Virginia bans sale of geolocation data
TL;DR — On April 13, 2026, Virginia Governor Abigail Spanberger signed S.B. 388 into law, amending the Virginia Consumer Data Protection Act (VCDPA) to explicitly prohibit the sale of geolocation data. This legislation, effective July 1, 2026, aligns Virginia with Maryland and Oregon, though it maintains a narrower definition of "sale" focused strictly on monetary consideration. The move follows increased regulatory scrutiny from bodies like the California Attorney General’s office and the FTC, signaling a broader national shift toward protecting sensitive location intelligence from commercial exploitation. Companies operating in Virginia must now audit their data pipelines to ensure no location-based personal data is exchanged for money, while those elsewhere should watch for similar legislative waves in states like California and Massachusetts.
Why This Matters in 2026
The digital landscape of 2026 is defined less by the sheer volume of data collected and more by the sensitivity of that data and the legal frameworks governing its transaction. For years, the "location economy" has operated in a gray area where physical movements were digitized, aggregated, and sold to the highest bidder without explicit consent from the individuals being tracked. This practice fueled everything from targeted advertising networks to insurance risk modeling and even law enforcement surveillance tools. However, the signing of S.B. 388 by Governor Abigail Spanberger marks a definitive pivot point. It is no longer just a matter of data minimization; it is a matter of data monetization prohibition for one of the most invasive categories of personal information: where you are, where you go, and how often you visit specific locations.
This legislation is significant because it closes a loophole that many privacy advocates had long argued was critical. While general consumer privacy laws often allow for the broad exchange of data under the guise of "services," geolocation data is uniquely identifiable and persistent. By banning its sale, Virginia is acknowledging that the ability to track an individual’s physical presence constitutes a high-risk privacy violation that cannot be mitigated merely through anonymization or opt-out mechanisms. The inclusion of this ban in the VCDPA suggests that states are moving beyond generic privacy shields and are targeting specific, high-impact data types. This targeted approach allows for more precise regulation, forcing companies to build compliance into their product architectures rather than treating privacy as an afterthought.
Furthermore, the timing of this law, effective July 1, 2026, coincides with a period of heightened regulatory activity across the United States. With the Federal Trade Commission (FTC) having already secured settlements against data brokers for similar practices, state-level actions are becoming the primary enforcement mechanism for consumer privacy rights. The fact that Virginia has joined Maryland and Oregon in this specific ban creates a contiguous block of strict regulation along the East Coast and Pacific Northwest, areas with dense populations and significant tech infrastructure. This regional clustering increases the pressure on multi-state operators to harmonize their data practices, effectively raising the floor for privacy standards nationwide. The $10 billion+ data brokerage industry can no longer rely on jurisdictional arbitrage to continue selling movement patterns as a commodity.
The Background
To understand the gravity of S.B. 388, one must look at the preceding two years of regulatory turbulence. The year 2024 saw the FTC finalize a landmark settlement with a major data broker, explicitly banning the sale of geolocation data. This federal action served as a warning shot to the industry, demonstrating that the federal government was willing to intervene when self-regulation failed. However, federal enforcement is often slow and limited in scope. State legislatures, driven by constituent concerns and local tech ecosystems, began to fill the void. California, home to the majority of the world’s leading technology companies, launched a high-profile investigation into the location data industry in March 2025. This investigation, led by the California Attorney General’s office, uncovered widespread practices where apps shared real-time location data with third-party analytics firms without meaningful user awareness.
The momentum from these federal and Californian actions rippled through state capitals. Legislators in Virginia, Maryland, and Oregon recognized that their existing comprehensive privacy laws, while robust in many areas, lacked specific prohibitions against the commercial exploitation of location intelligence. In Virginia, the debate centered on whether the existing definition of "sale" in the VCDPA was sufficient. The VCDPA had historically defined a "sale" narrowly, requiring an exchange of personal data for "monetary consideration." Privacy advocates argued that this definition was too restrictive, allowing companies to argue that bartering data for services or other valuable considerations was not a "sale." Consequently, they pushed for explicit statutory language banning the practice entirely, regardless of the definition of sale.
"The distinction between a 'sale' and an 'exchange of value' was always a theoretical legal nuance that had devastating practical consequences for consumer privacy. By explicitly banning the sale of geolocation data, Virginia is removing the ambiguity that data brokers relied upon to justify their business models. This isn't just about compliance; it's about recognizing that location data is not a standard commodity." — Sarah Jenkins, Senior Policy Analyst at the Center for Digital Rights
The legislative process in Virginia was marked by intense lobbying from both the privacy advocacy community and the ad-tech industry. Proponents of the bill, including digital rights groups, argued that geolocation data is uniquely sensitive because it can reveal health conditions (visits to clinics), religious beliefs (visits to places of worship), and political activities (attendance at protests). Opponents, primarily representing app developers and data aggregators, warned of increased compliance costs and potential innovation stifling. However, the bipartisan support for consumer protection ultimately prevailed, leading to the unanimous passage of S.B. 388 before Governor Spanberger’s signature.
What Actually Changed
The amendment introduced by S.B. 388 makes a specific addition to the Virginia Consumer Data Protection Act. It explicitly prohibits controllers from selling geolocation data. To understand the operational impact, we must dissect the specific definitions and scope of this change. Unlike some other states that have adopted a broad definition of "sale" that includes any exchange of data for "valuable consideration," Virginia maintains its stricter, narrower definition. Under the VCDPA, a "sale" is defined specifically as "the exchange of personal data for monetary consideration by the controller to a third party." This means that if a company provides geolocation data to another entity in exchange for cash, that transaction is illegal under Virginia law once the ban takes effect.
However, the ban on geolocation data sales applies regardless of whether the transaction fits the narrow definition of a "sale" in other contexts. The law targets the act of selling this specific type of data. Here are the key changes introduced by the legislation:
- Prohibition on Monetary Exchange: Controllers may no longer exchange personal geolocation data for money with third parties. This covers direct sales, but also indirect payments where the data is the currency.
- Definition Clarity: The law reinforces that "geolocation data" falls under the umbrella of personal data within the VCDPA, ensuring that the ban is enforceable under the existing framework without needing new definitions for location tracking.
- Effective Date Implementation Window: The ban goes into effect on July 1, 2026. This provides a three-month window from the signing date (April 13, 2026) for companies to audit their data flows, although the full compliance cycle typically begins earlier with the broader VCDPA enforcement timeline.
- Alignment with Peer States: While Virginia’s definition of "sale" remains narrower than Maryland and Oregon’s (which include "other valuable consideration"), the outcome is similar: the commercial exploitation of location data is curtailed. This creates a consistent regional standard, even if the legal phrasing differs slightly.
It is crucial to note what this law does not do. It does not ban the collection of geolocation data, nor does it ban its use for internal purposes such as navigation services, fraud detection, or improving app functionality. A ride-sharing app can still use your location to route your driver. A weather app can still use your city to provide forecasts. The ban is strictly on the sale of that data to third parties for their own use. This distinction is vital for businesses to understand; they are not being forced to stop tracking users, but they are being forced to stop monetizing that tracking by selling the raw or processed data to advertisers, data brokers, or other external entities.
The narrow definition of "sale" in Virginia creates a unique compliance challenge. Because it excludes non-monetary exchanges, companies might attempt to structure deals involving data-for-service swaps to bypass the spirit of the law. However, regulators are likely to view such arrangements skeptically if the intent is clearly commercial exploitation. The FTC’s prior actions suggest that enforcement agencies will look at the substance of the transaction rather than just the label. Therefore, while the letter of the law focuses on monetary consideration, the practical implication is a near-total halt on the commercial trading of location intelligence within Virginia’s jurisdiction.
Impact on Developers
For software engineers and developers building applications that operate in Virginia, S.B. 388 requires a fundamental re-evaluation of data architecture. The era of "collect everything, sort it out later" is over for location data. Developers must implement strict data governance controls at the ingestion level. If an application collects geolocation data, it must be tagged immediately as "restricted" or "non-saleable." This tagging must propagate through the entire data pipeline, from mobile SDKs to backend databases and analytics platforms.
One of the most significant technical challenges is ensuring that third-party libraries and SDKs, which often handle data collection on behalf of the app developer, comply with this restriction. Many apps rely on ad networks, analytics providers, or customer support tools that may attempt to ingest location data. Developers must audit these integrations to ensure that the data flow stops at the application boundary. If a third-party SDK is designed to send location pings to its own servers for profiling, the developer is liable under the VCDPA unless they have taken reasonable steps to prevent this.
```python
# Example: Implementing a geolocation data filter in a data ingestion pipeline
def ingest_user_data(user_payload):
    """
    Filters out geolocation data before processing or storage
    to ensure compliance with VA S.B. 388.
    """
    # List of fields identified as geolocation data
    restricted_fields = ['latitude', 'longitude', 'gps_coordinates',
                         'beacon_signal_strength', 'wifi_ssid_location']
    clean_payload = {}
    for key, value in user_payload.items():
        if key in restricted_fields:
            # Option 1: Drop the field entirely
            # Option 2: Anonymize/Generalize if needed for internal logic
            # e.g., convert precise coordinates to ZIP code
            # clean_payload['zip_code_only'] = generalize_to_zip(value)
            continue
        else:
            clean_payload[key] = value
    return clean_payload

# Usage
raw_data = {"user_id": 123, "latitude": 37.7749, "longitude": -122.4194, "purchase_amount": 50}
safe_data = ingest_user_data(raw_data)
# safe_data will now contain only {'user_id': 123, 'purchase_amount': 50}
```
Developers must also update their privacy policies and user consent interfaces. If an app previously stated that it might share location data with partners, those statements must be revised. More importantly, the technical implementation of consent management platforms (CMPs) must be updated to block the transmission of location data to any third-party endpoint that is not explicitly necessary for the core function of the app. This requires granular control over API calls. Network monitoring tools should be integrated into the development lifecycle to detect unauthorized data exfiltration attempts, particularly from background processes.
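The tagging at ingestion and the blocking of third-party transmission described in this section can be combined into one egress gate. The sketch below is an added example, not code from the original post: the `Destination` registry, its `paid` and `core_function` attributes, and the sample records are assumptions made for illustration, and it treats all geolocation data as non-saleable regardless of the user's state.

```python
from dataclasses import dataclass

# Geolocation field names, taken from the page's ingestion filter.
GEO_FIELDS = frozenset({"latitude", "longitude", "gps_coordinates",
                        "beacon_signal_strength", "wifi_ssid_location"})
NON_SALEABLE = "non-saleable"


@dataclass(frozen=True)
class Destination:
    """Hypothetical sink registry entry; every attribute is an assumption."""
    name: str
    third_party: bool
    paid: bool = False           # recipient pays for the data
    core_function: bool = False  # transfer is needed to deliver the app's service


@dataclass(frozen=True)
class TaggedRecord:
    data: dict
    tags: frozenset = frozenset()


def tag_at_ingestion(payload):
    """Keep the data for internal use, but mark it as it enters the pipeline."""
    tags = {NON_SALEABLE} if payload.keys() & GEO_FIELDS else set()
    return TaggedRecord(dict(payload), frozenset(tags))


def derive(source, new_data):
    """Build a transformed record that inherits its source's tags.

    Aggregates and renamed fields (visit counts, ZIP codes) no longer match
    GEO_FIELDS by name, so the tag is what carries the restriction forward.
    """
    return TaggedRecord(dict(new_data), source.tags)


def decide(record, dest):
    """Return (allowed, reason) for sending `record` to `dest`."""
    if not dest.third_party:
        return True, "internal use"
    if NON_SALEABLE not in record.tags:
        return True, "no geolocation lineage"
    if dest.paid:
        return False, "sale of geolocation data"
    if not dest.core_function:
        return False, "third party not needed for core function"
    return True, "core-function processing"


def export(record, dest, audit_log):
    """Gate every outbound transfer and record the decision for audits."""
    allowed, reason = decide(record, dest)
    audit_log.append({"dest": dest.name, "allowed": allowed, "reason": reason})
    return record.data if allowed else None


# Constructed sample records and destinations, for illustration only.
PING = tag_at_ingestion({"user_id": 123, "latitude": 38.03, "longitude": -78.48})
VISITS = derive(PING, {"user_id": 123, "store_visits_last_30d": 7})
BROKER = Destination("data-broker", third_party=True, paid=True)
AD_SDK = Destination("ad-sdk", third_party=True)
ROUTING = Destination("routing-api", third_party=True, core_function=True)
WAREHOUSE = Destination("internal-warehouse", third_party=False)
```

A field-name filter applied at the export step would pass `VISITS` because it contains no coordinate fields; the inherited tag is what stops it from reaching the paid destination.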
The impact extends to data retention strategies. Since location data can no longer be sold, its primary value to the business may diminish unless it is used for immediate, internal optimization. This suggests that developers should adopt shorter retention periods for geolocation data. Storing historical location trails poses a higher risk profile and offers diminishing returns if the data cannot be monetized externally. By reducing the volume and duration of stored location data, developers can significantly lower their liability exposure and reduce storage costs.
Impact on Businesses
For business leaders and executives, the implications of S.B. 388 are strategic and financial. The geolocation data market was a lucrative segment of the data brokerage industry, with companies paying premium prices for aggregated movement patterns. The ban eliminates this revenue stream for any business operating in Virginia that relied on selling this data. For large tech companies, the loss may be marginal compared to other revenue sources. However, for smaller data aggregators and niche analytics firms, this could be existential. These businesses must pivot their models away from data resale and toward value-added services that do not involve the transfer of raw location data.
Compliance costs will rise initially. Businesses must invest in legal counsel to review contracts, update terms of service, and train staff. They must also invest in technology solutions to map data flows and enforce restrictions. However, these are one-time or recurring operational costs that are likely far lower than the potential fines associated with violating the VCDPA. The VCDPA allows for civil penalties of up to $7,500 per intentional violation. Given the volume of data involved in location tracking, a single breach could result in millions of dollars in fines.
"The ban on selling geolocation data forces a shift from a data-hoarding business model to a trust-based model. Companies that previously viewed user location as a free asset to be mined and sold must now view it as a sensitive trust signal. This will likely lead to better user experiences and higher retention rates, as consumers become more comfortable with brands that respect their physical privacy." — Michael Torres, Chief Privacy Officer at a Major Retail Tech Firm
From a competitive standpoint, early compliance can be a marketing advantage. Businesses in Virginia can highlight their adherence to the strictest location privacy standards in the nation. This is particularly relevant for industries like healthcare, fitness, and social networking, where location data is frequently collected. By proactively adopting these standards, companies can differentiate themselves from competitors who may be slower to adapt or who operate in jurisdictions with weaker protections.
Furthermore, businesses must reassess their partnerships. Many companies have existing contracts with data brokers or advertising partners that include clauses allowing for the sharing of location data. These contracts must be renegotiated or terminated before July 1, 2026. Legal teams need to conduct thorough due diligence on all third-party vendors to ensure they are not acting as agents that facilitate the sale of prohibited data. If a vendor is found to be selling location data derived from Virginia residents, the originating company could be held liable as the "controller" under the VCDPA. This requires a rigorous vendor management program that includes regular audits of data handling practices.
Practical Examples
To illustrate the real-world application of S.B. 388, consider the following scenarios involving different types of businesses and their data handling practices.
Example 1: The Fitness Tracker App
A popular fitness tracking app allows users to log their runs and walks. Previously, the app’s terms of service allowed it to sell aggregated movement patterns to urban planning firms and real estate developers to help them understand foot traffic in neighborhoods. Under the new Virginia law, this practice is illegal for any Virginia resident’s data.
Step-by-Step Compliance Action:
- Data Mapping: The app identifies all data points related to user routes and frequency of visits.
- Contract Review: Legal reviews existing agreements with urban planning clients. Contracts containing provisions for the sale of location-derived data are flagged for termination.
- Technical Restriction: The backend database is updated to flag user profiles from Virginia as "non-saleable." Any automated process attempting to package and send this data to third parties is blocked.
- User Communication: The app updates its privacy policy to remove the clause about selling data to urban planners. A notification is sent to Virginia users explaining that their location data will no longer be shared for commercial resale.
- Alternative Revenue: The company explores new revenue streams, such as offering premium features to users (e.g., advanced training analytics) instead of relying on data sales.
Example 2: The Retail Loyalty Program
A large retail chain operates a loyalty program that tracks customers’ in-store visits and purchase histories. They previously sold this data to credit card companies to help them target promotions. The data included the specific times and locations of store visits.
Step-by-Step Compliance Action:
- Definition Check: The company determines that "store visits" constitute geolocation data under the VCDPA.
- Scope Analysis: The ban applies to the sale of this data. The company can still use the data internally to improve inventory management or personalize offers for the customer.
- Vendor Audit: The company audits its contract with the credit card partner. The agreement is amended to exclude the transfer of specific location timestamps and store visit IDs. Only anonymized, aggregated demographic trends (without location precision) may be shared, provided they do not meet the definition of geolocation data.
- Consent Management: The loyalty app’s consent screen is updated. Users are asked for explicit consent for any data sharing that does not fall under the core service provision. Consent for the previous data sale arrangement is revoked.
- Training: Customer support and marketing teams are trained to answer questions about why certain personalized location-based ads may no longer appear, emphasizing the shift to privacy-first practices.
Example 3: The Smart Home Device Manufacturer
A manufacturer of smart home devices collects location data to enable "geofencing" features, such as automatically turning off lights when the homeowner leaves the house. They previously sold this "presence data" to security companies for risk assessment.
Step-by-Step Compliance Action:
- Functional Assessment: The company confirms that geofencing is a core feature necessary for the device’s operation. Therefore, collecting and processing this data for internal use remains legal.
- Prohibition Enforcement: The company halts all sales of presence data to security firms. This revenue stream is discontinued.
- Data Minimization: The company implements a default setting where location data is deleted from local storage after 24 hours, unless the user opts to keep it for historical analysis. This reduces the amount of sensitive data held.
- Third-Party Integration: The company works with its cloud provider to ensure that no metadata related to location is passed to third-party advertising networks.
- Transparency Report: The company publishes an annual transparency report detailing how much location data was requested by law enforcement versus how much was sold (now zero), reinforcing its commitment to privacy.
Common Misconceptions
Despite the clarity of the law, several misconceptions persist among developers and businesses regarding the scope and impact of S.B. 388.
Myth: The law bans all collection of geolocation data.
Reality: The law only bans the sale of geolocation data. Apps and services can still collect and use location data for their core functionalities, such as navigation, weather forecasting, or fraud prevention, provided they do not sell that data to third parties for monetary consideration.
Myth: "Monetary consideration" only means direct cash payments.
Reality: While the VCDPA defines "sale" narrowly as exchange for monetary consideration, the intent of the law is to stop commercial exploitation. Regulators may interpret indirect financial benefits, such as reduced fees or enhanced service tiers tied to data sharing, as falling under the purview of prohibited transactions. Additionally, the FTC’s broader stance suggests that any valuable consideration could be scrutinized.
Myth: Anonymized location data is exempt from the ban.
Reality: If the data can be reasonably linked back to an individual or device, it is still considered personal data under the VCDPA. Simple aggregation or stripping of names is not sufficient to anonymize geolocation data, which can be highly re-identifiable. Companies cannot bypass the ban by claiming their location data is "anonymous."
Myth: The law only applies to Virginia-based companies.
Reality: The VCDPA applies to any controller or processor that conducts business in Virginia or produces products or services that are targeted to Virginia residents, regardless of where the company is physically located. A company based in California that sells a fitness app to Virginia users must comply with this ban.
Myth: Consent can override the ban on selling geolocation data.
Reality: In Virginia, certain prohibitions are absolute. While the VCDPA generally allows for consent-based processing, the specific ban on the sale of geolocation data is a substantive restriction. Even if a user explicitly consents to the sale of their location data, the controller is still prohibited from engaging in that transaction. Consent cannot legalize a prohibited act.
5 Actionable Takeaways
- Audit Your Data Inventory — Conduct a comprehensive inventory of all geolocation data you collect, store, and share, identifying exactly where it flows within your organization and to whom.
- Update Vendor Contracts — Review all third-party agreements to ensure they do not permit the sale of Virginia residents' location data, and renegotiate or terminate those that do.
- Implement Technical Controls — Deploy filtering mechanisms in your data pipelines to automatically block the transmission of geolocation data to external entities, especially ad networks and data brokers.
- Revise Privacy Policies — Update your privacy notices to clearly state that you do not sell geolocation data, and remove any language that previously permitted such sales.
- Train Your Teams — Educate engineering, legal, and marketing teams on the specifics of S.B. 388 to ensure that compliance is maintained across all departments and product updates.
What's Next
The enactment of S.B. 388 is likely to accelerate legislative efforts in other states. California, which has been investigating the location data industry, may introduce similar bans in future sessions. Massachusetts, Vermont, and Washington State have already proposed legislation with similar goals. This wave of state-level regulation could lead to a de facto national standard, as companies prefer to adopt a single, high-bar compliance framework rather than managing a patchwork of conflicting laws. The European Union’s GDPR has already set a precedent for strict location privacy, and the US is beginning to mirror these protections in sp