Virginia Consumer Protection Act Updated to Include Reproductive and Sexual Health Information
Last week, Virginia Governor Glenn Youngkin added his signature to S.B. 354, updating the Virginia Consumer Protection Act to prohibit the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health information without consent. The amendment will take effect on July 1, 2025.
The Virginia Consumer Protection Act is a comprehensive consumer privacy law regulating consumer transactions for goods and services supplied for personal, family, or household use. The law gives Virginia residents rights over the personal data collected by businesses. Personal data is defined as any information linked or reasonably linkable to a Virginia resident, excluding publicly available information, protected health information covered by HIPAA, health records, patient identifying information, and other information relating to compliance with various other federal laws. The Virginia Consumer Protection Act went into effect on January 1, 2023,
Under the Virginia Consumer Protection Act, consumers are able to confirm if a controller is actually processing their personal data; correct inaccuracies in their personal data; request personal data is deleted, obtain copies of the personal data held by a controller and opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, and further profiling.
There is a private right of action under the Virginia Consumer Protection Act. Consumers are permitted to submit a claim for actual damages or $500, whichever is greater, plus reasonable legal costs and expenses. In the event that the violation was wilful, damages may be tripled or rise to $1,000, whichever is greater. The State Attorney General or a lawyer for a county or city can investigate and bring actions against entities for consumer violations of the Act.
The definition of “reproductive or sexual health information” is broad, and includes any “information relating to the past, present, or future reproductive or sexual health of an individual” in connection with a consumer transaction covered by the Act. This does not include HIPAA-protected data – reproductive or sexual health information held by a HIPAA-regulated entity – or records related to the treatment of substance use disorder.
The definition covers
- Efforts to research or obtain reproductive or sexual health information, services, or supplies
- Use or purchase of contraceptives, birth control, or other medications related to reproductive health, including abortifacients
- Health status such as diagnoses, sexually transmitted diseases, pregnancy, menstruation, ovulation, whether an individual is sexually active, if they are capable of conceiving, and whether an individual engages in unprotected sex.
- Reproductive or sexual health treatments or surgeries, including pregnancy terminations
- Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels
- Any information described in the list of covered descriptions of the types of information that is derived or extrapolated from non-health-related information, such as proxy, derivative, inferred, emergent, or algorithmic data.
The Virginia Consumer Protection Act prohibits any supplier from obtaining, disclosing, selling, or disseminating” personally identifiable reproductive or sexual health information in connection with any “consumer transaction” without the consent of the consumer, and consent is required even if the collection of that data is required in order to provide goods or services requested by the consumer.
