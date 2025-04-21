On March 24, Virginia Gov. Glenn Youngkin approved SB 754, titled "Consumer Protection Act; prohibited practices, etc., reproductive or sexual health information."

SB 754 is the latest state-level legislative move to regulate consumer health data, but with a twist – this amendment modifies Virginia's Consumer Protection Act (the Act), not the Virginia Consumer Data Protection Act (VCDPA). SB 754 amends the Act to prohibit as a fraudulent act or practice any "supplier" in connection with a "consumer transaction" from "[o]btaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer" when the consumer experiences loss as a result. The definition of consent is borrowed from the VCDPA: a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer. Unlike with other consumer health data laws, there is no consent exception for data collection that is necessary to provide the product or service. Moreover, because SB 754 amends the Act instead of the state's existing omnibus privacy law, a private right of action is available in addition to regulatory enforcement authority.

Details on the key points can be found below.

Private Right of Action : SB 754 makes processing personally identifiable reproductive or sexual health information without consent of the consumer a fraudulent act or practice, which is subject to both (1) injunction or civil penalties for willful violations by the state attorney general and (2) the Act's private right of action remedy. Damages under this private right of action range from the greater of $500 or actual damages. A court can increase those damages from the greater of $1,000 or an amount not exceeding three times the actual damages sustained for willful violations. Plaintiffs may also be awarded reasonable attorneys' fees and court costs. Implication : State attorney general remedies, coupled with the availability of the private right of action, create higher risks to companies subject to the law.

: The Act covers "suppliers," which are defined broadly as any "seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions, or a manufacturer, distributor, or licensor that advertises and sells, leases, or licenses goods or services to be resold, leased, or sublicensed by other persons in consumer transactions." Data-Level Exemptions : Unlike the VCDPA, which includes an entity-level exemption for entities covered by the Health Insurance Portability and Accountability Act (HIPAA), SB 754 has a data-level exemption for narrow categories of information, including protected health information (PHI) subject to HIPAA, health records under Virginia's health records privacy law and patient-identifying records for substance abuse treatment. Implication : Entities that are subject to HIPAA may still have compliance requirements under SB 754 if they are collecting reproductive or sexual health information that is not classified as PHI under HIPAA. This may include, for example, such information that is collected via company websites.

: Unlike other consumer health data laws, SB 754 is narrower in scope in that it only covers a subset of health information. Note, however, that this definition broadly covers any "information relating to the reproductive or sexual health of an individual, including: Implication: The inclusion of "past, present, or future" in the preamble of the definition may be the basis for a plaintiff to bring claims related to a broad range of perinatal products, from pregnancy tests and prenatal vitamins to baby formula and breast pumps. Companies also should carefully assess inferences made about a consumer's reproductive or sexual health information, even if derived from non-health-related information. No Exception for Necessary Disclosures : Unlike other consumer health data laws, which feature a general exception to the consent requirement where disclosure is "necessary to provide a product or service that the consumer to whom such consumer health data relates has requested from such regulated entity or small business," SB 754 does not include the same consent exception. Rather, SB 754 requires consent prior to obtaining, disclosing, selling or disseminating any "personally identifiable" reproductive or sexual health information. Implication : Under a strict reading of SB 754, a supplier will need to obtain affirmative consent from a consumer for any transaction that discloses reproductive or sexual health information that is "personally identifiable." This could include consent for disclosures made to vendors such as payment processors that are necessary to process the transaction.

