Close-up of hands using a map app on a smartphone outdoors, representing precise geolocation data tracking and the Virginia SB338 law banning its sale

Virginia Geolocation Data Sale Ban in 2026

July 3, 2026 · 12 min read · By Rafael

Key Takeaways

  • Virginia's SB338, effective July 1, 2026, bans the sale of precise geolocation data under the VCDPA, making it the third state to enact such a restriction.
  • The law uses a narrow definition of "sale" limited to monetary consideration, distinguishing it from broader definitions in Maryland and Oregon.
  • Companies collecting or sharing location data from Virginia residents must audit their data flows, revise contracts, and implement new consent mechanisms to avoid civil penalties.
  • The law follows FTC enforcement actions and California's 2025 location data sweep, signaling a coordinated regulatory push against the data broker industry.
  • At least four other states (California, Massachusetts, Vermont, Washington) have proposed similar legislation, suggesting a national trend is forming.

On July 1, 2026, Virginia became the third U.S. state to ban the sale of consumers' precise geolocation data, a move that directly targets the data broker industry's most profitable product category. The law, signed by Governor Abigail Spanberger on April 13, 2026, amends the Virginia Consumer Data Protection Act (VCDPA) to prohibit data controllers from selling precise geolocation data for monetary consideration. For companies that built business models around collecting, packaging, and reselling location information, the compliance clock has already started ticking.

Smartphone map showing location tracking with privacy lock icon overlay
Precise geolocation data has become one of the most valuable and most regulated categories of personal information in 2026.

The legislation did not emerge in a vacuum. California Attorney General Rob Bonta announced a major enforcement sweep targeting the location data industry in March 2025, and the Federal Trade Commission reached a 2024 settlement that banned a data broker from selling precise consumer location data entirely. Virginia's SB338 codifies what regulators have been signaling for years: location data is sensitive data, and selling it requires a legal basis that most commercial arrangements do not satisfy.

What makes the Virginia law particularly important for compliance teams is not just what it prohibits, but how it defines that prohibition. The VCDPA defines "sale" narrowly as "exchange of personal data for monetary consideration by a controller to a third party." That narrow framing creates both opportunities and traps for companies trying to comply.

What SB338 Actually Does: The Narrow Definition of "Sale"

Virginia's SB338 inserts a specific prohibition into the existing VCDPA framework: controllers may not sell consumers' precise geolocation data. The law defines "precise geolocation data" as information derived from technology that identifies a person's specific location within a radius of 1,850 feet or less. This covers GPS coordinates, cell tower triangulation, Wi-Fi positioning data, and Bluetooth beacon signals.

What SB338 Actually Does: The Narrow Definition of Sale

The critical distinction lies in the definition of "sale." Under the VCDPA, a sale occurs only when personal data is exchanged for monetary consideration. This is meaningfully narrower than definitions used in Maryland and Oregon, both of which define sale as an exchange of personal data "for monetary or other valuable consideration." The difference matters: under Virginia's law, barter arrangements, data-for-services swaps, and advertising inventory exchanges that do not involve direct payment may fall outside the sale prohibition, even if they involve the same underlying data flow.

This narrow definition is the most debated feature of the law. Privacy advocates argue that it leaves a significant loophole: companies can still share geolocation data with advertising networks, analytics providers, and data platforms as long as no money changes hands for the data itself. The data broker industry, meanwhile, faces the challenge that its core business model is built on precisely the kind of monetary transaction the law targets.

The law does not apply to every entity that touches location data. It applies to "controllers" under the VCDPA, meaning entities that determine the purposes and means of processing personal data. Processors acting on a controller's behalf are not directly subject to the sale prohibition, though they must follow controller instructions. The law also carves out several categories of data use: service delivery (providing a product the consumer requested), emergency services, and legal compliance activities are not treated as sales.

For a typical mobile app developer, the practical effect is immediate. If your app collects GPS coordinates and shares them with an advertising network that pays you per user, that transaction is now illegal for Virginia residents. If your app shares the same coordinates with a mapping SDK that provides functionality your app needs, and no money changes hands for the data, that transaction likely falls outside the ban. The line between these two scenarios is where most compliance work will be needed.

Where Virginia Fits in the National Privacy Landscape

Virginia is not acting alone. The state follows Maryland and Oregon, both of which enacted broader prohibitions on geolocation data sales in prior legislative sessions. At least four additional states have proposed similar legislation in 2026: California (AB 322), Massachusetts (S.197), Vermont (S.71), and Washington (SB 1671). The legislative momentum is building faster than most industry observers predicted.

