HB-5567
WV · State · USA
● Pending
West Virginia House Bill 5567 — Biometric Information Privacy Act
Summary

West Virginia's proposed Biometric Information Privacy Act regulates the collection, use, storage, disclosure, and destruction of biometric identifiers and biometric information by private entities. It requires private entities to provide written notice and obtain written consent before collecting biometric identifiers, maintain a publicly available retention and destruction policy, and prohibits the sale or unauthorized disclosure of biometric data. The bill creates a private right of action with liquidated damages of $1,000 per negligent violation or $5,000 per intentional/reckless violation, plus attorneys' fees and injunctive relief. The bill exempts government agencies, HIPAA-covered health care data, and financial institutions subject to the Gramm-Leach-Bliley Act. The bill is closely modeled on the Illinois Biometric Information Privacy Act (BIPA).

Enforcement & Penalties
Enforcement Authority
Private right of action only. Any person aggrieved by a violation may bring suit in circuit court or as a supplemental claim in federal district court. No designated agency enforcer. Standing requires that the plaintiff be 'aggrieved by a violation' of the article. No cure period or safe harbor is provided.
Penalties
For negligent violations: liquidated damages of $1,000 or actual damages, whichever is greater, per violation. For intentional or reckless violations: liquidated damages of $5,000 or actual damages, whichever is greater, per violation. Prevailing party may also recover reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses, and other relief including injunctive relief as the court considers appropriate. Liquidated damages do not require proof of actual monetary harm.
Who Is Covered
"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a state or local government agency. A private entity does not include any court of West Virginia, a clerk of the court, or a judge or justice thereof.
Compliance Obligations · 7 obligations
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
§ 15-17-3(b)
Plain Language
Before collecting any biometric identifier or biometric information — including fingerprints, voiceprints, retina or iris scans, or scans of hand or face geometry — a private entity must provide written notice to the individual (or their legal representative) that biometric data is being collected or stored, specify the purpose and duration of collection, storage, and use, and obtain a written release from the individual. All three steps must be completed before any collection occurs. In the employment context, the written release may be executed as a condition of employment. This is a pre-collection obligation that cannot be satisfied retroactively.
Statutory Text
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) Informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) Informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
Other · Biometrics
§ 15-17-3(a)
Plain Language
Any private entity that possesses biometric identifiers or biometric information must develop and make publicly available a written policy that establishes a retention schedule and permanent destruction guidelines. Biometric data must be destroyed when the original purpose for collection has been satisfied or within three years of the individual's last interaction with the entity, whichever comes first. The entity must follow its own schedule unless compelled otherwise by a valid court-issued warrant or subpoena. This is both a policy documentation obligation and an operational data lifecycle requirement.
Statutory Text
(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
Other · Biometrics
§ 15-17-3(c)
Plain Language
Private entities are categorically prohibited from selling, leasing, trading, or otherwise deriving profit from any person's or customer's biometric identifier or biometric information. There are no exceptions to this prohibition — consent of the individual does not authorize a sale. This is an absolute bar on commercial exploitation of biometric data, distinct from the disclosure restrictions in § 15-17-3(d) which permit disclosure under certain conditions.
Statutory Text
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
Other · Biometrics
§ 15-17-3(d)
Plain Language
Private entities may not disclose, redisclose, or disseminate a person's biometric identifier or biometric information except in four specified circumstances: (1) the individual or their legal representative consents; (2) the disclosure completes a financial transaction the individual requested or authorized; (3) disclosure is required by law or ordinance; or (4) disclosure is compelled by a valid warrant or subpoena. Outside these four exceptions, all sharing of biometric data with third parties is prohibited. This is a default non-disclosure rule with limited carve-outs, distinct from the absolute prohibition on commercial exploitation in § 15-17-3(c).
Statutory Text
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) The subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) The disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) The disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Other · Biometrics
§ 15-17-3(e)
Plain Language
Private entities must protect biometric identifiers and biometric information in storage and transmission using at least two benchmarks: (1) the reasonable standard of care within their industry, and (2) protections that are at least as strong as those applied to other confidential and sensitive information such as Social Security numbers, account numbers, and genetic markers. Both standards must be met simultaneously — the entity must satisfy whichever is more protective. This establishes a floor for biometric data security without prescribing specific technical controls.
Statutory Text
(e) A private entity in possession of a biometric identifier or biometric information shall: (1) Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) Store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the way the private entity stores, transmits, and protects other confidential and sensitive information.
Other · Biometrics
§ 15-17-4
Plain Language
This section creates the enforcement mechanism for all obligations in the article. It establishes a private right of action for any aggrieved person, with tiered liquidated damages ($1,000 for negligence, $5,000 for intentional or reckless violations) per violation, plus attorneys' fees, costs, and injunctive relief. It creates no independent compliance obligation — its substance is captured in the law-level enforcement_authority and damages fields.
Statutory Text
Any person aggrieved by a violation of this article has a right of action in circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation: (1) Against a private entity that negligently violates a provision of this article, liquidated damages of $1,000 or actual damages, whichever is greater; (2) Against a private entity that intentionally or recklessly violates a provision of this article, liquidated damages of $5,000 or actual damages, whichever is greater; (3) Reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and (4) Other relief, including an injunction, as the state or federal court may consider appropriate.
Other · Biometrics
§ 15-17-5
Plain Language
This section contains four savings and exemption clauses: (a) the article does not affect judicial discovery or admissibility of biometric data; (b) the article does not conflict with HIPAA; (c) financial institutions subject to the Gramm-Leach-Bliley Act are entirely exempt; and (d) contractors working on behalf of state or local government agencies are exempt when acting in that capacity. These provisions narrow the article's scope but create no new affirmative obligation.
Statutory Text
(a) Nothing in this article may be construed to impact the admission or discovery of biometric identifiers and biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person. (b) Nothing in this article may be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that act. (c) Nothing in this article may be considered to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder. (d) Nothing in this article may be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.