WeVote

Bill

Bill

HB 5123

Consumer Data Protection Act

2026 Regular Session Introduced by Kayla Young

Widely protect WV residents’ personal data by giving consumers rights to access, delete, and opt out of data sales/sharing, with strong enforcement and penalties.

To House Environment, Infrastructure, and Technology
0
WeVote Research Nonpartisan
Bill Summary · HB 5123

Summary: HB 5123 — Consumer Data Protection Act (West Virginia, 2026)

Purpose and overall aim
- Establishes a comprehensive framework to protect consumer data privacy in West Virginia.
- Creates new consumer rights related to personal information, governs data collection, use, sale, and sharing, and sets enforcement mechanisms through the West Virginia Division of Consumer Protection (DCP).

Key provisions and changes

1) Definitions and scope
- Defines terms such as personal information, sensitive data, biometric information, de-identified data, service providers, third parties, and “verifiable consumer request.”
- Establishes criteria for who is considered a “business” subject to these provisions, including reach thresholds (revenue, number of consumers/devices, or dependency on selling/sharing data).

2) Privacy policy and notice requirements
- Businesses must maintain an online privacy policy, updated at least annually, describing:
- State-specific rights
- Categories of personal information collected
- Categories of information sold or shared
- Categories disclosed for business purposes
- Opt-out rights, deletion/correction rights, and data request rights
- Notice of collection purposes and a requirement to inform at or before data collection
- If no sale/share occurs, businesses must state that fact.

3) Consumer rights and data access
- Right to copy/de obtain personal data collected by the business (Section 46A-9-3).
- Right to delete or correct personal information (Section 46A-9-4).
- Right to know what data is sold or shared and with whom (Section 46A-9-5).
- Right to opt out of sale or sharing to third parties (Section 46A-9-6).
- Right to initiate a private action for certain data-security failures (see Private right of action below).

4) Opt-out mechanisms
- Requires a clear, conspicuous opt-out mechanism on the homepage (including a Do Not Sell or Share My Personal Information link).
- Opt-out decisions apply for at least 12 months unless the consumer re-authorizes.
- Allows authorization by a consumer’s proxy or representative to opt out on their behalf (with compliance requirements).

5) Opt-out and data-sharing exceptions
- Specifies conditions under which data is not considered sold or shared (e.g., consumer interactions with a third party or certain internal uses).
- Requires contractual restrictions on service providers and third parties to prevent sale, improper retention, or improper use of data.
- Requires robust contracting and certification requirements for those handling data.

6) Non-discrimination
- Prohibits treating a consumer differently (e.g., denial of goods/services, price discrimination) for exercising privacy rights.

7) Enforcement, penalties, and implementation
- DCP may bring civil actions for violations; penalties up to $2,500 per unintentional violation or $7,500 per intentional violation, tripled for violations involving minors (16 or younger).
- DCP can adopt implementing rules; failures to cure noncompliance within 30 days after notice can lead to enforcement action.

8) Private right of action
- Provides a private civil action for consumers whose nonencrypted/nonredacted personal information is exposed due to inadequate security measures, with damages ranging from $100 to $750 per incident (or actual damages, whichever is greater), plus possible injunctive relief.

Affected parties
- Businesses and service providers operating in West Virginia or processing WV residents’ personal data.
- Third parties that receive WV consumer data via sales/sharing arrangements.
- Consumers within West Virginia who own or control personal information.

Timeline and process
- Establishes ongoing obligations for notices, access requests, deletion/correction, and opt-out processes.
- Private right of action and enforcement provisions become active upon enactment and adoption of related rules by the DCP.

Notes
- The bill includes a broad, privacy-rights-first framework similar to modern state consumer data protection laws, with a mix of consumer remedies, business obligations, and enforcement powers for the state agency.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.