Virginia Enacts Landmark Health Privacy Law With Far-Reaching Implications for Businesses

Virginia has set a new precedent in reproductive and sexual health privacy, passing a sweeping law that is poised to transform how businesses—far beyond the healthcare sector—handle sensitive consumer data. The move reflects an escalating trend toward increased protection of reproductive health data across the United States, raising important considerations for both American and international entities, including those in Thailand with U.S. business ties.

The new law, known as SB 754, was signed by Virginia’s governor on March 24, 2025, and amends the state’s longstanding Virginia Consumer Protection Act. With an effective date of July 1, 2025, the law expands the definition of “reproductive or sexual health information” well beyond traditional medical records and introduces strict consent requirements for any company classified as a “supplier” participating in consumer transactions within Virginia. This change aligns Virginia with a small but growing group of U.S. states—such as Washington, Nevada, and Connecticut—that have enacted similarly broad consumer health privacy protections. However, experts note Virginia’s law is particularly robust and unusually wide in its business impact (quarles.com).

For Thai readers and business leaders, the significance of this development stems from several factors. Firstly, Thai companies—including technology firms, e-commerce sellers, and manufacturers engaged in transactions with Virginia consumers—will likely need to adapt internal data policies or risk fines and lawsuits. Secondly, Virginia’s new approach exemplifies the global shift toward recognizing reproductive and sexual health data as requiring higher levels of privacy and consent, echoing similar debates around Thailand’s own Personal Data Protection Act (PDPA).

Key features of the law include a sweeping, non-exclusive definition of reproductive or sexual health information, such as data on efforts to research or obtain services or supplies, location data that may indicate an attempt to access such services, and information on conditions and diagnoses related to pregnancy or menstruation. It also covers purchase history, including seemingly routine items—condoms, birth control, or over-the-counter menstrual products—that could reveal private health choices. The law encompasses commercial data, geolocation information collected outside healthcare settings, browsing behavior, purchase data, and even wellness program details or employee applications involving fertility treatments.

Notably, the legislation mandates opt-in consent for any collection, sharing, selling, or other dissemination of this data—even when it is necessary to fulfill a consumer’s own request. This means that companies cannot process such information without first obtaining a clear, informed, and unambiguous “yes” from the consumer. This standard, borrowed from the state’s separate consumer privacy law, raises the bar for operational compliance, demanding significant changes to consent management systems, marketing practices, and employee data processing.

Crucially, the scope of the law is not limited to healthcare providers or insurance companies. Any business selling, leasing, licensing, advertising, or reselling goods or services “primarily for personal, family, or household purposes”—including foreign companies targeting Virginia residents—must comply. While data governed by federal health privacy rules (such as HIPAA), substance use disorder confidentiality regulations, or the state’s health records privacy law are exempt, everything else falls under the regulation, and there are no exemptions based solely on company size or business model.

Violations carry substantial risk. Consumers can bring private lawsuits seeking actual damages and legal fees, while willful violations may result in triple damages. The Virginia Attorney General can also seek civil penalties and injunctive relief in court. According to U.S. privacy law specialists, this dual enforcement mechanism strengthens both individual and government oversight (quarles.com).

Legal and privacy experts from the U.S. underscore the novelty and breadth of the law. As one technology regulation advisor notes, “This statute is unique in how it brings even non-healthcare commercial actors under strict consent requirements for sensitive health data. The challenge for global businesses is understanding when everyday consumer information—like retail transactions or a smartphone’s location—crosses into regulated territory.” Another compliance consultant adds, “For companies with any online presence in Virginia, or even indirect sales through resellers, reviewing data collection and consent mechanisms is not optional. The potential for private lawsuits significantly ups the ante.”

For Thailand, several domestic implications emerge. The country’s own data privacy landscape, guided by the PDPA, is still evolving, with ongoing public debates about consent, exceptions for necessary processing, and cross-border data transfers. Virginia’s opt-in rule—requiring explicit user consent with no exception even for service delivery—contrasts with Thailand’s more flexible “legitimate interests” and “contract necessity” clauses, prompting local policymakers and business leaders to observe U.S. trends for clues about tightening requirements at home (pdpa.io). Thai e-commerce and health tech firms operating globally are now under greater obligation to map out where their data practices might trigger foreign legal exposure.

Historically, the journey toward reproductive health privacy in the U.S. intensified after the Supreme Court’s Dobbs decision, which removed constitutional protections for abortion. This fueled a wave of state-level actions to shore up privacy rights, particularly where fear of law enforcement access to reproductive health data grew among consumers. Virginia’s legislative move continues this momentum, providing a framework that prioritizes consent and strictly regulates commercial access to sensitive information.

Industry analysts predict Virginia’s law will not remain unique for long. As more U.S. states consider similar measures—and as broader international standards (including Europe’s General Data Protection Regulation, or GDPR) exert influence—it is likely that companies will face a patchwork of consent and disclosure obligations, requiring robust data governance. Businesses engaged in cross-border activity, such as those in Thailand’s vibrant international tech sector, will need to closely monitor both domestic and foreign regulatory trends to avoid costly missteps.

Looking ahead, experts urge immediate action. Any business with customers or users in Virginia should conduct a comprehensive review of what constitutes reproductive or sexual health information in their records, regardless of sector. Re-engineering consent flows, upgrading privacy policies, and training staff on new compliance obligations are essential. For Thai firms with U.S. exposure, seeking specialized cross-border privacy counsel is now a prudent investment. For policymakers and civil society, Virginia’s approach is a timely case study in the balance between health privacy, service access, and regulatory overreach.

For the general public in Thailand, the broader lesson is clear: expectations for privacy around reproductive and sexual health data are rising worldwide. Individuals should be vigilant about how their commercial interactions—whether online shopping, using a health app, or participating in workplace wellness—might reveal sensitive personal information, especially when dealing with foreign companies. Understanding rights, consent options, and risks associated with data sharing is increasingly part of modern health and digital literacy in both local and global contexts.

In practical terms, Thai companies should immediately audit data activities tied to the U.S., specifically identifying if reproductive health-related data could be inadvertently processed or sold. Updating privacy notices to clearly explain new rights and consent choices is essential. For those considering expansion into U.S. markets, embedding privacy by design—ensuring that all systems prioritize user consent from the ground up—will not only ensure legal compliance but also build trust with consumers concerned about sensitive health data.

For more information, businesses and readers are encouraged to consult specialized privacy resources, track developments from the Virginia Attorney General’s office, and learn from the evolving regulatory landscape in both the United States and Thailand.
