Virginia Governor Signs Reproductive Health Data Restrictions into Law

April 02, 2025 in Data Privacy, Health + Biotech Privacy, State Legislation

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025.

Entities covered by SB 754, which applies broadly across consumer-facing and business-to-business organizations, will need to implement substantially the same compliance measures in Virginia that they have put in place in Washington State to comply with the My Health, My Data Act. In particular, organizations will need to obtain individuals’ consent before collecting and transferring their personal information when it has even an attenuated relationship to reproductive or sexual health.

Governor Youngkin signed SB 754 into law on the same day he vetoed a bill that would have regulated high-risk AI systems and social media use by children and teenagers under the age of 16, taking many by surprise. We expect that state legislatures will push the legal envelope with respect to health and reproductive data throughout the year and beyond.

Scope

The Virginia Consumer Protection Act (VCPA) —which SB 754 modifies—governs “supplier(s) in connection with…consumer transaction[s],” including advertisements, sales, and offers of consumer and business goods and services. A “supplier” is an entity that “advertises, solicits, or engages in consumer transactions, or ... advertises, sells, leases, or licenses goods or services to be resold, leased, or sublicensed by others in consumer transactions.”

The VCPA does not establish volume or revenue requirements, so this law will apply to a significantly broader range of organizations than those that are currently subject to the Virginia Consumer Data Protection Act (VCDPA), including to entities that operate only in the business-to-business context. The VCPA’s limited exemptions will excuse only a small set of entities such as banks, credit unions, and real estate licensees, from compliance.

Restricted processing

For in-scope entities and transactions, the law prohibits “[o]btaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.”

“Reproductive or sexual health information” broadly includes “information relating to the past, present, or future reproductive or sexual health of an individual” even if it “is derived or extrapolated from non-health related information.” This includes “[e]fforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies” and “[b]odily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy.”

“Reproductive and sexual health information” is defined to exclude HIPAA-covered information as well as records governed by 42 U.S.C. § 290dd-2, which applies to records of patients seeking treatment or being treated for substance use disorders, or Virginia’s health code. SB 754 incorporates the VCDPA’s definition of “consent,” which requires “a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer,” including electronic consent. The VCPA does not explicitly define “sale.”

Enforcement

Violating SB 754’s prohibition on the collection or transfer of reproductive or sexual health information is a per se violation of the VCPA, which may be enforced by the state or through a private right of action. Penalties under the private right of action may include the greater of actual damages or $500 (if violation is willful, this increases to the greater of treble actual damages or $1,000), as well as attorney fees and costs.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Cameron Cantrell is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.

Felicity Slater is an Associate at Hintze Law PLLC. Felicity has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

French Competition Authority Fines Apple €150M Alleging Market Power Abuse of Ad Privacy System

April 01, 2025 in Global Privacy & Security, Global Privacy Updates, Online Advertising

By Susan Hintze and Hansenard Piou

Note that the Autorité has not yet been published the decision in question as it is in process of redacting information relating to trade secrets. Please check back for updates.

On March 31st, 2025, the French Competition Authority (the Autorité), in collaboration with CNIL, announced Decision 25-D-02 of March 28, 2025, which fined Apple €150 million for allegedly abusing its market position with its App Tracking Transparency (ATT) system. The Autorité, in its summary of the decision, claimed Apple unfairly advantages its own apps and advertising practices while harming third party apps and advertising efforts, including those of small publishers.

Launched in April 2021, the ATT system requires third-party iOS and iPadOS apps to obtain user consent for collection of data for targeted advertising purposes through a consent-management popup before the app’s use. Upon such consent, the app would gain access to the device’s Identifier for Advertisers (IDFA). Prior to the launch of the ATT system, several associations raised concern that the ATT process was “an obstacle to the possibilities of carrying out targeted advertising for users of Apple devices,” but the Autorité declined to issue interim measures.

