Virginia's Reproductive and Sexual Health Data Law: Who Is Covered and What It Changes
General Information Only. This article is for general informational purposes and does not constitute legal advice. Laws may have changed since publication. Your situation may differ; consult a licensed Virginia attorney about your specific matter.
Reading this article does not create an attorney-client relationship, nor does merely contacting our office through this website or by any other means.
Reproductive and sexual health data has become one of the most closely watched categories of personal information in the United States over the past several years. Legislatures across the country, including in Virginia, have responded to concerns about the collection, sale, and misuse of this information by enacting specific legal protections that go beyond what general consumer privacy laws require.
For businesses in the New River Valley operating in healthcare-adjacent industries, wellness technology, pharmacy services, or any field that touches on this category of data, understanding both Virginia’s specific legal requirements and the broader federal enforcement environment is an important part of responsible operations.
Reproductive and Sexual Health Data Under the VCDPA
The Virginia Consumer Data Protection Act (VCDPA), Va. Code § 59.1-571 et seq., establishes a special category of sensitive data that includes personal data concerning an individual’s mental or physical health conditions, as well as data concerning sexual orientation. Amendments and related legislation have expanded the scope of protection for health-related data more generally.
Sensitive data under the VCDPA requires opt-in consent before it may be processed. This is a meaningfully higher bar than the opt-out framework that applies to most other personal data. If your business collects or processes information about a consumer’s reproductive health, pregnancy status, contraceptive use, or sexual health, you may be processing sensitive data under the VCDPA.
The consent requirement means that before you can collect or use this information for any purpose beyond what is strictly necessary to provide a requested service, the consumer must affirmatively agree. Pre-checked boxes, blanket terms of service acceptance, and implicit consent based on continued use of a platform are unlikely to satisfy this standard.
What Constitutes Reproductive and Sexual Health Data
The category of reproductive and sexual health data includes, but may not be limited to:
- Information about pregnancy, pregnancy history, abortion, or miscarriage
- Contraceptive use or reproductive health decisions
- Fertility treatment records or related health history
- Sexual orientation or gender identity
- Diagnoses or treatment related to sexually transmitted infections
- Menstrual cycle or ovulation tracking data collected by apps or wearables
- Location data that could be used to infer visits to reproductive health providers
The last item on that list is particularly significant. Location data collected by mobile apps, navigation services, or devices is often treated as ordinary commercial data. However, when that data could reveal that a person visited a reproductive health clinic, a Planned Parenthood facility, or a similar provider, it may be treated as sensitive health data under some interpretations of Virginia and federal law.
Prohibition on Selling This Data
The VCDPA gives consumers the right to opt out of the sale of personal data, defined as exchanging personal data for monetary or other valuable consideration. Controllers must honor opt-out requests and may not sell personal data that a consumer has declined to have sold.
For sensitive data, including reproductive and sexual health information, the consent requirements effectively prohibit selling this category of information without explicit, affirmative consumer agreement. Many privacy lawyers interpret the sensitive data consent requirement as making it very difficult in practice to build a legal basis for selling this information.
Businesses that have revenue models dependent on data monetization should carefully analyze whether their practices are compatible with the VCDPA’s consent requirements for sensitive data categories.
Intersection with HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) provides strong protections for health information held by covered entities such as physicians, hospitals, and health insurers, and by their business associates. If your business qualifies as a HIPAA-covered entity or business associate, the HIPAA Privacy Rule governs the use and disclosure of protected health information (PHI), including reproductive health records.
However, HIPAA does not cover all entities that handle health information. Fitness apps, period-tracking applications, fertility planning tools, and wellness platforms may collect detailed health information without being subject to HIPAA if they do not qualify as covered entities or business associates.
The FTC has addressed this gap. The FTC’s Health Breach Notification Rule applies to vendors of personal health records and their service providers, including many apps that handle health data outside of HIPAA’s coverage. The FTC has made clear through enforcement actions and policy statements that deceptive or unfair practices involving health data, including reproductive health data, can constitute violations of Section 5 of the FTC Act, even without a specific breach.
Federal Enforcement Activity
The FTC has significantly increased its scrutiny of companies that collect and share sensitive health data. Notable enforcement actions have addressed:
- Apps that shared menstrual cycle and pregnancy data with advertising networks without adequate disclosure or consent
- Location data brokers that sold data capable of revealing visits to reproductive health facilities
- Telehealth companies that shared patient data with third-party advertising platforms through tracking pixels embedded in their websites
In each of these cases, the FTC found that companies had represented their data practices as protective of user privacy while engaging in sharing practices that contradicted those representations. The agency characterized these practices as deceptive acts or unfair practices under the FTC Act.
For businesses in Christiansburg, Blacksburg, and the broader New River Valley that operate health-adjacent digital services, these enforcement actions provide a clear signal about the level of scrutiny this category of data attracts.
What Healthcare-Adjacent Businesses Should Review
If your business collects, processes, or shares any data that could constitute reproductive or sexual health information, a compliance review should address the following:
- Identify where sensitive health data flows. Conduct a data inventory specifically focused on reproductive and sexual health information, including data collected through forms, apps, integrations with third-party services, and tracking technologies on your website.
- Review your consent mechanisms. Confirm that opt-in consent is in place for processing sensitive data and that your consent language clearly explains the purposes for which the data will be used.
- Audit third-party data sharing. Review contracts with analytics providers, advertising networks, and data brokers to identify any arrangements that involve sharing this category of information.
- Evaluate location data practices. If your app or service collects precise geolocation data, assess whether that data could reveal visits to healthcare providers and whether it is treated as sensitive accordingly.
- Review your privacy notice. Ensure that your privacy policy accurately describes what reproductive or sexual health data you collect, how it is used, and what rights consumers have.
- Terminate or renegotiate problematic arrangements. If you identify data sharing arrangements that are inconsistent with consent requirements, work with counsel to address those arrangements before they become an enforcement issue.
The Consent Standard in Practice
Obtaining meaningful consent is not merely a legal formality. It requires designing user interfaces that present choices clearly, explain what is being consented to in plain language, and give users a genuine opportunity to decline without losing access to core services.
Consent mechanisms that bury disclosures in lengthy terms of service, use confusing double-negative language, or make opting out technically cumbersome are unlikely to satisfy regulators. Both the FTC and the Virginia Attorney General have expressed interest in “dark patterns,” meaning interface designs that manipulate users into providing consent they would not otherwise give.
Businesses that collect sensitive health data and want their consent mechanisms to hold up under scrutiny should have those mechanisms reviewed by legal counsel familiar with both state and federal requirements.
This article is general information only and is not legal advice. Do not rely on this article to make decisions about your specific situation. Contact Valley Legal or another licensed Virginia attorney to discuss your case. Attorney advertising.
Valley Legal, PLLC is located at 107 Pepper St SE, Christiansburg, Virginia 24073, and serves clients throughout the New River Valley of Virginia, including Montgomery County, Blacksburg, Radford, Pulaski, and surrounding communities.