Wyoming’s approach to data privacy, particularly concerning sensitive personal information, does not establish a specific statutory definition of “sensitive personal information” that mirrors broader federal definitions or those found in some other states like California. Instead, the Wyoming Personal Information Privacy Act (WPIPA), enacted in 2023, focuses on providing consumers with rights regarding personal information collected by businesses. While WPIPA grants consumers rights such as the right to access, deletion, and opt-out of the sale of personal information, it does not create a distinct category of “sensitive personal information” with enhanced protections or consent requirements beyond what is generally applied to personal information. The Act defines “personal information” broadly to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The absence of a specific “sensitive personal information” category in WPIPA means that, under Wyoming law, there are no unique consent requirements or limitations on processing that are solely triggered by the nature of the data being sensitive, such as health information or precise geolocation, unless such data falls under other specific federal or state regulations not part of WPIPA’s core provisions. The focus remains on the collection, processing, and sale of “personal information” as defined and regulated by WPIPA, with a consumer-centric approach to rights and transparency.

Wyoming’s data privacy landscape, while not as comprehensive as some other states like California, focuses on specific consumer rights and business obligations. The Wyoming Personal Data Privacy Act (WPDPA) grants consumers rights concerning their personal data, including the right to access, correct, delete, and opt-out of the sale of personal data. Businesses that process personal data of Wyoming residents and meet certain thresholds (e.g., control or process personal data of at least 100,000 Wyoming consumers or control or process personal data of at least 30,000 Wyoming consumers and derive more than 25% of gross revenue from the sale of personal data) are subject to the Act. The WPDPA does not establish a private right of action for consumers to sue businesses directly for violations. Enforcement is primarily handled by the Wyoming Attorney General. The Act requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers. A key element is the definition of “sale” of personal data, which includes the exchange of personal data for monetary or other valuable consideration, but with specific exclusions for certain types of data sharing, such as sharing with service providers or for targeted advertising under certain conditions. The Act also mandates that controllers provide clear privacy notices and honor consumer rights requests within a specified timeframe. The absence of a private right of action means that enforcement mechanisms are state-led, emphasizing the role of the Attorney General in ensuring compliance and addressing potential breaches of consumer privacy rights under Wyoming law.

Wyoming’s approach to data privacy, particularly concerning consumer rights, is largely shaped by the Wyoming Consumer Privacy Act (WCPA). The WCPA grants consumers specific rights regarding their personal data. One of the key rights is the right to opt-out of the sale of personal data. When a consumer exercises this right, the controller must cease selling that consumer’s personal data. The act also mandates that controllers provide clear notice of this right and a mechanism for consumers to exercise it. Furthermore, the WCPA specifies that a controller must respond to a consumer’s opt-out request within a defined timeframe, generally 45 days, with a possible extension of another 45 days if reasonably necessary and the consumer is informed of the extension. The core principle is that once a consumer opts out, the controller is prohibited from selling their personal data unless the consumer subsequently provides affirmative consent to the sale. This is a fundamental aspect of consumer control over their digital footprint under Wyoming law.

No calculation is required for this question as it tests conceptual understanding of Wyoming’s approach to data privacy. Wyoming does not have a comprehensive data privacy law analogous to the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA). Instead, its privacy protections are largely sector-specific and derived from federal laws and certain state statutes addressing particular types of data or entities. For instance, Wyoming statutes might address the privacy of health information in certain contexts, or govern how government agencies handle public records containing personal information. However, there is no overarching framework that grants broad consumer rights regarding the collection, sale, or processing of personal data across all commercial sectors, nor is there a specific state agency tasked with enforcing a general data privacy regulation. Therefore, a business operating in Wyoming would primarily need to comply with federal privacy laws and any specific Wyoming statutes that apply to their particular industry or data handling practices, rather than a singular, comprehensive state data privacy act. The absence of a broad, proactive consumer data privacy law means that rights such as the right to opt-out of the sale of personal data, or the right to access and delete data, are not generally established by state statute for all consumers.

