Virginia's amended Consumer Data Protection Act (VCDPA) took effect on July 1, 2026, formally prohibiting the sale of consumers' precise geolocation data. The change comes three months after Governor Abigail Spanberger signed Senate Bill 338 into law on April 13, making Virginia the third US state — after Maryland and Oregon — to outlaw the commercial trade of location information precise enough to identify a person within a 1,750-foot radius.
The law is the most concrete US response yet to a decade of revelations about how smartphone location data has been packaged and resold by data brokers, often without meaningful consumer knowledge. It is also one of the first state-level actions to explicitly take aim at the location data supply chain that has powered ad-tech, retail-analytics, and even government contracting in recent years.
What the new VCDPA amendment actually does
Senate Bill 338 amends the VCDPA — Virginia's comprehensive consumer privacy statute that took effect in January 2023 — to add a single hard prohibition: a controller of personal data may not sell or offer to sell precise geolocation data concerning a consumer. The bill defines "precise geolocation data" as information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet (about a third of a mile).
Notably, the amendment does not require companies to delete the data they hold, nor does it impose a private right of action. Enforcement sits exclusively with the Virginia Attorney General, consistent with the VCDPA's existing enforcement framework. Each violation can attract civil penalties under the state's consumer protection statutes.
The change is narrower than what consumer advocates initially proposed. An earlier version of the bill would have modified the VCDPA's enforcement provisions to give the Attorney General faster injunctive tools. That language was stripped during the legislative process; the law that passed the General Assembly unanimously in both chambers (Senate 39-0, House 96-0) focuses on the substantive prohibition alone.
Why Virginia, why now
Virginia was the second US state, behind California, to enact a comprehensive consumer privacy law, and the VCDPA has been a frequent template for newer state statutes. The decision to add a geolocation ban reflects two converging pressures.
First, documented broker activity. Investigative reporting and FTC enforcement actions over the last three years have repeatedly shown that even after consumers decline location tracking on a single app, the same data is often repackaged by software development kits (SDKs) embedded in weather, navigation, and seemingly innocuous utilities, then sold through brokers to hedge funds, marketers, and law enforcement. The Virginia amendment is built around the assumption that opt-in consent at the app level has not worked as a containment mechanism.
Second, federal inertia. Congress has failed to advance a federal comprehensive privacy law, and the American Privacy Rights Act reintroduced in 2024 has not progressed. That has forced state legislatures to fill the gap with targeted statutes, often focused on the most sensitive data categories. Geolocation, in this framing, is the second-tier fight after biometric data, which several states have already constrained.
Spanberger, a Democrat who took over from Republican Glenn Youngkin in January, framed the bill signing as a consumer protection priority. Her predecessor had a record of vetoing bills that sought to constrain the technology industry, including a similar measure that passed the legislature in 2025 but was never advanced in the House.
How Virginia's law compares to Maryland and Oregon
Maryland and Oregon both enacted similar prohibitions earlier in this legislative cycle, but the three statutes differ in scope, in ways that will matter to compliance teams operating nationally.
| State | Virginia (SB 338) |
| --- | --- |
| Effective date | July 1, 2026 |
| Definition of "sale" | Exchange for monetary consideration only |
| Enforcement | Virginia Attorney General only |
| Private right of action | No |
| Exempt entities | HIPAA-covered entities, GLBA-regulated financial institutions, Driver's Privacy Protection Act scope |
Virginia defines "sale" more narrowly than either Maryland or Oregon. Both of those states treat the exchange of personal data for "monetary or other valuable consideration" as a sale, which is broad enough to capture data-for-access and data-for-services swaps. Virginia's narrower monetary-only definition means that purely barter-based transfers of location data may not trigger the prohibition, although a separate analysis would be required for any specific arrangement. For controllers operating across multiple states, the most defensible posture is the Maryland/Oregon standard, which satisfies all three.
The national map of geolocation legislation
Virginia now joins a growing patchwork. According to the National Conference of State Legislatures, at least California, Connecticut, Massachusetts, Maine, Vermont, and Washington state are considering comparable bans during the 2026 session. Consumer Reports has released model legislation — the State Location Privacy Act — and is actively lobbying in several of those states. The legislative trend is bipartisan: even in states with Republican-controlled legislatures, location-data restrictions have polled strongly among both parties.
The federal picture remains less clear. The Federal Trade Commission has stepped up enforcement against data brokers in recent years, securing settlements with firms including Kochava and InMarket over the sale of sensitive location data tied to reproductive health clinics, religious organizations, and political gatherings. But the FTC's actions have been reactive, tied to specific harm cases, and the Commission has not yet promulgated a blanket location-data rule of the kind the FTC's Section 5 authority would allow.
What this means for India and global readers
The US state-level approach to geolocation matters internationally for two reasons. First, US data brokers are global suppliers: a location dataset collected from a US user's phone can be resold to firms in Europe, India, and Latin America, and the rights attached to that data are governed by the jurisdiction of collection. As more US states restrict the sale of precise geolocation, the effective global supply of that data is contracting — which will force ad-tech platforms and analytics vendors to re-engineer their supply chains.
Second, the categories being defined in US state law are becoming de facto templates for jurisdictions elsewhere. India's Digital Personal Data Protection Act, 2023, already treats location data as a category of personal data requiring consent, and the new rules notified in 2025 explicitly list location as a data item that triggers higher processing requirements. Indian compliance teams that have been waiting for clearer subcategories of sensitive data should now treat geolocation as firmly in the high-risk column.
Frequently Asked Questions
What is "precise geolocation data" under the new Virginia law?
Information that can identify a person's location within a 1,750-foot (about 0.33-mile) radius, including GPS latitude and longitude coordinates and similar high-accuracy signals. Coarse location data — city-level, ZIP-code-level, or IP-derived location — is not covered by SB 338.
Does the law apply to my business if I'm not based in Virginia?
The VCDPA applies to controllers that conduct business in Virginia or that produce products or services targeted to Virginia residents, and that meet at least one of several thresholds, including processing the personal data of at least 100,000 Virginia consumers in a calendar year. The geolocation amendment inherits that scope.
Is there a private right of action?
No. SB 338 follows the VCDPA's existing enforcement model, which is limited to the Virginia Attorney General. Consumers cannot sue directly, but they can file complaints with the Office of the Attorney General, which has the authority to investigate and bring civil actions.
How does this compare to India's DPDP rules?
India's Digital Personal Data Protection Act, 2023, requires explicit consent for the processing of personal data, including location. The 2025 Draft Rules classify certain data items as requiring higher safeguards. Geolocation is not yet on India's official "sensitive" list, but the US state-level precedents make it increasingly likely that location data will be treated as a heightened-risk category when India's final rules are notified.
Sources:
- Hunton Andrews Kurth — Virginia Bans Sale of Geolocation Data (April 16, 2026)
- Regulatory Oversight — Virginia Becomes Third State to Ban Sale of Consumers' Precise Geolocation Data
- Consumer Reports — Virginia Governor signs landmark location privacy bill into law (April 14, 2026)
- The Record — Virginia enacts ban on precise geolocation data sales as momentum for similar prohibitions builds
- Code of Virginia — Consumer Data Protection Act, Chapter 53
- PrivacyLawMap — Virginia SB 338: Banning the Sale of Precise Geolocation Data



