West Virginia Data Privacy Laws: Breach Notification & Consumer Rights (2026)

West Virginia does not have a comprehensive consumer data privacy law. Unlike states such as California, Virginia, and Colorado that have enacted broad data protection statutes, West Virginia relies on a combination of its data breach notification law, identity theft protections, sector-specific privacy regulations, and federal frameworks to protect residents' personal information.
This guide covers every West Virginia law that touches data privacy, from the state's breach notification requirements under W. Va. Code 46A-2A-101 through 46A-2A-105 to identity theft penalties, credit freeze rights, insurance data protections, student data privacy, and the federal laws that fill the gaps.
West Virginia Data Breach Notification Law (W. Va. Code 46A-2A-101 Through 46A-2A-105)
West Virginia enacted its data breach notification law in 2008 as Article 2A of the Consumer Credit and Protection Act. The law requires individuals and entities that own or license computerized data containing personal information to notify affected West Virginia residents when a breach occurs.

The statute applies to any individual or entity that owns or licenses computerized data that includes personal information about multiple individuals. This covers businesses of all sizes, government agencies, nonprofit organizations, and any other legal entity that maintains consumer data electronically.
What Qualifies as a Breach of Security?
Under W. Va. Code 46A-2A-101, a "breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information. The breach must cause the entity to reasonably believe that it has caused or will cause identity theft or other fraud to any West Virginia resident.
This definition contains several important qualifiers. The data must be both unencrypted and unredacted. Encrypted data that is accessed without authorization does not trigger the notification requirement. The entity must also have a reasonable belief that the breach will lead to identity theft or fraud, which means not every unauthorized access will require notification.
What Is Protected Personal Information?
The law defines "personal information" as an individual's first name or first initial and last name linked to any one or more of the following data elements, when the name or data elements are not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
The definition explicitly excludes information that is lawfully obtained from publicly available sources or from federal, state, or local government records that are lawfully made available to the general public.
Notification Requirements
When a breach occurs, W. Va. Code 46A-2A-102 imposes several specific obligations on the entity that maintained the data.
Timing. Notice must be provided "without unreasonable delay" following discovery or notification of the breach. West Virginia does not impose a specific deadline measured in days. The only permitted delay is when a law enforcement agency determines that notification would compromise a criminal investigation or national or homeland security.
Required Content. The notification must include:
- A description of the categories of information that were accessed (such as Social Security numbers, driver's license numbers, or financial account numbers)
- A telephone number or website address where affected individuals can learn what information the entity maintained about them
- The toll-free contact telephone numbers and addresses for the major credit reporting agencies
- Information on how to place a fraud alert or security freeze on a credit report
Methods of Notice. The law permits notification through:
- Written notice sent to the affected individual
- Telephone notice
- Electronic notice, if consistent with the provisions of the federal Electronic Signatures in Global and National Commerce Act (E-Sign Act)
Substitute Notice. An entity may use substitute notice if it can demonstrate that the cost of providing direct notice would exceed $50,000, the affected class exceeds 100,000 persons, or the entity does not have sufficient contact information. Substitute notice consists of email notice (when available), conspicuous posting on the entity's website, and notification to major statewide media.
Large-Scale Breach Requirements
When a breach requires notification to more than 1,000 persons, the entity must also notify all nationwide consumer reporting agencies. This notification must include the timing, distribution, and content of the notices sent to affected individuals.
Third-Party Data Holders
Any individual or entity that maintains computerized data on behalf of another entity must notify that entity "as soon as practicable" following discovery of a breach. This provision ensures that companies using third-party data processors receive prompt notice even when they do not directly control the compromised system.
Safe Harbor and Compliance
Under W. Va. Code 46A-2A-103, the law provides three safe harbor pathways:
Internal Procedures. An entity that maintains its own notification procedures as part of an information privacy or security policy is deemed in compliance if it notifies residents in accordance with those procedures, provided the procedures are consistent with the timing requirements of the article.