Wyoming’s approach to data privacy, particularly concerning consumer rights and business obligations, is primarily shaped by the Wyoming Consumer Privacy Act (WCPA). This act grants Wyoming consumers specific rights regarding their personal information collected by businesses. A key aspect of the WCPA is the definition of a “covered entity,” which is a person that conducts business in Wyoming or produces or directs its activities toward Wyoming residents and meets certain thresholds related to processing personal data. The thresholds are based on annual revenue and the number of Wyoming consumers whose personal data is processed. Specifically, a covered entity is one that: 1) controls or processes the personal data of at least 100,000 Wyoming consumers, or 2) controls or processes the personal data of at least 30,000 Wyoming consumers and derives more than 25% of its gross annual revenue from selling personal data. The WCPA grants consumers rights such as the right to know, access, deletion, and opt-out of the sale of personal data. Businesses are required to provide clear privacy notices, respond to consumer requests within a specified timeframe, and implement reasonable security measures. The act also outlines requirements for data protection assessments for activities that present a significant risk of harm to consumers. Enforcement is handled by the Wyoming Attorney General. Understanding these thresholds is crucial for businesses to determine their compliance obligations under Wyoming law.

Wyoming’s approach to data privacy, particularly as reflected in the Wyoming Privacy Act (WPA), emphasizes consumer rights and business obligations. The WPA grants consumers rights such as the right to access, delete, and opt-out of the sale of personal data. Businesses that collect, process, or share personal data of Wyoming residents are subject to these provisions. The Act defines “sale” broadly to include exchanges for monetary or other valuable consideration, not limited to direct financial transactions. For instance, sharing data with a third-party analytics firm in exchange for market insights constitutes a sale under the WPA. The law also mandates data protection assessments for processing activities that present a heightened risk of harm to consumers, requiring businesses to identify and mitigate risks associated with data processing. Enforcement is primarily handled by the Wyoming Attorney General, with provisions for statutory damages in cases of violations. The WPA’s scope is generally triggered by a business’s engagement in processing personal data of Wyoming residents and meeting certain thresholds, such as processing data of at least 30,000 Wyoming consumers annually or deriving 25% or more of gross revenue from selling personal data of Wyoming consumers. This framework aims to provide robust privacy protections while being mindful of the operational realities for businesses.

The Wyoming Personal Information Privacy Act (WPIPPA) does not establish a specific private right of action for individuals to sue businesses directly for violations. Instead, enforcement of WPIPPA is primarily vested in the Wyoming Attorney General. The Act outlines a process where the Attorney General may investigate alleged violations and, if warranted, pursue legal action, including seeking injunctive relief and civil penalties. While individuals can report potential violations to the Attorney General, they do not possess the independent standing to initiate litigation against a controller or processor under the current statutory framework. Therefore, any claim seeking damages or other remedies directly from a business for a WPIPPA violation would not be maintainable under the Act itself.

Wyoming Statute § 60-2-101 et seq., the Wyoming Personal Data Privacy Act (WPDPA), grants consumers specific rights concerning their personal data. One of these rights is the right to access, which allows individuals to confirm whether a data controller is processing their personal data and to obtain a copy of that data. The WPDPA also outlines the obligations of data controllers in responding to such requests. A data controller must respond to a consumer’s request for access without undue delay and within a reasonable period, not exceeding 45 days. This period can be extended by an additional 45 days where reasonably necessary, considering the complexity and number of the requests. However, the controller must inform the consumer of any such extension within the initial 45-day period, along with the reasons for the delay. The law does not mandate a specific format for the response beyond ensuring it is readily understandable and provides the requested information. The core principle is transparency and empowering consumers with knowledge about their data processing.

