WEST VIRGINIA LEGISLATURE
2024 REGULAR SESSION
Originating House Bill 5698
By Delegates Linville, Rohrbach, Fehrenbacher, Hite,
Howell, Toney, and Cannon [Originating in the Committee on Finance; Reported on February 23, 2024]
Org HB 5698
1 A BILL to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article,
2 designated §46A-6O-1, §46A-6O-2, §46A-6O-3, §46A-6O-4, §46A-6O-5, §46A-6O-6,
3 §46A-6O-7, §46A-6O-8, §46A-6O-9, §46A-6O-10, §46A-6O-11, §46A-6O-12 and
4 §46A-6O-13, all relating to the Consumer Data Protection Act; establishing a framework
5 for controlling and processing personal data in the state; creating definitions; limiting
6 application to all persons that conduct business in the state and either control or process
7 personal data of at least 100,000 consumers or derive over 50 percent of gross revenue
8 from the sale of personal data and control or process personal data of at least 25,000
9 consumers; providing exemptions; delineating responsibilities and privacy protection
10 standards for data controllers and processors; clarifying standards do not apply to state or
11 local governmental entities; providing exceptions for certain types of data and information
12 governed by federal law; providing that consumers have rights to access, correct, delete,
13 obtain a copy of personal data, and to opt out of the processing of personal data for the
14 purposes of targeted advertising; providing that the Attorney General has exclusive
15 authority to enforce violations of the law; providing for assistance of the Attorney General in
16 obtaining relief; establishing the Consumer Privacy Fund to support this effort; and
17 providing for construction and an effective date.
Be it enacted by the Legislature of West Virginia:
ARTICLE 6O. CONSUMER DATA PROTECTION ACT.
§46A-6O-1. Definitions.
1 As used in this article, unless the context requires a different meaning:
2 "Affiliate" means a legal entity that controls, is controlled by, or is under common control
3 with another legal entity or shares common branding with another legal entity. For the purposes of
4 this definition, "control" or "controlled" means:
5 (1) Ownership of, or the power to vote, more than 50 percent of the outstanding shares of
6 any class of voting security of a company;
7 (2) Control in any manner over the election of a majority of the directors or of individuals
8 exercising similar functions; or
9 (3) The power to exercise controlling influence over the management of a company.
10 "Authenticate" means verifying through reasonable means that the consumer, entitled to
11 exercise his consumer rights in §46A-6O-3 of this code, is the same consumer exercising such
12 consumer rights with respect to the personal data at issue.
13 "Biometric data" means data generated by automatic measurements of an individual's
14 biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique
15 biological patterns or characteristics that is used to identify a specific individual. "Biometric data"
16 does not include a physical or digital photograph, a video or audio recording or data generated
17 therefrom, or information collected, used, or stored for health care treatment, payment, or
18 operations under HIPAA.
19 "Business associate" means the same meaning as the term established by HIPAA.
20 "Child" means any natural person younger than 13 years of age.
21 "Consent" means a clear affirmative act signifying a consumer's freely given, specific,
22 informed, and unambiguous agreement to process personal data relating to the consumer.
23 Consent may include a written statement, including a statement written by electronic means, or
24 any other unambiguous affirmative action. Consent does not include consent induced by use of a
25 user interface designed or manipulated with the substantial effect of subverting or impairing user
26 autonomy, decision-making, or choice.
27 "Consumer" means a natural person who is a resident of the State acting only in an
28 individual or household context. It does not include a natural person acting in a commercial or
29 employment context.
30 "Controller" means the natural or legal person that, alone or jointly with others, determines
31 the purpose and means of processing personal data.
32 "Covered entity" means the same as the term is established by HIPAA.
33 "Decisions that produce legal or similarly significant effects concerning a consumer"
34 means a decision made by the controller that results in the provision or denial by the controller of
35 financial and lending services, bank holding companies, housing, insurance, education
36 enrollment, criminal justice, employment opportunities, health care services, or access to basic
37 necessities, such as food and water.
38 "De-identified data" means data that cannot reasonably be linked to an identified or
39 identifiable natural person, or a device linked to such person. A controller that possesses "de-
40 identified data" shall comply with the requirements of subsection (a) of §46A-6O-7.
41 "Fund" means the Consumer Privacy Fund established pursuant to §46A-6O-11 of this
42 code.
