West Virginia
West Virginia Data Privacy Laws: Breach Notification & Consumer Rights (2026)
West Virginia has no comprehensive consumer data privacy law as of 2026. Two legislative efforts, HB 2987 (2025) and HB 5123 (2026), both failed to advance. The state's primary privacy protection is a breach notification statute under W. Va. Code 46A-2A-101, which requires notice without unreasonable delay after unauthorized data access.
West Virginia does not have a comprehensive consumer data privacy law. Unlike states such as California, Virginia, and Colorado that have enacted broad data protection statutes, West Virginia relies on its data breach notification law, identity theft protections, sector-specific privacy regulations, and federal frameworks to protect residents' personal information.
Two consecutive legislative efforts to change that failed. HB 2987, the Consumer Data Protection Act, passed the West Virginia House 94-1 in March 2025 but died in the Senate Judiciary Committee before the session ended. HB 5123, a successor bill introduced in February 2026, also failed to advance before the legislature adjourned sine die on March 14, 2026.
This guide covers every West Virginia law that touches data privacy: the state's breach notification requirements under W. Va. Code 46A-2A-101 through 46A-2A-105, identity theft penalties, credit freeze rights, insurance data protections, student data privacy, the government cybersecurity framework, and the federal laws that fill the gaps left by the absence of a state omnibus statute.
West Virginia Data Breach Notification Law (W. Va. Code 46A-2A-101 Through 46A-2A-105)
West Virginia enacted its data breach notification law in 2008 as Article 2A of the Consumer Credit and Protection Act. The law requires individuals and entities that own or license computerized data containing personal information to notify affected West Virginia residents when a breach occurs.
The statute applies to any individual or entity that owns or licenses computerized data that includes personal information about multiple individuals. This covers businesses of all sizes, government agencies, nonprofit organizations, and any other legal entity that maintains consumer data electronically.
What Qualifies as a Breach of Security?
Under W. Va. Code 46A-2A-101, a "breach of the security of a system" means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information. The breach must cause the entity to reasonably believe that it has caused or will cause identity theft or other fraud to any West Virginia resident.
This definition contains several important qualifiers. The data must be both unencrypted and unredacted. Encrypted data that is accessed without authorization does not trigger the notification requirement. The entity must also have a reasonable belief that the breach will lead to identity theft or fraud, which means not every unauthorized access will require notification.
What Is Protected Personal Information?
The law defines "personal information" as an individual's first name or first initial and last name linked to any one or more of the following data elements, when the name or data elements are not encrypted or redacted:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the account
The definition explicitly excludes information that is lawfully obtained from publicly available sources or from federal, state, or local government records lawfully made available to the general public.
Notification Requirements
When a breach occurs, W. Va. Code 46A-2A-102 imposes specific obligations on the entity that maintained the data.
Timing. Notice must be provided "without unreasonable delay" following discovery or notification of the breach. West Virginia does not impose a specific deadline measured in days. The only permitted delay is when a law enforcement agency determines that notification would compromise a criminal investigation or national or homeland security.
Required Content. The notification must include:
- A description of the categories of information that were accessed
- A telephone number or website address where affected individuals can learn what information the entity maintained about them
- The toll-free contact telephone numbers and addresses for the major credit reporting agencies
- Information on how to place a fraud alert or security freeze on a credit report
Methods of Notice. The law permits notification through written notice, telephone notice, or electronic notice consistent with the federal E-Sign Act.
Substitute Notice. An entity may use substitute notice if the cost of providing direct notice would exceed $50,000, the affected class exceeds 100,000 persons, or the entity does not have sufficient contact information. Substitute notice consists of email notice where available, conspicuous posting on the entity's website, and notification to major statewide media.
Large-Scale Breach Requirements
When a breach requires notification to more than 1,000 persons, the entity must also notify all nationwide consumer reporting agencies. This notification must include the timing, distribution, and content of the notices sent to affected individuals.
Third-Party Data Holders
Any individual or entity that maintains computerized data on behalf of another entity must notify that entity "as soon as practicable" following discovery of a breach. This ensures that companies using third-party data processors receive prompt notice even when they do not directly control the compromised system.
