Virginia Governor Signs Reproductive Health Data Restrictions into Law

April 02, 2025 in Data Privacy, Health + Biotech Privacy, State Legislation

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025.

Entities covered by SB 754, which applies broadly across consumer-facing and business-to-business organizations, will need to implement substantially the same compliance measures in Virginia that they have put in place in Washington State to comply with the My Health, My Data Act. In particular, organizations will need to obtain individuals’ consent before collecting and transferring their personal information when it has even an attenuated relationship to reproductive or sexual health.

Governor Youngkin signed SB 754 into law on the same day he vetoed a bill that would have regulated high-risk AI systems and social media use by children and teenagers under the age of 16, taking many by surprise. We expect that state legislatures will push the legal envelope with respect to health and reproductive data throughout the year and beyond.

Scope

The Virginia Consumer Protection Act (VCPA) —which SB 754 modifies—governs “supplier(s) in connection with…consumer transaction[s],” including advertisements, sales, and offers of consumer and business goods and services. A “supplier” is an entity that “advertises, solicits, or engages in consumer transactions, or ... advertises, sells, leases, or licenses goods or services to be resold, leased, or sublicensed by others in consumer transactions.”

The VCPA does not establish volume or revenue requirements, so this law will apply to a significantly broader range of organizations than those that are currently subject to the Virginia Consumer Data Protection Act (VCDPA), including to entities that operate only in the business-to-business context. The VCPA’s limited exemptions will excuse only a small set of entities such as banks, credit unions, and real estate licensees, from compliance.

Restricted processing

For in-scope entities and transactions, the law prohibits “[o]btaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.”

“Reproductive or sexual health information” broadly includes “information relating to the past, present, or future reproductive or sexual health of an individual” even if it “is derived or extrapolated from non-health related information.” This includes “[e]fforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies” and “[b]odily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy.”

“Reproductive and sexual health information” is defined to exclude HIPAA-covered information as well as records governed by 42 U.S.C. § 290dd-2, which applies to records of patients seeking treatment or being treated for substance use disorders, or Virginia’s health code. SB 754 incorporates the VCDPA’s definition of “consent,” which requires “a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer,” including electronic consent. The VCPA does not explicitly define “sale.”

Enforcement

Violating SB 754’s prohibition on the collection or transfer of reproductive or sexual health information is a per se violation of the VCPA, which may be enforced by the state or through a private right of action. Penalties under the private right of action may include the greater of actual damages or $500 (if violation is willful, this increases to the greater of treble actual damages or $1,000), as well as attorney fees and costs.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Cameron Cantrell is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.

Felicity Slater is an Associate at Hintze Law PLLC. Felicity has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

February 14, 2025 in Data Privacy, State Legislation, Health + Biotech Privacy

By Felicity Slater and Kate Black

The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors.

New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

January 22, 2025 in State Legislation, Health + Biotech Privacy

By Mike Hintze and Felicity Slater

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.

10 areas for US-based privacy programs to focus in 2025

January 15, 2025 in Data Privacy, Global Privacy & Security, Online Advertising, State Legislation, Kid's Online Privacy

By Sam Castic

The post below was originally published by the IAPP at https://iapp.org/news/a/10-areas-for-privacy-programs-to-focus-in-2025.

This past year was another jammed one for privacy teams and it was not easy to stay on top of all the privacy litigation, enforcement trends, and new laws and regulations in the U.S.

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

December 05, 2024 in HIPAA, State Legislation, Health + Biotech Privacy

by Felicity Slater and Kate Black

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

California Legislature Passes the Delete Act

September 19, 2023 in CPPA, CCPA, State Legislation

By Taylor Widawski

On September 15, 2023, the California Legislature passed Senate Bill 362, known as the Delete Act, which amends the California data broker law. The bill now awaits a signature from the governor. If signed, certain aspects of the law will go into effect as soon as January 31, 2024.

Florida's Comprehensive Privacy Law Enacted

June 08, 2023 in State Legislation

By Leslie Veloz

Florida’s SB 262 was signed into law Tuesday, June 6, 2023, making it the 10th comprehensive state privacy law enacted in the United States. SB 262 consists of several parts.

Washington My Health My Data Act - Part 8: Notice Obligations

May 13, 2023 in State Legislation

By Mike Hintze

When it comes into effect, the Washington My Health My Data Act (MHMDA or the Act) will impose new privacy notice obligations on regulated entities. The Act requires specific privacy disclosures relating to data that meets the very broad definition of “consumer health data.” It appears to require regulated entities to draft, post, link to, and maintain a separate “Consumer Health Data Privacy Policy” that will be largely, but not entirely, redundant of their existing privacy statement(s).

Because the Consumer Health Data Privacy Policy will be publicly available and easily scrutinized by plaintiffs’ lawyers and the Washington Attorney General, mistakes implementing this obligation are likely to be a key source of costly and disruptive litigation. Regulated entities will therefore need to take great care in meeting the Act’s notice requirements which are, in some respects, unusual and unexpected.

