Virginia Governor Glenn Youngkin has signed SB 754 into law, amending the Virginia Consumer Protection Act (VCPA) to prohibit the collection, sale, or sharing of reproductive and sexual health data without consent. The law takes effect July 1, 2025.
On March 24, 2025, SB 754 was signed into law in Virginia, introducing new privacy safeguards for consumers' reproductive and sexual health information. The bill modifies the VCPA—rather than the Virginia Consumer Data Protection Act—allowing broader enforcement against businesses handling such data. Under SB 754, “suppliers” engaged in consumer transactions cannot collect, disclose, sell, or disseminate reproductive or sexual health information without the consumer’s explicit, opt-in consent.
The law adopts a wide definition of protected data, including health status, pregnancy-related metrics, use of contraceptives, and even inferred data from non-health sources. It also includes a private right of action, allowing individuals to seek damages, and authorizes the Attorney General to enforce violations.
SB 754 follows a national trend of enhanced data privacy laws concerning sensitive health data, particularly post-Dobbs v. Jackson Women’s Health Organization. The bill mirrors aspects of Washington’s My Health My Data Act, reflecting growing concern around reproductive privacy and data misuse. It also comes amid growing scrutiny of data-sharing practices among digital platforms and health-related apps.
Features of SB 754 include:
According to the bill text, SB 754 prohibits “obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.” The law also states: “Consent” must be “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data.”
Virginia law firm McGuireWoods commented: “SB 754 significantly expands the scope of regulated data in Virginia and could create operational challenges for entities that previously relied on narrower consent exemptions.”
For consumers—especially those seeking reproductive or sexual health services—SB 754 offers stronger control over their personal information, reducing the risk of unauthorized disclosures or targeted advertising. For companies, especially data brokers, health apps, and digital marketers, the law introduces stricter consent requirements and expands their liability under consumer protection laws. Noncompliance could now trigger enforcement actions and penalties under the Virginia Consumer Protection Act, making it crucial for organizations to re-evaluate how they collect, use, and share this sensitive data. Health providers and tech platforms operating in Virginia must also ensure their data practices align with these new obligations ahead of the July 2025 enforcement date.
Virginia’s SB 754 reflects a growing trend among states to protect reproductive and sexual health information in response to increasing public concern over data privacy. Its placement under the Virginia Consumer Protection Act—not the state’s general data privacy law—broadens its reach and introduces stronger consent requirements. Entities involved in consumer transactions should assess their data practices now to prepare for compliance by July 1, 2025.
Yes, if they engage in consumer transactions with Virginia residents.
These apps must now obtain clear, opt-in consent before collecting or sharing user health data.
Possibly, if they act as “suppliers” in consumer transactions or improperly handle sensitive data.
Yes, especially if targeting consumers based on reproductive or sexual health profiles without consent.
SB 754 fills gaps where HIPAA doesn’t apply, such as apps or platforms not covered by federal health privacy laws.