West Virginia Biometric Privacy Laws: Collection, Consent & Penalties (2026)

West Virginia has one of the most limited biometric privacy frameworks in the country. The state's breach notification law does not explicitly cover biometric data, and no comprehensive consumer data privacy statute addresses biometric identifiers. This places West Virginia behind most of its neighbors in protecting residents' fingerprints, facial recognition templates, and other biometric information.

However, there are signs of change. In February 2026, legislators introduced HB 5567, a Biometric Information Privacy Act modeled on Illinois's BIPA. If enacted, the bill would make West Virginia one of the few states with a standalone biometric privacy statute that includes a private right of action.

For a broader overview of privacy protections in the state, see the parent guide to West Virginia Data Privacy Laws.

Current Law: Breach Notification Without Biometric Coverage

West Virginia's breach notification law is codified at W.V. Code 46A-2A-101 through 46A-2A-105. The law requires businesses to notify West Virginia residents when a data breach compromises their personal information.

What Counts as Personal Information

Under W.V. Code 46A-2A-101, "personal information" is defined as a person's first name or first initial and last name linked to any one or more of the following unencrypted data elements:

• Social Security number
• Driver's license number or state identification card number
• Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password

Biometric data is not listed among these elements. This means that a breach exposing fingerprints, facial recognition templates, iris scans, or voiceprints does not, by itself, trigger West Virginia's breach notification requirements.

What Triggers Notification

A "breach of the security of a system" under W.V. Code 46A-2A-101 means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information, and that causes the entity to reasonably believe the breach has caused or will cause identity theft or other fraud to a West Virginia resident.

Notification Requirements

When a covered breach occurs, the entity must provide notice to affected individuals "without unreasonable delay." Unlike many states that set a specific timeline (such as 30, 45, or 60 days), West Virginia uses the "without unreasonable delay" standard, giving businesses discretion in timing.

The entity must also notify the West Virginia Attorney General of the breach.

Good Faith Exception

The law includes a good faith exception under W.V. Code 46A-2A-101. If an employee or agent of the entity acquires personal information in good faith for the entity's lawful purposes, and the information is not used improperly or subject to further unauthorized disclosure, it is not considered a breach.

The Gap: No Biometric Data Protection

The absence of biometric data from West Virginia's breach notification law creates a significant gap in consumer protection.

No Collection Consent Requirements

West Virginia law does not require any form of notice or consent before businesses or employers collect biometric data. A company can implement fingerprint scanners, facial recognition systems, or voice authentication without providing notice to or obtaining permission from the individuals affected.

No Retention or Destruction Requirements

There are no state requirements to set retention schedules for biometric data, to publish data retention policies, or to destroy biometric data after a set period or when the purpose for collection has ended.

No Purpose Limitation

Businesses that collect biometric data in West Virginia face no restrictions on how they use, share, or sell that data. There are no state-level prohibitions on selling biometric information to third parties.

No Private Right of Action

Individual West Virginia residents cannot file lawsuits over biometric data collection or misuse under current law.

No Specific Penalties for Biometric Violations

Because no law specifically governs biometric data, there are no dedicated penalties for collecting, misusing, or failing to secure biometric information.

Proposed Biometric Information Privacy Act (HB 5567)

West Virginia legislators introduced HB 5567 on February 16, 2026. The bill would create a standalone Biometric Information Privacy Act, making West Virginia one of the few states to adopt a law specifically dedicated to biometric data protection.

Key Definitions

Under the proposed bill, a "biometric identifier" would mean:

• Retina or iris scan
• Fingerprint
• Voiceprint
• Scan of hand or face geometry

The bill would exclude writing samples, written signatures, photographs, human biological samples used for scientific testing, demographic data, tattoo descriptions, and physical descriptions such as height, weight, hair color, or eye color. Medical data collected under HIPAA would also be excluded.

What the Bill Would Require

If enacted, HB 5567 would regulate the retention, collection, disclosure, and destruction of biometric identifiers. Based on the legislative summary, the bill would establish requirements for:

• Notice and consent before collecting biometric data
• Limitations on how biometric data can be disclosed or sold
• Retention schedules and destruction requirements
• Security standards for stored biometric data

Private Right of Action

One of the most significant provisions of HB 5567 is the inclusion of a private right of action. This would allow individuals to sue businesses that violate the act, similar to the provision in Illinois's BIPA that has generated thousands of lawsuits.

Civil Penalties

The bill would create civil penalties for violations, though the specific dollar amounts will depend on the final version of the legislation.

Current Status

As of early 2026, HB 5567 has been referred to the Committee on Health and Human Resources, then to the Judiciary Committee. The bill has not yet received a committee vote. Previous biometric privacy bills introduced in West Virginia (including similar bills in 2020, 2022, and 2023) did not advance beyond committee.

Federal Laws That Apply in West Virginia

Because West Virginia lacks state-level biometric data protections, federal laws provide the primary framework in certain sectors.

HIPAA

Health care providers, insurers, and their business associates in West Virginia must comply with HIPAA when handling biometric data in a health care context. This includes requirements for patient consent, data security, and breach notification when biometric health data is compromised.

Gramm-Leach-Bliley Act (GLBA)

Financial institutions that collect biometric data for customer authentication must comply with GLBA security requirements. West Virginia's breach notification law acknowledges compliance with federal regulators' requirements.

Children's Online Privacy Protection Act (COPPA)

Companies collecting biometric data from children under 13 must comply with COPPA, which requires verifiable parental consent before collecting biometric identifiers.

Enforcement Under Current Law

The West Virginia Attorney General has general enforcement authority over consumer protection matters under the state's Consumer Credit and Protection Act (W.V. Code Chapter 46A). While there is no specific biometric data enforcement mechanism, the AG can potentially pursue cases involving deceptive or unfair practices related to data handling.

For breach notification violations, the Attorney General can bring enforcement actions under W.V. Code 46A-2A-104, which provides for injunctive relief and potential penalties.

How West Virginia Compares to Neighboring States

West Virginia lags behind most of its neighbors in biometric data protection.

Virginia enacted the Consumer Data Protection Act, which classifies biometric data as sensitive and requires opt-in consent for processing. Maryland has adopted strong biometric data protections through its Online Data Privacy Act.

Kentucky enacted the Kentucky Consumer Data Protection Act with biometric data provisions. Ohio and Pennsylvania have considered biometric privacy legislation but have not yet enacted comprehensive protections.

If HB 5567 passes, West Virginia would leapfrog many of these states by adopting a standalone biometric privacy act with a private right of action.

Practical Guidance for West Virginia Residents

Without dedicated biometric privacy protections, West Virginia residents should take proactive steps.

Ask businesses and employers about their biometric data practices before providing fingerprints, facial scans, or other biometric information. While they are not legally required to disclose their practices, many organizations have privacy policies that address biometric data.

If you believe a company has mishandled your personal data, you can file a consumer complaint with the West Virginia Attorney General's Consumer Protection Division.

Monitor the progress of HB 5567 through the West Virginia Legislature website. If the bill advances, it could significantly change the biometric privacy landscape in the state.

More Virginia Laws

• Virginia Recording Laws
• Virginia Whistleblower Laws
• Virginia Data Privacy Laws
• Virginia Data Privacy Laws
• Virginia Data Privacy Laws
• Virginia Recording Laws
• Virginia Recording Laws
• Virginia Recording Laws

Sources and References

This article references West Virginia statutes available through the West Virginia Code website. For the text of the proposed Biometric Information Privacy Act, see HB 5567. For consumer complaints, contact the West Virginia Attorney General.

This article provides general legal information about West Virginia biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official West Virginia government sources.