Virginia Governor Glenn Youngkin recently signed S.B. 354, upgrading the Virginia Consumer Protection Act to stop the collection, disclosure, selling, or passing on of reproductive or sexual health data without the consumers’ permission. The change will be effective on July 1, 2025.
The Virginia Consumer Protection Act is a detailed consumer privacy legislation controlling consumer dealings for goods and services offered for personal, household, or family use. The legislation protects the rights of Virginia residents concerning the collection of personal data by businesses. Personal data pertains to any data associated or reasonably linked to a Virginia citizen, not including publicly accessible data, protected health information (PHI) covered by HIPAA, medical records, patient identifying data, and other data associated with other federal laws compliance. The Virginia Consumer Protection Act became effective on January 1, 2023,
With the Virginia Consumer Protection Act, consumers can validate if a controller is handling their personal information; correct errors in their personal information; ask that personal data be removed, get copies of the personal information kept by a controller and choose not to allow the processing of personal information for targeted marketing, selling personal information, and profiling.
With a private right of action as stipulated in the Virginia Consumer Protection Act, consumers can file a claim for $500 cash or actual losses, whichever is higher, including reasonable legal fees and costs. In case of willful violation, damages could triple or increase to $1,000, whichever is higher. The State Attorney General or an attorney for a county or city could investigate the incident and take legal action against organizations violating the Act on behalf of consumers.
“Reproductive or sexual health information” has a broad definition and consists of any “data associated with the past, present, or future of an individual’s reproductive or sexual health” that a consumer transacts under the Act. This doesn’t cover HIPAA-protected data – reproductive or sexual health data kept by a HIPAA-covered entity – or data associated with the therapy of substance use disorder.
The following are covered by the definition of “Reproductive or sexual health information”
- Attempts to research or get reproductive or sexual health data, services, or products
- Use or order of birth control pills, contraceptives, or other drugs associated with reproductive health, such as abortifacients
- Health condition diagnoses, sexually transmitted diseases, maternity, menstruation, ovulation, whether or not an individual is sexually active, or able to conceive, or engages in sex without protection.
- Reproductive or sexual health therapies or surgical procedures, such as pregnancy terminations
- Physical functions, vital signs, physical measurements, or symptoms associated with menstruation or being pregnant, such as cramps, basal temperature, hormone levels, or bodily discharge
Any data included in the list of covered definitions of the types of information that is taken or extrapolated from non-medical-connected data, like proxy, derivative, deduced, arising, or algorithmic information.
The Virginia Consumer Protection Act forbids any vendor from getting, exposing, selling, or distributing” personally identifiable reproductive or sexual health data associated with any “consumer transaction” without consumer permission. Authorization is necessary even when the collection of that information is necessary to deliver goods or services asked for by the consumer.