Virginia Strengthens Privacy Protections for Reproductive and Sexual Health Information
On July 1, the Virginia Consumer Protection Act (VCPA), as amended by Senate Bill (SB) 754, will provide additional privacy protections for reproductive and sexual health information. The legislation expands the VCPA to expressly prohibit the unauthorized collection and use of this category of information. Businesses that violate the law may be sued by affected Virginia consumers.
Defining “Reproductive or Sexual Health Information”
SB 754 adopts a sweeping definition of “reproductive or sexual health information,” encompassing both clinical and non-clinical information, including:
- Efforts to obtain services or supplies related to reproductive or sexual health.
- Reproductive or sexual health conditions, status, diseases, or diagnoses (e.g., pregnancy, ovulation).
- Reproductive and sexual health-related surgeries and procedures, including abortion.
- Use of contraceptives or medications, such as abortifacients.
- Bodily functions or symptoms (e.g., menstruation, hormone levels, basal temperature).
The definition also includes information derived from non-health-related information, such as inferred or algorithmic data, to the extent it provides insight into a consumer’s reproductive or sexual health. For example, if geolocation data from a non-health-related application indicates a consumer visited a fertility clinic or abortion provider, that inferred information would be within the scope of the statute.
The law provides data-level exemptions for certain health records regulated by Virginia law, protected health information subject to the federal Health Insurance Portability and Accountability Act (HIPAA), and substance use disorder records under 42 C.F.R. Part 2. These exemptions reflect an intent to protect personal information collected from entities outside the traditional health care regulatory ecosystem. Examples of such entities include developers of fertility tracking and other consumer health applications and wearable devices, which typically are not regulated under HIPAA.
Applicability and Enforcement
Under SB 754, a supplier commits a fraudulent act or practice if, in connection with a consumer transaction, the supplier obtains, discloses, sells, or disseminates any personally identifiable reproductive or sexual health information without the consumer’s consent. The VCPA defines a “supplier” to include sellers, lessors, licensors, and professionals who advertise, solicit, or engage in consumer transactions. A “consumer transaction” includes the sale, lease, or advertisement of goods or services primarily for personal, family, or household use.
Notably, this framework is broader than Virginia’s separate Consumer Data Protection Act (VCDPA), which applies only to businesses that meet certain data volume and revenue thresholds. Because SB 754 amends the VCPA instead of the VCDPA, it may apply to small and mid-sized businesses that would otherwise be exempt from Virginia’s comprehensive privacy law.
Noncompliance with SB 754’s amendments to the VCPA may result in significant penalties and liabilities. The Virginia Attorney General, or an attorney of any Virginia municipality, may seek civil penalties of up to $2,500 per willful violation of the VCPA and up to $5,000 for a second or subsequent willful violation. In contrast to the VCDPA, the VCPA also allows consumers to initiate private lawsuits. If a consumer suffers a loss from a violation, the consumer is entitled to recover $500 or the consumer’s actual damages, whichever is greater. If a violation was willful, a consumer may recover $1,000 or three times the consumer’s actual damages, whichever is greater. Given the availability of statutory damages, the law could become an attractive basis for class-action litigation in circumstances where a supplier’s noncompliance was systematic and large-scale.
Despite their differences, the VCPA and VCDPA are aligned in how they define “consent.” Under both statutes, consent must be freely given, specific, informed, unambiguous, and evidenced by an affirmative act. Generic acceptance of a privacy policy, for example, is not valid.
Key Takeaways
SB 754 signals a continued shift toward stronger state-level protections for reproductive and sexual health information, as is evident with the recent adoption of legislation in California, Nevada, Washington, and other states to expressly protect such information. Businesses should review their data processing practices to determine if SB 754 applies to their operations. Where SB 754 applies, suppliers should implement robust consent mechanisms, maintain clear, transparent privacy policies, and develop a comprehensive privacy compliance program to mitigate compliance risks.
If you have questions about whether SB 754 applies to your business or how to comply with its requirements, reach out to one of the authors or your usual ArentFox Schiff attorney.