Understanding Virginia SB 754: Why It Matters for Cannabis, CBD, and Ecommerce

Virginia’s Senate Bill 754, effective July 1, 2025, amends the Virginia Consumer Protection Act (VCPA) to introduce specific protections for reproductive and sexual health data. While it does not reach the exhaustive scope of Washington’s My Health My Data Act (MHMD, 2023) nor Nevada’s SB 370, Virginia’s law is a harbinger for cannabis operators: regulators are taking a closer look at how health-related information is gathered, shared, and monitored—especially in sensitive areas such as cannabis, CBD, and medical-use registrations.

This post explores how SB 754 changes the compliance landscape for cannabis ecommerce, what investors, operators, and digital marketers need to prepare by July 2025, and how to approach consumer privacy and tech stacks in light of growing state pressure around “sensitive” data.

What Is Virginia SB 754?

SB 754, signed in March 2025, marks Virginia’s foray into regulating consumer health data beyond what is covered by HIPAA. The law prohibits:

• Obtaining, disclosing, selling, or using reproductive or sexual health information without explicit consumer consent.
• Deploying adtech (pixels, tracking scripts, cookies) in ways that could monitor/aggregate user behaviors or conditions relating to these topics on Virginia-based users—unless proper notice and consent are provided.

While the statute’s immediate trigger is reproductive health, its structure signals increasing momentum to regulate all forms of health-related data, including behavioral patterns around dispensary usage, strain preferences, and even “condition” information gathered in intake forms.

Official bill text: Virginia SB 754 (2025)

Scope: Which Cannabis Operations Must Comply?

SB 754’s requirements apply to any entity that:

• Controls or processes health-related data of Virginia consumers.
• Offers services/products online to Virginia residents—including dispensaries, MMJ programs, hemp/CBD retailers, and ancillary services collecting health information for marketing or appointment scheduling.
• Uses tracking pixels, cookies, location data, or forms to collect consumer health signals, interests, or intent.

Multi-state operators must adapt their privacy practices for Virginia and harmonize with similar requirements (see below).

Key Provisions Affecting Cannabis Ecommerce and Data Tracking

1. Data Minimization

Businesses must limit data collection, use, and sharing to what is necessary for the disclosed service.

For cannabis and CBD:

• Only collect what you need to process a medical or recreational transaction.
• Do not automatically feed data from intake forms into adtech tools or external CRM systems.

2. Explicit, Granular Consent

SB 754 requires clear, advanced consent for the use/disclosure of reproductive or sexual health data. For cannabis companies:

• Affirmative opt-in is required before collecting or sharing any sensitive health information beyond transaction basics.
• Pre-checked boxes, buried consent, or failure to separate health/condition data from basic order data are non-compliant.

3. Age Gates & Identity Confirmation

Operators should ensure robust age verification (21+ or patient eligibility) without collecting unnecessary health details at the pre-consent stage.

• Only request high-sensitivity info if legally or medically necessary to complete a transaction or service.

4. Limitations on Tracking, Pixels, and Adtech

Cannabis, CBD, and related lifestyle sites often integrate:

• Facebook, Google, and TikTok pixels;
• Cross-site behavioral analytics;
• Affiliate marketing beacons.

SB 754 prohibits the use of these technologies to infer, target, or retarget Virginia consumers regarding reproductive/sexual health status, unless:

• The consumer has opted in after being clearly notified that their activities, preferences, or health interests will be tracked.
• A compliant opt-out ("Do Not Sell or Share My Sensitive Data") is in place and functional.

5. No Selling or Sharing Without Consent

The sale or third-party sharing of health data—including data tied to dispensary visits, intake forms, or even browsing traffic—must be supported by documentation of explicit consent.

• Data brokers and loyalty programs in cannabis must revise their consumer flows to screen Virginia users and solicit effective consent.

6. Opt-Out Mechanisms

Virginia’s law, like peers in Nevada/Connecticut, recognizes the consumer’s right to:

• Opt out of data sales, transfers, or any processing of their sensitive health data for advertising.
• Revoke prior consent at any time, with effect immediately upon the business’s confirmation.

Immediate To-Do List for Cannabis Operators Before July 1, 2025

1. Map Your Data Flows

• Identify what “health-related” data (medical condition, product preferences, MMJ recommendations, intake form answers) you collect from Virginia users.
• Trace if, and how, it’s used in analytics, adtech, or shared with partners.

2. Update Privacy Notices

• Draft Virginia-specific privacy banners, consent journeys, and in-site notices.
• Add clear disclosures about tracking, the scope of data collection, and all third-party adtech or analytics platforms in use.

3. Geo-Target for Compliance

• Deploy geofencing or visitor-location logic to display Virginia-specific (and for multi-state: NV/WA/CT-compliant) banners, disclosures, and consent modals.

4. Upgrade Opt-In/Out Workflows

• Rewire forms and pixel scripts to hold off on firing or syncing any sensitive health-related data until explicit consent is provided.
• Offer real-time, user-friendly opt-out (“Do Not Sell or Share My Sensitive Data”) and process these requests without delay.

5. Train Your Teams and Vendors

• Ensure marketing, tech, and compliance teams are briefed on the law’s scope.
• Audit ad agencies, affiliates, and loyalty providers for compliance alignment.

Enforcement: Penalties and State Attorney General Oversight

SB 754 will be enforced by the Virginia Office of the Attorney General. While it does not include a private right of action, substantial civil fines can be imposed for non-compliance, especially if:

• Data is sold or transferred to third parties without requisite consent.
• User tracking or retargeting occurs before proper consent and notification.
• Opt-outs are not honored rapidly and consistently.

In practice, the Attorney General may conduct compliance sweeps or respond to consumer complaints by auditing cannabis ecommerce flows, especially those using advanced analytics or for patient intake.

Virginia vs. Other State Consumer Health Data Laws

While SB 754 is currently limited to reproductive and sexual health data, cannabis companies should note trends in other states:

• Washington (MHMD Act): Expansive coverage—almost any consumer health data, including browsing behavior on cannabis/CBD topics, triggers consent and opt-out duties. Heavy penalties.
• Nevada (SB 370): Requires explicit consent before processing consumer health data, including for most ecommerce health categories.
• Connecticut: Recent amendments to the Connecticut Data Privacy Act extend to sensitive health information, requiring robust controls for cannabis and health retail flows.

Multi-state operators must develop playbooks to quickly detect relevant user geography and deploy compliant banners, data flows, and opt-in/opt-out processes for every regulated location.

More: Nevada Health Data Law | Washington My Health My Data Act

Takeaways for Cannabis Businesses & Compliance Pros

• Act by July 1, 2025: All ecommerce, appointment, and intake flows touching health information for Virginia users must be reviewed and updated.
• Don’t wait: The enforcement trend is clear—regulators are shifting scrutiny to digital advertising, retargeting, and loyalty/CRM flows involving any health-like behavior or intent.
• Multi-state harmonization is critical: Don’t silo compliance by state. Instead, build modular, geo-specific compliance overlays informed by the strictest laws in the markets where you operate.
• Consumer trust is on the line: Transparent, upfront privacy controls aren’t just a legal requirement—they’re an opportunity to differentiate your brand in a crowded cannabis market.

For further guidance or to keep up-to-date with dynamic state-by-state cannabis regulations, visit CannabisRegulations.ai for compliance news, tracking solutions, and industry best practices.