by Cameron Cantrell and Felicity Slater
On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025.
Entities covered by SB 754, which applies broadly across consumer-facing and business-to-business organizations, will need to implement substantially the same compliance measures in Virginia that they have put in place in Washington State to comply with the My Health, My Data Act. In particular, organizations will need to obtain individuals’ consent before collecting and transferring their personal information when it has even an attenuated relationship to reproductive or sexual health.
Governor Youngkin signed SB 754 into law on the same day he vetoed a bill that would have regulated high-risk AI systems and social media use by children and teenagers under the age of 16, taking many by surprise. We expect that state legislatures will push the legal envelope with respect to health and reproductive data throughout the year and beyond.
Scope
The Virginia Consumer Protection Act (VCPA) —which SB 754 modifies—governs “supplier(s) in connection with…consumer transaction[s],” including advertisements, sales, and offers of consumer and business goods and services. A “supplier” is an entity that “advertises, solicits, or engages in consumer transactions, or ... advertises, sells, leases, or licenses goods or services to be resold, leased, or sublicensed by others in consumer transactions.”
The VCPA does not establish volume or revenue requirements, so this law will apply to a significantly broader range of organizations than those that are currently subject to the Virginia Consumer Data Protection Act (VCDPA), including to entities that operate only in the business-to-business context. The VCPA’s limited exemptions will excuse only a small set of entities such as banks, credit unions, and real estate licensees, from compliance.
Restricted processing
For in-scope entities and transactions, the law prohibits “[o]btaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.”
“Reproductive or sexual health information” broadly includes “information relating to the past, present, or future reproductive or sexual health of an individual” even if it “is derived or extrapolated from non-health related information.” This includes “[e]fforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies” and “[b]odily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy.”
“Reproductive and sexual health information” is defined to exclude HIPAA-covered information as well as records governed by 42 U.S.C. § 290dd-2, which applies to records of patients seeking treatment or being treated for substance use disorders, or Virginia’s health code. SB 754 incorporates the VCDPA’s definition of “consent,” which requires “a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer,” including electronic consent. The VCPA does not explicitly define “sale.”
Enforcement
Violating SB 754’s prohibition on the collection or transfer of reproductive or sexual health information is a per se violation of the VCPA, which may be enforced by the state or through a private right of action. Penalties under the private right of action may include the greater of actual damages or $500 (if violation is willful, this increases to the greater of treble actual damages or $1,000), as well as attorney fees and costs.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Cameron Cantrell is an Associate at Hintze Law PLLC representing companies on AI, privacy, and cybersecurity issues.
Felicity Slater is an Associate at Hintze Law PLLC. Felicity has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.