House Bill 2987 seeks to enhance consumer data protection in West Virginia by amending the Code of West Virginia to establish the Consumer Data Protection Act. The bill introduces new definitions for key terms such as "Controller" and "Data broker," and outlines the responsibilities of data controllers and processors. It sets thresholds for applicability, requiring businesses that control or process personal data of at least 100,000 consumers or derive over 50% of their revenue from the sale of personal data to comply with the new regulations. Consumers are granted rights to access, correct, delete, and opt out of data processing, while the Attorney General is designated as the exclusive authority to enforce violations.

The legislation also mandates that covered entities maintain cybersecurity programs and conduct data protection assessments for certain processing activities. It establishes a Consumer Privacy Fund to support enforcement and delineates exemptions for specific types of data governed by federal law, such as protected health information under HIPAA. The bill emphasizes the importance of consumer consent and transparency, requiring controllers to provide clear privacy notices and respond to consumer requests within specified timeframes. Additionally, it includes provisions for civil penalties for violations and mandates annual registration for data brokers with the Attorney General. The act is set to take effect on January 1, 2026.

Statutes affected:
Introduced Version: 31A-8H-1, 31A-8H-2, 31A-8H-3, 31A-8H-4, 31A-8H-5, 46A-6O-1, 46A-6O-2, 46A-6O-3, 46A-6O-4, 46A-6O-5, 46A-6O-6, 46A-6O-7, 46A-6O-8, 46A-6O-9, 46A-6O-10, 46A-6O-11, 46A-6O-12, 46A-6O-13