Bill Text: WV HB5112 | 2024 | Regular Session | Introduced
Bill Title: Consumer Data Protection Act
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2024-01-25 - To House Technology and Infrastructure
WEST VIRGINIA LEGISLATURE
2024 REGULAR SESSION
Introduced
House Bill 5112
By Delegate Young
[Introduced January 25, 2024; Referred to the Committee on Technology and Infrastructure then Judiciary]
A BILL to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article, designated §46A-9-1, §46A-9-2, §46A-9-3, §46A-9-4, §46A-9-5, §46A-9-6, §46A-9-7, §46A-9-8, §46A-9-9, §46A-9-10, and §46A-9-11, all relating to consumer data privacy; defining terms; requiring privacy for certain identifying personal information; establishing a consumer right to request copy of personal data collected; establishing a consumer right to have personal information deleted or corrected; establishing a consumer right to request personal data sold or shared; establishing a consumer right to opt-out of the sale or sharing of personal information to third parties; prohibiting discrimination against consumers who exercise their right under this article; establishing procedures for requests for personal information under this article; establishing a form to opt-out of sale or sharing of personal information; creating a private cause of action; empowering the West Virginia Division of Consumer Protection to establish rules under this article for enforcement; and empowering the West Virginia Division of Consumer Protection to bring suit for violation of this article.
Be it enacted by the Legislature of West Virginia:
Article 9. Consumer Data Privacy.
§46A-9-1. Definitions.
(a) Definitions. — As used in this section, the term:
"Aggregate consumer information" means information that relates to a group or category of consumers, from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with, any consumer or household, including via a device. The term does not include one or more individual consumer records that have been deidentified.
"Biometric information" means an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. The term includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
"Business" means: A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that:
(1) Is organized or operated for the profit or financial benefit of its shareholders or owners;
(2) Does business or conducts sales in this state, for money or other valuable consideration;
(3) Collects personal information about consumers, or is the entity on behalf of which such information is collected;
(4) Determines the purposes and means of processing personal information about consumers alone or jointly with others; and
(5) Satisfies one or more of the following thresholds:
(A) Has global annual gross revenues in excess of $25 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
(B) Annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.
(D) Any entity that controls or is controlled by a business and that shares common branding with the business.
"Common branding" means a shared name, servicemark, or trademark.
"Business purpose" means the use of personal information for the operational purpose of a business or service provider, or other notified purposes, provided that the use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. The term includes:
(1) Auditing relating to a current interaction with a consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
(2) Detecting security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; and prosecuting those responsible for that activity.
(3) Debugging to identify and repair errors that impair existing intended functionality.
(4) Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, or providing similar services on behalf of the business or service provider.
(6) Undertaking internal research for technological development and demonstration.
(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
"Collect" means to buy, rent, gather, obtain, receive, or access any personal information pertaining to a consumer by any means. The term includes, but is not limited to, actively or passively receiving information from the consumer or by observing the consumer's behavior.
"Commercial purposes" means to advance the commercial or economic interests of a person, such as inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or directly or indirectly enabling or effecting a commercial transaction.
"Consumer" means a natural person who resides in or is domiciled in this state, however identified, including by any unique identifier, and who is:
(1) In this state for other than a temporary or transitory purpose; or
(2) Domiciled in this state but resides outside this state for a temporary or transitory purpose.
"Deidentified" means information that does not reasonably identify, relate to, or describe a particular consumer, or is not reasonably capable of being directly or indirectly associated or linked with a particular consumer, provided that a business that uses deidentified information:
(1) Implements technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Implements business processes that specifically prohibit reidentification of the information.
(3) Implements business processes to prevent inadvertent release of deidentified information.
(4) Does not attempt to reidentify the information.
"Health insurance information" means a consumer's insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the consumer, or any information in the consumer's application and claims history, including any appeals records, if the information is reasonably capable of being directly or indirectly associated or linked with a consumer or household, including via a device, by a business or service provider.
"Homepage" means the introductory page of an Internet website and any Internet webpage where personal information is collected. In the case of a mobile application, the homepage is the application's platform page or download page, a link within the application, such as the "About" or "Information" application configurations, or settings page, and any other location that allows consumers to review the notice required by this article, including, but not limited to, before downloading the application.
"Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
"Personal information" means information that identifies, relates to, or describes a particular consumer or household, or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer or household, including:
(1) Identifiers such as a real name, alias, postal address, unique identifier, online identifier, internet protocol address, email address, account name, social security number, driver license number, passport number, or other similar identifiers.