Financial Institutions. Financial institutions that comply with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are automatically deemed compliant.
Regulatory Compliance. Entities that comply with notification requirements imposed by their primary or functional federal or state regulator satisfy the article's requirements.
Enforcement and Penalties
W. Va. Code 46A-2A-104 establishes enforcement mechanisms for violations of the breach notification law.
| Violation Type | Penalty | Enforced By |
|---|---|---|
| Failure to notify (single incident) | Treated as unfair/deceptive act | WV Attorney General |
| Repeated, willful violations | Up to $150,000 per breach | WV Attorney General |
| Financial institution violations | Determined by regulator | Primary functional regulator |
The statute treats failure to comply with notice requirements as an unfair or deceptive act or practice, enforceable under West Virginia's broader consumer protection framework. The West Virginia Attorney General holds primary enforcement authority. Courts may impose monetary penalties only when defendants show a pattern of repeated and willful violations, with a maximum penalty of $150,000 per breach of security or related breaches discovered during a single investigation.
Financial institutions regulated by federal banking agencies fall under their primary functional regulator's exclusive jurisdiction rather than the Attorney General's authority. The law does not create a private right of action, meaning individual consumers cannot sue a company directly for failing to provide breach notification.
Identity Theft Protections (W. Va. Code 61-3-54)
West Virginia criminalizes identity theft under W. Va. Code 61-3-54. The statute makes it a felony to knowingly take the name, birth date, Social Security number, or other identifying information of another person without consent, with intent to fraudulently represent that person in financial or credit transactions or to gain employment.
Penalties for Identity Theft
| Offense | Classification | Maximum Prison | Maximum Fine |
|---|---|---|---|
| Identity theft (financial/credit fraud) | Felony | 5 years | $1,000 |
| Identity theft (employment fraud) | Felony | 5 years | $1,000 |
There is one notable exception in the statute. A minor who obtains another person's driver's license solely to misrepresent his or her age is not subject to prosecution under this section.
Identity Theft Victim Resources
The West Virginia Attorney General's Consumer Protection Division provides identity theft assistance, including guidance on placing fraud alerts and credit freezes, reporting identity theft to law enforcement, and disputing fraudulent accounts. Victims can reach the division at 1-800-368-8808 or 304-558-8986.
When identity theft occurs, the Attorney General's office recommends taking these steps immediately:
- Contact all three major credit bureaus: Equifax (1-800-525-6285), Experian (1-888-397-3742), and TransUnion (1-800-680-7289)
- Place fraud alerts or extended fraud alerts (which last seven years) with each bureau
- Request credit freezes with proper documentation
- File a report with local law enforcement
- Monitor bank accounts and obtain free credit reports
Credit Security Freeze Protections (W. Va. Code 46A-6L)
West Virginia's Security Freeze on Consumer Credit Reports Act, codified in W. Va. Code 46A-6L, gives consumers the right to place a security freeze on their credit reports. A freeze prohibits a consumer reporting agency from releasing any information in a credit report without the consumer's express authorization, preventing new credit from being opened without the consumer's knowledge.
How the Security Freeze Works
A consumer reporting agency must place a security freeze no later than five business days after receiving a written request from the consumer. Within five business days of placing the freeze, the agency must provide the consumer with a unique personal identification number (PIN) or password.
To temporarily lift the freeze, consumers must provide their PIN or password, proper identification, and the timeframe during which they want the report available. The agency must comply with temporary lift requests within three business days.
Fees and Costs
A consumer reporting agency may charge a reasonable fee of up to $5 to place, remove, or temporarily lift a security freeze. However, identity theft victims who provide a copy of a police report, an investigative report, or a complaint filed with the Federal Trade Commission, the West Virginia Attorney General, or a law enforcement agency are exempt from all fees.