Wyoming’s approach to data privacy, as reflected in its statutes, generally does not impose a broad, affirmative duty on all businesses to implement specific data security measures beyond what is reasonable and prudent to protect sensitive personal information from unauthorized access or disclosure. Unlike some other states that mandate detailed security programs, Wyoming law tends to focus on prohibiting deceptive practices related to data handling and providing remedies for breaches of security that result in specific types of harm or misuse of personal information. The Wyoming Personal Information Privacy Act (WPIPA) is a key piece of legislation. It grants consumers rights regarding their personal information, including the right to access, delete, and opt-out of the sale of personal information. However, the core of Wyoming’s regulatory framework, particularly concerning data security, often hinges on the concept of reasonable security. This means that while there isn’t a prescriptive list of technical safeguards, businesses are expected to implement measures that are appropriate to the nature and sensitivity of the data they hold and the risks associated with its processing. The absence of a specific, federally mandated data privacy law in the United States means that states like Wyoming are developing their own frameworks. These state laws often build upon general principles of consumer protection and data security, requiring businesses to act in good faith and avoid misrepresentations about their data practices. The emphasis is on preventing harm caused by data misuse and ensuring transparency, rather than dictating a one-size-fits-all security protocol. Therefore, a business operating in Wyoming would need to assess the types of personal information it collects, the potential risks of compromise, and implement security measures that are reasonably designed to mitigate those risks, aligning with industry best practices where applicable.

The scenario involves a Wyoming-based healthcare provider, “Prairie Health Systems,” that has experienced a data breach affecting the personal information of its patients. The question probes the specific notification requirements under Wyoming law. Wyoming does not have a standalone comprehensive data privacy law similar to California’s CCPA/CPRA or other states with extensive breach notification statutes. Instead, Wyoming’s primary statutory framework for data breach notification is found within its insurance laws, specifically concerning the protection of health insurance information, and general consumer protection provisions. The relevant statute, Wyoming Statute § 26-13-125, mandates notification to affected individuals and, in certain circumstances, the Wyoming Attorney General if a breach of “confidential information” occurs. Confidential information, in this context, is broadly defined and includes personal identifying information. The law requires notification without unreasonable delay and no later than 45 days after discovery of the breach, unless a longer period is required for specific law enforcement investigations. The notification must include specific details about the breach, the type of information compromised, and steps individuals can take to protect themselves. Given that Prairie Health Systems is a healthcare provider, the breach of patient personal information falls squarely under these notification obligations. The other options present incorrect timelines or requirements that are not aligned with Wyoming’s current statutory framework. For instance, some states have shorter notification periods, while others have different thresholds for notifying the Attorney General or specific regulatory bodies. Wyoming’s approach is less prescriptive than many other states, focusing on a general “without unreasonable delay” timeframe, with a default of 45 days.

Wyoming’s approach to data privacy, as reflected in its privacy laws, generally does not mandate a specific calculation of a “data processing threshold” in the same manner as some other states like California with its CCPA/CPRA. Instead, Wyoming Statute § 11-50-101 et seq., the Wyoming Consumer Health Data Privacy Act, focuses on the definition of “covered entity” and “consumer health data.” A “covered entity” is broadly defined as any person that conducts business in Wyoming or produces or directs its business to consumers in Wyoming and alone or jointly determines the purposes and means of processing consumer health data. The threshold for applicability is not tied to a numerical calculation of data processed or revenue, but rather on the nature of the data handled and the entity’s engagement with Wyoming consumers. Therefore, an entity would be subject to the Act if it processes consumer health data and meets the general business conduct criteria within Wyoming, regardless of a specific numerical threshold calculation. The Act’s scope is determined by the type of data and the entity’s activities, not by a quantitative processing volume or revenue figure.

Wyoming’s approach to data privacy, particularly concerning the Wyoming Privacy Act (WPA), centers on granting consumers specific rights over their personal data and imposing obligations on businesses that process this data. The WPA, enacted in 2023, is a comprehensive privacy law that provides consumers with rights such as the right to access, correct, delete, and opt-out of the sale of personal data, as well as the right to opt-out of targeted advertising and profiling. Businesses are required to conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. These assessments are crucial for understanding and mitigating potential privacy risks. The WPA does not establish a private right of action, meaning consumers cannot directly sue businesses for violations. Enforcement is primarily handled by the Wyoming Attorney General. The Act defines “personal data” broadly and “sensitive personal data” with specific categories. Businesses are also mandated to provide clear privacy notices and honor consumer requests within a specified timeframe. The scope of the WPA applies to entities that conduct business in Wyoming or produce or direct products or services to Wyoming consumers and meet certain processing thresholds. The Act’s framework emphasizes transparency, consumer control, and accountability for data controllers and processors.

