Wyoming Consumer Privacy Law

Primary law

Wyoming's breach statute defines a breach of the security of the data system as unauthorized acquisition of computerized data that materially compromises personal identifying information and causes or is reasonably believed to cause loss or injury to a Wyoming resident.

"Breach of the security of the data system" means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state.

See Wyo. Stat. § 40-12-501(a)(i).

Primary law

The Wyoming Consumer Protection Act makes knowing deceptive trade practices in connection with a consumer transaction unlawful, which is the hook for misrepresented data practices.

A person engages in a deceptive trade practice unlawful under this act when, in the course of his business and in connection with a consumer transaction, he knowingly:

See Wyo. Stat. § 40-12-105(a).

Primary law

Wyoming's genetic-data chapter prohibits obtaining, testing, retaining, or disclosing an individual's genetic data without informed consent, subject to enumerated exceptions.

Except as provided in subsection (b) of this section, no person conducting genetic testing shall do any of the following without the informed consent of the individual or the individual's authorized representative: (i) Obtain an individual's genetic data; (ii) Perform genetic testing on an individual; (iii) Retain an individual's genetic data; (iv) Disclose an individual's genetic data.

See Wyo. Stat. § 35-32-102(a).

Primary law

A website operator that disseminates arrest photographs and charges for removal must remove a photograph and related personal information without charge within thirty days of a qualifying written request.

A person who operates a website that disseminates photographic records of arrested individuals made by law enforcement agencies as part of routinely documenting an arrest and who charges individuals to remove their photographs shall remove any photograph and related name and personal information from all websites owned or controlled by that person without charging a fee within thirty (30) days of the date of a request to remove the photograph and information if the request:

See Wyo. Stat. § 40-12-601(a).

Primary law

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches privacy misrepresentations by businesses nationwide.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

A direct-to-consumer genetic testing company must provide both a high-level privacy-policy overview and a prominent, publicly available privacy notice covering collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.

To safeguard the privacy, confidentiality, security and integrity of a consumer's genetic data, a direct to consumer genetic testing company shall: (i) Provide clear and complete information regarding the company's policies and procedures for the collection, use or disclosure of genetic data by making available to a consumer: (A) A high-level privacy policy overview that includes essential information about the company's collection, use or disclosure of genetic data; and (B) A prominent, publicly available privacy notice that includes, at a minimum, information about the company's data collection, consent, use, access, disclosure, transfer, security and retention and deletion practices.

See Wyo. Stat. § 35-32-102(c)(i).

Primary law

Section 5 of the FTC Act declares unfair or deceptive acts or practices unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520(a)(1).

Primary law

A vendor that maintains computerized personal identifying information on another business's behalf must disclose a breach to that business as soon as practicable, and the parties may agree which of them provides the required notice.

Any person who maintains computerized data that includes personal identifying information on behalf of another business entity shall disclose to the business entity for which the information is maintained any breach of the security of the system as soon as practicable following the determination that personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person. The person who maintains the data on behalf of another business entity and the business entity on whose behalf the data is maintained may agree which person or entity will provide any required notice as provided in subsection (a) of this section, provided only a single notice for each breach of the security of the system shall be required.

See Wyo. Stat. § 40-12-502(g).

Primary law

The genetic-data chapter excepts from its informed-consent requirement services limited to storage, retrieval, handling, or transmission of genetic data by a third-party service provider acting under a contract.

Services limited to storage, retrieval, handling or transmission of genetic data by a third party service provider pursuant to a contract or other obligation;

See Wyo. Stat. § 35-32-102(b)(xi).

Primary law

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4(f)(2).

Primary law

HIPAA requires a written business-associate contract that establishes the permitted uses and disclosures of protected health information and binds the business associate to safeguard it.

A contract between the covered entity and a business associate must

See 45 C.F.R. § 164.504(e)(2).

Primary law

An individual or the individual's authorized representative may inspect, correct, and obtain the individual's genetic data.

An individual or the individual's authorized representative may inspect, correct and obtain genetic data about the individual.

See Wyo. Stat. § 35-32-103(a).

Primary law

A direct-to-consumer genetic testing company must provide a process for a consumer to access genetic data, delete the account and genetic data, and obtain destruction of the biological sample.

Provide a process for a consumer to: (A) Access the consumer's genetic data; (B) Delete the consumer's account and genetic data; and (C) Request and obtain the destruction of the consumer's biological sample.

See Wyo. Stat. § 35-32-102(c)(v).

