chevron-down Created with Sketch Beta.

    ARTICLE

    Top Ten Column: New Reproductive and Sexual Health Privacy Law: Surprisingly Broad Applicability and Operationally Challenging

    Meghan O’Connor, Simone Colgan Dunlap, Sarah Erdmann, and Kaitlyn Fydenkevez

    Apr 25, 2025

    1 min read

    Cybersecurity Privacy & Security Public Health & Policy Reproductive Care
    Top Ten Column: New Reproductive and Sexual Health Privacy Law: Surprisingly Broad Applicability and Operationally Challenging
    istock.com/TommL

    At the end of March, Virginia amended its Virginia Consumer Protection Act (“Act”) to regulate obtaining and disclosing “reproductive or sexual health information” by any “supplier” in connection with a “consumer transaction” subject to the Act. While at first glance many organizations may not think these amendments impact them, these updates cast a surprisingly wide net.

    The Act continues to broadly define “supplier” to include all entities that advertise, solicit or otherwise engage in consumer transactions and entities that advertise, sell, lease, or license goods or services to be resold, leased, or sublicensed by third parties in consumer transactions. This broad definition consequently sweeps in both resident (e.g., DTC retailers) and non-resident businesses that engage in consumer transactions or indirectly engage in consumer transactions in Virginia through their relationship with a third party that is engaged in regulated transaction. Notably, there are no threshold requirements related to the volume of data processed or revenue requirements.

    The March 2025 amendment to the Act requires suppliers to obtain consent (i.e., a clear affirmative act) from consumers prior to obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information. The broad definition of “reproductive or sexual health information” includes not only data that has traditionally been considered clinical, reproductive health data (e.g., health conditions, status, diseases, diagnoses, bodily functions, prescription data), but also:

    • purchase data for items like menstrual care products, birth control, and medications related to menstruation or pregnancy like over-the-counter pain relievers for cramps;
    • geolocation data collected in a non-healthcare setting that could indicate an attempt to acquire reproductive or sexual health services or supplies (e.g., a location near a reproductive health clinic);
    • web browsing data; and
    • information about reproductive or sexual health that can be derived or extrapolated from non-health algorithmic data.

    Additionally, unlike other consumer data privacy laws, the Act does not include an opt-in exemption for “necessary processing,” i.e., processing of consumer data necessary to provide consumer-requested products and services. Thus, implementing a process to obtain consent without impairing the user experience will likely be a challenge.

    Suppliers have until July 1, 2025 to comply with the amendments or risk Attorney General enforcement and/or private actions brought by individuals.

    For more information, please see Quarles’ article here.