(2) Information that identifies, relates to, or describes, or could be associated with, a particular individual, including, but not limited to, a name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
(3) Characteristics of protected classifications under state or federal law.
(4) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(5) Biometric information.
(6) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application, or advertisement.
(7) Geolocation data.
(8) Audio, electronic, visual, thermal, olfactory, or similar information.
(9) Professional or employment-related information.
(10) Education information that is not publicly available, personally identifiable information as defined in the Family Educational Rights and Privacy Act, 20 U.S.C. s. 1232(g) and 34 C.F.R. part 99.
(11) Inferences drawn from any of the information identified in this paragraph to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The term does not include consumer information that is:
(A) Publicly and lawfully made available from federal, state, or local government records.
(B) Deidentified or aggregate consumer information.
"Probabilistic identifier" means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories listed under subsection (a)(13) of this section, above.
"Processing" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.
"Pseudonymize" means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
"Research" means scientific, systematic study and observation, including, but not limited to, basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer's interactions with a business's service or device for other purposes shall be:
(1) Compatible with the business purpose for which the personal information was collected.
(2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information does not reasonably identify, relate to, or describe, or is not capable of being directly or indirectly associated or linked with, a particular consumer.
(3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(4) Subject to business processes that specifically prohibit reidentification of the information.
(5) Made subject to business processes to prevent inadvertent release of deidentified information.
(6) Protected from any reidentification attempts.
(7) Used solely for research purposes that are compatible with the context in which the personal information was collected and not used for any commercial purpose.
(8) Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business necessary to carry out the research purpose.
"Sell" means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, a consumer's personal information by a business to another business or a third party for monetary or other valuable consideration.
"Service" means work or labor furnished in connection with the sale or repair of goods.
"Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this section, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
"Share" means to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer's personal information for advertising. The term includes:
(1) Allowing a third party to use or advertise to a consumer based on a consumer's personal information without disclosure of the personal information to the third party.
(2) Monetary transactions, nonmonetary transactions, and transactions for other valuable consideration between a business and a third party for advertising for the benefit of a business.
"Third party" means a person who is not any of the following:
(1) A business that collects personal information from consumers under this section.
(2) A person to whom the business discloses personal information about consumers for a business purpose pursuant to a written contract.
"Unique identifier" means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers which can be used to identify a particular consumer or device.
"Verifiable consumer request" means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, or by a natural person or a person authorized by the consumer to act on the consumer's behalf, and that the business can reasonably verify to be the consumer about whom the business has collected personal information.
§46A-9-2. Privacy policy for personal information.
(a) A business that collects personal information about consumers shall maintain an online privacy policy, make the policy available on its Internet website, and update the information at least once every 12 months.
(b) The online privacy policy shall include the following information:
(1) All state-specific consumer privacy rights.
(2) A list of the categories of personal information the business collects or has collected about consumers.
(3) Of the categories identified, a list that identifies which categories of personal information the business sells or shares or has sold or shared about consumers.
(c) If the business does not sell or share personal information, the business shall disclose that fact.
(d) Of the categories identified in subsection (b) of this section, a list that identifies which categories of personal information the business discloses or shares or has disclosed or shared about consumers for a business purpose. If the business does not disclose or share personal information for a business purpose, the business shall disclose that fact.
(e) The right to opt-out of the sale or sharing to third parties and the ability to request deletion or correction of certain personal information.
(f) A consumer may request that a business that collects personal information disclose to the consumer the categories and specific pieces of personal information the business collects from or about consumers.
(g) A business that collects personal information shall, at or before the point of collection, inform consumers of the categories of personal information to be collected and the purposes for which the categories of personal information will be used.
(h) A business may not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
(i) A business shall provide the information specified in subsection (f) of this section to a consumer only upon receipt of a verifiable consumer request.
(j) A business shall provide and follow a retention schedule that prohibits the use and retention of personal information after satisfaction of the initial purpose for collecting or obtaining the information, or after the duration of a contract, or one year after the consumer's last interaction with the business, whichever occurs first.
§46A-9-3. Consumer right to request copy of personal data collected.
(a) A consumer may request that a business that collects personal information about the consumer disclose the personal information that has been collected by the business.
(b) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but may not be required to provide personal information to a consumer more than twice in a 12-month period.
(c) A business shall disclose the following to the consumer:
(1) The specific pieces of personal information it has collected about the consumer.
(2) The categories and sources from which it collected the consumer's personal information.
(3) The business or commercial purpose for collecting or selling the consumer's personal information.
(4) The categories of third parties with which the business shares the consumer's personal information.