Primary law

A person conducting genetic testing must destroy an individual's genetic data on request unless the data was obtained under a statutory exception or retention is necessary for a purpose disclosed in the informed consent.

A person conducting genetic testing shall destroy an individual's genetic data upon request by the individual or the individual's authorized representative unless: (i) The data was obtained pursuant to W.S. 35-32-102(b); or (ii) Retention of the data is necessary for a purpose disclosed to the individual or representative in the informed consent.

See Wyo. Stat. § 35-32-103(b).

Primary law

Once a security freeze is in place, a consumer reporting agency may not release the consumer's credit report or information from it for new-credit purposes without the consumer's prior authorization.

If a security freeze is in place, a consumer reporting agency may not release a consumer's credit report or information derived from the credit report to a third party that intends to use the information to determine a consumer's eligibility for credit or the opening of a new account without prior authorization from the consumer.

See Wyo. Stat. § 40-12-503(b).

Primary law

No person conducting genetic testing may obtain, test, retain, or disclose an individual's genetic data without informed consent, subject to the exceptions in subsection (b).

Except as provided in subsection (b) of this section, no person conducting genetic testing shall do any of the following without the informed consent of the individual or the individual's authorized representative: (i) Obtain an individual's genetic data; (ii) Perform genetic testing on an individual; (iii) Retain an individual's genetic data; (iv) Disclose an individual's genetic data.

See Wyo. Stat. § 35-32-102(a).

Primary law

A direct-to-consumer genetic testing company must obtain initial express consent describing uses, access, and sharing of genetic data, plus separate express consent before transfers beyond vendors and service providers or uses beyond the primary purpose of the service.

Obtain a consumer's consent for the collection, use or disclosure of the consumer's genetic data including, at a minimum: (A) Initial express consent that describes the uses of the genetic data collected through the genetic testing product or service, and specifies who has access to test results and how the genetic data may be shared; (B) Separate express consent for transferring or disclosing the consumer's genetic data to any person other than the company's vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses;

See Wyo. Stat. § 35-32-102(c)(ii).

Primary law

A direct-to-consumer genetic testing company must obtain separate express consent to retain a consumer's biological sample after the initial testing service is complete.

Separate express consent for the retention of any biological sample provided by the consumer following completion of the initial testing service requested by the consumer;

See Wyo. Stat. § 35-32-102(c)(ii)(C).

Primary law

A direct-to-consumer genetic testing company must obtain separate express consent for marketing based on a consumer's genetic data or based on the consumer having ordered or purchased a genetic testing product or service.

Separate express consent for marketing to a consumer based on the consumer's genetic data, or for marketing by a third party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service.

See Wyo. Stat. § 35-32-102(c)(ii)(E).

Primary law

A direct-to-consumer genetic testing company must require valid legal process before disclosing genetic data to law enforcement or other government agencies absent express written consent, and must maintain a comprehensive security program protecting genetic data.

Require valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent; (iv) Develop, implement and maintain a comprehensive security program that protects a consumer's genetic data against unauthorized access, use or disclosure

See Wyo. Stat. § 35-32-102(c)(iii)-(iv).

Primary law

A direct-to-consumer genetic testing company may not disclose a consumer's genetic data to health, life, or long-term-care insurers, or to the consumer's employer, without the consumer's written consent.

Notwithstanding any other provisions in this section, a direct to consumer genetic testing company shall not disclose a consumer's genetic data to any entity offering health insurance, life insurance or long-term care insurance, or to any employer of the consumer without the consumer's written consent.

See Wyo. Stat. § 35-32-102(d).

Primary law

The genetic-data chapter's provisions applicable to direct-to-consumer genetic testing companies cannot be waived, so contract terms purporting to waive them are ineffective.

The provisions of this chapter applicable to direct to consumer genetic testing companies shall not be waived.

See Wyo. Stat. § 35-32-105(a).

Primary law

The genetic-data chapter does not apply to protected health information collected by a HIPAA covered entity or business associate.

This chapter shall not apply to protected health information that is collected by a covered entity or business associate governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services

See Wyo. Stat. § 35-32-105(b).

Primary law

A business that owns or licenses computerized personal identifying information of Wyoming residents must promptly investigate a suspected breach and, if misuse occurred or is reasonably likely, notify affected residents as soon as possible and without unreasonable delay.

An individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a resident of Wyoming shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Wyoming resident. Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

See Wyo. Stat. § 40-12-502(a).

