Preparing for Virginia’s SB 754: Essential considerations for compliance

Effective from July 1 2025, Virginia’s SB 754 amends the Virginia Consumer Protection Act (VCPA) to prohibit the collection, use, or disclosure of reproductive or sexual health information without affirmative consumer consent.

Subject to a Private Right of Action, businesses have a duty to comply with the amendment or risk legal action from consumers for non-compliance.

But the question remains: Are businesses taking the necessary steps to meet compliance requirements, or are they leaving themselves vulnerable to significant legal and reputational risk?

Jump to:

• Key provisions of SB 754
• How does SB 754 compare to other state-level health data laws?
• Implications for businesses operating in Virginia
• Consent requirements under SB 754
• How to stay compliant

Key provisions of SB 754

This isn’t the first health data legislation we’ve encountered in 2025. Alongside the announcement of New York’s Health Information Privacy Act (NYHIPA) back in January, this new wave of health data legislation raises several compliance concerns for businesses handling sensitive health information.

Serving to protect the personal health information of Virginia residents, SB 754 modifies the Virginia Consumer Protection Act by prohibiting businesses from “Obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.”

SB 754 applies a broad definition of “reproductive or sexual health information” relating to the “past, present, or future reproductive or sexual health of an individual”, encompassing a range of listed examples such as:

• “Efforts to research or obtain reproductive or sexual health information services or supplies”
• “Reproductive or sexual health conditions, status, diseases, or diagnoses”
• “Reproductive and sexual health-related surgeries and procedures”
• “Use or purchase of contraceptives, birth control, or other medication related to reproductive health”

How does SB 754 compare to other state-level health data laws?

In comparison to other US health data laws, such as Washington’s My Health My Data Act and the Health Insurance Portability and Accountability Act (HIPAA), SB 754 is more narrowly focused on reproductive health information. Both Washington’s law and HIPAA, on the other hand, provide broad protections for all consumer health data, including mental and physical health conditions.

Given its niche focus, businesses should stay well-informed about updates to the amendment to avoid being caught out by non-compliant practices.

Implications for businesses operating in Virginia

At first glance, SB 754 might appear to be solely relevant to healthcare entities and related services. However, the reality is that the amendment applies to a wide array of businesses operating within Virginia.

For example, any business that maintains records of customer purchases of contraception or other reproductive health products must comply with the new regulations. This includes pharmacies, retail stores, online marketplaces, and even data analytics firms that process this information.

Business obligations aside, the amendment also grants consumers the right to take legal action should their reproductive or sexual health information be mishandled, with SB 754 being subject to a Private Right of Action.

All this considered, businesses have a duty to review their privacy practices in light of SB 754 to ensure compliance requirements are met, or face ramifications if not.

Consent requirements under SB 754

With consumer consent at the forefront of the amendment, the pressure is on for businesses to get their consent practices into shape, or risk severe penalties for non-compliance.

Similar to the requirements of CCPA and GDPR, businesses must obtain affirmative consent from consumers before collecting any health information under SB 754.

Implementing a consent management solution is the first step. Allowing businesses to collect and manage consumer consent choices in one centralized platform, a CMP is a non-negotiable for compliance with numerous global privacy regulations, including SB 754.

For businesses with pre-existing or in-house-built consent solutions, it will be essential to review and amend consent collection processes to comply with SB 754.

Without clear, affirmative consent, businesses are at risk of non-compliance, risking legal action and loss of consumer trust. And whilst some businesses may trivialize the latter, the value of consumer trust cannot be ignored amidst increasing consumer privacy concerns.

How to stay compliant

Non-compliance with the amendment, as well as any data privacy legislation, has repercussions that go well beyond fines and legal penalties, starting with consumer trust.

So, what can Virginia businesses do in order to meet the requirements of SB 754?

• Ensure affirmative consent is obtained: Utilize consent collection tools, such as a Consent and Preference Management Platform (CMP) to ensure the relevant level of consent is obtained from consumers before processing sexual or reproductive health information.
• Audit data privacy practices to maintain compliance: Ensure the correct privacy practices are in place to safeguard consumer health information, from multi-factor authentication to data encryption.
• Stay informed about changing legislation: Future-proof your privacy practices by staying informed about changes to legislation, and implement the relevant measures to maintain compliance.
• Prioritize transparency: Keeping consumers in the dark when it comes to their personal data is a sure-fire way of damaging trust. Instead, communicate any changes to your privacy practices to consumers to demonstrate your commitment to compliance.

Customers are eager to invest in businesses and brands they trust. From a data privacy perspective, this trust cannot be earned nor maintained with patchwork compliance and lacking privacy practices.

Starting with consent, businesses have a duty to make consumers fully aware of how their sensitive information is used, and how they can take control of it. By prioritizing compliance with SB 754, businesses can not only avoid legal action, but also maintain consumer trust.