Regulon.AI — WV-HB-5567 · WV HB 5567 (Biometric Information Privacy Act)

Summary

Creates a Biometric Information Privacy Act modeled closely on the Illinois BIPA. Regulates private entities that possess, collect, or receive biometric identifiers (retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry) or biometric information. Requires written notice and written release before collection, mandates publicly available retention and destruction policies, prohibits sale or profiting from biometric data, restricts disclosure, and requires reasonable security standards. Excludes government agencies, HIPAA-covered health care data, and entities subject to the Gramm-Leach-Bliley Act. Creates a private right of action with tiered liquidated damages ($1,000 for negligent violations, $5,000 for intentional or reckless violations) plus attorneys' fees and injunctive relief.

Enforcement & Penalties

Enforcement Authority

Private right of action. No designated agency enforcer. Any person aggrieved by a violation may bring an action in circuit court or as a supplemental claim in federal district court. Standing requires that the plaintiff be 'aggrieved by a violation' — no cure period or safe harbor is specified.

Penalties

For negligent violations: liquidated damages of $1,000 or actual damages, whichever is greater. For intentional or reckless violations: liquidated damages of $5,000 or actual damages, whichever is greater. Prevailing party may also recover reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses, and other relief including injunctive relief as the court considers appropriate. Liquidated damages do not require proof of actual monetary harm.

Who Is Covered

"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a state or local government agency. A private entity does not include any court of West Virginia, a clerk of the court, or a judge or justice thereof.

Compliance Obligations 6 obligations · click obligation ID to open requirement page

D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics

§ 15-17-3(b)

Plain Language

Before collecting, capturing, purchasing, or otherwise obtaining any biometric identifier or biometric information, a private entity must provide the individual (or their legally authorized representative) with written notice that biometric data is being collected or stored, written notice of the specific purpose and duration of collection, storage, and use, and must obtain a written release from the individual. All three steps must be completed before the data is obtained. In the employment context, a written release executed as a condition of employment satisfies the consent requirement. This is structurally identical to the Illinois BIPA §15(b) informed consent requirement.

Statutory Text

(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) Informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) Informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) Receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.

G-01 AI Governance Program & Documentation · G-01.1 · Deployer · Biometrics

§ 15-17-3(a)

Plain Language

Any private entity that possesses biometric identifiers or biometric information must develop and make publicly available a written retention and destruction policy. The policy must establish a schedule for permanently destroying biometric data when the original purpose for collection has been satisfied or within three years of the individual's last interaction with the entity — whichever comes first. The entity must then actually comply with its own published schedule and destruction guidelines, absent a valid warrant or subpoena. This is both a documentation obligation and an ongoing operational obligation.

Statutory Text

(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics

§ 15-17-3(c)

Plain Language

Private entities are categorically prohibited from selling, leasing, trading, or otherwise profiting from any person's biometric identifier or biometric information. This is an absolute prohibition with no exceptions — there is no consent carve-out that would permit monetization even with the individual's agreement. This goes beyond typical data minimization requirements by entirely banning commercial exploitation of biometric data.

Statutory Text

(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.

D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics

§ 15-17-3(d)

Plain Language

Private entities may not disclose, redisclose, or disseminate a person's biometric identifier or biometric information except in four narrow circumstances: (1) the subject or their authorized representative consents; (2) the disclosure completes a financial transaction the subject requested or authorized; (3) disclosure is required by law or ordinance; or (4) disclosure is required by a valid warrant or subpoena. Any disclosure outside these four categories is a violation. Unlike the collection consent requirement in § 15-17-3(b), consent for disclosure does not need to be in writing — the statute says 'consents' without specifying a writing requirement.

Statutory Text

(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) The subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) The disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) The disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

S-01 AI System Safety Program · Deployer · Biometrics

§ 15-17-3(e)

Plain Language

Private entities must protect biometric identifiers and biometric information through two cumulative security standards: (1) the reasonable standard of care within the entity's industry, and (2) protections at least as strong as those the entity applies to its other confidential and sensitive information (e.g., Social Security numbers, account numbers, PINs). Both standards must be met simultaneously — the entity must apply whichever is more protective. This covers storage, transmission, and protection from disclosure.

Statutory Text

(e) A private entity in possession of a biometric identifier or biometric information shall: (1) Store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) Store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the way the private entity stores, transmits, and protects other confidential and sensitive information.

Other · Biometrics

§ 15-17-5(c)-(d)

Plain Language

Two categories of entities are entirely excluded from the Act: (1) financial institutions and their affiliates subject to Title V of the Gramm-Leach-Bliley Act, and (2) contractors, subcontractors, or agents of state or local government agencies when acting in that capacity. These exclusions supplement the definition of 'private entity,' which already excludes government agencies and courts directly. Practitioners at financial institutions or government contractors should confirm their entity falls within these carve-outs before relying on them.

Statutory Text

(c) Nothing in this article may be considered to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder. (d) Nothing in this article may be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.