Primary law

Personal identifying information under the breach statute is a name combined with one or more unredacted data elements specified in Wyoming's identity-theft statute, W.S. 6-3-901(b)(iii) through (xiv).

"Personal identifying information" means the first name or first initial and last name of a person in combination with one (1) or more of the data elements specified in W.S. 6-3-901(b)(iii) through (xiv), when the data elements are not redacted.

See Wyo. Stat. § 40-12-501(a)(vii).

Primary law

Breach notices must be clear and conspicuous and include, at a minimum, a toll-free contact number, the types of personal identifying information involved, a general description of the incident, the approximate breach date if determinable, the remedial actions taken, vigilance advice, and whether notice was delayed for law enforcement.

Notice required under subsection (a) of this section shall be clear and conspicuous and shall include, at a minimum: (i) A toll-free number: (A) That the individual may use to contact the person collecting the data, or his agent; and (B) From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies. (ii) The types of personal identifying information that were or are reasonably believed to have been the subject of the breach; (iii) A general description of the breach incident; (iv) The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided; (v) In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches; (vi) Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports; (vii) Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.

See Wyo. Stat. § 40-12-502(e).

Primary law

Substitute notice is available only if the business demonstrates that notice costs would exceed statutory dollar thresholds, that the affected class exceeds statutory volume thresholds, or that it lacks sufficient contact information.

Substitute notice, if the person demonstrates: (A) That the cost of providing notice would exceed ten thousand dollars ($10,000.00) for Wyoming-based persons or businesses, and two hundred fifty thousand dollars ($250,000.00) for all other businesses operating but not based in Wyoming; (B) That the affected class of subject persons to be notified exceeds ten thousand (10,000) for Wyoming-based persons or businesses and five hundred thousand (500,000) for all other businesses operating but not based in Wyoming; or (C) The person does not have sufficient contact information.

See Wyo. Stat. § 40-12-502(d)(iii).

Primary law

Breach notification may be delayed if a law enforcement agency determines in writing that notification may seriously impede a criminal investigation.

The notification required by this section may be delayed if a law enforcement agency determines in writing that the notification may seriously impede a criminal investigation.

See Wyo. Stat. § 40-12-502(b).

Primary law

A HIPAA covered entity or business associate that notifies affected Wyoming customers in compliance with the HIPAA breach-notification rules is deemed compliant with the Wyoming breach statute.

A covered entity or business associate that is subject to and complies with the Health Insurance Portability and Accountability Act, and the regulations promulgated under that act, 45 C.F.R. Parts 160 and 164, is deemed to be in compliance with this section if the covered entity or business associate notifies affected Wyoming customers or entities in compliance with the requirements of the Health Insurance Portability and Accountability Act and 45 C.F.R. Parts 160 and 164.

See Wyo. Stat. § 40-12-502(h).

Primary law

The Attorney General enforces the breach-notification statute through actions in law or equity for compliance and damages; the statute creates no consumer private right of action.

The attorney general may bring an action in law or equity to address any violation of this section and for other relief that may be appropriate to ensure proper compliance with this section, to recover damages, or both. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.

See Wyo. Stat. § 40-12-502(f).

Primary law

A person relying on an uncured unlawful deceptive trade practice may sue under the Consumer Protection Act for the damages actually suffered as a consumer.

A person relying upon an uncured unlawful deceptive trade practice may bring an action under this act for the damages he has actually suffered as a consumer as a result of such unlawful deceptive trade practice.

See Wyo. Stat. § 40-12-108(a).

Primary law

A consumer entitled to sue over an uncured unlawful deceptive trade practice may bring a class action, and court-awarded attorney fees are determined by the time reasonably expended rather than by the amount of the judgment.

Any person who is entitled to bring an action under subsection (a) of this section on his own behalf against an alleged violator of this act for damages for an unlawful deceptive trade practice may bring a class action against such person on behalf of any class of persons of which he is a member and which has been damaged by such unlawful deceptive trade practice, subject to and pursuant to the Wyoming Rules of Civil Procedure governing class actions, except as herein expressly provided. If the court determines that actual damages have been suffered by reason of the unlawful deceptive trade practice, the court shall award reasonable attorney's fees to the plaintiffs in a class action under this subsection, provided that such fees shall be determined by the amount of time reasonably expended by the attorney for the plaintiffs and not by the amount of the judgment.

See Wyo. Stat. § 40-12-108(b).