No mathematical calculation is required for this question. Wyoming’s approach to data privacy, particularly concerning consumer rights, is primarily shaped by the Wyoming Privacy Act (WPA). Unlike some other states that have adopted broader definitions of “personal information” or “sensitive personal information,” the WPA focuses on specific categories of data and applies to controllers that conduct business in Wyoming or produce or direct products or services to Wyoming consumers and meet certain thresholds. A key aspect of the WPA is its tiered approach to data processing and consumer rights, which includes the right to access, delete, and opt-out of the sale of personal data. The Act distinguishes between “personal data” and “sensitive personal data,” with the latter requiring more stringent consent and processing requirements. The WPA’s definition of “sale” is also critical, encompassing the exchange of personal data for monetary or other valuable consideration. Understanding the scope of who is considered a “consumer” and what constitutes “personal data” under the WPA is paramount for compliance. The Act also outlines specific obligations for data controllers regarding data security, data breach notification, and the implementation of privacy policies. The right to opt-out of targeted advertising and the sale of personal data is a significant consumer protection mechanism within the WPA.

Wyoming’s approach to data privacy, particularly concerning biometric data, does not currently have a comprehensive, standalone biometric privacy law akin to Illinois’ Biometric Information Privacy Act (BIPA). Instead, privacy protections in Wyoming are more general and often rely on common law principles, existing statutes that may incidentally cover biometric data, and the overarching framework of consumer protection laws. The Wyoming Attorney General’s office enforces consumer protection statutes that prohibit deceptive or unfair trade practices, which could potentially be invoked if a company’s collection or use of biometric data is found to be misleading or harmful. Furthermore, while Wyoming does not mandate specific consent mechanisms for biometric data collection under a dedicated biometric privacy statute, general data privacy principles and the duty of care in handling sensitive personal information would still apply. In the absence of specific legislation, a business operating in Wyoming would need to consider the potential application of these broader legal principles, ensuring transparency and reasonable security measures when handling any personal data, including biometric identifiers. The absence of a specific Wyoming biometric privacy law means that enforcement actions would likely stem from existing consumer protection statutes or common law torts rather than a specialized regulatory framework for biometric data.

Wyoming’s approach to data privacy, particularly concerning consumer rights, centers on providing individuals with control over their personal information. While Wyoming does not have a comprehensive data privacy law akin to California’s CCPA/CPRA or Virginia’s CDPA, it has enacted specific legislation that grants certain rights. The Wyoming Personal Information Privacy Act (WPIPEA), effective January 1, 2025, aims to establish a framework for consumer data rights. This act grants consumers the right to access, delete, and opt-out of the sale of their personal information. It also mandates that controllers provide clear privacy notices and implement reasonable security measures. The definition of “personal information” under WPIPEA is broad, encompassing data that identifies or can be reasonably linked to an identified or identifiable natural person. The act also outlines specific obligations for controllers regarding data processing, consent, and data protection assessments for high-risk processing activities. Understanding the scope of “personal information” and the specific rights granted to consumers under WPIPEA is crucial for businesses operating in Wyoming. The act differentiates between a “controller” and a “processor,” assigning distinct responsibilities. For instance, controllers are primarily responsible for determining the purposes and means of processing personal data, while processors act on behalf of controllers. The law also includes provisions for data breach notification, requiring prompt notification to affected consumers and the Wyoming Attorney General in the event of an unauthorized acquisition of personal information. The enforcement of WPIPEA is vested in the Wyoming Attorney General, who can seek injunctive relief and civil penalties for violations.