43 "Health record" means any written, printed or electronically recorded material maintained
44 by a health care entity in the course of providing health services to an individual concerning the
45 individual and the services provided. "Health record" also includes the substance of any
46 communication made by an individual to a health care entity in confidence during or in connection
47 with the provision of health services or information otherwise acquired by the health care entity
48 about an individual in confidence and in connection with the provision of health services to the
49 individual.
50 "Health care provider" means the same as that term is defined in §16-30-3 of this code.
51 "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996 (42
52 U.S.C.§1320d et seq.).
53 "Identified or identifiable natural person" means a person who can be readily identified,
54 directly or indirectly.
55 "Institution of higher education" means a state institution of higher education as defined in
56 §18B-1-2 of this code and, includes further, any private institution of higher education.
57 "Nonprofit organization" means any corporation organized under the West Virginia
58 Nonprofit Corporation Act, Chapter §31-1-101 of this code, et seq., or any organization exempt
59 from taxation under §§501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code.
60 "Personal data" means any information that is linked or reasonably linkable to an identified
61 or identifiable natural person. "Personal data" does not include de-identified data or publicly
62 available information.
63 "Precise geolocation data" means information derived from technology, including, but not
64 limited to, global positioning system level latitude and longitude coordinates or other mechanisms,
65 that directly identifies the specific location of a natural person with precision and accuracy within a
66 radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or
67 any data generated by or connected to advanced utility metering infrastructure systems or
68 equipment for use by a utility.
69 "Process" or "processing" means any operation or set of operations performed, whether by
70 manual or automated means, on personal data or on sets of personal data, such as the collection,
71 use, storage, disclosure, analysis, deletion, or modification of personal data.
72 "Processor" means a natural or legal entity that processes personal data on behalf of a
73 controller.
74 "Profiling" means any form of automated processing performed on personal data to
75 evaluate, analyze, or predict personal aspects related to an identified or identifiable natural
76 person's economic situation, health, personal preferences, interests, reliability, behavior, location,
77 or movements.
78 "Protected health information" means the same as the term is established by HIPAA.
79 "Pseudonymous data" means personal data that cannot be attributed to a specific natural
80 person without the use of additional information, provided that such additional information is kept
81 separately and is subject to appropriate technical and organizational measures to ensure that the
82 personal data is not attributed to an identified or identifiable natural person.
83 "Publicly available information" means information that is lawfully made available through
84 federal, state, or local government records, or information that a business has a reasonable basis
85 to believe is lawfully made available to the general public through widely distributed media, by the
86 consumer, or by a person to whom the consumer has disclosed the information, unless the
87 consumer has restricted the information to a specific audience.
88 "Sale of personal data" means the exchange of personal data for monetary consideration
89 by the controller to any third party. "Sale of personal data" does not include:
90 (1) The disclosure of personal data to a processor that processes the personal data on
91 behalf of the controller;
92 (2) The disclosure of personal data to a third party for purposes of providing a product or
93 service requested by the consumer;
94 (3) The disclosure or transfer of personal data to an affiliate of the controller;
95 (4) The disclosure of information that the consumer (A) intentionally made available to the
96 general public via a channel of mass media and (B) did not restrict to a specific audience; or
97 (5) The disclosure or transfer of personal data to a third party as an asset that is part of a
98 merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all
99 or part of the controller's assets.
100 "Sensitive data" means a category of personal data that includes:
101 (1) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical
102 health diagnosis, sexual orientation, or citizenship or immigration status;
103 (2) The processing of genetic or biometric data for the purpose of uniquely identifying a
104 natural person;
105 (3) The personal data collected from a known child; or
106 (4) Precise geolocation data.
107 "State agency" means the same as that term is defined in §6D-1-1 of this code and
108 "Targeted advertising" means displaying advertisements to a consumer where the
109 advertisement is selected based on personal data obtained from that consumer's activities over
110 time and across nonaffiliated websites or online applications to predict such consumer's
111 preferences or interests. "Targeted advertising" does not include:
112 (1) Advertisements based on activities within a controller's own websites or online
113 applications;
114 (2) Advertisements based on the context of a consumer's current search query, visit to a
115 website, or online application;
116 (3) Advertisements directed to a consumer in response to the consumer's request for
117 information or feedback; or
118 (4) Processing personal data processed solely for measuring or reporting advertising
119 performance, reach, or frequency.
120 "Third party" means a natural or legal person, public authority, agency, or body other than
121 the consumer, controller, processor, or an affiliate of the processor or the controller.
