Virginia’s New Sweeping Reproductive and Sexual Health Privacy Law May Affect All Companies Doing Business in the State

Last week, on March 24, Virginia Governor Glenn Youngkin signed SB 754, which amends the Virginia Consumer Protection Act (Act) to regulate obtaining and disclosing “reproductive or sexual health information” by any “supplier” in connection with a “consumer transaction” subject to the Act. SB 754 will require significant technical and operational compliance steps for companies doing business in Virginia. The compliance net is not limited to just traditional health care businesses, and a July 1, 2025 effective date leaves little time in advance of Attorney General enforcement and a private right of action.

Read on for important considerations for companies doing business in Virginia:

“Reproductive or sexual health information” is broadly defined and includes more data than you think.

Following in the footsteps of other state consumer health privacy laws (we’re looking at you Washington, Nevada, and Connecticut), Virginia’s law broadly defines “reproductive or sexual health information” as information relating to the past, present, or future reproductive or sexual health of an individual and includes a seemingly non-exclusive list of data, including:

  1. Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies;
  2. Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex;
  3. Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
  4. Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
  5. Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
  6. Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described in 1 through 5; and
  7. Any information described in 1 through 6 that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data. (Emphasis added.)

As drafted, this definition is broad enough to include data collected by companies that are not traditionally part of “reproductive or sexual health” product or service delivery:

  1. Commercial transaction data, e.g., purchase of condoms and other contraceptives, menstrual products, or over-the-counter pain relievers for cramps;
  2. Geolocation data collected in a non-healthcare setting if the data could indicate an attempt to acquire reproductive or sexual health services or supplies, e.g., location near a reproductive health clinic and geolocation data used by brick-and-mortar stores to provide pick up for a prescription or OTC supplies;
  3. Browsing behavior and purchase data and any subsequent use of such data for marketing; and
  4. Employment applications and certain employee data regarding wellness initiatives and fertility treatments.

Opt-in consent is required to obtain, disclose, sell, or disseminate reproductive or sexual health information, even if such information is necessary to deliver a product or service requested by the consumer.

The law will prohibit any “supplier” from obtaining, disclosing, selling, or disseminating “personally identifiable” reproductive or sexual health information in connection with a “consumer transaction” without the “consent” of the consumer.

The Virginia Consumer Protection Act has been in effect since 1977, and it is not to be confused with the Virginia Consumer Data Protection Act (VCDPA), the state’s comprehensive consumer privacy law enacted in 2021. However, SB 754 borrows VCDPA’s consent standard, which requires a clear, affirmative, specific, informed, and unambiguous opt-in.

“Consumer transactions” include advertisement, sale, lease, license, or offering for sale, lease, or license, goods or services to be used primarily for personal, family, or household purposes. As such, “suppliers” including sellers, lessors, and licensors that advertise, solicit, or engage in such consumer transactions (or manufacturers and distributors vis-à-vis resale, sublease, or sublicense) must comply with SB 754.

Importantly, opt-in consent is required even if the data processing is necessary to deliver the product or service requested by the consumer. Without a “necessary processing” exemption (notably found in the strict standards of Washington’s My Health My Data Act (MHMDA)), as drafted, opt-in consent would be required prior to a business selling a consumer any reproductive or sexual health product or service, including contraceptives, menstrual products, and other over-the-counter products and prescriptions to treat or measure bodily functions, vital signs, or symptoms related to menstruation or pregnancy.

Unfortunately, SB 754 does not define “personally identifiable” so there is no clear de-identification standard that can be applied to avoid application of SB 754.

SB 754 has limited data exemptions and no threshold or entity exemptions.

Data subject to HIPAA, 42 CFR Part 2 (substance use disorder confidentiality regulations), and “health records” pursuant to Virginia’s health records privacy law are exempt from SB 754. Other than these data exemptions, SB 754 does not have entity-level exemptions or a threshold requirement akin to VCDPA. Thus, any entity that meets the definition of a “supplier” and does business in Virginia, including non-resident companies that engage in consumer transactions in Virginia, may be caught in SB 754’s broad compliance net.

Entities subject to HIPAA are also currently subject to HIPAA’s Privacy Rule to Support Reproductive Health Care Privacy Final Rule despite ongoing litigation and the Trump Administration's reevaluation of its policy on reproductive health data.

Compliance violations (not just data breaches) are subject to a private right of action and regulatory enforcement.

Under the Act, any person who suffers a loss as a result of a violation of the Act shall be entitled to actual damages (with willful violations leading to treble damages) and reasonable attorneys’ fees and court costs. The Virginia Attorney General may also sue to enjoin violations and recover civil penalties for willful violations.

SB 754 will go into effect July 1, 2025, which leaves little time for entities to analyze applicability and prepare technical and operational opt-in consent processes for the wide variety of transactions that may be caught in SB 754’s compliance scope.

If you have any questions regarding application of SB 754 or VCDPA to your company or consumer privacy laws generally, please contact your Quarles privacy attorney or:
