Stock photo by Getty Images)
In the General Assembly session earlier this year, the legislature, controlled by Democrats, and the Republican governor came to one of those rare and gratifying moments of accord on a new law intended to protect Virginians’ privacy. Virginia consumers probably noticed it for the first time when they saw pop-up notices while they were shopping online.
Senate Bill 754, the Virginia Consumer Protection Act, put protections in state law from having an individual’s health information sold or shared with third parties without that person’s consent. That was particularly welcome for women in an age when draconian assaults on reproductive rights in some states includes vacuuming up the most private of data, from menstrual cycles to birth control preferences.
The legislation passed by a 21-17 Senate vote on Jan. 24. One Republican joined 20 Democrats voting for the bill; all 17 nay votes were Republican. One Democrat and one Republican did not vote.
New Va. law protecting reproductive health data prompts Walmart’s online data collection pop-ups
Three weeks later, it cleared the House on a 52-43 vote. Two Republicans broke ranks and joined 50 Democrats in support. Four of the five delegates who did not vote were Republicans.
On this one, Gov. Glenn Youngkin differed from most in his party and, in March, chose the greater good, signing the bill patroned by Senate Democrats Barbara Favola of Arlington and Scott Surovell of Fairfax. It took effect on July 1, the start of Virginia’s new fiscal year.
O happy day!
Alas, Virginia, no good deed goes unpunished.
On the bill’s effective date earlier this month, customers shopping their favorite online retailers started seeing notices pop up on their computer monitors. They vary, but in essence they inform consumers that they must consent to have their online data harvested if they wish to continue shopping.
Some were quite up-front about it, such as the one initially posted by Walmart. The world’s largest retailer was remarkably straightforward in describing limitations that Virginia’s brand-new VCPA applies to consumer data about sexual and reproductive health merchandise. It explained that by clicking the “Continue shopping” button and proceeding to browse the site, users consent to Walmart using their data to complete the purchase, provide the requested feature and for general analytics, operations and fraud prevention.
Janet Peyton, a McGuireWoods attorney* who advises clients on data privacy issues, noted that Walmart’s advisory isn’t proposing to provide the data to third parties, only for its own internal use. Virginians have more robust data privacy protections under a slightly older state law, she said, and nothing in Walmart’s disclaimer waives those.
“It doesn’t say anything about your other privacy rights under the Virginia Consumer Data Protection Act and, in fact, there are lots of other (rights),” she said. The Walmart pop-up, she said, constitutes “a very limited consent specific to this health information that they’re gathering.”
Walmart has significantly pared down its pop-up since early July, dropping the references to the family-planning and intimate products.
Other big chains that offer those products are far less conspicuous in letting Virginians know about the newer privacy law.
The CVS drugstore chain, for example, has a small, obscure disclaimer at the bottom of its landing page under the curious heading “Improving your site experience.” It says in miniscule type that by continuing to shop on the site, you give the pharmacy giant the right to share your data with “trusted third parties, including our marketing, analytics and research partners.”
Its rival apothecary chain, Walgreens, similarly requires users to do a lengthy scroll downward to find its privacy link nestled in the sub-basement of its webpage. There, one finds a “Your Privacy Choices” link that jumps to a consumer rights box outlining non-specific rights afforded customers in Virginia and 15 other states. In that box, there are links to pages that allow consumers to access, correct and delete their data, and to opt out of the sale, sharing or use of their data for targeted advertising, rights Virginians have had since the VCDPA took effect Jan. 1, 2023.
Those pages ask users to jump through multiple hoops just to verify their identity and, after that’s done, opt out of sharing, selling or bartering your data.
I undertook the exercise on several big chain retailers’ websites, including the aforementioned. I had to confirm unsettlingly specific personal information, including an approximate range for my mortgage payments, which of several random home addresses was once mine, banks where I held accounts decades ago, names of relatives and more. It’s precisely the sort of info you don’t want out there. With that completed, I was informed that I would be updated on the progress of the request or, in one case, get an email I could use to complete the process within a couple of weeks. I’m not holding my breath.
Creepy? Sure felt that way.
Confusing? Yes, on any number of levels, not the least of which is a state-to-state patchwork of statutes that even legal professionals find challenging because there’s no nationwide data privacy law.
Burdensome? Sure.
“It can be done. It is a little bit cumbersome — not particularly consumer friendly — but it’s not saying anything here about waiving your right to make a data access request or opt out of those other things,” Peyton said, referencing the Walmart disclaimer.
Data in large-scale retailing is money. Huge money. Ask Jeff Bezos, the founder of the all-online Amazon, the planet’s second-largest retailer after Walmart.
E-commerce retail sales ballooned from $5.6 billion in the first quarter of 2000 to $300.2 billion in the first quarter of 2025, according to the Federal Reserve Bank of St. Louis.
Data are essential to that. As Charlotte Rene Woods explained in her reporting on July 8, pop-ups informing users about “cookies,” or other data that websites collect and store aren’t uncommon in online transactions. Some are necessary to complete them.
That’s been true for more than 30 years, back in the phone-modem days when many folks of a certain age got their first excursions into cyberspace via America Online with its cheery “You’ve got mail!” log-in greeting. The age of Amazon, Google and Meta is built on data.
It’s no mystery, then, that there’s no incentive other than the law’s baseline requirements for retailers to make it as easy as allowing consumers to click one icon to keep their private data private.
On the other hand, some of them have made relinquishing at least a slice of your privacy exactly that easy.
*(Point of personal disclosure: From my years at McGuireWoods, I have known Janet as a top intellectual property/data privacy and security lawyer with a long list of national accolades.)
GET THE MORNING HEADLINES.
Click this link for the original source of this article.
Author: Bob Lewis
This content is courtesy of, and owned and copyrighted by, https://www.virginiamercury.com and its author. This content is made available by use of the public RSS feed offered by the host site and is used for educational purposes only. If you are the author or represent the host site and would like this content removed now and in the future, please contact USSANews.com using the email address in the Contact page found in the website menu.
