Senate Bill 754 was signed into law by Virginia Governor Glenn Youngkin on March 24, 2025, and will take effect on July 1, 2025. The Bill introduces important changes to the Virginia Consumer Protection Act (VCPA), strengthening privacy protections for Virginians by requiring businesses to obtain opt-in consent before collecting, using, or sharing their sensitive reproductive and sexual health information.
The VCPA, distinct from the Virginia Consumer Data Protection Act (VCDPA), is a broad consumer protection law aimed at preventing deceptive, fraudulent, and harmful business practices across various industries. While the two laws serve different purposes, SB 754 brings the VCPA closer to the VCDPA by borrowing its strong consent standards.
Key Provisions Under SB 754
A. New Definitions
SB 754 adds a definition of “consent” to the VCPA, matching the definition in the VCDPA. It specifies that consent must be clear, freely given, specific, informed, and unambiguous. Consent can take the form of a written or electronic statement, or any unambiguous action demonstrating agreement.
Additionally, the bill adds a comprehensive definition of “reproductive or sexual health information”, which refers to personal data concerning an individual's reproductive or sexual health, including:
- Attempts to access reproductive or sexual health services or products, including location data that may suggest such attempts.
- Conditions, diagnoses, diseases, or statuses related to reproductive or sexual health, e.g., pregnancy, menstruation, ovulation, and sexual activity.
- Reproductive or sexual health surgeries or procedures, including abortion.
- Use or purchase of medications related to reproductive health, including contraceptives and birth control.
- Physical symptoms or functions related to menstruation or pregnancy, e.g., temperature, cramps, and hormone levels.
- Information about diagnoses, treatments, or products connected to reproductive or sexual health.
- Any reproductive or sexual health information derived from non-health-related sources, such as predictive or algorithmic data.
Importantly, reproductive or sexual health information does not include the health information protected by the Health Insurance Portability and Accountability Act (HIPAA), health records under Title 32.1 of the Code of Virginia, and patient-identifying records under federal law (42 U.S.C. § 290dd-2).
The VCPA already prohibits a wide range of deceptive business practices, such as false advertising, misleading contracts, and the sale of unsafe products. It also includes protections around subscription services, refunds, and disclosures in various industries. SB 754 builds on these protections by prohibiting the collection, disclosure, sale, or dissemination of reproductive or sexual health information without the consumer’s explicit consent.
Implications for Businesses
SB 754 is an important step in enhancing the protection of consumers’ sensitive health information and a major development for businesses in Virginia. With this amendment, the processing of reproductive and sexual health information is now regulated under both the VCPA and the VCDPA, each applying the same high consent standard to this category of sensitive data.
It is important to note that even if a business is exempt from the VCDPA or falls below its applicability thresholds, it may still be subject to the VCPA. A business that falls under the VCPA's definition of “supplier” must therefore adhere to the new requirement of obtaining explicit opt-in consent before handling consumers’ reproductive or sexual health information. This makes it necessary for businesses to review their data practices to comply with the VCPA and prioritize consumers’ privacy.
How Securiti Can Help
Navigating ever-evolving privacy requirements can be complex. Fortunately, Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with Virginia’s privacy laws.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.