A new Virginia law marks a major milestone in protecting reproductive and sexual health data, with implications that reach far beyond the healthcare sector. The measure expands how businesses handle highly sensitive consumer information and adds strict consent requirements for many entities doing business in Virginia. The move mirrors a growing trend in the United States toward stronger privacy protections for health-related data and offers a clear signal to international firms, including Thai companies with U.S. operations.
Effective July 1, 2025, SB 754 amends the Virginia Consumer Protection Act. It broadens the definition of “reproductive or sexual health information” to cover not only medical records but also data about services sought, location data indicating access to such services, and details about conditions related to pregnancy or menstrual health. It also includes purchase histories and geolocation, browsing behavior, wellness program data, and even certain employment applications tied to fertility care. The law applies to any business selling or advertising goods or services primarily for personal use, not just healthcare providers, and includes foreign firms targeting Virginia residents.
One key feature is opt-in consent for collecting, sharing, selling, or otherwise processing this data. Consent must be clear, informed, and unambiguous. This standard aligns with Virginia’s broader privacy framework and requires substantial updates to consent management, marketing practices, and internal data processing. In Virginia, violations can trigger private lawsuits for actual damages and attorneys’ fees, with the possibility of treble damages for willful violations. The state attorney general may also pursue civil penalties and injunctive relief.
Experts note the law’s breadth is unusual. It brings non-healthcare commercial actors under tight consent requirements for sensitive health information, posing new compliance challenges for companies with simple online operations or indirect sales channels in Virginia. Global businesses with a Virginia footprint should reassess data collection and consent mechanisms to avoid costly disputes.
Thai readers can draw several parallels with Thailand’s evolving data privacy regime under the Personal Data Protection Act (PDPA). While Thailand allows certain processing under legitimate interests or contract necessity, Virginia’s opt-in framework goes further by eliminating exceptions for routine service delivery. Thailand’s policymakers and business leaders may watch how this U.S. standard unfolds, especially for cross-border data transfers and global e-commerce.
The law’s scope extends beyond health insurers and clinics. Any business that handles personal items for home use—or that collects data associated with personal, family, or household activities—could be affected. Exemptions exist for data governed by other privacy rules, such as certain federal health privacy protections, but many firms remain within reach of this regulation. The emphasis on consent raises the bar for consent management across marketing, product development, and customer services.
In response to the Dobbs decision, Virginia positioned itself to strengthen privacy protections for health data amid concerns about access to sensitive information. The new law provides a framework that prioritizes explicit consent and tighter controls on who can access health-related data in commercial contexts.
Industry observers expect similar measures to appear in other states, and international standards like the GDPR continue to influence policy. For companies with cross-border operations, including those connected to Thailand’s digital economy, it will be important to monitor regulatory developments and build robust data governance to avoid missteps.
What should Thai businesses do now? Start with an internal data inventory to identify whether reproductive or sexual health data could be processed in Virginia or via Virginia-based transactions. Revisit consent flows and privacy notices to ensure they clearly reflect user rights and choices. Consider privacy-by-design principles in product development and e-commerce platforms, so consent is obtained and honored from the outset. Engage cross-border privacy counsel to address how U.S. and Thai regulations interact.
For the broader public, the core takeaway is clear: privacy expectations for health-related data are rising globally. Consumers should understand their rights and how consent choices affect data sharing when interacting with apps, health services, or workplace wellness programs—especially with foreign companies.
The evolving landscape suggests a proactive approach: audit data practices, strengthen consent mechanisms, and maintain transparent communications about how health information is collected and used. This not only supports compliance but builds trust with consumers who are increasingly cautious about sensitive data.