Wyoming’s approach to data privacy, particularly concerning biometric data, is primarily shaped by the Wyoming Consumer Health Data Privacy Act (CHDPPA), which became effective in 2023. While the CHDPPA is the most comprehensive state-level privacy law in Wyoming, it does not specifically define or regulate biometric data in the same granular manner as some other states, such as Illinois’ Biometric Information Privacy Act (BIPA). Instead, the CHDPPA broadly defines “consumer health data” to include information that identifies or can be reasonably linked to a consumer and relates to past, present, or future physical or mental health or condition. Biometric data, when collected in a context that relates to an individual’s health status or medical treatment, could fall under this definition. For instance, a wearable device that collects heart rate and sleep patterns for health monitoring purposes would likely generate data considered “consumer health data.” The Act grants consumers rights such as the right to access, correct, delete, and opt-out of the sale of their consumer health data. It also imposes obligations on regulated entities regarding data security, purpose limitation, and data minimization. When a Wyoming resident’s biometric data is collected by a business operating under the CHDPPA and that data is linked to their health status or medical treatment, the business must comply with the Act’s provisions, including obtaining consent for processing certain types of sensitive data, which may include biometric data if it’s deemed health-related. The absence of a specific biometric privacy law means that the application of the CHDPPA to biometric data depends heavily on its context and relation to health information. Therefore, a business collecting biometric data from Wyoming residents must carefully assess whether such data qualifies as consumer health data under the CHDPPA to determine its compliance obligations. The Act’s scope is limited to entities that conduct business in Wyoming or produce or direct their activities toward Wyoming consumers and meet certain processing thresholds.

The Wyoming Personal Data Privacy Act (WPDPA), enacted in 2023, grants consumers rights concerning their personal data processed by controllers. A key aspect of this legislation is the right to opt-out of the sale of personal data and the processing of personal data for targeted advertising or profiling. When a consumer exercises this right, the controller must cease processing that personal data for the specified purposes. The WPDPA does not require a specific calculation to determine compliance; rather, it mandates a cessation of processing. The core of compliance involves establishing mechanisms to recognize and honor opt-out requests. For instance, if a controller receives a valid opt-out request from a Wyoming resident regarding the sale of their data, they must immediately stop selling that data. Similarly, if the request pertains to targeted advertising, the controller must cease using the data for that specific activity. The Act’s provisions are designed to provide individuals with control over how their personal information is used, particularly in contexts that might be perceived as intrusive or exploitative. The absence of a complex numerical formula underscores that compliance is behavioral and procedural, focusing on the actions taken by the data controller in response to consumer directives. The law’s focus is on the qualitative aspect of data processing and the controller’s adherence to consumer preferences, not on quantitative thresholds.

Wyoming’s approach to data privacy, particularly as articulated in the Wyoming Privacy Act (WPA), establishes specific rights for consumers and obligations for businesses. One key aspect of the WPA is the definition of “personal data” and the scope of entities subject to its provisions. The Act defines a “controller” as a person who alone or jointly with others determines the purposes and means of processing personal data. A “processor” is defined as a person who processes personal data on behalf of a controller. The WPA applies to controllers or processors that conduct business in Wyoming or produce or direct their products or services to Wyoming residents. Furthermore, it applies to entities that meet certain processing thresholds, specifically processing personal data of at least 100,000 Wyoming consumers or at least 30,000 Wyoming consumers if the entity derives at least 50% of its gross revenue from selling personal data. The Act distinguishes between “selling” personal data and “sharing” personal data, with different consent requirements and opt-out mechanisms. The WPA grants consumers rights such as the right to access, correct, delete, and opt-out of the sale of personal data, as well as the right to opt-out of targeted advertising and profiling. Enforcement is primarily handled by the Wyoming Attorney General. Unlike some other state privacy laws, the WPA does not establish a private right of action, meaning individuals cannot sue businesses directly for violations. This is a critical distinction for businesses operating in Wyoming or targeting Wyoming residents. The focus is on regulatory oversight and enforcement by the state’s chief legal officer.

Wyoming’s approach to data privacy, as codified in the Wyoming Data Protection Act (WDPA), primarily focuses on consumer rights and obligations for data controllers and processors. The WDPA grants consumers rights such as the right to access, delete, and opt-out of the sale of personal data. For businesses, particularly those processing significant amounts of sensitive data or engaging in targeted advertising, compliance involves establishing clear data processing agreements, conducting data protection assessments, and implementing reasonable security measures. The Act does not mandate a specific data breach notification period in days, but rather requires prompt notification without unreasonable delay, considering the nature of the breach and the affected data. This contrasts with some other states that might specify a timeframe like 30, 45, or 60 days. The WDPA’s definition of “sale” of personal data is broad, encompassing the exchange of personal data for monetary or other valuable consideration, with certain exceptions. Understanding these nuances is crucial for any entity handling Wyoming consumer data.