Note that the federal Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 now requires all three major credit bureaus to offer free credit freezes nationwide, which effectively supersedes the state fee provisions for the major bureaus.
Consumer Remedies
Consumers can file civil actions against consumer reporting agencies that violate the security freeze law. Remedies include injunctive relief, actual damages or $5,000 (whichever is greater), and reasonable attorney's fees and court costs.
Insurance Data Privacy (W. Va. Code 33-6F)
West Virginia regulates the privacy of personal information in insurance transactions through W. Va. Code 33-6F. This article implements the requirements of Title V of the federal Gramm-Leach-Bliley Act (GLBA) at the state level.
Key Provisions
The law prohibits any person from disclosing nonpublic personal information contrary to the provisions of Title V of the Gramm-Leach-Bliley Act. The West Virginia Insurance Commissioner is required to adopt rules implementing these federal privacy standards.
Specific requirements include:
- Rules governing the circumstances under which disclosure of personal information to third parties is permitted
- Personal information redaction requirements before sharing records
- Verification procedures ensuring that recipients comply with legal restrictions on data use
- Internal controls preventing unauthorized employee access to confidential records
Medical and billing records obtained during insurance claims or litigation must remain confidential under both state and federal law. Insurers cannot impose restrictions on medical records that contradict applicable insurance policies or federal authorizations.
Student Data Privacy (W. Va. Code 18-2-5h)
West Virginia enacted the Student Data Accessibility, Transparency and Accountability Act, codified in W. Va. Code 18-2-5h, to protect the personal information of K-12 students in the state education system.
Data Security Requirements
The West Virginia Department of Education must develop a detailed data security plan that includes:
- Guidelines for student data systems and individual student data
- Authentication of authorized access
- Data security policies including electronic, physical, and administrative safeguards
- Data encryption and employee training
- Routine compliance audits with FERPA and other relevant privacy laws
- Breach procedures and data retention policies
Access Restrictions
Access to student data in the statewide longitudinal data system is limited to:
- Authorized Department of Education staff
- Contractors working on behalf of the Department
- District administrators, teachers, and school personnel who require access to perform their duties
- Authorized staff of other West Virginia state agencies as required by law
Prohibited Data Collections
The law prohibits school districts from reporting or collecting certain categories of student information:
- Juvenile delinquency records
- Criminal records
- Medical or health records
- Biometric information
- Political affiliation
- Religious beliefs
- Sexual orientation information
- Firearm ownership data
- Data from affective computing
Parental Rights
Parents have the right to inspect and review their child's education record maintained by the school. School districts must provide parents or guardians with a copy of their child's educational record upon request. Districts must also notify parents annually of their privacy rights and provide procedures for filing complaints about privacy violations.
Data Governance Manager
The state superintendent is required to appoint a data governance manager responsible for establishing privacy policy, conducting privacy impact assessments, investigating incidents, and managing complaint processes.
Consent for Testing Data
If confidential information is required from the ACT, SAT, or College Board, those organizations must obtain affirmative written consent from students aged 18 or older, or from parents or guardians for students under 18. The consent must contain a detailed list of the confidential information required and the purpose for which it is needed.
Government Cybersecurity Framework (W. Va. Code 5A-6B and 5A-6C)
West Virginia has established a state government cybersecurity framework through two articles in its code that affect how government agencies handle personal data.
Cybersecurity Office (W. Va. Code 5A-6B)
The West Virginia Cybersecurity Office operates within the Office of Technology with authority to set cybersecurity standards and manage the state's cybersecurity framework. State agencies within the executive branch must undergo cyber risk assessments, adhere to cybersecurity standards established by the Chief Information Security Officer, and follow enterprise cybersecurity policies.
The framework includes developing policy for privacy impact assessments as they relate to safeguarding data and its relationship with technology.
Cyber Incident Reporting (W. Va. Code 5A-6C)
Under W. Va. Code 5A-6C, qualified cybersecurity incidents must be reported to the Cybersecurity Office before any citizen notification, and no later than 10 days following a determination that a qualifying incident occurred.