Safe Harbor and Compliance
Under W. Va. Code 46A-2A-103, the law provides three safe harbor pathways:
Internal Procedures. An entity that maintains its own notification procedures as part of an information privacy or security policy is deemed in compliance if it notifies residents consistently with those procedures and the article's timing requirements.
Financial Institutions. Financial institutions that comply with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are automatically deemed compliant.
Regulatory Compliance. Entities that comply with notification requirements imposed by their primary or functional federal or state regulator satisfy the article's requirements.
Enforcement and Penalties
W. Va. Code 46A-2A-104 establishes enforcement mechanisms for violations of the breach notification law.
| Violation Type | Penalty | Enforced By |
|---|---|---|
| Failure to notify (single incident) | Treated as unfair/deceptive act | WV Attorney General |
| Repeated, willful violations | Up to $150,000 per breach | WV Attorney General |
| Financial institution violations | Determined by regulator | Primary functional regulator |
The statute treats failure to comply with notice requirements as an unfair or deceptive act or practice, enforceable under West Virginia's broader consumer protection framework. The West Virginia Attorney General holds primary enforcement authority. Courts may impose monetary penalties only when defendants show a pattern of repeated and willful violations, with a maximum penalty of $150,000 per breach or related breaches discovered during a single investigation.
Financial institutions regulated by federal banking agencies fall under their primary functional regulator's exclusive jurisdiction. The law does not create a private right of action, meaning individual consumers cannot sue a company directly for failing to provide breach notification.
Attorney General Enforcement Priorities
Attorney General JB McCuskey, who took office in January 2025, has pursued several data-related enforcement initiatives. In February 2026, the AG's office filed a consumer-protection lawsuit in Mason County Circuit Court against Apple Inc., accusing Apple of allowing child sexual abuse material to be stored and distributed on iCloud and other iOS services and of failing to adopt effective detection and reporting safeguards.
McCuskey also joined a multistate coalition of attorneys general that sent letters to AI companies (including Anthropic, Apple, Google, Meta, Microsoft, and OpenAI), demanding implementation of consumer safety safeguards and robust testing protocols by January 2026. The AG's Consumer Protection Division remains the primary avenue for West Virginia residents to report data privacy violations.
Identity Theft Protections (W. Va. Code 61-3-54)
West Virginia criminalizes identity theft under W. Va. Code 61-3-54. The statute makes it a felony to knowingly take the name, birth date, Social Security number, or other identifying information of another person without consent, with intent to fraudulently represent that person in financial or credit transactions or to gain employment.
Penalties for Identity Theft
| Offense | Classification | Maximum Prison | Maximum Fine |
|---|---|---|---|
| Identity theft (financial/credit fraud) | Felony | 5 years | $1,000 |
| Identity theft (employment fraud) | Felony | 5 years | $1,000 |
There is one notable exception: a minor who obtains another person's driver's license solely to misrepresent his or her age is not subject to prosecution under this section.
Identity Theft Victim Resources
The West Virginia Attorney General's Consumer Protection Division provides identity theft assistance, including guidance on placing fraud alerts and credit freezes, reporting identity theft to law enforcement, and disputing fraudulent accounts. Victims can reach the division at 1-800-368-8808 or 304-558-8986.
Credit Security Freeze Protections (W. Va. Code 46A-6L)
West Virginia's Security Freeze on Consumer Credit Reports Act, codified in W. Va. Code 46A-6L, gives consumers the right to place a security freeze on their credit reports. A freeze prohibits a consumer reporting agency from releasing any information in a credit report without the consumer's express authorization.
A consumer reporting agency must place a security freeze no later than five business days after receiving a written request. Within five business days of placing the freeze, the agency must provide the consumer with a unique PIN or password. To temporarily lift the freeze, the agency must comply within three business days of receiving the consumer's request.
The federal Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 now requires all three major credit bureaus to offer free credit freezes nationwide, which effectively supersedes the state's fee provisions for the major bureaus.
Consumers can file civil actions against consumer reporting agencies that violate the security freeze law. Remedies include injunctive relief, actual damages or $5,000 (whichever is greater), and reasonable attorney's fees and court costs.
