Virginia Privacy Law Just Got a Major Upgrade (and Businesses Need to Pay Attention)
As of March 24, 2025, Virginia officially added new restrictions on the use and disclosure of certain health information—and no, this isn’t just an update to the Virginia Consumer Data Protection Act (VCDPA) you’ve already heard about.
Instead, Governor Glenn Youngkin signed SB 754 into law, amending the Virginia Consumer Protection Act (VCPA). That’s Virginia’s general consumer protection statute—not its specific data privacy law.
The result? A brand-new set of obligations around reproductive and sexual health information—and a brand-new risk of lawsuits under Virginia’s private right of action.
What Does Virginia’s New Privacy Law Actually Cover?
The law restricts businesses from obtaining, disclosing, selling, or sharing personally identifiable reproductive or sexual health information without clear, affirmative consumer consent.
Here’s what qualifies as “reproductive and sexual health information” under Virginia’s updated privacy law:
– Researching or obtaining reproductive or sexual health services or products
– Location data suggesting someone sought these services
– Diagnoses or status related to pregnancy, menstruation, ovulation, conception, or sexual activity
– Use of contraceptives, fertility treatments, or related surgeries
– Bodily measurements or symptoms tied to pregnancy or menstruation
Important: The law doesn’t just protect data you directly collect. If you derive or extrapolate reproductive health information from other data (through tracking tools or AI inference), that can trigger compliance obligations too.
Notably: unlike Washington State’s My Health My Data Act, Virginia’s law only applies if your system actually derived the information—not just if it could. This is helpful as it narrows the scope of application.
Where HIPAA Fits (and Where It Doesn’t)
HIPAA-covered entities are largely exempt under Virginia’s new law.
But if you’re outside the traditional healthcare world (hello, wellness apps, e-commerce brands, and location tracking services!)—this law absolutely applies to you.
Tracking, Targeting, and Consent: The Gray Areas
Under the new Virginia privacy law, businesses must get affirmative consent before collecting or disclosing covered health information. But, as usual, we have some “gray areas” where businesses may or may not need that consent.
Some unanswered “gray areas”:
– Whether standard online tracking tools (think cookies, ad pixels, analytics) qualify as “obtaining” or “disclosing” reproductive health information
– Whether inferred data (like timing ads around menstrual cycles) without explicit disclosure counts as a violation
Translation: If you’re using tracking technologies and targeting based on user behavior—even indirectly—you need to review your cookie policies, consent practices, and adtech contracts ASAP.
When Does the New Virginia Privacy Law Apply?
Not every business operating in Virginia is automatically on the hook. But here’s where things get tricky:
- There’s no minimum resident threshold like the VCDPA’s 100,000-consumer trigger.
- The law applies “in connection with a consumer transaction.” That means if you advertise, sell, license, or offer goods/services for personal or household use, you’re likely covered.
- Even indirect collection can trigger coverage. Courts have interpreted the VCPA broadly—so you don’t have to sell directly to consumers to get caught under this law.
Exceptions and Exemptions: Limited and Narrow
While the VCPA includes a few carve-outs (exemptions for banks, insurance companies, HIPAA covered entities, and transactions regulated under the Fair Credit Reporting Act), the list isn’t long.
Unlike the VCDPA, this law doesn’t automatically exclude things like public health data, educational records, or patient safety information unless they clearly fall into an enumerated exception.
Translation: Don’t count on existing exemptions, even if you fall under them. You need to re-evaluate this law specifically.
Enforcement: Here’s Where It Gets Risky
Virginia’s new privacy law isn’t just symbolic. It comes with teeth—including a private right of action. This means that individuals (competitors, even) can sue for violations, and they don’t just have to wait on the Attorney General’s office.
Here’s what that means for businesses:
– Consumers can sue if they suffer a loss tied to a violation.
– Statutory damages are set at $500 minimum—or $1,000 if the violation is deemed “willful.”
– Attorney’s fees and costs can be awarded separately, and there’s no cap. This is the “big money” part that makes attorneys excited to file (see below).
On top of that, the Virginia Attorney General or local prosecutors can bring enforcement actions seeking civil penalties—up to $2,500 per violation, or $5,000 for repeat offenses.
And if regulators send a warning letter about a potential violation and you ignore it? That’s Exhibit A for proving willfulness.
Virginia’s Privacy Law and Class Actions: A Real Risk
Because SB 754 allows for statutory damages, plaintiffs’ attorneys will be very interested in filing class actions under this law.
If even minor technical violations lead to guaranteed financial penalties, expect class action litigation to explode around data practices that touch reproductive and sexual health information.
Effective Date: Mark Your Calendar
Virginia’s new privacy law goes live July 1, 2025.
If you collect consumer health-related data—or if you use digital marketing tools that might touch this kind of information—you need a compliance plan in place before then. Don’t wait for the letters to roll in.
The Bottom Line on Virginia’s Privacy Law
Virginia’s latest privacy law isn’t just another regulatory blip on the radar. It’s a serious compliance risk for businesses handling consumer health information, and we need to address it.
If your company collects, shares, or infers sensitive reproductive health data, even if you’re not directly tied to healthcare, you need to:
- Audit your data collection practices
- Update consent flows to require clear affirmative action
- Reevaluate tracking tools, cookies, and ad platforms
- Create a strategy to defend against class actions and enforcement risks
Need Help Complying with Virginia’s New Privacy Law?
Contact CJFox Law. We help businesses navigate changing privacy laws with smart, practical strategies—without the confusion or the panic. Let’s build your compliance plan before July 1st sneaks up.