Virginia Consumer Protection Act Amendments Restrict Collection, Use, or Sharing of Health Information
On March 24, 2025, Senate Bill 754 was signed into law, amending the Virginia Consumer Protection Act (VCPA), the Commonwealth’s general consumer protection law. The VCPA was originally passed in 1977 as remedial legislation designed to establish “fair and ethical” transactional standards between suppliers and the consuming public.
The VCPA amendments impose new restrictions on the collection, use, or sharing of reproductive or sexual health information without consumer consent. The law also gives Virginians the option to pursue damages in court through a private right of action.
With the enactment of Senate Bill 754, Virginia joins multiple states in imposing new statutory restrictions on the use or disclosure of certain types of health information.
The VCPA amendments are scheduled to take effect on July 1, 2025.
Overview of the VCPA Amendments
The amendments to the VCPA prohibit businesses, “in connection with consumer transactions,” from “obtaining, disclosing, selling, or disseminating personally identifiable reproductive or sexual health information” without the consumer’s consent. Let’s break down each key element.
Covered Consumer Transactions
According to the VCPA, the scope of “consumer transactions” covered by the amendments includes:
- Advertisement, sale, lease, license, or offering for sale, lease, or license, of goods or services to be used primarily for personal, family, or household purposes.
- Transactions involving the advertisement, offer, or sale to an individual of a business opportunity that requires both their expenditure of money or property and their personal services on a continuing basis and in which they have not been previously engaged.
- Transactions involving the advertisement, offer, or sale to an individual of goods or services relating to the individual’s finding or obtaining employment.
- A layaway agreement, whereby part or all of the price of goods is payable in one or more payments subsequent to the making of the layaway agreement and the supplier retains possession of the goods and bears the risk of their loss or damage until the goods are paid in full according to the layaway agreement.
- Transactions involving the advertisement, sale, lease, or license, or the offering for sale, lease, or license, of goods or services to a church or other religious body.
- Transactions involving the advertisement of legal services that contain information about the results of a state or federal survey, inspection, or investigation of a nursing home or certified nursing facility as described in subsection E of §32.1-126.
Reproductive and Sexual Health Information
The VCPA amendments define “reproductive and sexual health information” broadly to include information related to a consumer’s “past, present, or future reproductive or sexual health.” The amendments proceed to provide examples of the types of health information that may be covered under the law:
- Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies.
- Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex.
- Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy.
- Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients.
- Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels.
- Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described above.
- Any information that is derived or extrapolated from non-health related information such as proxy, derivative, inferred, emergent, or algorithmic data.
Considering the definition of “reproductive and sexual health information” includes information that may be “derived or extrapolated” from non-health-related information via algorithms or inferences, there is an argument that the VCPA could encompass an array of online activities, such as web browser searches for common reproductive health products, the use of menstrual or ovulation tracking applications, and/or consumer location information.
Consumer Consent
Under the VCPA amendments, “consent” is defined as a “clear and affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data related to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”
Private Right of Action
One of the most notable aspects of the amendments is the expansion of the VCPA’s private right of action to businesses that collect, use, or share personally identifiable reproductive or sexual health information without a consumer’s consent.
Specifically, the VCPA amendments state that collecting, using, or sharing such health information without consent will be deemed a fraudulent act or practice subject to both (1) injunction or civil penalties for willful violations by the state attorney general and (2) the act’s private right of action remedy.
The private right of action allows any person who suffers a loss due to an alleged violation of the VCPA to bring a civil suit to recover the greater of their actual damages or $500. If the alleged violation is determined to be willful, a court has the authority to increase recoverable damages to the greater of $1,000 or an amount not to exceed three times the actual damages. In addition, plaintiffs can pursue recovery of reasonable attorneys’ fees and court costs.
Since the VCPA’s private right of action enables individuals to seek a statutorily based minimum amount of damages ($500), there is a heightened risk the law could be used as a vehicle for class action litigation. We’re seeing this happen in California with a similarly broad privacy law, the California Invasion of Privacy Act (CIPA).
Plaintiffs in California are attempting to use the CIPA, which affords a statutorily based amount of damages ($5,000), to sue businesses that use industry standard online tracking and marketing technologies, alleging that the use of such technologies constitutes a disclosure or sale of covered information. The dramatic uptick in CIPA-based class action litigation has prompted the California Legislature to consider amending the CIPA to try to curb the prevalence of “abusive” CIPA lawsuits based on the use of cookies and various other types of standard online technologies. This could be a harbinger of the future for the Virginia General Assembly.