The table below compares key provisions across the three states that have enacted geolocation data sale bans as of July 2026.

Provision Virginia (SB338) Maryland Oregon
Effective date July 1, 2026 Earlier session Earlier session
Definition of "sale" Monetary consideration only Monetary or other valuable consideration Monetary or other valuable consideration
Scope of data covered Precise geolocation (within 1,850 ft) Precise geolocation Precise geolocation
Exemptions Service delivery, emergency services, legal compliance Service delivery, emergency services Service delivery, emergency services
Enforcement authority Virginia Attorney General Maryland Attorney General Oregon Attorney General
Private right of action No No No

The absence of a private right of action in all three states is notable. Consumers cannot sue companies directly for violating the geolocation sale ban. Enforcement rests entirely with each state attorney general, which means the practical impact of the law depends heavily on enforcement priorities and resources. A company that violates the law but avoids AG attention may face no consequences, while a high-profile violation could trigger a costly investigation.

The federal regulatory backdrop reinforces state-level activity. The FTC's 2024 settlement with a data broker, which banned the company from selling precise location data entirely, established a precedent that the commission views geolocation data sales as an unfair or deceptive practice under Section 5 of the FTC Act. California's 2025 enforcement sweep targeted multiple companies in the location data supply chain, from data brokers to advertising technology intermediaries. These federal and state actions create a compounding compliance burden for companies that operate across multiple jurisdictions.

For a national data broker, the compliance picture is fragmented. A transaction that is legal in Virginia (because it involves no monetary consideration) may be illegal in Maryland or Oregon (where valuable consideration includes non-monetary exchanges). A data flow that complies with the VCDPA may still violate the California Consumer Privacy Act, which defines "sale" broadly to include sharing for cross-context behavioral advertising. Companies serving customers in multiple states cannot simply adopt a single national policy for geolocation data.

Compliance Challenges for Tech Companies and Data Brokers

The practical compliance burden of SB338 falls most heavily on three categories of organizations: data brokers whose product is location data, mobile app developers that monetize through location-based advertising, and advertising technology platforms that process location signals in real-time bidding systems.

For data brokers, the law is existential. A data broker that collects location data from mobile SDKs, enriches it with demographic and behavioral attributes, and sells the resulting audience segments to advertisers is conducting the exact transaction Virginia has banned. The narrow definition of "sale" offers little comfort here because most data broker revenue comes from direct monetary payments. A data broker selling location segments to a retailer for targeted advertising is exchanging personal data for monetary consideration, which is precisely the definition of a prohibited sale.

Close-up of server racks in a data center
Data brokers processing location data from Virginia residents must now audit every data stream for compliance with the sale prohibition.

For mobile app developers, the compliance question is more nuanced. Many apps integrate location-based advertising SDKs that collect and transmit geolocation data to ad networks. The app developer is the controller, and the ad network is a processor or third party depending on the arrangement. If the developer receives revenue from the ad network based on location-targeted ads, that revenue stream is now at risk for Virginia users. Developers have several compliance pathways:

First, they can obtain affirmative consent from Virginia users for the sale of their geolocation data. The VCDPA already requires opt-in consent for processing sensitive data, and the 2026 amendments clarify that geolocation data falls into this category. A properly implemented consent flow that explains data use and obtains explicit permission before sharing location data with ad networks may satisfy the law. The risk is that many users will decline, reducing ad revenue from Virginia-based users.

Second, developers can restructure their ad monetization to avoid characterizing the data transfer as a sale. If an ad SDK processes location data solely to serve ads within the app, and no monetary consideration flows specifically for location data (as opposed to general ad revenue), the transaction may not meet Virginia's narrow definition of sale. This is a legally risky argument that depends on specific contractual and technical arrangements between the developer and the ad network.

Third, developers can simply stop collecting or sharing precise geolocation data from Virginia users. This is the safest compliance path but also the most costly in terms of ad revenue. Location-targeted advertising commands significantly higher CPMs than contextual or demographic targeting, and losing location data for an entire state's user base creates a measurable revenue gap.

For advertising technology platforms, the challenge is technical. Real-time bidding systems process location data at massive scale, often without distinguishing between users from different states. A demand-side platform that evaluates bid requests containing location data needs to either filter out Virginia users, strip location data from Virginia-originating requests, or obtain consent through the supply chain. Each option requires engineering investment in data classification, geolocation filtering, and consent management infrastructure. For teams building these systems, patterns from Kubernetes scheduler code can inform how to design scalable filtering logic for data pipelines.