Insurance Data Privacy (W. Va. Code 33-6F)
West Virginia regulates the privacy of personal information in insurance transactions through W. Va. Code 33-6F, which implements Title V of the federal Gramm-Leach-Bliley Act at the state level. The law prohibits any person from disclosing nonpublic personal information contrary to the provisions of Title V of the GLBA, and the West Virginia Insurance Commissioner is required to adopt implementing rules.
Specific requirements include rules governing the circumstances under which disclosure of personal information to third parties is permitted, personal information redaction requirements before sharing records, verification procedures ensuring that recipients comply with legal restrictions on data use, and internal controls preventing unauthorized employee access to confidential records. Medical and billing records obtained during insurance claims or litigation must remain confidential under both state and federal law.
West Virginia has not adopted the NAIC Insurance Data Security Model Law (MDL-668), which would impose comprehensive information security program requirements on insurers. Insurer cybersecurity practices in the state are governed by existing regulatory guidance from the Insurance Commissioner and applicable federal requirements.
Student Data Privacy (W. Va. Code 18-2-5h)
West Virginia enacted the Student Data Accessibility, Transparency and Accountability Act, codified in W. Va. Code 18-2-5h, to protect the personal information of K-12 students.
The West Virginia Department of Education must develop a detailed data security plan including authentication controls, data encryption, employee training, breach procedures, and routine compliance audits with FERPA. Access to student data in the statewide longitudinal data system is limited to authorized Department of Education staff, contractors, district administrators, teachers, and school personnel.
The law prohibits school districts from reporting or collecting juvenile delinquency records, criminal records, medical or health records, biometric information, political affiliation, religious beliefs, sexual orientation information, firearm ownership data, and data from affective computing.
Parents have the right to inspect and review their child's education record. School districts must notify parents annually of their privacy rights and provide procedures for filing complaints.
Government Cybersecurity Framework (W. Va. Code 5A-6B and 5A-6C)
West Virginia has established a state government cybersecurity framework through two articles of its code.
The West Virginia Cybersecurity Office operates within the Office of Technology and sets cybersecurity standards for executive branch agencies. State agencies must undergo cyber risk assessments, adhere to standards established by the Chief Information Security Officer, and follow enterprise cybersecurity policies.
Under W. Va. Code 5A-6C, qualified cybersecurity incidents must be reported to the Cybersecurity Office before any citizen notification, and no later than 10 days following determination that a qualifying incident occurred. This reporting requirement applies to all state agencies in the executive branch, constitutional officers, local government entities, county boards of education, the Judiciary, and the Legislature.
Pending Legislation: Two Failed Attempts at Comprehensive Privacy Law
West Virginia made two consecutive attempts to enact a comprehensive consumer data privacy law and both failed.
HB 2987 (2025). HB 2987, the Consumer Data Protection Act, was introduced February 26, 2025, and passed the West Virginia House 94-1 on March 26, 2025. The bill was referred to the Senate Judiciary Committee on March 27, 2025, where it died without a vote when the session ended. Had it passed, the effective date would have been July 1, 2026. The bill would have covered entities processing personal data of at least 100,000 consumers (or at least 25,000 consumers with over 50% of gross revenue from personal data sales), and would have granted consumers rights to access, correct, delete, and obtain copies of their personal data, plus the right to opt out of targeted advertising.
HB 5123 (2026). HB 5123, another Consumer Data Protection Act, was introduced February 3, 2026, and referred to the House Committee on Energy and Public Works. The bill included similar consumer rights provisions and added a private cause of action. It failed to advance before the legislature adjourned sine die on March 14, 2026.
West Virginia residents continue to lack the access, deletion, correction, and opt-out rights that residents of 20-plus states now have under comprehensive privacy statutes.
Federal Laws That Protect West Virginia Residents
Because West Virginia lacks a comprehensive state privacy law, federal statutes provide the primary data protection framework for many types of personal information.
TAKE IT DOWN Act (Pub. L. 119-12, 2025)
Congress enacted the TAKE IT DOWN Act, signed into law on May 19, 2025. The Act creates a federal crime for knowingly publishing or threatening to publish nonconsensual intimate images (NCII), including AI-generated deepfakes depicting real people. Adults who violate the criminal provisions face up to two years in prison; violations involving minors face up to three years.
