On July 1, 2025, the Virginia Consumer Data Protection Act (VCDPA) amendments took effect, implementing several changes to the existing privacy law, including adding new protections to reinforce consumers' sexual and reproductive health information. While other consumer health data laws exist, such as Washington's My Health My Data Act (MHMDA), which generally protects a broad category of "consumer health data," the VCDPA amendments take a more narrow approach and only focus on reproductive and sexual health information. Here is what you need to know.
Reproductive or Sexual Health Information, Defined
"Reproductive or sexual health information" means information relating to the past, present, or future reproductive or sexual health of an individual, including:
- Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies;
- Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex;
- Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
- Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
- Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
- Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described above; and
- Any information described above that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.
Additionally, while employee data are generally exempt under the VCDPA, the use of the word "individual" rather than "consumer" within the "reproductive or sexual health information" definition likely signals that such data belonging to employees is within scope, deviating from other sections of the VCDPA. Thus, retailers, entities in the fitness, nutrition, wellness, and health space, and employers with Virginia residents are subject to the VCDPA's reproductive or sexual health information amendments.
Notably, the "reproductive or sexual health information" definition does not cover protected health information that is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), health records under Virginia Code Title 32.1, or patient identifying information under the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2).
Regulated Entities
Despite being a Virginia law, the reach of the VCDPA continues to extend far beyond companies based in the Commonwealth. The VCDPA regulates any person who:
- Conducts business in the Commonwealth or targets products or services to Virginia residents; and
- During a calendar year:
  - controls or processes personal data of at least 100,000 Virginia residents; or
  - controls or processes personal data of at least 25,000 Virginia residents and derives over 50 percent of gross revenue from the sale of personal data.
Thus, companies subject to the VCDPA will need to ensure the Act's reproductive and sexual health obligations are satisfied. The same exemptions under the VCDPA apply to the amendments. Therefore, (i) state agencies, boards, commissions or political subdivisions, (ii) non-profit organizations and (iii) institutions of higher education remain exempt under the amendments.
Explicit Consent Requirement
For companies subject to the VCDPA, the Act's existing requirements remain (e.g., providing consumers rights with respect to their personal data, privacy notice obligations, and so on). However, the VCDPA amendments create a new consent requirement for reproductive or sexual health information. Before collecting, disclosing, selling or disseminating personally identifiable reproductive or sexual health information, entities must obtain the consumer's consent.
Other Sensitive Data Requirements Apply
While the amendments are silent on whether "reproductive or sexual health information" is "sensitive data" under the VCDPA, the existing sensitive data definition likely encompasses such information.
Under the VCDPA, "Sensitive Data" means a category of personal data that includes "personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status." Given the overlap, the sensitive data obligations under the VCPDA, such as conducting documented data protection assessments, will also apply.
Risks of Noncompliance
Violations of the amendments are treated the same as violations of the general statute. The VCDPA does not have a private right of action (meaning individuals cannot sue for violations under the Act). Instead, Virginia's Attorney General has the exclusive authority to enforce violations. Additionally, Virginia residents may submit a complaint to the Virginia Attorney General requesting that the Commonwealth take action. Before initiating any action, the Attorney General must provide 30 days' written notice to a controller or processor stating the specific provisions violated and provide a chance to cure the violations and cease all prohibited activity. If the violations are not cured, the Attorney General may bring suit resulting in statutory damages of $7,500 per violation and attorneys' fees.
Business Considerations
Businesses collecting any form of health data, including reproductive or sexual health information, should consider the following steps.
- Determine the Purpose for Collecting Reproductive and Sexual Health Information – businesses must identify the reason for collecting health data, specifically reproductive or sexual health information, as collection of such information attaches heightened responsibilities. Businesses should consider whether collecting such information is necessary for the business' goals.
- Update Risk Assessments – existing risk assessments should be updated to explicitly include processing of reproductive or sexual health information for Virginia residents and consumer health data generally.
- Update Privacy Policies – existing privacy policies (including consumer health privacy policies required under other consumer health data laws) should be updated to inform individuals whether reproductive or sexual health information is collected and processed by the business.
- Conduct Data Mapping – given the sensitive nature of consumer health data, businesses should determine where this information is stored, and further limit access to this category of data. Heightened access privileges should be applied to any database storing health data, including reproductive or sexual health information.
- Revise and Test Consent Mechanisms – businesses should scrutinize the consent mechanism they use (e.g., a pop-up window with an "I accept" button) to ensure the language of the consent adequately informs individuals, before collection, of the type of health data (e.g., reproductive or sexual health information) being processed by the company. Based on the language of the VCDPA amendments, an existing sensitive personal data consent option likely does not meet the VCDPA amendments. Specifically calling out reproductive or sexual health information is required.
Looking Ahead
State laws and federal regulators, like the Federal Trade Commission (FTC), are taking more steps to protect consumer health data that is otherwise not protected under HIPAA. The VCDPA amendments and the consumer health data laws of Connecticut, Maryland, Nevada and Washington signal how important health data is and how this information should be safeguarded – especially health data collected on apps and other emerging technologies. Entities doing business in Virginia – significant or not – must evaluate whether the VCDPA applies and get up to speed on their obligations quickly.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.