(d) A business that collects personal information about a consumer shall disclose the information specified in subsection (a) of this section to the consumer upon receipt of a verifiable consumer request from the consumer.
(e) This subsection does not require a business to do the following:
(1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
(2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
§46A-9-4. Right to have personal information deleted or corrected.
(a) A consumer may request that a business delete any personal information about the consumer which the business has collected from the consumer.
(b) A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.
(c) A business or a service provider may not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information to do any of the following:
(1) Complete the transaction for which the personal information was collected.
(2) Fulfill the terms of a written warranty or product recall conducted in accordance with federal law.
(3) Provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(4) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(5) Debug to identify and repair errors that impair existing intended functionality.
(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the business' deletion of the information is likely to render impossible or seriously impair the achievement of the research, if the consumer has provided informed consent.
(7) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
(8) Comply with a legal obligation.
(9) Otherwise internally use the consumer's personal information in a lawful manner that is compatible with the context in which the consumer provided the information.
(d) A consumer may request a business that maintains inaccurate personal information about the consumer to correct the inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information. A business that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer.
§46A-9-5. Right to request personal data sold or shared.
(a) A consumer may request that a business that sells or shares personal information about the consumer, or discloses such information for a business purpose, disclose to the consumer:
(1) The categories of personal information about the consumer the business sold or shared.
(2) The categories of third parties to which the personal information about the consumer was sold or shared by category of personal information for each category of third parties to which the personal information was sold or shared.
(3) The categories of personal information about the consumer that the business disclosed for a business purpose.
(b) A business that sells or shares personal information about consumers or discloses such information for a business purpose shall disclose the information specified in subsection (a) of this section to the consumer upon receipt of a verifiable consumer request from the consumer.
(c) A third party may not sell or share personal information about a consumer that has been sold or shared to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to opt-out.
§46A-9-6. Right to opt-out of the sale or sharing of personal information to third parties.
(a) A consumer may at any time direct a business that sells or shares personal information about the consumer to third parties to not sell or share the consumer’s personal information. This right may be referred to as the right to opt-out.
(b) A business that sells or shares personal information to third parties shall provide notice to consumers that this information may be sold and shared and that consumers may opt-out of the sale or sharing of their personal information.
(c) Notwithstanding subsection (a) of this section, a business may not sell or share the personal information of a consumer if the business has actual knowledge that the consumer is not 16 years of age or older, unless the consumer, in the case of consumers between 13 and 15 years of age, or the consumer's parent or guardian, in the case of consumers who are 12 years of age or younger, has affirmatively authorized the sale or sharing of the consumer's personal information. A business that willfully disregards the consumer's age is deemed to have had actual knowledge of the consumer's age. This right may be referred to as the right to opt-in.
(d) A business that has received direction from a consumer prohibiting the sale or sharing of the consumer's personal information or that has not received consent to sell or share a minor consumer's personal information is prohibited from selling or sharing the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization for the sale or sharing of the consumer's personal information.
(e) A business does not sell personal information when:
(1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this section. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
(2) The business uses or shares an identifier for a consumer who has opted out of the sale or sharing of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale or sharing of the consumer's personal information.
(3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
(A) The business has provided notice that the personal information of the consumer is being used or shared in its terms and conditions.
(B) The service provider does not further collect, sell, share, or use the personal information of the consumer except as necessary to perform the business purpose.
(C) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this article. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this article.
(f) A business does not share personal information when:
(1) A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties.
(2) The business uses or shares an identifier for a consumer who has opted-out of sharing the consumer's personal information for the purposes of alerting persons that the consumer has opted-out of sharing the consumer's personal information.
§46A-9-7. Discrimination against consumers who exercise their right under this article.
A business may not discriminate against a consumer who exercised any of the consumer's rights under this article. Discrimination under this section includes, but is not limited to:
(1) Denying goods or services to the consumer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(3) Providing a different level or quality of goods or services to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
§46A-9-8. Requests for personal information.
(a) To comply with this subsection, a business shall, in a form that is reasonably accessible to consumers, make available two or more methods for submitting verifiable consumer requests, including, but not limited to, a toll-free number and, if the business maintains an Internet website, a link on the homepage of the website. The business may not require the consumer to create an account with the business in order to make a verifiable consumer request.
(b) The business shall deliver the information required or act on the request to a consumer free of charge within 45 days after receiving a verifiable consumer request. The response period may be extended once by 30 additional days when reasonably necessary, taking into account the complexity of the consumer's requests, provided the business informs the consumer of any such extension within the initial 45-day response period along with the reason for the extension. The information shall be delivered in a readily usable format that allows the consumer to transmit the information from one entity to another entity without hindrance.
