On March 24, Virginia Governor Glenn Youngkin signed SB 754 into law. SB 754, which will take effect on July 1, 2025, amends the Virginia Consumer Protection Act (VCPA) to prohibit certain entities from, in connection with a consumer transaction, obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without consumer consent. SB 754 takes inspiration from the Washington My Health My Data Act in its broad definition of “reproductive or sexual health information” and is similarly enforceable through a private right of action. Furthermore, the law’s placement within the VCPA statutory scheme (rather than that of the Virginia Consumer Data Protection Act, or “VCDPA”) means that it will apply to certain entities not within the scope of the VCDPA or other data privacy laws. Finally, SB 754’s robust definition of “consent,” imported from the VCDPA, will have significant implications for companies that process reproductive or sexual health information.
In this post, we identify notable takeaways from SB 754 and summarize its key provisions.
KEY TAKEAWAYS
As noted above, SB 754 prohibits certain entities (“suppliers,” as defined by the VCPA) from, in connection with a consumer transaction, obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without consumer consent. Key takeaways from the law include the following:
- Broad Definition of “Reproductive or Sexual Health Information”: The law defines “reproductive or sexual health information” broadly as “information relating to the past, present, or future reproductive or sexual health of an individual,” including reproductive or sexual health conditions, diagnoses, and status; bodily functions related to menstruation or pregnancy; surgeries, purchases, and research related to reproductive or sexual health services; location information related to the acquisition of those services; and an individual’s use of a product related to the matters described in this list. The definition also includes a catchall provision for information described in the preceding list that is “derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.”
- Health Information Exemptions: SB 754 exempts from its definition of “reproductive or sexual health information” health information protected under HIPAA, health records for the purposes of Title 32.1 of Virginia law, and patient-identifying records for the purposes of 42 U.S.C. § 290dd-2.
- Broad Applicability: Because it amends the VCPA, rather than a traditional state privacy law, SB 754’s provisions are not limited in their applicability to entities that process a certain amount of data or generate a certain amount of revenue. Rather, the law applies broadly to “suppliers,” defined as “a seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions, or a manufacturer, distributor, or licensor that advertises and sells, leases, or licenses goods or services to be resold, leased, or sublicensed by other persons in consumer transactions.”
- Limited Entity-Level Exemptions: In contrast to state privacy laws, the VCPA’s entity-level exemptions are relatively limited. Though it excludes certain entities (such as certain financial institutions, insurance companies, and public service corporations, among other entities), it does not include other types of entity-level exemptions typically seen in state privacy laws (such as those for HIPAA covered entities and business associates or nonprofit entities).
- Notably, the VCPA does exempt “[a]ny aspect of a consumer transaction which aspect is authorized under laws or regulations of [Virginia] or the United States.”
- Opt-In Consent: SB 754 imports the Virginia Consumer Data Protection Act’s (VCDPA’s) definition of “consent” into the VCPA. The VCDPA defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” Notably, SB 754 did not borrow any of the VCDPA’s language allowing entities to bypass consent if processing is necessary or compatible with the disclosed purposes for which the data is processed, such as providing a product or service. This consent restriction will create significant challenges for companies handling reproductive or sexual health data.
- Private Right of Action and AG Enforcement: Because a violation of SB 754’s prohibition regarding the disclosure of reproductive and sexual health information will be a per se violation of the VCPA, individuals who suffer loss due to the violation will be entitled to pursue the greater of actual damages or $500 under the VCPA’s private right of action, with treble damages or $1,000 available for willful violations.
- In addition to the private right of action, the VCPA grants the attorney general authority to pursue enforcement and recover civil penalties of up to $2,500 per willful violation.
KEY PROVISIONS OF SB 754 AND VCPA
Definitions
- Reproductive or Sexual Health Information: SB 754 defines as “information relating to the past, present, or future reproductive or sexual health of an individual,” including (see 59.1-198):
- “Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services and supplies;
- Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active and whether an individual is engaging in unprotected sex;
- Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
- Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
- Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
- Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described above; and
- Any information described above that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.”
- Consumer Transaction: The VCPA defines to include, among other things: (see 59.1-198):
- “The advertisement, sale, lease, license, or offering for sale, lease, or license, of goods or services to be used primarily for personal, family, or household purposes;
- Transactions involving the advertisement, offer, or sale to an individual of a business opportunity that requires both his expenditure of money or property and his personal services on a continuing basis and in which he has not been previously engaged; [and]
- Transactions involving the advertisement, offer, or sale to an individual of goods or services relating to the individual’s finding or obtaining employment[.]”
- Supplier: SB 754 defines as “a seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions, or a manufacturer, distributor, or licensor that advertises and sells, leases, or licenses goods or services to be resold, leased, or sublicensed by other persons in consumer transactions.” Sec. 59.1-198.
- Consent: SB 754 cross-references the VCDPA’s definition of this term, which defines “consent” as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” Secs. 59.1-198, 59.1-575.
Exemptions
- Certain Types of Health Information: SB 754 exempts the following types of health information from its definition of “reproductive or sexual health information”: “health information that is protected under [HIPAA], health records for the purposes of Title 32.1, or patient-identifying records for the purposes of 42 U.S.C. § 290dd-2.” Sec. 59.1-198.
- Financial Institutions, Insurance Companies, and Other Entities: The VCPA exempts certain financial institutions, insurance companies, and other specified entities. Sec. 59.1-199(4).
- Transactions Authorized Under Virginia or Federal Law: The VCPA exempts “[a]ny aspect of a consumer transaction which aspect is authorized under laws or regulations of the Commonwealth or the United States, or the formal advisory opinions of any regulatory body or official of the Commonwealth or the United States.” Sec. 59.1-199(1).
Substantive Requirements
- Prohibition on Disclosure of Reproductive or Sexual Health Information Without Consent: SB 754 prohibits a supplier from, “in connection with a consumer transaction … [o]btaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.” Sec. 59.1-200(A)(83).
Enforcement
- Private Right of Action: The VCPA creates a private right of action under which “[a]ny person who suffers loss as the result of a violation of [the VCPA] shall be entitled to initiate an action to recover actual damages, or $500, whichever is greater.” Sec. 59.1-204(A).
- State AG Enforcement: The VCPA grants the state AG authority to bring actions in response to violations of the Act and to obtain civil penalties of up to $2,500 per violation. Sec. 59.1-206(A).