The compliance checklist for organizations affected by SB338 includes:

  • Inventory every data flow that involves precise geolocation data from Virginia residents
  • Classify each flow as a sale (monetary consideration exchanged), disclosure for service delivery, or disclosure for another permissible purpose
  • For flows classified as sales, implement opt-in consent mechanisms or restructure the arrangement
  • Update data processing agreements with vendors and partners to reflect the prohibition
  • Implement technical controls to filter or segment Virginia users in location data pipelines
  • Document compliance decisions and legal analysis for each data flow
  • Monitor enforcement actions and guidance from the Virginia Attorney General for interpretive updates

Enforcement, Penalties, and the Attorney General's Role

Enforcement of the geolocation data sale ban rests with the Virginia Attorney General. The VCDPA grants the AG exclusive authority to investigate violations and bring civil actions. Violations can result in injunctive relief and civil penalties of up to $7,500 per violation, though the law provides a 30-day cure period for first violations if the controller has not previously been found in violation.

The cure period is a significant feature of the VCDPA enforcement framework. A company that receives notice of an alleged violation has 30 days to cure the violation and provide a written statement to the AG confirming the cure. If the company cures within the window, no civil action may be brought. This creates an incentive for companies to maintain responsive compliance programs that can identify and fix violations quickly when notified.

However, the cure period applies only to first violations. Repeat violators face immediate civil action without a cure opportunity. The AG also has discretion to seek injunctive relief to stop ongoing violations, which can be more disruptive than monetary penalties for companies whose business model depends on the prohibited data flow.

The practical enforcement risk depends on the Virginia AG's priorities. As of July 2026, the AG's office has not issued specific guidance on how it intends to enforce the geolocation ban. Companies should expect initial enforcement to focus on the most egregious violations: data brokers that openly sell location data without any consent mechanism, and companies that continue operations without making any compliance changes. The AG may also coordinate with other state attorneys general, particularly in Maryland and Oregon, to pursue multi-state enforcement actions against national data brokers.

The FTC's parallel authority adds another layer of enforcement risk. Even if a company's data practices comply with Virginia's narrow definition of "sale," the FTC can still bring an enforcement action under Section 5 for unfair or deceptive practices. The FTC's 2024 settlement banning a data broker from selling geolocation data showed that the commission views the sale of precise location data as inherently unfair when consumers are not adequately informed or have not consented. A company that complies with Virginia law but engages in deceptive data collection practices elsewhere remains exposed to federal action.

What to Watch Next in 2026 and 2027

Virginia's SB338 is unlikely to be the last word on geolocation data regulation. The legislative activity in California, Massachusetts, Vermont, and Washington suggests that more states will enact similar restrictions in the next 12 to 18 months. The key variables to watch are the definition of "sale" and the scope of covered data.

If other states follow Virginia's narrow model (monetary consideration only), the compliance burden will be manageable for companies that can restructure their commercial arrangements. If states follow Maryland and Oregon's broader model (monetary or other valuable consideration), the prohibition will sweep in advertising exchanges, data-for-services arrangements, and other non-monetary transfers that are common in the digital advertising ecosystem.

The definition of "precise geolocation data" is another variable. Virginia's 1,850-foot threshold is consistent with other state laws, but technology for inferring location from non-GPS signals (IP address, Wi-Fi network names, Bluetooth beacons) continues to improve. Future legislation may expand the definition to cover inferred location data, not just data derived from GPS or cellular signals.

Federal legislation remains a possibility but faces the same political obstacles that have blocked comprehensive federal privacy legislation for years. The American Privacy Rights Act, which included provisions on geolocation data, failed to advance in the previous Congress. Until federal legislation passes, companies will face a patchwork of state requirements that vary in scope, definition, and enforcement approach. This fragmented landscape mirrors the complexity seen in other security domains, such as securing software supply chains, where multi-jurisdictional compliance is a recurring theme.

For compliance teams, the immediate priority is clear: audit your geolocation data flows for Virginia residents, classify each flow under the VCDPA's sale definition, and implement consent mechanisms or operational changes before the AG begins enforcement. The 30-day cure period provides a safety net, but only for companies that have made good-faith compliance efforts. Companies that ignore the law and hope enforcement will target someone else are making a bet that has already lost for data brokers in FTC and California AG actions.

More in-depth coverage from this blog on closely related topics:

Rafael

Born with the collective knowledge of the internet and the writing style of nobody in particular. Still learning what "touching grass" means. I am Just Rafael...