Primary law

The Attorney General may sue to restrain unlawful practices by temporary restraining order or injunction, and the court may enter additional orders to compensate identifiable persons for actual damages or restore money or property.

Whenever the enforcing authority has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any practice which is unlawful under W.S. 40-12-104 or 40-12-105, and that proceedings would be in the public interest, he may bring an action in the name of this state against such person to restrain by temporary restraining order or preliminary or permanent injunction the use of such practice. The action may be brought in the district court of the county in which the person resides or has his principal place of business or in the district court of Laramie county, Wyoming. The district court may issue temporary restraining orders, including ex parte temporary restraining orders, or preliminary or permanent injunctions, in accordance with the principles of equity, to restrain and prevent violations of this act. The court may make such additional orders or judgments as are necessary to compensate identifiable persons for actual damages or restoration of money or property, real or personal, which may have been acquired by means or any act or practice restrained.

See Wyo. Stat. § 40-12-106.

Primary law

A deceptive trade practice is uncured — and therefore actionable privately — only after consumer notice and either no cure offer within fifteen days or a failure to cure within a reasonable time after acceptance.

"Uncured unlawful deceptive trade practice" means an unlawful deceptive trade practice as defined in W.S. 40-12-105: (A) With respect to which a consumer who has been damaged by the unlawful deceptive trade practice has given notice to the alleged violator pursuant to W.S. 40-12-109; and (B) Either: (I) No offer to cure has been made to such consumer within fifteen (15) days after such notice; or (II) The unlawful deceptive trade practice has not been cured as to such consumer within a reasonable time after his acceptance of the offer to cure.

See Wyo. Stat. § 40-12-102(a)(ix).

Primary law

A willful violation of the Consumer Protection Act carries a civil penalty of up to ten thousand dollars per violation, recoverable by the enforcing authority.

Except as provided in W.S. 40-12-111, any person or agent or employee of the person, who willfully uses, or has willfully used, a method or act, in violation of this act, is liable for a civil penalty of not more than ten thousand dollars ($10,000.00) for each violation. Willful violations occur when the person knew or should have known that the person's conduct was unfair or deceptive.

See Wyo. Stat. § 40-12-113(c).

Primary law

Willful violations that victimize older persons or persons with disabilities require restitution and carry a civil penalty of up to fifteen thousand dollars per violation, recoverable by the Attorney General.

Any person who willfully uses, or has willfully used, a method, act or practice in violation of this act which victimizes or attempts to victimize an older person or a person with disabilities, and commits such violation when the person knew or should have known that the conduct was unfair or deceptive, shall make restitution or reimbursement to the older person or person with disabilities including reasonable attorney fees and costs, and, in addition, is liable for a civil penalty of up to fifteen thousand dollars ($15,000.00) for each violation recoverable by the office of the attorney general.

See Wyo. Stat. § 40-12-111(b).

Primary law

Violating the genetic-data chapter is a misdemeanor, and an individual whose rights are violated may bring a civil action for an injunction and damages after written notice and a sixty-day cure period, with a prevailing party able to recover costs, expenses, and reasonable attorney fees.

Any person violating the provisions of this chapter is guilty of a misdemeanor punishable by a fine of not more than one thousand dollars ($1,000.00) for each violation. (b) An individual whose rights have been violated under the provisions of this chapter may bring a civil action to enjoin or restrain any violation of this chapter and may in the same action seek damages from the person violating this chapter. Prior to filing an action under this subsection the individual shall give notice in writing to the alleged violator stating fully the nature of the alleged violation. The alleged violator shall have not more than sixty (60) days from the date notice is provided to cure any violation. If, after sixty (60) days the violation has not been cured, the individual may bring a civil action. A prevailing party in an action brought under this subsection may recover all costs and expenses reasonably associated with the action, including but not limited to reasonable attorney fees.

See Wyo. Stat. § 35-32-104(a)-(b).

Primary law

The Attorney General may enforce the genetic-data chapter in the name of the state or as parens patriae, with a civil penalty of two thousand five hundred dollars per violation plus actual consumer damages and fees.

The attorney general may bring an action in the name of the state or as parens patriae on behalf of consumers to enforce this chapter. In any action brought by the attorney general to enforce this chapter, a person found to have violated this chapter shall be subject to a civil penalty of two thousand five hundred dollars ($2,500.00) for each violation, the recovery of actual damages incurred by consumers on whose behalf the action was brought and costs and reasonable attorneys' fees incurred by the office of the attorney general.

See Wyo. Stat. § 35-32-104(c).