The platform takedown obligations took effect May 19, 2026. Covered online platforms must remove NCII and known identical copies within 48 hours of receiving a valid request. The FTC enforces the platform compliance requirements and may seek civil penalties of up to $53,088 per violation against platforms that fail to implement a compliant notice-and-removal process.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects the privacy and security of individually identifiable health information held by covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. Violations can result in civil monetary penalties ranging from $141 to $2,134,831 per violation category per year, depending on the level of culpability.
Gramm-Leach-Bliley Act (GLBA)
The GLBA requires financial institutions to explain their information-sharing practices and to safeguard sensitive data. West Virginia's insurance industry compliance with the GLBA is enforced through W. Va. Code 33-6F, while banking institutions are regulated by federal agencies.
Children's Online Privacy Protection Act (COPPA)
COPPA requires operators of commercial websites and online services directed at children under 13 to obtain verifiable parental consent before collecting personal information. The FTC enforces COPPA with penalties of up to $51,744 per violation.
Family Educational Rights and Privacy Act (FERPA)
FERPA protects the privacy of student education records. West Virginia's Student Data Accessibility, Transparency and Accountability Act supplements FERPA with additional state-level protections.
FTC Act Section 5
The FTC Act prohibits unfair or deceptive trade practices, including misrepresentations about data privacy and security. The FTC has used Section 5 to bring enforcement actions against companies nationwide that fail to protect consumer data or that violate their own privacy policies.
How West Virginia Compares to Other States
| Feature | West Virginia | California (CCPA/CPRA) | Virginia (VCDPA) |
|---|---|---|---|
| Comprehensive privacy law | No | Yes | Yes |
| Consumer right to access data | No | Yes | Yes |
| Consumer right to delete data | No | Yes | Yes |
| Right to opt out of data sales | No | Yes | Yes |
| Breach notification required | Yes | Yes | Yes |
| Specific notification deadline | No (without unreasonable delay) | 72 hours (AG) | 60 days |
| Private right of action for breaches | No | Limited | No |
| Security freeze rights | Yes | Yes | Yes |
| Identity theft criminal penalties | Felony, up to 5 years | Felony, up to 3 years | Felony, up to 5 years |
| Student data protections | Yes | Yes | Yes |
What West Virginia Residents Can Do Now
Place a Credit Freeze. West Virginia residents can freeze their credit files with all three major credit bureaus. Under federal law, this is free of charge. A freeze prevents new creditors from accessing your credit report, making it harder for identity thieves to open accounts in your name.
Monitor Your Credit. Under federal law, every consumer is entitled to one free credit report per year from each of the three major reporting agencies at AnnualCreditReport.com.
File Complaints. If you believe a company has violated your privacy rights or failed to notify you of a data breach, contact the West Virginia Attorney General's Consumer Protection Division at 1-800-368-8808.
Request NCII Removal. If you are a victim of nonconsensual intimate imagery, the TAKE IT DOWN Act requires covered platforms to remove images within 48 hours of a valid request. Submit reports directly through the platform or via the FTC's reporting tools.
This article provides general legal information about West Virginia data privacy laws and is not legal advice. Data privacy laws change frequently. For advice about a specific situation, consult a licensed attorney in West Virginia.
More West Virginia Laws
Frequently Asked Questions
Does West Virginia have a comprehensive consumer data privacy law like California or Virginia?
No. As of May 2026, West Virginia does not have a comprehensive consumer data privacy law. HB 2987 (Consumer Data Protection Act) passed the West Virginia House 94-1 on March 26, 2025, but died in the Senate Judiciary Committee before the session ended (it had a July 1, 2026 effective date if enacted). HB 5123, a successor bill introduced in February 2026, also failed to advance before the legislature adjourned sine die on March 14, 2026. Until comprehensive legislation is signed into law, West Virginia residents rely on the state's data breach notification law, identity theft protections, and federal laws like HIPAA, the Gramm-Leach-Bliley Act, COPPA, and FERPA.
What must a company do if my personal data is breached in West Virginia?
Under W. Va. Code 46A-2A-102, any entity that owns or licenses computerized data containing your personal information must notify you without unreasonable delay after discovering a breach. The notification must describe the categories of information accessed, provide a telephone number or website for more information, and include contact information for the major credit reporting agencies along with instructions on placing fraud alerts or security freezes. If the breach affects more than 1,000 people, the entity must also notify all nationwide consumer reporting agencies.