Wyoming’s approach to data privacy, particularly concerning sensitive personal information, often involves a balancing act between consumer protection and the legitimate interests of businesses operating within the state. While Wyoming does not have a comprehensive data privacy law akin to California’s CCPA/CPRA, its statutes and common law principles can still impose obligations on entities handling personal data. The scenario presented involves a Wyoming-based healthcare provider, “Mountain Health Services,” which experiences a data breach affecting patient records. In the absence of a specific Wyoming data privacy statute mandating breach notification for all types of personal data, the relevant legal framework would likely draw from existing statutes governing healthcare information and general consumer protection principles. Wyoming Statute § 6-3-702 addresses unauthorized access to computer systems and data, which could be implicated in a data breach. More specifically, for healthcare data, the Health Insurance Portability and Accountability Act (HIPAA) is a critical federal law that applies to covered entities, including healthcare providers. HIPAA mandates specific security standards and breach notification procedures for Protected Health Information (PHI). Therefore, Mountain Health Services’ obligations would be primarily dictated by HIPAA’s Security and Breach Notification Rules. These rules require covered entities to provide notification to affected individuals, the Secretary of Health and Human Services, and in some cases, the media, following a breach of unsecured PHI. The notification must occur without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach. The explanation of the concept involves understanding that while Wyoming may not have a singular, overarching data privacy law, sector-specific regulations (like HIPAA for healthcare) and general criminal statutes concerning unauthorized access to data form the legal landscape. The question tests the understanding of which regulatory framework would be paramount for a healthcare provider in Wyoming when dealing with a data breach of patient information. The correct answer hinges on recognizing the primacy of federal law like HIPAA in governing PHI, even within a specific state’s jurisdiction, unless the state has enacted a more stringent, specific law that complements or expands upon federal requirements in this particular context.

The Wyoming Personal Information Privacy Act (WPIPPA) defines “personal information” broadly, encompassing data that can be linked to an identified or identifiable natural person. While WPIPPA does not explicitly list every single data point, it provides a framework for understanding what falls under its purview. The act emphasizes the linkage to an individual. In the given scenario, the IP address, when combined with other readily available information, could potentially identify a specific user of the “Wyoming Wonders” website. This is because IP addresses, while not always directly revealing a name, can be traced back to an internet service provider and, with further investigation or legal process, to an individual subscriber. Therefore, a static IP address, especially in the context of website usage data, qualifies as personal information under WPIPPA due to its potential for identification. The act’s scope is designed to protect individuals by regulating the collection, processing, and sharing of such data. The focus is on the *identifiability* of the individual, not necessarily the immediate presence of a name. This aligns with broader trends in data privacy legislation in the United States, such as the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), which also consider IP addresses as personal information.

Wyoming’s approach to data privacy, particularly as it relates to consumer rights and business obligations, is shaped by its unique legislative landscape. Unlike some states that have enacted comprehensive, standalone privacy laws, Wyoming’s framework often integrates privacy considerations within existing statutes or addresses them through sector-specific regulations. For instance, the Wyoming Personal Information Privacy Act (WPIP) grants consumers certain rights regarding their personal information. When a Wyoming consumer exercises their right to opt-out of the sale of their personal information, a business must cease selling that information. The WPIP defines “sale” broadly, encompassing the exchange of personal information for monetary or other valuable consideration. If a business fails to honor a verified opt-out request, it may be subject to enforcement actions. The Wyoming Attorney General is the primary enforcer of the WPIP. Penalties for violations are typically in the form of statutory fines, which can be significant. For each violation, the Attorney General may seek a civil penalty not to exceed $7,500. Therefore, if a business is found to have continued selling a Wyoming consumer’s personal information after a valid opt-out request was received and processed, the maximum statutory fine for that specific violation would be $7,500. This reflects the state’s commitment to consumer control over personal data.