While acknowledging that Apple’s privacy objectives for the ATT system are legitimate, the Autorité noted Apple’s ability to influence the business models of third-party mobile app publishers and stated that Apple must implement its privacy objectives in a way that balances its responsibility as a dominant operator of a digital platform. The Autorité held that under the French competition law, the ATT system is an abuse of Apple’s dominance as its means for implementing the system is neither necessary nor proportionate to meet those privacy objectives. Instead, the Autorité found Apple’s privacy implementation places an asymmetric burden on third party publishers as compared to Apple’s treatment of its own applications.

The Autorité based this finding of asymmetry on three factors:

A December 2022 CNIL opinion stated that third party mobile app publishers are unable to rely on the Apple ATT system’s popup for compliance with their own consent requirements under data protection law. Consequently, mobile apps are forced to obtain two separate consents, resulting in excessively complex consent collection for the user.
While these systems require two acceptances to grant lawful consent, the denial of consent needs only to be given once.
While third-party publishers have to collect double consent, such a structure does not apply to Apple’s own apps. Since small adjustments could have prevented this asymmetry, the Autorité found it unnecessary and noncompliant with competition law.

The Autorité noted that the ATT system affects all app publishers, but it is particularly harmful for smaller publishers without other targeted advertising methods for revenue.

This collaboration between the Autorité and CNIL, pursuant to its joint December 2023 statement and CNIL’s recommendations for mobile apps, highlights the agencies’ willingness to act jointly to investigate and enforce matters that impact competition and privacy law.

The case also represents the need for platform providers with market power to consider implementing privacy frameworks that not only safeguard consumers but also safeguard against the potential harmful economic impacts to competitors. Such privacy frameworks should not be unnecessarily complex for users and should not place higher burdens on third parties than the platform provider places on itself.

Susan Hintze is Co-Managing Partner at Hintze Law PLLC. Recognized by Chambers, Legal 500, & Best Lawyers, Susan and her firm are leaders in their field. Susan serves on the International Association of Privacy Professionals (IAPP) Board of Directors and is an IAPP Westin Emeritus Fellow. She is also co-chair of the firm’s Regulatory Defense Group.

Hansenard Piou is an Associate at Hintze Law PLLC with experience in global data protection issues, including kids’ global privacy laws, AADC, privacy impact assessments, GDPR, and privacy statements.

Fourth Circuit Publishes Landmark Ruling on 21st Century Cures Act “Information Blocking”

March 24, 2025 in Data Privacy, Health + Biotech Privacy

By Cameron Cantrell and Kate Black

On March 12, 2025, the Fourth Circuit Court of Appeals ruled that (1) the information blocking prohibition in the federal 21st Century Cures Act (“Cures Act”) was plausibly violated when an Electronic Health Record (EHR) provider blocked bot access to its systems without sufficient justification, and (2) this violation may support a Maryland state law unfair competition claim, despite the Cures Act not having its own private right of action. This decision notably appears to be the first Circuit Court decision concerning the information blocking prohibition and, for parties subject to the rule, raises the risk that information blocking may be enforceable through a de facto state privacy right of action.

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

February 14, 2025 in Data Privacy, State Legislation, Health + Biotech Privacy

By Felicity Slater and Kate Black

The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors.

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

February 13, 2025 in Data Privacy, Health + Biotech Privacy, Hintze Law Recognitions

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.

Hintze Law PLLC Attorneys Selected for 2025 LCLD Fellows and Pathfinder Programs

February 11, 2025 in Hintze Law Recognitions

Hintze Law is pleased to announce the two attorneys that have been chosen to participate in the Leadership Council on Legal Diversity’s (LCLD) professional development programs for 2025! Partner Sam Castic has been selected for the LCLD Fellows Program, designed for high-potential mid-career attorneys that have demonstrated strong leadership capabilities. Senior associate Emily Litka will represent Hintze Law in the LCLD Pathfinders Program, which recognizes early-career attorneys who exhibit signs of an emerging leader within their organization.

Final COPPA Rule Amendments: Definitional Changes

February 06, 2025 in COPPA, Data Privacy

By Susan Hintze, Emily Litka, and Amy Lanchester

This is Part 2 in a series of blog posts about the 2025 COPPA Final Rule. It provides a comprehensive review of the revised definitional changes to the Rule. Subsequent posts in the coming days will delve more deeply into the direct and online notice, parental consent, and data governance requirements. Our unofficial redlined copy of the Final Rule can be found here.