In addition to individual legal claims, the VCPA may be enforced by the Virginia Attorney General, the attorney for the Commonwealth, or the attorney for the county, city, or town for the Literary Fund, all of whom are authorized to pursue civil penalties of up to $2,500 per violation of the VCPA, with additional penalties of up to $5,000 for any willful subsequent violations.
VCPA Exemptions
The VCPA amendments include data-specific exemptions for categories of information, including protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA), health records under Virginia’s health records privacy law, and patient-identifying records for substance abuse treatment.
Entities regulated by HIPAA may still have compliance obligations under the VCPA amendments if they are collecting reproductive or sexual health information that is not considered to be PHI under the HIPAA statute.
Impact on Virginia’s Consumer Data Privacy Law
The VCPA is a separate statute not directly linked to the Virginia Consumer Data Protection Act (VCDPA) that was signed into law in 2021. In many ways, the VCPA has a broader scope and could impact a larger number of Virginia businesses.
The VCDPA only applies to for-profit companies that do business in Virginia, or that produce products or services targeted to residents of Virginia, if they control or process personal data of 100,000 or more consumers during a calendar year or control or process personal data of 25,000 or more consumers and derive over 50 percent of their gross revenue from the sale of that personal data.
The VCPA, in contrast, does not have an applicability threshold. Basically, this means a Virginia company collecting the personal health information of fewer than 100,000 residents may be subject to the compliance obligations imposed by the amended VCPA.
In addition, the VCDPA contains both entity-level and data-specific exemptions for certain categories of data, such as patient safety work product under the Health Care Quality Improvement Act of 1986, information derived from health information, information used only for public health activities, and data regulated by the Family Educational Rights and Privacy Act. The VCPA, in contrast, does not expressly exempt these categories of health information.
What Virginia Businesses Can Do to Prepare
The VCPA amendments go into effect on July 1, 2025, so there is a brief window of time for covered businesses to implement compliance protocols. Below are recommended steps covered businesses can take to strengthen their compliance posture with the impending VCPA amendments:
Conduct an Applicability Assessment
The VCPA amendments impact “suppliers,” which are defined broadly to include any “seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions, or a manufacturer, distributor, or licensor that advertises and sells, leases, or licenses goods or services to be resold, leased, or sublicensed by other persons in consumer transactions.”
However, the VCPA does not apply in certain circumstances, such as consumer transactions regulated by the Federal Consumer Credit Protection Act or the Virginia Residential Landlord and Tenant Act. In addition, the VCPA does not apply when the entity using covered health information is a bank, savings institution, credit union, small loan company, insurance company, or another entity regulated by the Virginia State Corporate Commission or a similar federal regulator.
In addition, the VCPA amendments include a data-specific exclusion for HIPAA-regulated PHI, which will likely exclude reproductive health information collected by healthcare providers, insurers, and related service providers.
Review and Update Consent Procedures
In contrast to health information laws enacted in other states, the VCPA amendments do not include a consent exemption. Rather, the VCPA amendments require consumer consent prior to obtaining, disclosing, selling or disseminating any “personally identifiable” reproductive or sexual health information.
This could be interpreted to mean a covered supplier will need to secure affirmative consent from a consumer for any transaction that discloses reproductive or sexual health information that is “personally identifiable.” This could include consent for disclosures made to third-party vendors (e.g., payment processors) that are required to process and complete a transaction.
As a result, covered businesses should conduct a review of their current consent protocols and consider making updates or enhancements. For example, covered companies may want to consider implementing a cookie consent option to mitigate the risk of any nonconsensual collection of covered health information.
Review Health Data Collection Practices
Since the scope of the VCPA amendments includes “past, present, or future” health information, there is a heightened risk of plaintiffs bringing class action claims related to various perinatal products (e.g., pregnancy tests, prenatal vitamins, baby formula, etc.).
As a result, covered businesses should review their health data collection practices to assess whether inferences can be made about a consumer’s reproductive or sexual health from the data collected, including whether aspects of an individual’s health information can be derived from non-health-related information.
If you are a Virginia business subject to the VCPA amendments and need assistance revising or establishing a robust data privacy compliance program, please contact the author of this article, your Woods Rogers attorney, or a member of the Woods Rogers Cybersecurity & Data Privacy practice team.