On July 1, 2025, important new privacy protections for reproductive and sexual health data took effect in Virginia. This amendment to the Virginia Consumer Protection Act (VCPA) makes the Commonwealth one of the first states to provide heightened safeguards for this sensitive category of information.
What the Law Requires
The reproductive or sexual health information protection prohibit companies from “obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.” The new law broadly defines “reproductive or sexual health information” and includes:
- Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies;
- Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex;
- Reproductive and sexual health-related surgeries and procedures, including termination of a pregnancy;
- Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients;
- Bodily functions, vital signs, measurements, or symptoms related to menstruation or pregnancy, including basal temperature, cramps, bodily discharge, or hormone levels;
- Any information about diagnoses or diagnostic testing, treatment, or medications, or the use of any product or service relating to the matters described in 1 through 5; and
- Any information described above that is derived or extrapolated from non-health-related information such as proxy, derivative, inferred, emergent, or algorithmic data.
Importantly, this requirement applies even when the information is not explicitly health data but where sexual health information may be inferred from the data. For example, data can be inferred from online browsing activity, shopping behavior, or mobile app usage.
The law also establishes a private right of action, giving consumers the ability to enforce their rights directly in court. This raises the stakes for compliance, exposing business to potential litigation as well as regulatory scrutiny from the Attorney General of Virginia. Violations of the VCPA carry statutory damages of $500 for general violations and $1,000 for willful violations. This private right of action is a key distinction from the protections afforded under Virginia’s Consumer Data Protection Act (VCDPA).
Practical Impacts for Businesses
- Consent Mechanisms: Businesses engaged in consumer transactions in Virginia must review and, if necessary, overhaul their consent mechanisms. Pre-ticked boxes or implied consent will not suffice.
- Transparency: Update notices and disclosures to clearly explain how you collect and use reproductive health data.
- Retail & Online Commerce: Recent events highlight that companies as large as Walmart have already modified their Virginia-specific privacy disclosures after public concern about how product searches could be linked to reproductive health.
- Data Minimization: Organizations should carefully consider whether collecting this type of data is necessary at all, and limit retention accordingly.
Why it Matters
Virginia’s update reflects a broader national trend toward strengthening consumer data protections, particularly around health and other sensitive categories. In the wake of the U.S. Supreme Court’s Dobbs decision and evolving state-level policy, lawmakers increasingly focus on how digital information might reveal private health choices.
For businesses, this means more than just a technical compliance exercise. Privacy practices are quickly becoming a matter of reputation, trust, and litigation risk.
Next Steps
Business operating in Virgina or processing the data of Virgina residents should:
- Audit data flows to identify whether reproductive or sexual health information is collected, even indirectly.
- Update consent and privacy policies to ensure clarity and compliance.
- Train staff and vendors on new requirements to reduce inadvertent violations.
- Monitor developments, as additional amendments to the Virginia Consumer Data Protection Act (VCDPA) remain under legislative consideration.
How our Virginia Privacy Lawyers Can Help
At Moore, Christoff & Siddiqui, we help businesses of all sizes navigate Virginia’s evolving landscape of data privacy, business law, and regulatory compliance. If your organization handles consumer date in Virginia, we can help you assess risks, update policies, and implement practical compliance strategies to meet these new obligations. Contact us to schedule a consultation or learn more about our business privacy services