Can I sue a company for a data breach in West Virginia?
West Virginia's breach notification statute does not provide a private right of action, meaning you cannot sue a company solely for failing to notify you of a breach under that law. Enforcement is handled by the West Virginia Attorney General, who can pursue penalties of up to $150,000 per breach for repeated willful violations. However, you may have other legal options under common law theories such as negligence or invasion of privacy. For credit reporting violations, the security freeze law (W. Va. Code 46A-6L) does allow consumers to file civil actions seeking actual damages or up to $5,000, plus attorney's fees.
How do I place a credit freeze in West Virginia?
West Virginia residents can place a security freeze on their credit reports by contacting each of the three major credit bureaus: Equifax (1-800-525-6285), Experian (1-888-397-3742), and TransUnion (1-800-680-7289). Under federal law, credit freezes are now free. Once a freeze is placed, the bureau must provide you with a unique PIN or password within five business days. To temporarily lift the freeze for a specific creditor or time period, provide your PIN and the bureau must comply within three business days.
What are the penalties for identity theft in West Virginia?
Under W. Va. Code 61-3-54, identity theft is a felony in West Virginia. Anyone who knowingly takes another person's name, birth date, Social Security number, or other identifying information without consent, with intent to make fraudulent financial transactions or gain employment, faces up to five years in prison, a fine of up to $1,000, or both. There is one exception: minors who use another person's driver's license solely to misrepresent their age are not subject to prosecution under this section.
Does the federal TAKE IT DOWN Act apply in West Virginia?
Yes. The TAKE IT DOWN Act (Pub. L. 119-12), signed on May 19, 2025, applies nationwide, including in West Virginia. It is a federal crime to knowingly publish or threaten to publish nonconsensual intimate images (NCII), including AI-generated deepfakes. Adult violators face up to two years in prison; violations involving minors face up to three years. Platform takedown obligations took effect May 19, 2026: covered platforms must remove NCII within 48 hours of a valid request. The FTC enforces platform compliance.
What data privacy rights do West Virginia residents have over their data held by companies?
West Virginia residents currently have very limited state-law data rights. There is no state law requiring companies to let you access, correct, or delete personal data they hold, and no right to opt out of data sales or targeted advertising under state law. You do have the right to be notified of data breaches involving your personal information under W. Va. Code 46A-2A-102, and the right to place a credit freeze under W. Va. Code 46A-6L. Federal law provides additional rights in specific sectors: HIPAA covers health data, GLBA covers financial institution data, COPPA covers children's data, and FERPA covers student records.
Sources and References
- W. Va. Code 46A-2A-101: Definitions (Breach of Security)(code.wvlegislature.gov).gov
- W. Va. Code 46A-2A-102: Notice of Breach(code.wvlegislature.gov).gov
- W. Va. Code 46A-2A-103: Compliance Procedures(code.wvlegislature.gov).gov
- W. Va. Code 46A-2A-104: Violations(code.wvlegislature.gov).gov
- W. Va. Code 61-3-54: Identity Theft(code.wvlegislature.gov).gov
- W. Va. Code 46A-6L: Security Freeze(code.wvlegislature.gov).gov
- W. Va. Code 33-6F-1: Insurance Privacy(code.wvlegislature.gov).gov
- W. Va. Code 18-2-5h: Student Data Privacy(code.wvlegislature.gov).gov
- W. Va. Code 5A-6B: Cybersecurity Office(code.wvlegislature.gov).gov
- W. Va. Code 5A-6C: Cyber Incident Reporting(code.wvlegislature.gov).gov
- WV Attorney General: Identity Theft Protection(ago.wv.gov).gov
- HB 2987: Consumer Data Protection Act(wvlegislature.gov).gov
- NCSL: Security Breach Notification Laws(ncsl.org)
- HHS: HIPAA(hhs.gov).gov
- FTC: Gramm-Leach-Bliley Act(ftc.gov).gov
- FTC: COPPA Rule(ftc.gov).gov
- U.S. Dept. of Education: FERPA(www2.ed.gov).gov
- FTC: Take It Down Act Enforcement Begins (May 2026)(ftc.gov).gov