandates certain contractual requirements between businesses and service providers and between businesses and third parties.
With respect to service providers, the contract must prohibit:
- Selling or sharing PI;
- Retaining, using or disclosing PI for any purposes other than those specified in the contract;
- Retaining, using or disclosing PI outside of the direct business relationship between the business and service provider;
- Combining PI that the service provider receives from the business with PI it receives from another person or entity, or that the service provider collects from its own interaction with the consumer, except that the service provider may combine personal information to perform any business purpose.
The contract prohibitions with respect to third parties are the same, except the fourth prohibition above is not included. This may be a drafting error as the second prohibition above is recited twice in the list of third party contractual prohibitions (§ 46A-9-8(e)(2) and (e)(3)).
Private Right of Action
The legislation provides a private right of action when certain information that would allow access to a consumer’s account “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures . . .” As under the CCPA, the trigger is a breach caused by a failure to maintain reasonable security, not a privacy violation in general. Damages per incident are the greater of actual damages or an amount “not less than $100 and not greater than $750.”
Attorney General Enforcement
For any alleged violation that is not cured within 30 days of notification, the Attorney General may seek a civil penalty of not more than $2,500 if unintentional and $7,500 if intentional.
It is interesting that the Virginia legislature, controlled by Democrats, enacted a Consumer Data Protection Act that many would consider fairly moderate, while the Republicans who control the legislature in West Virginia have opted for a version more onerous than the CCPA.
For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit https://mauricewutscher.com/data-privacy-and-security/.