FBT Gibbons

 

What law(s) specifically govern personal data / information?

West Virginia has not enacted a comprehensive privacy law. Like most states, it does provide common law legal protections against invasions of privacy. These include Intrusion upon Seclusion, Appropriation of Likeness or Identity, Public Disclosure of Private Facts, and False Light.

West Virginia has enacted a Consumer Credit and Protection Act, W. Va. Code Section 46A-6-101 et seq., W. Va. C.S.R. Section 106-01. The law prohibits unfair methods of competition and certain defined unfair or deceptive trade practices. It includes a private right of action.

It is similar to Section 5 of the Federal Trade Commission Act, which provides the FTC power to enforce promises made in privacy notices, as well as challenge unfair information practices that result in substantial injury to consumers.

West Virginia subsequently amended the law to allow its state courts to be guided by the federal courts’ interpretation of FTCA Section 5. The law does not apply to time, savings, or demand deposit accounts provided by a bank.

Insurance Commissioner Rule, “Privacy of Consumer Financial and Health Information” W. Va. Code § 33-6F-1; W. Va. C.S.R. §§ 114-57-1 et seq., 114-62-1 et seq.

These rules apply to licensed insurers, producers, and other persons licensed or registered under Chapter 33 of West Virginia’s Code. They apply to licensees who contract with the State to provide services. “Non-public personal information” is defined to include non-public personal financial information and non-public personal health information.

A licensee may not disclose personal financial information to non-affiliated third parties unless otherwise permitted by the law or rule. The law requires medical records and billing information to be kept confidential under state and federal laws.

The Insurance Commissioner requires each licensee to have a written information security program. Non-public personal information, whether in paper or electronic format, is covered by this rule.

 

What are the key data protection principles in this jurisdiction?

None specified.

 

What is the supervisory authority / regulator in charge of data protection?

N/A

 

Is there a requirement to register with a supervisory authority / regulator?

N/A

 

Is there a requirement to notify the supervisory authority / regulator?

N/A

 

Is it possible to register with / notify the supervisory authority / regulator online?

N/A

 

What are the key data subject rights under the data protection laws of this jurisdiction?

N/A.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No.

 

Do data protection / privacy impact assessments need to be carried out in certain circumstances?

Not under state law, but where facts and circumstances indicate federal agencies may have jurisdiction over particular privacy issues, such as HIPAA data, consumer data, etc., such assessments may need to be performed.

 

Does this jurisdiction have any specific data breach notification requirements?

West Virginia Code Section 46A-2A-101 et seq. requires possessors of personal data to notify individuals of data breaches compromising that information. This notification requirement applies to the unauthorised access of unencrypted computer records of affected consumers and consumer reporting agencies. This requirement applies where more than 1,000 consumers have been, or may be, affected by the unauthorised data breach.

The Attorney General has the exclusive right to enforce violations of the law.

 

What restrictions apply to the international transfer of personal data / information?

None at the state level.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

N/A

 

What rules specifically deal with marketing?

N/A

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes. See the description of the state’s Consumer Credit and Protection Act above.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc.)?

N/A

 

What rules specifically deal with cookies?

None.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

N/A

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Be aware of the Consumer Credit and Protection Act rules, as well as the application of federal laws, such as HIPAA.

 

What upcoming data protection developments should multinational organisations be aware of?

West Virginia’s legislature has made repeated attempts to pass a comprehensive Privacy Law, with little success. The supporters of such a law have stated that they intend to keep trying to get such a law passed.

 


Need more information?
Contact a member firm:
Jan De Beer
FBT Gibbons
USA - West Virginia


Kai Bitter
FBT Gibbons
USA - West Virginia