Washington My Health My Data Act – Part 7: Biometric Data

April 27, 2023 in State Legislation

By Mike Hintze & Jevan Hutson

Biometric data is among the broad range of “consumer health data” regulated by the Washington My Health My Data Act (MHMDA). In light of MHMDA’s broad definition of biometric data, GDPR-level consent requirements, new obligations, and private right of action, the Act dramatically changes and complicates the regulation of biometric data in Washington state and is poised to become the most disruptive change in U.S. biometric privacy law since Illinois’ BIPA.

Washington My Health My Data Act - Part 6: Data Subject Rights

April 24, 2023 in State Legislation

By Mike Hintze

The Washington My Health My Data Act provides consumers with several rights, including a right of access, a right to delete, a right to withdraw consent, and a right to not be discriminated against for exercising their rights. While each of these rights can be found in other privacy laws and so, at a high level, do not seem particularly surprising here, the ways they are included in this Act are unique, create uncertainty, and in some cases go well beyond what exists in any other privacy law. As a result, regulated entities seeking to comply with them will face difficult, costly, and disruptive implementation challenges (and with respect to the deletion right, the potential for catch-22 situations where full legal compliance may be impossible). These challenges, along with the Act’s private right of action, set up a significant risk of expensive legal claims and litigation.

Washington My Health My Data Act - Part 5: Consent Requirements

April 19, 2023 in State Legislation

By Mike Hintze

When it comes into effect, the Washington My Health My Data Act will impose strict consent requirements on a wide range of common data collection and processing activities. In essence, the Act requires affirmative (opt-in) consent for any collection, use, disclosure, or other processing of consumer health data beyond what is necessary to provide a consumer-requested product or service. For anything that could be considered a data “sale,” the authorization requirements are so onerous and risky that they, in effect, create a prohibition.

Washington My Health My Data Act - Part 4: Effective Dates

April 18, 2023 in State Legislation

By Mike Hintze

Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023.

Washington My Health My Data Act - Part 3: The Scope of Entities and Consumers Captured by the Act

April 17, 2023 in State Legislation

By Mike Hintze

The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact.

Washington My Health My Data Act - Part 2: The Scope of “Consumer Health Data”

April 12, 2023 in State Legislation

By Mike Hintze

The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breath of that term's definition, means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.

The Washington My Health My Data Act - Part 1: An Overview

April 10, 2023 in State Legislation

By Mike Hintze

The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.

Utah's Social Media Regulation Act - Overview of Privacy & Business Impact

March 27, 2023 in State Legislation

By Alex Schlight and Leslie Veloz

Just a year after passing a comprehensive privacy law, Utah becomes the first state in the United States to pass a law that significantly regulates minors' access to, and use of, social media sites. The law is much broader than kids’ privacy laws like the federal Children’s Online Privacy Protection Act (COPPA), or California’s Age-Appropriate Design Code Act passed last year in that it significantly limits when and how minors under the age of 18 can use social media, gives parent’s broad rights to consent to and access accounts, and places extensive restrictions on social media company activities, including, prohibiting the display of ads to minors, targeting or suggesting groups, services, products, and posts and use of addictive design.

Iowa Passes Sixth State Comprehensive Privacy Law

March 20, 2023 in State Legislation

By Sheila Sokolowski

Senate File 262, a comprehensive privacy law, was signed by the Governor of Iowa on March 28, 2023, thereby becoming law. As a result, Iowa has officially become the sixth state with a comprehensive privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.

Hintze Cybersecurity + Breach Response Group Publishes U.S. State Breach Notice Guide

December 14, 2022 in Cybersecurity, State Legislation

By Sam Castic

The Hintze Cybersecurity + Breach Response Group has published a new guide to U.S. state and territory data breach notification laws – the Hintze Data Breach Notice Guide accessible here. We include in our guide an overview section with a high-level summary of the common provisions that U.S. breach notice laws contain. We also provide a set of detailed charts covering each of the 54 states and jurisdictions. We gathered our collective decades of experience working with breaches to organize these charts in a way we think is more usable in the midst of a breach crisis.

What California’s New Age-Appropriate Design Code Means for Your Business

September 15, 2022 in State Legislation

By Charlotte Lunday

On September 15, Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (CAADC). The law which received bipartisan support in the Legislature has a goal of protecting the wellbeing, data, and privacy of children, including teens, using online platforms. Businesses will be required to comply with significant new documentation and privacy by design and privacy default obligations by July 1, 2024. These obligations are largely adopted from the United Kingdom’s Age-Appropriate Design Code, and the statute’s preamble points to this law and the UK’s Information Commissioner’s Office (ICO) guidance to interpret the CAADC.

First CCPA Fine Shows Need for Cookie Governance and Vendor Management

August 30, 2022 in State Legislation

By Sam Castic

Last week the California Attorney General’s office announced a settlement with beauty retailer Sephora for $1.2 million - the AG’s first monetary penalty for CCPA violations. Sephora has also agreed to a 2-year consent decree with ongoing monitoring and reporting obligations. This enforcement action confirms the AG’s interpretation that: (1) the CCPA requires specific CCPA-mandated contractual terms with each cookie, pixel, and tracking technology provider that companies use on their websites for personal information sharing not to be a “sale” of data under the CCPA, and (2) companies that engage in “sales” of personal information on their websites must honor the Global Privacy Control signal from consumers who choose to use the GPC.