Wyoming’s approach to data privacy, particularly as codified in the Wyoming Privacy Act (WPA), emphasizes consumer rights and business obligations concerning personal data. The WPA grants consumers rights such as the right to access, delete, and opt-out of the sale of personal data. For businesses, the WPA outlines responsibilities for data security, transparency through privacy notices, and conducting data protection assessments for high-risk processing activities. The Act’s scope is determined by whether a controller conducts business in Wyoming or targets Wyoming consumers, and meets certain processing thresholds. Specifically, a controller is subject to the WPA if they conduct business in Wyoming or produce or direct activities that target Wyoming consumers, and during the preceding calendar year, processed or engaged in targeted advertising to personal data of at least 100,000 Wyoming consumers, or processed or engaged in targeted advertising to personal data of at least 25,000 Wyoming consumers and derived more than 25 percent of their gross annual revenue from selling personal data. The Act does not require a specific revenue threshold for applicability, but rather focuses on the volume of data processed and the nature of the business activities. Therefore, a business processing the personal data of 100,000 Wyoming consumers, regardless of its gross annual revenue, would fall under the WPA’s purview if it conducts business in the state or targets Wyoming consumers.

Wyoming’s approach to data privacy, particularly as embodied in the Wyoming Privacy Act (WPA), aligns with a consumer-centric model that grants individuals specific rights regarding their personal information. The Act establishes a framework for data controllers and processors, defining their obligations in handling personal data. A key aspect of the WPA is the right to opt-out of the sale of personal data. While the Act does not mandate a specific calculation for determining what constitutes “sale,” it focuses on the exchange of personal data for monetary or other valuable consideration. The Act also outlines requirements for data security, notice, and consent for certain processing activities. When considering the scope of data covered, the WPA defines “personal data” broadly to include information that identifies or is reasonably linkable to a consumer or household. The Act’s enforcement mechanism, which includes a private right of action for certain violations, distinguishes it from some other state privacy laws. The scenario presented involves a Wyoming-based company collecting and sharing data. The core question revolves around whether this sharing constitutes a “sale” under the WPA, triggering specific consumer rights. The Act’s definition of sale is critical here. Wyoming Statute § 11-50-102(a)(XXIII) defines “sale” as “the exchange of personal data for monetary or other valuable consideration.” Therefore, if a company in Wyoming shares personal data with a third party in exchange for payment or any form of valuable consideration, it is considered a sale under the WPA, and the company must provide consumers with the right to opt-out of such sales. This right is a fundamental consumer protection provision within the Act.

Wyoming’s approach to data privacy, particularly concerning consumer rights and business obligations, is shaped by its legislative framework. While Wyoming does not have a singular, comprehensive data privacy law analogous to California’s CCPA/CPRA, its statutes address specific aspects of data handling and protection. A key consideration for businesses operating in Wyoming is understanding the nuances of data breach notification requirements, which are often detailed in statutes governing consumer protection and specific industry regulations. For instance, Wyoming Statute § 6-3-1003 mandates notification to affected individuals and, in certain circumstances, to the Wyoming Attorney General in the event of a data breach involving unencrypted personal information. The scope of “personal information” typically includes names combined with social security numbers, driver’s license numbers, or financial account information. The timeline for notification is generally “as quickly as possible” and without unreasonable delay, often interpreted as within 30 to 60 days, depending on the specifics of the breach and the investigation. The law emphasizes the importance of implementing reasonable security measures to protect this information. Furthermore, while Wyoming has not enacted a broad private right of action for privacy violations, consumers may still have recourse through existing consumer protection statutes if deceptive or unfair practices related to data handling occur. The focus is on transparency and security, with a reactive approach to breaches rather than a proactive, consent-based model for general data collection and processing.

Wyoming’s approach to data privacy, particularly concerning sensitive personal information, often hinges on the definition and scope of what constitutes “personal information” and the specific obligations placed upon data controllers and processors. While Wyoming does not have a comprehensive, standalone data privacy law akin to the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA), its existing statutes and potential future legislative developments shape data protection practices. The question probes the understanding of potential legal frameworks and their implications for data handling. For instance, if a new Wyoming statute were enacted, it would likely define specific categories of sensitive data, such as biometric information or data pertaining to minors, and establish particular requirements for their collection, processing, and safeguarding. These requirements could include obtaining explicit consent, implementing enhanced security measures, or providing specific disclosure rights to individuals. The complexity lies in identifying which data types are most likely to be subject to heightened protections under emerging or existing legal frameworks, even in the absence of a singular, all-encompassing statute. The focus is on the principles of data minimization, purpose limitation, and the rights afforded to individuals regarding their personal data, especially when that data is of a sensitive nature. The answer reflects the understanding that the legal landscape is evolving and that proactive data governance is crucial, anticipating potential regulatory shifts.

