5 Reasons Virginia’s New Reproductive and Sexual Health Privacy Law is a BFD for Business (Spoiler: There’s a Private Right of Action) | Wyrick Robbins Yates & Ponton LLP


In a development that seems to have flown mostly under the radar this week, Virginia’s governor signed on Monday SB754, a bill passed by the state’s General Assembly that amends the state’s Consumer Protection Act to strictly regulate the collection and disclosure of “reproductive or sexual health information” by any “supplier” in connection with a “consumer transaction” covered by the Act. The law will have sweeping consequences for any company collecting personally identifiable information that falls within the broad scope of the definition of “Reproductive or sexual health information” in connection with consumer transactions that have a Virginia nexus. And the stakes will be high: the law includes a private right of action.

Below, we offer five reasons why SB754 will be a big deal for companies that do business in Virginia when it becomes effective on July 1, 2025.

  1. The term “Reproductive or sexual health information” is much broader than you think.

SB754 defines “Reproductive or sexual health information” in a surprisingly broad way that could sweep in lots of information that one would not expect to be covered by that term. The definition begins with a broad concept: “information relating to the past, present, or future reproductive or sexual health of an individual,” and then is followed by a (seemingly non-exclusive) list of certain types of information that would be covered by that concept. Notable examples from that list include:

  • “Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies” (emphasis added);
  • “Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;”
  • “Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;” and
  • “Any information described in [the other descriptions of types of information] that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.”

The definition thus casts a wide net that could unexpectedly cover information collected by businesses that don’t consider themselves to be engaged in the delivery of “reproductive or sexual health” products or services. For example, the definition could extend to:

  • A mobile app operator’s collection of precise geolocation information, even if the app isn’t health-related, if that information could “indicate an attempt” by an individual to acquire reproductive or sexual health information or supplies, such as by reflecting that an individual’s location was near a reproductive health clinic (an approach that formed the basis for allegations against Amazon in a recent health privacy suit and that has been pursued by the FTC in enforcement actions against data brokers X-Mode and Kochava);
  • A brick-and-mortar grocery store’s creation of a transaction record on its point-of-sale system reflecting that a customer purchased condoms, tampons, or over-the-counter pain relievers that can be used to treat menstrual cramps;
  • An online book seller’s maintenance of an online shopping cart used by a customer to purchase a book about reproductive or sexual health; and
  • The use by an advertiser or online advertising technology company of non-health information, such as browsing behavior or purchase data, to infer that an individual might be interested in sexual or reproductive health products or services, and the use of that inference to target online advertisements to that individual.

The definition does, however, exclude three narrow categories of information:

  • Protected Health Information that is subject to HIPAA;
  • “Health Records” for the purpose of Virginia’s health records privacy law; and
  • “Patient-identifying records” for the purpose of 42 U.S.C. § 290dd-2, which governs the confidentiality of records relating to the treatment of substance use disorder.

  2. Collecting, disclosing, or selling reproductive or sexual health information in connection with a consumer transaction requires opt-in consent, even if necessary to deliver a product or service the consumer requested.

SB754 prohibits any “supplier” from “obtaining, disclosing, selling, or disseminating” personally identifiable reproductive or sexual health information in connection with any “consumer transaction” without the consent of the consumer. SB754 borrows the VCDPA’s definition of “consent” for this purpose: “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer,” which may include “a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

Virginia’s Consumer Protection Act defines a “consumer transaction” to include, in relevant part, “[t]he advertisement, sale, lease, license, or offering for sale, lease, or license, of goods or services to be used primarily for personal, family, or household purposes.” It in turn defines “supplier” to include any “seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions.”

Thus, any organization subject to the law that advertises or sells products or services to be used for personal, family or household services, and that collects reproductive or sexual health information in connection with that advertisement or sale, must first obtain the individual’s freely given, specific, informed, and unambiguous agreement to that collection of that information, and also to any subsequent sales or disclosures of that information—even (apparently) to processors or service providers.

Notably, and in stark contrast to Washington’s restrictive My Health My Data Act (MHMDA), SB754 requires consent even when collection or disclosure of the information is necessary to deliver the product or service requested by the consumer. The absence of an MHMDA-style exception to the law’s consent requirement could present significant practical challenges for businesses. For example, any business subject to the law that sells contraceptives, menstrual products, or medication meant to treat “bodily functions” related to menstruation or pregnancy, such as cramps, will be required under SB754 to first obtain the consumer’s unambiguous agreement to the collection of information in connection with the transaction that is “personally identifiable.”

  3. SB754 is not subject to the VCDPA’s thresholds for applicability or other express limitations; any consumer transaction that falls within the reach of Virginia’s long-arm statute can be covered.

Unlike Virginia’s comprehensive consumer privacy law, the Virginia Consumer Data Protection Act (VCDPA), Virginia’s Consumer Protection Act does not include any applicability thresholds or other jurisdictional criteria, and SB754 does not create any with respect to the new restrictions on reproductive and sexual health information. As a result, we expect that the law will be interpreted to apply to a business to the same extent that Virginia’s long-arm statute and the Due Process Clause of the United States Constitution would allow a Virginia court to exercise personal jurisdiction over that business.

Thus, the law could be enforced against any business located in Virginia, but also against non-resident defendants if they are subject to general personal jurisdiction in the state or engage in consumer transactions that have a Virginia nexus sufficient for the exercise of specific personal jurisdiction.

  4. SB754 is not subject to the VCDPA’s entity- or data-level exemptions.

As we discussed when the VCDPA was adopted several years ago, that law includes several helpfully broad exemptions, some of which apply based on the nature of the entity (e.g., covered entities and business associates governed by HIPAA, financial institutions subject to GLBA, and nonprofits), and some of which apply based on the nature of the data (e.g., clinical trial data). By contrast, the Virginia Consumer Protection Act, and the new restrictions on the collection and disclosure of reproductive and sexual health information created by SB754, are not subject to those same exemptions.

As noted above, the definition of “reproductive and sexual health information” in SB754 expressly excludes information subject to HIPAA and other health information privacy laws. And the Consumer Protection Act does include its own set of exclusions, including an entity-level exclusion for banks, credit unions, and other financial institutions and exclusions for certain specified categories of transactions.

  5. Violations of SB754 are subject to the Consumer Protection Act’s private right of action, in addition to being enforceable by the Attorney General.

As currently enacted, the Virginia Consumer Protection Act provides that “any person who suffers loss as the result of a violation of [the Act] shall be entitled to initiate an action to recover actual damages, or $500, whichever is greater.” If the violation is found to be willful, a court can increase those damages “to an amount not exceeding three times the actual damages sustained, or $1,000, whichever is greater.” The Act also provides that in addition to damages, a plaintiff may also be awarded reasonable attorneys’ fees and court costs.

Because SB754 inserts its restrictions on the collection and disclosure of reproductive and sexual health information into the Consumer Protection Act, violations of those restrictions will also give rise to a claim if a person can show they “suffered loss” as a result.

The Consumer Protection Act also provides for enforcement by the Attorney General, who is authorized to sue to enjoin violations and to recover civil penalties for willful violations. SB754’s restrictions will also be enforceable by the Attorney General under those provisions.