A qualified cybersecurity incident meets at least one of these criteria:
- State or federal law requires reporting to regulatory or law enforcement agencies or affected citizens
- The entity's ability to conduct business is substantially affected
- The incident would be classified as emergency, severe, or high by the U.S. Cybersecurity and Infrastructure Security Agency (CISA)
This reporting requirement applies to all state agencies in the executive branch, constitutional officers, local government entities, county boards of education, the Judiciary, and the Legislature.
Consumer Financial Privacy (W. Va. Code 46A)
West Virginia's Consumer Credit and Protection Act includes provisions governing the privacy of consumer financial information. These provisions work in conjunction with the federal Gramm-Leach-Bliley Act to restrict how financial institutions may share personal financial data.
The law protects consumers against unauthorized disclosure or sale of their personal financial information. Consumers who apply for credit from financial institutions have the right to know what personal information is being sold or shared and can opt in to or decline such disclosures.
Pending Legislation: Consumer Data Protection Act (HB 2987)
West Virginia has been considering comprehensive consumer data privacy legislation. HB 2987, the Consumer Data Protection Act, was introduced on February 26, 2025, and passed the West Virginia House of Delegates on March 26, 2025. The bill was referred to the Senate Judiciary Committee on March 27, 2025. If enacted, the law would have an effective date of July 1, 2026.
Key Provisions of HB 2987
The bill would apply to persons conducting business in West Virginia that either:
- Control or process personal data of at least 100,000 consumers, or
- Derive over 50% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers
The proposed law would grant West Virginia consumers rights to access, correct, delete, and obtain copies of their personal data. It would also create the right to opt out of the processing of personal data for targeted advertising purposes.
As of March 2026, HB 2987 has not been enacted into law. The bill remains in the Senate after passing the House during the 2025 regular session.
Federal Laws That Protect West Virginia Residents
Because West Virginia lacks a comprehensive state privacy law, federal statutes provide the primary data protection framework for many types of personal information.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy and security of individually identifiable health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. West Virginia residents' medical data is protected by HIPAA's Privacy Rule and Security Rule.
HIPAA requires covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. Violations can result in civil monetary penalties ranging from $141 to $2,134,831 per violation category per year, depending on the level of culpability.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. In West Virginia, the insurance industry's compliance with the GLBA is enforced through W. Va. Code 33-6F, while banking institutions are regulated by federal agencies.
Children's Online Privacy Protection Act (COPPA)
COPPA requires operators of commercial websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information from children. The FTC enforces COPPA nationwide, including in West Virginia, with penalties of up to $51,744 per violation.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records and gives parents certain rights regarding their children's records. West Virginia's Student Data Accessibility, Transparency and Accountability Act supplements FERPA with additional state-level protections and restrictions on data collection.
Federal Trade Commission Act (Section 5)
The FTC Act prohibits unfair or deceptive trade practices, including misrepresentations about data privacy and security. The FTC has used Section 5 to bring enforcement actions against companies nationwide that fail to protect consumer data or that violate their own privacy policies.
How West Virginia Compares to Other States
West Virginia's data privacy framework is less comprehensive than many other states. Here is how it compares on key metrics:
| Feature | West Virginia | California (CCPA/CPRA) | Virginia (VCDPA) |
|---|---|---|---|
| Comprehensive privacy law | No | Yes | Yes |
| Consumer right to access data | No | Yes | Yes |
| Consumer right to delete data | No | Yes | Yes |
| Right to opt out of data sales | No | Yes | Yes |
| Breach notification required | Yes | Yes | Yes |
| Specific notification deadline | No (without unreasonable delay) | 72 hours (AG) | 60 days |
| Private right of action for breaches | No | Limited | No |
| Security freeze rights | Yes | Yes | Yes |
| Identity theft criminal penalties | Felony, up to 5 years | Felony, up to 3 years | Felony, up to 5 years |
| Student data protections | Yes | Yes | Yes |
West Virginia's breach notification law is functional but lacks the specificity of newer state laws. The absence of a comprehensive privacy statute means West Virginia residents have fewer rights over their personal data than residents of the 20+ states that have enacted such laws.