Susan Hintze Appointed to the 2025 IAPP Board of Directors

January 31, 2025

Susan Hintze, Founder and Co-Managing Partner of Hintze Law PLLC, has been appointed to the IAPP’s Board of Directors for a five-year term beginning 2025.

New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

January 22, 2025 in State Legislation, Health + Biotech Privacy

By Mike Hintze and Felicity Slater

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.

Workplace Privacy – 5 Things I’m Keeping in Mind for 2025

January 21, 2025 in Technology Law, Workplace Privacy, Artificial Intelligence, GenAI, FCRA

By Jennifer Ruehr

Many of us are returning to work this month with New Year’s resolutions, predictions, and lists top of mind, and top of inbox. As I turn back to work, I’m thinking ahead to how U.S. laws and regulations are going to impact my clients from a workforce perspective. Here’s what is top of mind for me right now:

Fair Credit Reporting Act
State law AI requirements
Biometrics in the workplace
Genetic data risk
Workplace monitoring

The FTC Issues Final COPPA Rule Amendment

January 20, 2025 in COPPA, Data Privacy

By Susan Hintze and Emily Litka

This is Part 1 in a series of blog posts about the 2025 COPPA Final Rule. It provides a high-level overview of the Final Rule. Subsequent posts in the coming days will delve more deeply into individual aspects of the Final Rule and FTC comments, the issues raised, and implications for specific industry sectors.Our unofficial redlined copy of the Final Rule can be found here.

10 areas for US-based privacy programs to focus in 2025

January 15, 2025 in Data Privacy, Global Privacy & Security, Online Advertising, State Legislation, Kid's Online Privacy

By Sam Castic

The post below was originally published by the IAPP at https://iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025.

This past year was another jammed one for privacy teams and it was not easy to stay on top of all the privacy litigation, enforcement trends, and new laws and regulations in the U.S.

New U.S. Regulations Impose Significant Restrictions on Cross-Border Data Flows

January 09, 2025

By Sam Castic and Hansenard Piou

The Department of Justice adopted a final Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons that takes effect on April 8, 2025.

The EDPB Releases an Opinion on AI Model Development and Deployment

January 08, 2025

By Emily Litka

On December 18th, in response to a request from the Irish Supervisory Authority (“SA”), the European Data Protection Board (the “EDPB”) published an opinion (the “Opinion”) on the application of the GDPR to certain aspects of AI model development and deployment.

Congratulations to Jennifer Ruehr on Promotion to Co-Managing Partner

January 06, 2025

Hintze Law PLLC is thrilled to announce Jennifer Ruehr’s promotion from Partner to Co-Managing Partner, joining forces with Susan Hintze to lead our firm into an exciting future. Together, they will oversee the day-to-day operations of the firm and provide strategic management oversight and leadership to drive our continued success.

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

December 05, 2024 in HIPAA, State Legislation, Health + Biotech Privacy

by Felicity Slater and Kate Black

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

November 19, 2024 in Health + Biotech Privacy

By Mike Hintze and Felicity Slater

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end.

Hintze Law PLLC Recognized in 2025’s Best Law Firm Rankings

November 07, 2024 in Technology Law, Information Technology Law, Hintze Law Recognitions

We are pleased to share that Hintze Law has been recognized for excellence in Information Technology Law and Technology Law in the 2025 edition Best Law Firms® rankings. The firm has been ranked in these areas both nationally and in the Seattle area.

California Enacts "genAI" Laws That Introduce New Privacy and Transparency Requirements, Amongst Others

October 08, 2024 in CCPA, Cybersecurity

By Emily Litka

In September 2024, California Governor Gavin Newsome signed a number of new generative AI (“genAI”) bills into law. These laws address risks associated with deepfakes, training dataset transparency, use of genAI in healthcare settings, privacy, and AI literacy in schools. California is the first US state to enact such sweeping genAI regulations.

Hansenard Piou Joins Hintze Law as an Associate

September 23, 2024

Hintze Law PLLC is excited to announce that Hansenard “Hansy” Piou has joined the firm as a first-year associate* in the Seattle office.