Pub. 12 2021 Issue 3

wvbankers.org 28 West Virginia Banker State Privacy Legislation: A Trend Worth Watching for Banks By Matthew Chase and Mark Mangano, Jackson Kelly PLLC S tates are showing increasing interest in supplementing federal protection of consumer data privacy rights. Since 2018, three states have enacted consumer data privacy statutes. The current statutes appear to be of limited concern for community banks, but bankers should be vigilant as statutes are proposed in the states where they do business. This article will briefly discuss the state privacy trend, application, bank exemptions, and what to watch for in emerging legislation. The Growing Trend of State Consumer Privacy Regulation In 2018, California adopted the California Consumer Privacy Act (CCPA) to extend substantial data privacy protections to California consumers and impose significant compliance obligations on certain businesses collecting, processing, or selling consumer data. There appears to be growing interest in other states to follow California’s lead. The CCPA was supplemented by the California Privacy Rights Act (CPRA) in 2020. Recently, Virginia and Colorado enacted privacy laws that broadly protect their citizens. Other state legislatures have proposed similar laws, including House Bill 3159 introduced in the West Virginia House of Delegates during the 2021 legislative session. These new state privacy laws expand the rights of consumers concerning their data and personal information, including: the right to know whether an entity is processing their personal information; the right to access, correct, delete, and transfer this personal information; and the right to opt-out of targeted advertising and the sale of personal data. The new state privacy laws are generally based on a common set of international fair information practices. Many of the new and proposed state privacy laws appear to be patterned after the CCPA. They provide protections for data beyond the types of personal nonpublic information covered by the Gramm-Leach-Bliley Act (GLBA). The additional customer information that the GLBA does not cover includes personal information collected for non- financial products or services like publications and from web cookies when a potential customer visits a financial institution’s website. Application The CCPA and CPRA only apply to businesses that do business in California. Virginia’s Consumer Data Protection Act (the VCDPA) and Colorado’s Colorado Privacy Act (the CPA) expand this in-state conduct to also include persons that produce commercial products or services that are targeted to their respective residents. Each statute sets minimum activity requirements that need to be met for it to apply to a business, including annual gross revenues (the CCPA and CPRA), the number of consumers whose data is processed (the CCPA, CPRA, VCDPA, and CPA), or the number of consumers whose data is processed in conjunction with deriving revenue or receiving a discount from the sale of that data (the CCPA, CPRA, VCDPA, and CPA). The four existing state data