On March 24, Virginia Gov. Glenn Youngkin approved SB 754, titled "Consumer Protection Act; prohibited practices, etc., reproductive or sexual health information."
SB 754 is the latest state-level legislative move to regulate consumer health data, but with a twist – this amendment modifies Virginia's Consumer Protection Act (the Act), not the Virginia Consumer Data Protection Act (VCDPA). SB 754 amends the Act to prohibit as a fraudulent act or practice any "supplier" in connection with a "consumer transaction" from "[o]btaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer" when the consumer experiences loss as a result. The definition of consent is borrowed from the VCDPA: a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer. Unlike with other consumer health data laws, there is no consent exception for data collection that is necessary to provide the product or service. Moreover, because SB 754 amends the Act instead of the state's existing omnibus privacy law, a private right of action is available in addition to regulatory enforcement authority.
Details on the key points can be found below.
- Private Right of Action: SB 754 makes processing personally identifiable reproductive or sexual health information without consent of the consumer a fraudulent act or practice, which is subject to both (1) injunction or civil penalties for willful violations by the state attorney general and (2) the Act's private right of action remedy. Damages under this private right of action are the greater of $500 or actual damages. For willful violations, a court can increase those damages to the greater of $1,000 or an amount not exceeding three times the actual damages sustained. Plaintiffs may also be awarded reasonable attorneys' fees and court costs.
- Implication: State attorney general remedies, coupled with the availability of the private right of action, create higher risks to companies subject to the law.
- No Threshold Minimums: The Act covers "suppliers," which are defined broadly as any "seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions, or a manufacturer, distributor, or licensor that advertises and sells, leases, or licenses goods or services to be resold, leased, or sublicensed by other persons in consumer transactions."
- Implication: Unlike the VCDPA (which only applies to controllers processing at least 100,000 consumers' personal data), an entity could fall in scope merely by doing business in Virginia.
- Data-Level Exemptions: Unlike the VCDPA, which includes an entity-level exemption for entities covered by the Health Insurance Portability and Accountability Act (HIPAA), SB 754 has a data-level exemption for narrow categories of information, including protected health information (PHI) subject to HIPAA, health records under Virginia's health records privacy law and patient-identifying records for substance abuse treatment.
- Implication: Entities that are subject to HIPAA may still have compliance requirements under SB 754 if they are collecting reproductive or sexual health information that is not classified as PHI under HIPAA. This may include, for example, such information that is collected via company websites.
- Broad Definition of "Reproductive or Sexual Health Information": Unlike other consumer health data laws, SB 754 is narrower in scope in that it only covers a subset of health information. Note, however, that this definition broadly covers any "information relating to the past, present, or future reproductive or sexual health of an individual, including:
  1. Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies;
  2. Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex;
  3. Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
  4. Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
  5. Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
  6. Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described in subdivisions 1 through 5; and
  7. Any information described in subdivisions 1 through 6 that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data."
- Implication: The inclusion of "past, present, or future" in the preamble of the definition may be the basis for a plaintiff to bring claims related to a broad range of perinatal products, from pregnancy tests and prenatal vitamins to baby formula and breast pumps. Companies also should carefully assess inferences made about a consumer's reproductive or sexual health information, even if derived from non-health-related information.
- No Exception for Necessary Disclosures: Unlike other consumer health data laws, which feature a general exception to the consent requirement where disclosure is "necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business," SB 754 does not include the same consent exception. Rather, SB 754 requires consent prior to obtaining, disclosing, selling or disseminating any "personally identifiable" reproductive or sexual health information.
- Implication: Under a strict reading of SB 754, a supplier will need to obtain affirmative consent from a consumer for any transaction that discloses reproductive or sexual health information that is "personally identifiable." This could include consent for disclosures made to vendors such as payment processors that are necessary to process the transaction.