A new Virginia privacy law creates significant compliance challenges for companies far outside traditional healthcare. Meghan O’Connor of Quarles examines SB 754, which requires explicit opt-in consent for obtaining or sharing “reproductive or sexual health information” in consumer transactions. The law’s expansive definition includes retail purchases like contraceptives and menstrual products, location data near health clinics and even algorithmic data derived from non-health information. With enforcement beginning in July through both state action and a private right of action, affected companies face an urgent timeline to implement technical and operational compliance measures.
In March, Virginia Gov. Glenn Youngkin signed SB 754, which amends the Virginia Consumer Protection Act to regulate obtaining and disclosing “reproductive or sexual health information” by any “supplier” in connection with a “consumer transaction” subject to the act. SB 754 will require significant technical and operational compliance steps for companies doing business in Virginia. The compliance net is not limited to traditional healthcare businesses, and a July 1, 2025 effective date leaves little time in advance of state enforcement and a private right of action.
‘Reproductive or sexual health information’ is broadly defined and includes more data than you think
Following in the footsteps of other state consumer health privacy laws (including Washington, Nevada and Connecticut), Virginia’s law broadly defines “reproductive or sexual health information” as information relating to the past, present or future reproductive or sexual health of an individual and includes a seemingly non-exclusive list of data, including (emphasis added):
1. Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies.
2. Reproductive or sexual health conditions, status, diseases or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active and whether an individual is engaging in unprotected sex.
3. Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy.
4. Use or purchase of contraceptives, birth control or other medication related to reproductive health, including abortifacients.
5. Bodily functions, vital signs, measurements or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge or hormone levels.
6. Any information about diagnoses or diagnostic testing, treatment or medications or the use of any product or service relating to the matters described in 1 through 5.
7. Any information described in 1 through 6 that is derived or extrapolated from non-health-related information, such as proxy, derivative, inferred, emergent or algorithmic data.
As drafted, this definition is broad enough to include data collected by companies that are not traditionally part of “reproductive or sexual health” product or service delivery:
- Commercial transaction data, e.g., purchase of condoms and other contraceptives, menstrual products or over-the-counter pain relievers for cramps.
- Geolocation data collected in a non-healthcare setting if the data could indicate an attempt to acquire reproductive or sexual health services or supplies, e.g., location near a reproductive health clinic, or geolocation data used by brick-and-mortar stores to provide pickup of a prescription or OTC supplies.
- Browsing behavior and purchase data and any subsequent use of such data for marketing.
- Employment applications and certain employee data regarding wellness initiatives and fertility treatments.
Opt-in consent is required to obtain, disclose, sell or disseminate reproductive or sexual health information, even if such information is necessary to deliver a product or service requested by the consumer
The law will prohibit any “supplier” from obtaining, disclosing, selling or disseminating “personally identifiable” reproductive or sexual health information in connection with a “consumer transaction” without the “consent” of the consumer.
The Virginia Consumer Protection Act has been in effect since 1977, and it is not to be confused with the Virginia Consumer Data Protection Act (VCDPA), the state’s comprehensive consumer privacy law enacted in 2021. However, SB 754 borrows VCDPA’s consent standard, which requires a clear, affirmative, specific, informed and unambiguous opt-in.
“Consumer transactions” include the advertisement, sale, lease, license or offering for sale, lease or license of goods or services to be used primarily for personal, family or household purposes. As such, “suppliers,” including sellers, lessors and licensors that advertise, solicit or engage in such consumer transactions (or manufacturers and distributors vis-à-vis resale, sublease or sublicense), must comply with SB 754.
Importantly, opt-in consent is required even if the data processing is necessary to deliver the product or service requested by the consumer. Without a “necessary processing” exemption (notably found in Washington’s strict standards), as drafted, opt-in consent would be required prior to a business selling a consumer any reproductive or sexual health product or service, including contraceptives, menstrual products and other over-the-counter products and prescriptions to treat or measure bodily functions, vital signs or symptoms related to menstruation or pregnancy.
Unfortunately, SB 754 does not define “personally identifiable,” so there is no clear de-identification standard that can be applied to avoid application of SB 754.
SB 754 has limited data exemptions and no threshold or entity exemptions
Data subject to HIPAA, 42 CFR Part 2 (substance use disorder confidentiality regulations) and “health records” pursuant to Virginia’s health records privacy law are exempt from SB 754. Other than these data exemptions, SB 754 does not have entity-level exemptions or a threshold requirement akin to VCDPA. Thus, any entity that meets the definition of a “supplier” and does business in Virginia, including non-resident companies that engage in consumer transactions in Virginia, may be caught in SB 754’s broad compliance net.
Entities subject to HIPAA are also currently subject to a HIPAA-related privacy rule on reproductive healthcare despite ongoing litigation and the Trump Administration’s reevaluation of its policy on reproductive health data.
Compliance violations (not just data breaches) are subject to a private right of action and regulatory enforcement
Under the Virginia law, any person who suffers a loss as a result of a violation shall be entitled to actual damages (with willful violations leading to treble damages) and reasonable attorneys’ fees and court costs. The Virginia Attorney General’s Office may also sue to enjoin violations and recover civil penalties for willful violations.
SB 754 will go into effect July 1, which leaves little time for entities to analyze applicability and prepare technical and operational opt-in consent processes for the wide variety of transactions that may be caught in SB 754’s compliance scope.