Bill Summary – FastDemocracy

WEST VIRGINIA LEGISLATURE
REGULAR SESSION
                  Originating House Bill 5698
 By Delegates Linville, Rohrbach, Fehrenbacher, Hite,
             Howell, Toney, and Cannon [Originating in the Committee on Finance; Reported on February 23, 2024]
     Org HB 5698
  A BILL to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article,
         designated §46A-6O-1, §46A-6O-2, §46A-6O-3, §46A-6O-4, §46A-6O-5, §46A-6O-6,
         §46A-6O-7, §46A-6O-8, §46A-6O-9, §46A-6O-10, §46A-6O-11, §46A-6O-12 and §46A-
         6O-13, all relating to the Consumer Data Protection Act; inserting establishing a framework
         for controlling and processing personal data in the state; creating definitions; limiting
         application to all persons that conduct business in the state and either control or process
         personal data of at least 100,000 consumers or derive over 50 percent of gross revenue
         from the sale of personal data and control or process personal data of at least 25,000
         consumers; providing exemptions; delineating responsibilities and privacy protection
        standards for data controllers and processors; clarifying standards do not apply to state or
        local governmental entities; providing exceptions for certain types of data and information
        governed by federal law; providing that consumers have rights to access, correct, delete,
        obtain a copy of personal data, and to opt out of the processing of personal data for the
        purposes of targeted advertising; providing that the Attorney General has exclusive
        authority to enforce violations of the law; providing for assistance of the Attorney General in
        obtaining relief; establishing the Consumer Privacy Fund to support this effort; and
        providing for construction and an effective date.
     Be it enacted by the Legislature of West Virginia:
     ARTICLE 6O. CONSUMER DATA PROTECTION ACT.
     §46A-6O-1. Definitions.
         As used in this article, unless the context requires a different meaning:
         "Affiliate" means a legal entity that controls, is controlled by, or is under common control
  with another legal entity or shares common branding with another legal entity. For the purposes of
  this definition, "control" or "controlled" means:
         (1) Ownership of, or the power to vote, more than 50 percent of the outstanding shares of
  any class of voting security of a company;
                                                         1
     Org HB 5698
         (2) Control in any manner over the election of a majority of the directors or of individuals
  exercising similar functions; or
         (3) The power to exercise controlling influence over the management of a company.
        "Authenticate" means verifying through reasonable means that the consumer, entitled to
 exercise his consumer rights in §46A-6O-3 of this code, is the same consumer exercising such
 consumer rights with respect to the personal data at issue.
        "Biometric data" means data generated by automatic measurements of an individual's
 biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique
 biological patterns or characteristics that is used to identify a specific individual. "Biometric data"
 does not include a physical or digital photograph, a video or audio recording or data generated
 therefrom, or information collected, used, or stored for health care treatment, payment, or
 operations under HIPAA.
        "Business associate" means the same meaning as the term established by HIPAA.
        "Child" means any natural person younger than 13 years of age.
        "Consent" means a clear affirmative act signifying a consumer's freely given, specific,
 informed, and unambiguous agreement to process personal data relating to the consumer.
 Consent may include a written statement, including a statement written by electronic means, or
 any other unambiguous affirmative action. Consent does not include consent induced by use of a
 user interface designed or manipulated with the substantial effect of subverting or impairing user
 autonomy, decision-making, or choice.
        "Consumer" means a natural person who is a resident of the State acting only in an
 individual or household context. It does not include a natural person acting in a commercial or
 employment context.
        "Controller" means the natural or legal person that, alone or jointly with others, determines
 the purpose and means of processing personal data.
        "Covered entity" means the same as the term is established by HIPAA.
                                                       2
     Org HB 5698
         "Decisions that produce legal or similarly significant effects concerning a consumer"
 means a decision made by the controller that results in the provision or denial by the controller of
 financial and lending services, bank holding companies, housing, insurance, education
 enrollment, criminal justice, employment opportunities, health care services, or access to basic
 necessities, such as food and water.
         "De-identified data" means data that cannot reasonably be linked to an identified or
 identifiable natural person, or a device linked to such person. A controller that possesses "de-
 identified data" shall comply with the requirements of subsection (a) of §46A-6O-7.
         "Fund" means the Consumer Privacy Fund established pursuant to §46A-6O-11 of this
 code.