What West Virginia Residents Can Do Now
While waiting for the legislature to act on comprehensive privacy legislation, West Virginia residents can take several steps to protect their personal data.
Place a Credit Freeze. West Virginia residents can freeze their credit files with all three major credit bureaus. Under federal law, this is now free of charge. A freeze prevents new creditors from accessing your credit report, making it harder for identity thieves to open accounts in your name.
Monitor Your Credit. Under federal law, every consumer is entitled to one free credit report per year from each of the three major reporting agencies at AnnualCreditReport.com.
File Complaints. If you believe a company has violated your privacy rights or failed to notify you of a data breach, contact the West Virginia Attorney General's Consumer Protection Division at 1-800-368-8808.
Use Opt-Out Tools. Even without a state law requiring it, many companies offer opt-out mechanisms for data sharing and targeted advertising. Individual company privacy settings and the Digital Advertising Alliance's opt-out tool can reduce how much of your data is shared.
Limit Personal Data Sharing. Be cautious about providing personal information online and review the privacy policies of companies you do business with. Use strong, unique passwords for financial accounts and enable two-factor authentication when available.
Looking Ahead: The Future of Data Privacy in West Virginia
The passage of HB 2987 through the West Virginia House of Delegates in 2025 signals growing interest in comprehensive data privacy legislation. If the Senate acts on the bill and it is signed into law, West Virginia would join the growing list of states with comprehensive consumer data protection statutes, with an effective date of July 1, 2026.
Key factors to watch:
- Whether the Senate Judiciary Committee advances HB 2987 or a similar bill in a future session
- The outcome of any federal comprehensive privacy legislation that could preempt state action
- Growing consumer awareness following high-profile data breaches
- Pressure from neighboring states that have enacted comprehensive privacy laws
Until comprehensive legislation passes, West Virginia residents must rely on the existing patchwork of breach notification requirements, identity theft protections, sector-specific regulations, and federal protections to safeguard their personal data.
This article provides general legal information about West Virginia data privacy laws and is not legal advice. Data privacy laws change frequently. For advice about a specific situation, consult a licensed attorney in West Virginia.
Sources and References
- W. Va. Code 46A-2A-101: Definitions (Breach of Security) (code.wvlegislature.gov)
- W. Va. Code 46A-2A-102: Notice of Breach (code.wvlegislature.gov)
- W. Va. Code 46A-2A-103: Compliance Procedures (code.wvlegislature.gov)
- W. Va. Code 46A-2A-104: Violations (code.wvlegislature.gov)
- W. Va. Code 61-3-54: Identity Theft (code.wvlegislature.gov)
- W. Va. Code 46A-6L: Security Freeze (code.wvlegislature.gov)
- W. Va. Code 33-6F-1: Insurance Privacy (code.wvlegislature.gov)
- W. Va. Code 18-2-5h: Student Data Privacy (code.wvlegislature.gov)
- W. Va. Code 5A-6B: Cybersecurity Office (code.wvlegislature.gov)
- W. Va. Code 5A-6C: Cyber Incident Reporting (code.wvlegislature.gov)
- WV Attorney General: Identity Theft Protection (ago.wv.gov)
- HB 2987: Consumer Data Protection Act (wvlegislature.gov)
- NCSL: Security Breach Notification Laws (ncsl.org)
- HHS: HIPAA (hhs.gov)
- FTC: Gramm-Leach-Bliley Act (ftc.gov)
- FTC: COPPA Rule (ftc.gov)
- U.S. Dept. of Education: FERPA (ed.gov)