In Part One of this FAQ series, we break down Virginia's Senate Bill 754, Consumer Protection Act; prohibited practices, etc., reproductive or sexual health information (Act), which amends the Virginia Consumer Protection Act (VCPA). The law goes into effect on July 1. Overall, given the broad definitions used in the Act, the law likely regulates organizations that are not traditional health care companies, and goes beyond traditional health information.
Part One focuses on the scope, applicability, and fines and penalties available to the Virginia attorney general (AG) and private litigants. We also explore the Act's relationship to Virginia's Consumer Data Protection Act (the VCDPA). Part Two of this series will analyze the requirements of the Act and how to comply.
What is the law's purpose?
The Act is designed to protect reproductive and sexual health information (RHSI) by limiting certain data processing activities without the consent of the data subjects. The Act prohibits obtaining, disclosing, selling, or disseminating personally identifiable reproductive sexual health information without the consent of the consumer.
When does the law go into effect?
The Act goes into effect on July 1, and unlike other state privacy and AI laws, there is no stated grace period for enforcement.
To which organizations does this law apply?
The law applies to "suppliers," which means any seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions. It also includes manufacturers, distributors, or licensors that advertise and sell, lease, or license goods or services to be resold, leased, or sublicensed by other persons in consumer transactions. A "consumer transaction" is the advertisement, sale, lease, license, or offering for sale, lease, or license, of goods or services.
Our take: While ostensibly a privacy law, the Act does not link into the VCDPA. As such, it does not include the applicability thresholds of the VCDPA (e.g., processing the personal data of 100,000 or more consumers during the calendar year), and small businesses and nonprofits will be subject to the Act.
Does this law amend or impact the VCDPA?
To which information does the law apply?
The Act regulates "reproductive or sexual health information," defined as "information relating to the past, present, or future reproductive or sexual health of an individual." The law provides a list of information falling into that definition (it does not indicate whether the list is exclusive):
- Efforts to research or obtain reproductive health information services or supplies, including location information that may indicate whether an individual attempted to obtain services or supplies.
- Reproductive or sexual health conditions or status.
- Information about reproductive and sexual health-related surgeries and procedures.
- Use or purchase of contraceptives, birth control, or other medication related to reproductive health.
- Bodily functions or vital signs and other measurements.
- Information about diagnoses, treatment, or medications.
- Any of the above information that is derived or extrapolated from non-health-related information (such as proxy, derivative, inferred, emergent, or algorithmic data).
Our take: Interestingly, the Act arguably defines reproductive or sexual health information more broadly than the VCDPA defines "personal data":
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information.
To qualify as RHSI, the information at issue must only 'relate' to the reproductive health of an individual. Unlike the definition of 'personal data' under the VCDPA, there is no explicit carve-out for de-identified or publicly available information. Additionally, the Act does not differentiate between "controllers" and "processors," which means that vendors processing RHSI on behalf of other organizations are directly subject to the Act and must obtain consent for processing RHSI.
What are some examples of non-health care organizations that may be regulated under the Act?
Like Washington's MyHealthMyData law, given the potential breadth of this definition, organizations that don't consider themselves health care companies or don't believe they hold reproductive health information are likely to get swept into this regulatory scheme. Examples of companies that may get swept into the Act include:
- Retailers. One of the more infamous privacy anecdotes involving information that could be considered RHSI related to Target and its apparent use of retail information to predict (and advertise about) a teenager's pregnancy status. Data concerning purchases that enable a retailer to derive or extrapolate RHSI from non-health-related information (such as proxy, derivative, inferred, emergent, or algorithmic data) are within the scope of the Act.
- Search engines. The Act regulates information concerning "efforts to research or obtain reproductive health information services or supplies," which means search engines are likely within scope, as would be any organization that sells goods or services related to RHSI (e.g., drug stores) where information is captured concerning the obtaining of reproductive health information services or supplies.
- On-premises video. A video feed showing a person in a drug store buying a pregnancy test could constitute "information relating to the past, present, or future reproductive or sexual health of an individual." Certainly, any video or other information related to reproductive health clinics (to the extent not regulated under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA)) may fall into the RHSI definition.
- Online advertising-related data. Like the Target example, data in the targeted/behavioral advertising space, even if non-health-related information, appears to constitute RHSI if it can be used to extrapolate RHSI.
- Past, present, or future "sexual health" of an individual. Sexual health could encompass a wide range of conditions affecting physical, emotional, and social well-being related to sexuality. These may include reproductive health issues such as erectile dysfunction, hormonal imbalances, psychological factors like anxiety or trauma, and the side effects of certain medications or chronic diseases.
- Geolocation data. Geolocation data that can tie an individual to their attempt to obtain reproductive health information services or supplies may also pull in non-health care companies. Mapping services, connected vehicles, and device companies utilizing geolocation data that track visitors to birthing centers, adoption facilities, abortion clinics, women's health clinics, and other places where reproductive or sexual health services or supplies are offered may all be within the scope of the Act.
Does the law include any exemptions?
Reproductive or sexual health information does not include health information that is protected under HIPAA, health records, or patient-identifying records used for certain purposes. However, since the Act amends and is made part of the VCPA, certain exemptions in the VCDPA will not apply, including entity-level exemptions for financial institutions and data-level exemptions for data regulated by laws like the FCRA and FERPA.
What happens if there is a violation of the law?
Violations of the VCPA are enforceable by the AG of Virginia, and may result in civil penalties of between $2,500 and $5,000 per violation.
Significantly, the VCPA (which was amended by the Act) provides consumers with a private right of action and the recovery of actual damages or $500 per violation (whichever is greater). Willful violations can result in the greater of three times actual damages or $1,000 per violation. A successful plaintiff may also be awarded reasonable attorneys' fees and court costs. Notably, the VCDPA does not provide for a private right of action, but does allow AGs to obtain penalties of up to $7,500 per violation.