         "Health record" means any written, printed or electronically recorded material maintained
 by a health care entity in the course of providing health services to an individual concerning the
 individual and the services provided. "Health record" also includes the substance of any
 communication made by an individual to a health care entity in confidence during or in connection
 with the provision of health services or information otherwise acquired by the health care entity
 about an individual in confidence and in connection with the provision of health services to the
 individual.
         "Health care provider" means the same as that term is defined in §16-30-3 of this code.
         "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996 (42
 U.S.C.§1320d et seq.).
         "Identified or identifiable natural person" means a person who can be readily identified,
 directly or indirectly.
         "Institution of higher education" means a state institution of higher education as defined in
 §18B-1-2 of this code and, includes further, any private institution of higher education.
                                                      3
     Org HB 5698
         "Nonprofit organization" means any corporation organized under the West Virginia
 Nonprofit Corporation Act, Chapter §31-1-101 of this code, et seq.,or any organization exempt
 from taxation under §§501(c)(3), 501(c)(6), or 501 (c)(12) of the Internal Revenue Code.
         "Personal data" means any information that is linked or reasonably linkable to an identified
 or identifiable natural person. "Personal data" does not include de-identified data or publicly
 available information.
         "Precise geolocation data" means information derived from technology, including, but not
 limited to, global positioning system level latitude and longitude coordinates or other mechanisms,
 that directly identifies the specific location of a natural person with precision and accuracy within a
 radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or
 any data generated by or connected to advanced utility metering infrastructure systems or
 equipment for use by a utility.
         "Process" or "processing" means any operation or set of operations performed, whether by
 manual or automated means, on personal data or on sets of personal data, such as the collection,
 use, storage, disclosure, analysis, deletion, or modification of personal data.
         "Processor" means a natural or legal entity that processes personal data on behalf of a
 controller.
         "Profiling" means any form of automated processing performed on personal data to
 evaluate, analyze, or predict personal aspects related to an identified or identifiable natural
 person's economic situation, health, personal preferences, interests, reliability, behavior, location,
 or movements.
         "Protected health information" means the same as the term is established by HIPAA.
         "Pseudonymous data" means personal data that cannot be attributed to a specific natural
 person without the use of additional information, provided that such additional information is kept
 separately and is subject to appropriate technical and organizational measures to ensure that the
 personal data is not attributed to an identified or identifiable natural person.
                                                       4
      Org HB 5698
          "Publicly available information" means information that is lawfully made available through
  federal, state, or local government records, or information that a business has a reasonable basis
  to believe is lawfully made available to the general public through widely distributed media, by the
  consumer, or by a person to whom the consumer has disclosed the information, unless the
  consumer has restricted the information to a specific audience.
          "Sale of personal data" means the exchange of personal data for monetary consideration
  by the controller to any third party. "Sale of personal data" does not include:
          (1) The disclosure of personal data to a processor that processes the personal data on
  behalf of the controller;
          (2) The disclosure of personal data to a third party for purposes of providing a product or
  service requested by the consumer;
          (3) The disclosure or transfer of personal data to an affiliate of the controller;
          (4) The disclosure of information that the consumer (A) intentionally made available to the
  general public via a channel of mass media and (B) did not restrict to a specific audience; or
          (5) The disclosure or transfer of personal data to a third party as an asset that is part of a
  merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all
  or part of the controller's assets.
         "Sensitive data" means a category of personal data that includes:
         (1) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical
 health diagnosis, sexual orientation, or citizenship or immigration status;
         (2) The processing of genetic or biometric data for the purpose of uniquely identifying a
 natural person;
         (3) The personal data collected from a known child; or
         (4) Precise geolocation data.
         "State agency" means the same as that term is defined in §6D-1-1 of this code and
                                                         5
      Org HB 5698
        "Targeted advertising" means displaying advertisements to a consumer where the
 advertisement is selected based on personal data obtained from that consumer's activities over
 time and across nonaffiliated websites or online applications to predict such consumer's
 preferences or interests. "Targeted advertising" does not include:
        (1) Advertisements based on activities within a controller's own websites or online
 applications;
        (2) Advertisements based on the context of a consumer's current search query, visit to a
 website, or online application;
        (3) Advertisements directed to a consumer in response to the consumer's request for
 information or feedback; or
        (4) Processing personal data processed solely for measuring or reporting advertising
 performance, reach, or frequency.
        "Third party" means a natural or legal person, public authority, agency, or body other than
 the consumer, controller, processor, or an affiliate of the processor or the controller.