122 "Trade secret" means information, without regard to form, including, but not limited to,
123 technical, nontechnical, or financial data, a formula, pattern, compilation, program, device,
124 method, technique, plan, or process, that:
125 (1) Derives independent economic value, actual or potential, from not being generally
126 known to, and not being readily ascertainable by proper means by, other persons who can obtain
127 economic value from the information's disclosure or use; and
128 (2) Is the subject of efforts that are reasonable under the circumstances to maintain the
129 information's secrecy.
§46A-6O-2. Scope; exemptions.
1 (a) This article applies to persons that conduct business in the state or produce products or
2 services that are targeted to residents of the state and that:
3 (1) During a calendar year, control or process personal data of at least 100,000
4 consumers;
5 (2) Control or process personal data of at least 25,000 consumers and derive over 50
6 percent of gross revenue from the sale of personal data; or
7 (3) Have annual gross revenues generated in this state which exceed $25,000,000.
8 (b) This article shall not apply to any:
9 (1) Body, authority, board, bureau, commission, district, or agency of the state or of any
10 political subdivision of the state;
11 (2) Financial institutions, bank holding companies or data subject to Title V of the federal
12 Gramm-Leach-Bliley Act (15 U.S.C.§6801 et seq.);
13 (3) Covered entity or business associate governed by the privacy, security, and breach
14 notification rules issued by the United States Department of Health and Human Services, 45
15 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology
16 for Economic and Clinical Health Act (Public Law 111-5);
17 (4) Nonprofit organization;
18 (5) Institution of higher education; or
19 (6) Insurer, as defined in §33-1-2 of this code or third party administrator as defined in
20 §33-46-2 of this code.
21 (c) The following information and data is exempt from this article:
22 (1) Protected health information under HIPAA;
23 (2) Health records for purposes of Title 32.1;
24 (3) Patient identifying information for purposes of 42 U.S.C.§290dd-2;
25 (4) Identifiable private information for purposes of the federal policy for the protection of
26 human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise
27 information collected as part of human subjects research pursuant to the good clinical practice
28 guidelines issued by The International Council for Harmonisation of Technical Requirements for
29 Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50,
30 and 56, or personal data used or shared in research conducted in accordance with the
31 requirements set forth in this chapter, or other research conducted in accordance with applicable
32 law;
33 (5) Information and documents created for purposes of the federal Health Care Quality
34 Improvement Act of 1986 (42 U.S.C.§11101 et seq.);
35 (6) Patient safety work product for purposes of the federal Patient Safety and Quality
36 Improvement Act (42 U.S.C.§299b-21 et seq.);
37 (7) Information derived from any of the health care-related information listed in this
38 subsection that is de-identified in accordance with the requirements for de-identification pursuant
39 to HIPAA;
40 (8) Information originating from, and intermingled to be indistinguishable with, or
41 information treated in the same manner as information exempt under this subsection that is
42 maintained by a covered entity or business associate as defined by HIPAA or a program or a
43 qualified service organization as defined by 42 U.S.C.§290dd-2;
44 (9) Information used only for public health activities and purposes as authorized by HIPAA;
45 (10) The collection, maintenance, disclosure, sale, communication, or use of any personal
46 information bearing on a consumer's credit worthiness, credit standing, credit capacity, character,
47 general reputation, personal characteristics, or mode of living by a consumer reporting agency,
48 furnisher, or user that provides information for use in a consumer report, and by a user of a
49 consumer report, but only to the extent that such activity is regulated by and authorized under the
50 federal Fair Credit Reporting Act (15 U.S.C.§1681 et seq.);
51 (11) Personal data collected, processed, sold, or disclosed in compliance with the federal
52 Driver's Privacy Protection Act of 1994 (18 U.S.C.§2721 et seq.);
53 (12) Personal data regulated by the federal Family Educational Rights and Privacy Act (20
54 U.S.C.§1232g et seq.);
55 (13) Personal data collected, processed, sold, or disclosed in compliance with the federal
56 Farm Credit Act (12 U.S.C.§2001 et seq.);
57 (14) Data processed or maintained:
58 (A) In the course of an individual applying to, employed by, or acting as an agent or
59 independent contractor of a controller, processor, or third party, to the extent that the data is
60 collected and used within the context of that role;
61 (B) As the emergency contact information of an individual under this chapter used for
62 emergency contact purposes;
63 (C) That is necessary to retain to administer benefits for another indi