Virginia's Surprise Reproductive Health Privacy Law Covers Many Businesses, Requires High Bar for Consent
A Virginia reproductive data privacy law taking effect July 1 covers many companies, poses significant compliance challenges and contains a private right of action, privacy attorneys warned last week. In addition, while many believe Virginia has one of the more business-friendly comprehensive privacy laws, the purple state’s narrower new law requires a higher consent standard than blue Washington state’s My Health My Data Act (MHMDA), they said.
Because the reproductive health privacy law amends the Virginia Consumer Protection Act (VCPA) -- and not the state’s comprehensive privacy statute, the Virginia Consumer Data Protection Act (VCDPA) -- it has major implications for companies, the lawyers said. “Its application is much different just as a result of that simple thing,” Elizabeth Johnson, Wyrick Robbins privacy attorney, said in an interview. It means the law will apply more broadly in some ways, while at the same time meaning it won’t cover data brokers, she said.
Quarles attorney Meghan O’Connor said the VCPA “allows for broad attorney general enforcement authority and … a private right of action for mere non-compliance.” As a result, she argued, “We may see broader enforcement authority, litigation, and -- because of the lack of threshold requirements like VCDPA -- a large scope of regulated entities.”
Virginia Gov. Glenn Youngkin (R) unexpectedly signed the Democratic bill (SB-754) into law last month (see 2503260013). The reproductive privacy law updates the VCPA to prohibit obtaining, disclosing, selling or disseminating personally identifiable reproductive or sexual health information without a consumer’s consent. Youngkin signed the law while more states consider measures that protect the privacy of reproductive health data after Dobbs v. Jackson, the U.S. Supreme Court’s 2022 decision overturning Roe v. Wade, and in the wake of President Donald Trump’s return to the White House (see 2502210015).
Electronic Frontier Foundation staff attorney Lisa Femia said “there was some expectation that the governor wouldn't sign it, and some surprise" from EFF’s Virginia-based partner organizations “when he did.” However, she said “it’s heartening to see a recognition" of the need for "privacy protections for people even in states with Republican governors.” She added that it could be “a signal to legislators in other states” with similar political compositions “that this is something … that is passable.”
Broad Application -- Except Data Brokers?
If SB-754 had amended the VCDPA, it would have applied to controllers, said attorney Johnson: But by amending VCPA, the law is “more narrowly applicable” to what that consumer protection law calls a supplier, a term that the VCPA ties to consumer transactions. “A supplier is almost certainly going to be a party that sells things,” manufactures products for consumers to buy or advertises them for sale, she said.
That difference could mean data brokers “would not be directly covered, which is wild,” the attorney said, because “if we're concerned about this type of data, and we're not going to apply this restriction to data brokers, what on Earth are we doing?” For example, a data broker “wouldn't have to get consent if they tried to collect this information from me or receive it about me, because they're not a supplier.”
In other ways, however, the reproductive health privacy law applies to a wider range of companies than Virginia’s comprehensive privacy law.
It “applies broadly to business-to-business and consumer-facing businesses that meet the definition of ‘supplier’ under the [VCPA],” said O’Connor. The VCDPA, by contrast, doesn’t cover B2B. “The definition is broad enough to capture entities doing business in Virginia and non-resident companies that engage in consumer transactions in Virginia,” added the Quarles lawyer. Also, it lacks threshold requirements on revenue or how much data is processed.
In addition, “reproductive or sexual health information” under the new law “includes very broad swaths of data that could include commercial transaction data” for things like menstrual products and over-the-counter pain relievers for menstrual cramps, browsing behavior and purchase data, said O’Connor. It may also include geolocation data collected in a non-healthcare setting if it might show “an attempt to acquire reproductive or sexual health services or supplies,” said the attorney: Many organizations may not think of the above as health care data.
The way the definition is written means the law includes purchasing condoms and any other over-the-counter contraceptives, said Johnson. There is a Health Insurance Portability and Accountability Act (HIPAA) exemption that makes getting prescription birth-control pills from a covered pharmacy out of scope, for example. However, "if I go to a more generalized retailer and buy condoms, that is in scope.” She added that “if you use any data you have at all to extrapolate or infer health, sexual health or reproductive health information, then that's covered too.” And because SB-754 didn’t amend the privacy statute, the reproductive health law doesn’t have all of VCDPA’s exemptions, she said.
On the other hand, EFF’s Femia applauded the Virginia law for defining reproductive and sexual health information “more broadly than I think I've seen it defined pretty much anywhere else.” The consumer privacy advocate said that “recognizes that this encompasses sort of a wide variety of potential pieces of data, transaction information about a person,” which “could be used to piece together someone's private reproductive or sexual health information.”
Beyond Wash. My Health My Data
The opt-in consent the Virginia law requires goes further than Washington state’s MHMDA, as well as most privacy bills and laws, said Femia. The EFF lawyer said that’s a good thing. “Users should control their own data.”
However, Johnson said that will make it difficult for businesses to comply, especially with fewer than three months before the law takes effect. The July 1 compliance deadline doesn’t leave enough time to “meaningfully build out a consent process for consumers to help them understand what’s happening with this information,” she said. Three months might have been more feasible if lawmakers had updated the VCDPA to include reproductive health data as a form of sensitive information, rather than amending the VCPA, she noted.
Unlike MHMDA, the Virginia law’s opt-in consent provision doesn’t provide an exception for collecting data necessary to conclude the consumer’s request or transaction, said Johnson. “So, if I walk up to a retailer and I say I would like to buy tampons,” which is “kind of implied, because they're in my hands and I have my credit card, Washington will let you do that,” she said. But Virginia’s new law “requires my opt-in consent for that retailer to collect that data about me, even if all they're going to do is sell me the tampons and account for it on the books.”
“It’s extremely hard to get around this consent requirement if you're covered, and it's extremely hard to get the consent” since it requires a consumer to read a message about how the data is used and click okay before they can buy something, both online and at brick-and-mortar stores, said the Wyrick attorney. If the law is taken “literally,” she added, the consumer might have to repeat this opt-in procedure for each new piece of reproductive care data, even if they shopped at the store previously.
As such, businesses could face myriad lawsuits from individuals under the new law. “Time will tell regarding how aggressive the plaintiffs' bar will be" on "the private right of action,” but there’s “certainly the potential to see a new influx of litigation like we see under” the Illinois Biometric Information Privacy Act, said O’Connor.
But Femia praised the legislation for including a private right of action, which “allows individuals to vindicate their rights themselves,” she said. “It is another method of encouraging businesses to actually be careful with people's data privacy, to follow the law and to take actual, genuine due care with private personal identifying information.”
O’Connor said it was “somewhat surprising to see a red state enact a privacy law with strong consumer protections seemingly at the expense of businesses’ user experience.” However, privacy is “a popular issue with consumers and can be bipartisan at a high level,” she said.
Johnson said it shows that “reproductive privacy rights have become an extremely hot topic and [is] largely bipartisan.” In a purple state, a Republican might “feel tested to go along with something that seems like a no-brainer to gain the bipartisan benefit of that.”