Keypoint: A new Virginia law prohibits the collection, use, or sharing of reproductive or sexual health information without consent and provides Virginians with a private right of action for at least $500 per violation.
As we previously reported, on March 24, 2025, Virginia Governor Glenn Youngkin signed SB 754 into law, adding Virginia to the list of states that restrict the use or disclosure of certain health information. Importantly, this is not an amendment to Virginia’s well-known Consumer Data Protection Act (“VCDPA”). Rather, SB 754 amends Sections 59.1-198 and 59.1-200 of the Virginia Consumer Protection Act (“VCPA”), Virginia’s general consumer protection law.
In the article below, we provide an overview of the new law and identify some of its potential implications, including the law’s creation of a private right of action that includes statutory damages.
Reproductive and Sexual Health Information: A Potentially Broad Definition of a Category of Health Information
The law amends the consumer protection law to prohibit businesses, “in connection with consumer transactions,” from “obtaining, disclosing, selling, or disseminating personally identifiable reproductive or sexual health information” without the individual’s consent.
The law incorporates the VCDPA’s definition of “consent,” which is defined as a “clear and affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data related to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”
The law defines “reproductive and sexual health information” as information related to an individual’s “past, present, or future reproductive or sexual health.” It then provides specific examples of what information qualifies as reproductive and sexual health information:
- Efforts to research or obtain reproductive or sexual health services or supplies
- Location information indicative of an attempt to acquire such services or supplies
- Reproductive or sexual health, status, disease, or diagnosis, including pregnancy, menstruation, ovulation, conception, and sexual activity.
- The use or purchase of contraceptives, birth control, or other medications, or receipt of reproductive health-related surgeries or procedures, including termination of a pregnancy
- Information about bodily functions, vital signs, measurements, and symptoms related to menstruation or pregnancy
Like Washington’s My Health My Data Act (“MHMD”), the definition includes reproductive and sexual health information that is “derived or extrapolated” from non-health-related information through algorithms or inferences. Unlike MHMD, however, the information cannot merely be “derivable” from non-health information—the act of deriving the information must have actually occurred. Additionally, the law includes a standard data-level exclusion for protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”), which means reproductive health information in the hands of most healthcare providers, insurers, and their service provider will not be affected by SB 754.
Given the law’s scope, it could be argued that the law captures a broad range of activities such as an individual’s web browser searches for common reproductive health products, their use of menstrual tracking applications, or location information if the company used that information to infer the consumer’s receipt of reproductive health products or services.
Further, the law’s applicability to online tracking technologies is unclear. As noted, the law prohibits obtaining, disclosing, or selling covered information without consent. Whether the use of third-party advertising cookies, for example, constitutes a disclosure or sale of covered information is an open question. Litigation under wiretapping laws such as California’s CIPA or the Federal ECPA suggests plaintiffs will allege such use does constitute a disclosure or sale of covered information. Ultimately, entities operating in this space will want to carefully consider their use of online tracking technologies, including whether the use of GDPR-like cookie consent is warranted to mitigate potential risk.
The Law’s Prohibition Only Applies When Covered Information Is Used “in Connection with a Consumer Transaction” and Is Not Subject to VCDPA Exclusions
Because this data protection provision is promulgated through the VCPA, rather than the VCDPA, it is subject to unique conditions and exceptions.
Virginia’s consumer protection law does not have the same threshold applicability requirements as the state’s data privacy law. While Virginia’s data privacy law only applies if a company collects the personal data of at least 100,000 residents, the consumer protection law under which SB 754 is attached does not. In other words, a company does not need to collect the personal data of 100,000 state residents for the consumer protection law to apply. In addition, the state privacy law’s exemptions and exceptions for certain categories of data (e.g., patient safety work product under the Health Care Quality Improvement Act of 1986, information derived from health information, information used only for public health activities, and data regulated by the Family Educational Rights and Privacy Acts) are inapplicable.
Moreover, unlike Virginia’s data privacy law, which requires consumer consent for the processing of a consumer’s sensitive personal data, the VCPA only requires consumer consent if the collection, disclosure, sale, and dissemination of covered information is done “in connection with a consumer transaction.” The VCPA defines “consumer transaction” as, among other things, transactions involving “the advertisement, sale, lease, license, or offer for sale, lease, or license of goods or services to be used primarily for personal, family, or household purposes.” For instance, if a menstrual cycle tracking application uses data gathered on a consumer’s cycle to time an advertisement for a particular product, it could be argued that this would constitute the use of covered information in connection with a consumer transaction and would require the consumer’s prior consent.
Although the VCPA does not include any express exception for disclosures to other entities that are necessary to fulfill or facilitate the consumer transaction (e.g., data processors), courts have found the VCPA not to apply to merchant-to-merchant transactions. Baker v. Elam, 883 F. Supp. 2d 576, 579 (E.D. Va. 2012). However, the VCPA has also been interpreted broadly to encompass consumer transactions even without direct contact between the consumer and the business. Alexander v. Se. Wholesale Corp., 978 F. Supp. 3d 615, 622 (E.D. Va. 2013). Thus, it is unclear exactly how the law will apply, if at all, to ordinary transfers of personal data to data processors under the state’s privacy law.
Finally, the law is subject to the VCPA’s exclusions at Va. Code Ann. § 59.1-199. This means the law does not apply in certain consumer transactions, including, but not limited to, when:
- The consumer transaction is regulated by the Federal Consumer Credit Protection Act.
- The entity using covered information is a bank, savings institution, credit union, small loan company, insurance company, or another entity regulated by the Virginia State Corporate Commission or a similar federal regulator.
- The consumer transaction is regulated by the Virginia Residential Landlord and Tenant Act.
The VCPA’s Private Right of Action
Because this prohibition has been added to the VCPA it is enforceable through the VCPA’s private right of action (“PRA”). Va. Code Ann. § 59.1-204 allows any person who suffers a loss due to a violation of the VCPA to bring a suit to recover the greater of their actual damages or $500. If the violation was willful, the minimum damages amount is increased from $500 to $1,000. The law also allows for the recovery of attorneys’ fees and costs.
Because the PRA allows plaintiffs to assert a minimum statutory damage, this law presents a higher risk of class action litigation than laws that do not include statutory damages. If plaintiffs pursue damages beyond the $500 statutory amount, however, defendants may have arguments against class certification because the law requires a plaintiff demonstrate a loss and each plaintiff’s specific loss may differ. Moreover, at least one court has held that such loss includes recovery for emotional distress, further complicating the calculation of damages under the PRA where there are multiple plaintiffs. Barnette v. Brook Road, Inc., 429 F. Supp. 2d 741, 751-52 (E.D. Va. 2006) (“Under the Supreme Court of Virginia’s definition of ‘actual damages,’ the Court finds that the VCPA authorized recovery for emotional distress.”).
The law can also be enforced by the Virginia Attorney General, the attorney for the Commonwealth, or the attorney for the county, city, or town for the Literary Fund, all of whom may petition the court for a civil penalty of up to $2,500 per violation of the VCPA, with penalties of up to $5,000 for willful second or subsequent violations. The court may also award any costs and reasonable expenses incurred by the state or local agency in investigating and preparing the case against the violator up to $1,000 per violation, as well as attorney’s fees—which have no maximum limitation.
Importantly, willful violations may be demonstrated by the violator’s decision to continue an activity for which they have received written notice from the Attorney General indicating their belief that the activity constitutes a violation of the VCPA.
Effective Date
The law goes into effect on July 1, 2025.
[View source.]
