Virginia S.B. 754, now effective, amends the Virginia Consumer Protection Act to prohibit unauthorized collection and disclosure of non-HIPAA reproductive and sexual health information. The law notably includes a broad scope of applicability—much broader than the stated intent of the law's sponsors and proponents—enforceable through a private right of action.
S.B. 754 amends the state's consumer protection statute, and not its comprehensive privacy law. The bill's main sponsor, State Sen. Barbara Favola, told the legislature that sponsors had placed the law into the Virginia Consumer Protection Act and granted a private right of action specifically to avoid purely public enforcement becoming a "political football."
The Virginia Consumer Protection Act's reach is broad, prohibiting certain actions by "suppliers" in connection with "consumer transactions" regardless of data processing or revenue volume – essentially including any entity engaged in commercial activities involving the advertisement, sale, lease, or licensing of goods and services. Additionally, the law's private right of action offers consumers who "suffer loss" as the result of a violation the ability to recover the greater of actual damages or $500, which some courts have interpreted to require a plaintiff to prove actual damages to prevail on their claim.
S.B. 754 prohibits suppliers from "obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer." "Reproductive or sexual health information" is defined broadly, and includes, among other things, information relating to the past, present, or future reproductive or sexual health of an individual, efforts to research or obtain reproductive or sexual health information services or supplies (including location information), vital signs and measurements collected from health and menstrual tracking technologies, such as basal temperature, as well as any information derived or extrapolated from non-health related information that reveals information about an individual's reproductive or sexual health. The law adopts the Virginia Consumer Data Protection Act's definition of "consent", which requires "freely given, specific, informed, and unambiguous agreement to process personal data" through some "affirmative act."
In other words, as with Washington's My Health My Data Act and other similar laws, S.B. 754's text casts a wide net. Specifically, the open-ended definition of "reproductive or sexual health information" could potentially be interpreted to include the purchase of unscented lotion or specific women's pre-natal vitamins that reveal reproductive or sexual health status. The business risk is further exacerbated by the individual action for penalties, which like Washington's private right of action, could be leveraged by the plaintiff's bar in light of the statute's broad definitions. However, it's not clear that lawmakers intended such a broad reach, as they described the bill as having a much narrower purpose:
- Sen. Favola told the Virginia Senate Committee on General Laws & Technology that the bill was "intended to . . . protect menstrual health data when it is stored on an app";
- Gov. Glenn Youngkin, upon signing the bill, stated that "It should go without saying that when a woman has her period or visits a doctor, it is nobody's business but her own";
- State Delegate Marcus Simon, the sponsor of a previous iteration of a bill that Gov. Youngkin ultimately vetoed because it contained an extradition ban, told the Virginia House of Delegates that the bill "protects women's health data on apps and things from being revealed or divulged by the folks that keep that data," and similarly told the Committee on Health, Welfare, and Institutions that "there are a growing number of apps or software programs—or even people searching out information or going onto websites—to track personal healthcare information, particularly tracking their periods and other sexual health information, or seeking information about things like emergency contraception. What this bill seeks to do is say, 'that's private information'"; and
- Senator Scott Surovell explained that "somebody could sue, for example, if somebody was selling data that would allow you to see if they were going into an abortion clinic or purchasing birth control, that kind of thing."
Still, the text of S.B 754 allows arguments that it covers a broader swathe of activity than the uses highlighted by Virginia lawmakers. The good news is that for businesses already subject to similar restrictions in Washington, Nevada, and Connecticut, S.B. 754 won't change much from a compliance perspective. The law does not impose additional notice or contracting requirements, its scope only concerns reproductive and sexual health related topics, and its consent standard is less onerous than the valid authorization requirement to sell consumer health data in Washington and Nevada. And, to date, no private actions have been filed. Nonetheless, it's a good reminder to take stock of data processing practices that could trigger this law and evaluate options to address the requirements, as well as keep compliance programs nimble to account for likely further changes when it comes to obligations associated with health and sensitive personal information.
What is more, the law may yet change as lawmakers consider the steps companies take to comply with it. Senator Favola recently commented that "the law is focused on individually identifiable data – not aggregate data," and that she "expect[s] to make some revisions next session." She also expressed surprise about companies obtaining broad, upfront consent from Virginia residents to the collection of certain sexual health data—even if the customers had no intention of buying such products—without assurances that the data would not be sold to third parties. We will continue to monitor for further developments to Virginia's and other states' reproductive health privacy laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