Wyoming’s approach to data privacy, particularly concerning sensitive personal information, emphasizes a balance between consumer rights and business operational needs. The Wyoming Personal Information Protection Act (WPIPA) grants consumers rights such as the right to access, delete, and opt-out of the sale of personal information. When a consumer requests the deletion of their personal information, a business must comply unless an exception applies. These exceptions are typically narrowly defined and include situations where the information is necessary to complete a transaction for which the personal information was collected, to detect and address security incidents, to debug or repair products or services, or to comply with legal obligations. The WPIPA does not mandate a specific timeframe for deletion beyond requiring prompt action after verifying the request and ensuring no exceptions apply. Businesses must also establish a process for verifying the identity of the individual making the request to prevent unauthorized deletion. The law’s focus is on enabling consumer control over their data while allowing businesses to fulfill their core functions and legal duties. The core principle is that once a consumer validly requests deletion, and no statutory exception permits retention, the data must be removed.

The Wyoming Personal Information Privacy Act (WPIPPA) defines “personal information” broadly to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer. The act also specifies categories of sensitive personal information, which receive heightened protection. A consumer’s biometric data, such as a unique fingerprint scan used for device access, falls squarely within this definition of personal information and, due to its inherent sensitivity and potential for misuse, is also considered sensitive personal information under WPIPPA. Consequently, a business collecting and processing such biometric data must adhere to the specific consent and purpose limitation requirements mandated for sensitive personal information. This includes obtaining explicit consent from the consumer before processing and ensuring the processing is limited to the disclosed, specific, and legitimate purposes for which the data was collected. Failure to do so would constitute a violation of WPIPPA.

The scenario involves a Wyoming-based telehealth provider, “PrairieCare,” that experiences a data breach affecting patient health information. Wyoming does not have a comprehensive, standalone data privacy law analogous to the California Consumer Privacy Act (CCPA) or the European Union’s General Data Protection Regulation (GDPR). Instead, privacy protections for health information in Wyoming are primarily governed by federal law, specifically the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national standards for the security and privacy of protected health information (PHI). The HIPAA Breach Notification Rule, part of HIPAA, mandates that covered entities, like PrairieCare, must notify affected individuals, the Secretary of Health and Human Services, and in some cases, the media, following a breach of unsecured PHI. The notification timelines and content requirements are specific. For breaches affecting 500 or more individuals, notification to the media is required. The Wyoming Department of Health and the Wyoming Attorney General’s Office would likely be involved in overseeing compliance and investigating potential violations of HIPAA or any applicable state consumer protection statutes that might touch upon data security, though the primary regulatory framework for PHI breaches is federal. Therefore, PrairieCare’s primary obligation stems from federal HIPAA regulations.

No calculation is required for this question as it tests understanding of legal principles. The Wyoming Personal Data Privacy Act (WPDPA) defines a “controller” as a natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data. This definition is crucial for understanding who is subject to the Act’s obligations. The Act also outlines specific rights granted to Wyoming consumers, such as the right to access, correct, delete, and opt-out of the sale of personal data. Controllers must implement reasonable security measures to protect personal data and provide clear and accessible privacy notices. For entities that process sensitive data or engage in targeted advertising or the sale of personal data, additional requirements, including obtaining consumer consent, may apply. The Act’s scope is generally limited to controllers and processors that conduct business in Wyoming or produce or direct their products or services to Wyoming consumers, and that meet certain processing thresholds. Understanding the distinction between a controller and a processor, as well as the specific definitions and obligations under the WPDPA, is fundamental to compliance for any entity handling Wyoming residents’ personal data. The Act aims to provide Wyoming consumers with greater control over their personal information while establishing a framework for responsible data processing by businesses operating within or targeting the state.