        "Trade secret" means information, without regard to form, including, but not limited to,
 technical, nontechnical, or financial data, a formula, pattern, compilation, program, device,
 method, technique, plan, or process, that:
        (1) Derives independent economic value, actual or potential, from not being generally
 known to, and not being readily ascertainable by proper means by, other persons who can obtain
 economic value from the information's disclosure or use; and
        (2) Is the subject of efforts that are reasonable under the circumstances to maintain the
 information's secrecy.
      §46A-6O-2. Scope; exemptions.
         (a) This article applies to persons that conduct business in the state or produce products or
  services that are targeted to residents of the state and that
                                                        6
     Org HB 5698
          (1) During a calendar year, control or process personal data of at least 100,000
  consumers;
          (2) Control or process personal data of at least 25,000 consumers and derive over 50
  percent of gross revenue from the sale of personal data; or
          (3) Have annual gross revenues generated in this state which exceed $25,000,000.
          (b) This article shall not apply to any:
          (1) Body, authority, board, bureau, commission, district, or agency of the state or of any
 political subdivision of the state;
         (2) Financial institutions, bank holding companies or data subject to Title V of the federal
 Gramm-Leach-Bliley Act (15 U.S.C.§6801 et seq.);
         (3) Covered entity or business associate governed by the privacy, security, and breach
 notification rules issued by the United States Department of Health and Human Services, 45
 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology
 for Economic and Clinical Health Act (Public Law 111-5);
         (4) Nonprofit organization;
         (5) Institution of higher education; or
         (6) Insurer, as defined in §33-1-2 of this code or third party administrator as define in §33-
 46-2 of this code.
         (c) The following information and data is exempt from this article:
         (1) Protected health information under HIPAA;
         (2) Health records for purposes of Title 32.1;
         (3) Patient identifying information for purposes of 42 U.S.C.§290dd-2;
         (4) Identifiable private information for purposes of the federal policy for the protection of
 human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise
 information collected as part of human subjects research pursuant to the good clinical practice
 guidelines issued by The International Council for Harmonisation of Technical Requirements for
                                                        7
     Org HB 5698
 Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50,
 and 56, or personal data used or shared in research conducted in accordance with the
 requirements set forth in this chapter, or other research conducted in accordance with applicable
 law;
        (5) Information and documents created for purposes of the federal Health Care Quality
 Improvement Act of 1986 (42 U.S.C.§11101 et seq.);
        (6) Patient safety work product for purposes of the federal Patient Safety and Quality
 Improvement Act (42 U.S.C.§299b-21 et seq.);
        (7) Information derived from any of the health care-related information listed in this
 subsection that is de-identified in accordance with the requirements for de-identification pursuant
 to HIPAA;
        (8) Information originating from, and intermingled to be indistinguishable with, or
 information treated in the same manner as information exempt under this subsection that is
 maintained by a covered entity or business associate as defined by HIPAA or a program or a
 qualified service organization as defined by 42 U.S.C.§290dd-2;
        (9) Information used only for public health activities and purposes as authorized by HIPAA;
        (10) The collection, maintenance, disclosure, sale, communication, or use of any personal
 information bearing on a consumer's credit worthiness, credit standing, credit capacity, character,
 general reputation, personal characteristics, or mode of living by a consumer reporting agency,
 furnisher, or user that provides information for use in a consumer report, and by a user of a
 consumer report, but only to the extent that such activity is regulated by and authorized under the
 federal Fair Credit Reporting Act (15 U.S.C.§1681 et seq.);
        (11) Personal data collected, processed, sold, or disclosed in compliance with the federal
 Driver's Privacy Protection Act of 1994 (18 U.S.C.§2721 et seq.);
        (12) Personal data regulated by the federal Family Educational Rights and Privacy Act (20
 U.S.C.§1232g et seq.);
                                                     8
     Org HB 5698
        (13) Personal data collected, processed, sold, or disclosed in compliance with the federal
 Farm Credit Act (12 U.S.C.§2001 et seq.);
        (14) Data processed or maintained:
        (A) In the course of an individual applying to, employed by, or acting as an agent or
 independent contractor of a controller, processor, or third party, to the extent that the data is
 collected and used within the context of that role;
        (B) As the emergency contact information of an individual under this chapter used for
 emergency contact purposes;
        (C) That is necessary to retain to administer benefits for another indi