Virginia Puts Additional Restrictions on Consumer Health Data

Throughout this year, we have covered several state laws and updates implemented to protect consumer data privacy in New Jersey, Delaware, New Hampshire, and Iowa. Virginia is joining the recent list of states adding or expanding consumer protection policies in 2025. Recent amendments to Virginia’s Consumer Protection Act, or Senate Bill 754, will limit the disclosure of certain health information. The bill was introduced in January 2025, approved by the Senate, and signed into law by Governor Glenn Youngkin on March 24, 2025.

An overview of SB 754

SB 754 takes effect on July 1, 2025. Notably, the bill amends the Virginia Consumer Protection Act (VCPA) rather than the Virginia Consumer Data Protection Act (VCDPA). It focuses on consumer health data and provides guidelines to align businesses with the amendment's requirements.

Restrictions on Health Information

Suppliers engaged in consumer transactions cannot collect, disclose, sell, or disseminate reproductive or sexual health information without the consumer’s explicit opt-in consent. SB 754 defines qualifying reproductive and sexual health data as follows:

• Research information on health: Efforts to research or obtain reproductive or sexual health information, services, or supplies.
• Use or purchase of contraceptives: Including birth control or other medications related to reproductive health, including abortifacients.
• Health status: Including diagnoses, sexually transmitted diseases, pregnancy, menstruation, ovulation, whether an individual is sexually active, if they are capable of conceiving, and whether an individual engages in unprotected sex.
• Health treatments: Reproductive or sexual health treatments or surgeries, including pregnancy terminations.

• Bodily functions: Including vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels.

• Related health information from other sources: Any information from the list of restricted information that SB 754 provides that is extrapolated from non-health-related data, such as derived, inferred, or algorithm-based information.

Information protected under HIPAA is excluded from these restrictions.

Employer requirements under the amendment

• Opt-In Consent: Businesses must obtain clear, affirmative, opt-in consent from consumers before collecting, using, or sharing reproductive or sexual health information.
• Private Right of Action: The new requirement is subject to a private right of action.
• Enforcement: Enforceable by the Virginia Attorney General, who may seek civil penalties of up to $2,500 per willful violation. Local government attorneys may also bring enforcement actions.

To see the full list of restrictions and requirements under the act, you can find the bill's full text here.

Shifting focus to health data privacy

Virginia’s SB 754 is not the first law to narrow the data privacy lens and focus on fine-tuned details of handling consumer health data. Washington’s “My Health Data Act” was one of the first laws to focus specifically on handling data specific to consumer health. Following Washington, several other states, such as Massachusetts, New York, and Illinois, implemented similar laws. The CFPB then released a final rule to remove medical bills from U.S. credit reports in February 2025.

With a growing focus on privacy for consumer medical information and biometric data, other states may expand restrictions on how businesses handle consumer health information in the future. Employers should stay vigilant when dealing with evolving consumer privacy laws—and as always, readers should consult their legal counsel before taking any action.

This content is for informational purposes only and shall not constitute legal 
opinion or advice. Consult your legal counsel to ensure compliance.