(c) If a third party assumes control of all or part of a business and acquires a consumer's personal information as part of the transfer, and the third party materially alters how it uses a consumer's personal information or shares the information in a manner that is materially inconsistent with the promises made at the time of collection, the third party shall provide prior notice of the new or changed practice to the customer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices.
(d) Any contract between a business and a service provider shall prohibit the service provider from:
(1) Selling or sharing the personal information;
(2) Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business;
(3) Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business; or
(4) Combining the personal information that the service provider receives from or on behalf of the business with personal information that it receives from or on behalf of another person or entity or that the service provider collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose.
(e) Any contract between a business and a third party shall prohibit the third party that receives a consumer's personal information from the following:
(1) Selling or sharing the personal information.
(2) Retaining, using, or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
(3) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
(4) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
(f) The contract shall include a certification made by the person or entity receiving the personal information stating that the person or entity understands and will comply with the restrictions under this article.
(g) Any contract between a business and a third party or between a business and a service provider for receiving personal information shall include a provision that any contract between a third party and any subcontractor or between a service provider and any subcontractor shall require the subcontractor to meet the obligations of the third party or service provider with respect to personal information.
(h) A third party or service provider or any subcontractor thereof who violates any of the restrictions imposed upon it under this article is liable for any violations. A business that discloses personal information to a third party or service provider in compliance with this section is not liable if the person receiving the personal information uses it in violation of the restrictions under this article, provided that at the time of disclosing the personal information, the business does not have actual knowledge or reason to believe that the person intends to commit such a violation.
§46A-9-9. Form to opt-out of sale or sharing of personal information.
(a) A business shall, in a form that is reasonably accessible to consumers:
(1) Provide a clear and conspicuous link on the business's Internet homepage, entitled "Do Not Sell or Share My Personal Information," to an internet webpage that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information. A business may not require a consumer to create an account in order to direct the business not to sell the consumer's personal information.
(2) Include a description of a consumer's rights along with a separate link to the "Do Not Sell or Share My Personal Information" internet webpage in:
(A) Its online privacy policy or policies.
(B) Any state-specific consumer privacy rights.
(3) Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this section are informed of all requirements in this article and how to direct consumers to exercise their rights under this article.
(4) For consumers who opt-out of the sale or sharing of their personal information, refrain from selling or sharing personal information collected by the business about the consumer.
(5) For consumers who opted-out of the sale or sharing of their personal information, respect the consumer's decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer's personal information.
(6) Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.
(b) This subsection does not require a business to include the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to West Virginia consumers and that includes the required links and text, and the business takes reasonable steps to ensure that West Virginia consumers are directed to the homepage for West Virginia consumers and not the homepage made available to the public generally.
(c) A consumer may authorize another person to opt-out of the sale or sharing of the consumer's personal information on the consumer's behalf, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf.
§46A-9-10. Private cause of action.
A consumer whose nonencrypted and nonredacted personal information or e-mail address, in combination with a password or security question and answer that would allow access to the account, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may bring civil action for any of the following:
(1) Damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.
(2) Injunctive or declaratory relief, as the court deems proper.
§46A-9-11. Enforcement and implementation.
(a) If the West Virginia Division of Consumer Protection has reason to believe that any business, service provider, or other person or entity is in violation of this article and that proceedings would be in the public interest, the division may bring an action against the business, service provider, or other person or entity and may seek a civil penalty of not more than $2,500 for each unintentional violation or $7,500 for each intentional violation. The fines may be tripled if the violation involves a consumer who is 16 years of age or younger.
(b) The division may adopt rules to implement this article.
(c) A business may be found to be in violation of this section if it fails to cure any alleged violation within 30 days after being notified in writing by the department of the alleged noncompliance.
NOTE: The purpose of this bill is to protect consumer data privacy by establishing a consumer right to request copy of personal data collected; establishing a consumer right to have personal information deleted or corrected; establishing a consumer right to request personal data sold or shared; establishing a consumer right to opt-out of the sale or sharing of personal information to third parties; prohibiting discrimination against consumers who exercise their right under this article; establishing procedures for requests for personal information under this article; establish a form to opt-out of sale or sharing of personal information; creating a private cause of action; empowering the West Virginia Division of Consumer Protection to establish rules under this article for enforcement; and empowering the West Virginia Division of Consumer Protection to bring suit for violation of this article.
Strike-throughs indicate language that would be stricken from a heading or the present law and underscoring indicates new language that would be added.