Virginia bans sale of geolocation data

toomuchtodo 663 points 114 comments July 02, 2026
www.hunton.com · View on Hacker News

Discussion Highlights (20 comments)

toomuchtodo

Bill: https://lis.virginia.gov/bill-details/20261/SB338/text/SB338 > Virginia follows Maryland and Oregon in banning the sale of geolocation data. Both Maryland and Oregon more broadly define “sale” to mean the exchange of personal data “for monetary or other valuable consideration.” Virginia joins several other states that have recently proposed legislation with similar bans, including California, Massachusetts, Vermont and Washington State. The legislative activity follows regulatory scrutiny on the sale of geolocation data, including the California Attorney General’s investigation into the location data industry in March 2025, and a 2024 FTC settlement banning a data broker from selling geolocation data. (i could not find a state legislation tracker regarding this type of legislation, please feel free to drop it in a reply if you find one!)

janalsncm

Note that this article is from April and the ban went into effect July 1.

nekusar

So, instead you buy a "custom computer", and the data is completely free! Its like how FLOCK gets around pesky data laws. The devices coat a lot, but the software dashboard access is "Completely free*"

peter303

NYTimes article a few years ago on how car insurance companies were using such data. Tracking sudden stoos, driving at night, driving faster than 80 mph, etc.

dv_dt

So let's say a Delaware incorporated company sells location data that happens to be collected in Virginia, but its sold from the corporation with no operations in Virginia. What happens? On the other hand us-east-1 is in Virginia with who knows how many payment processing servers running.

raychis

Honestly, it’s wild that selling people’s precise location data was ever treated like a normal business model. We already know massive data harvesting has happened. Laws like this are just the bare minimum for catching up. Would be nice if they could bring in laws that would punish these companies out of existence, but I doubt it.

danielrmay

A good start. From 2024: "A company allegedly tracked people’s visits to nearly 600 Planned Parenthood locations across 48 states and provided that data for one of the largest anti-abortion ad campaigns in the nation, according to an investigation" - https://www.politico.com/news/2024/02/13/planned-parenthood-...

petercooper

I was intrigued, because even a broad location given for an IP address is "geolocation data", but the law says "precise geolocation data" which limits it to device-reported data, I assume.

lysace

This is going to spread like wildfire. ("We can do that?")

heroprotagonist

Great, now you have to ban sharing of it, or banning sale is worthless. Or rather, only worthwhile as a straw-man you can point to and say "Look, we stopped it!" when you know that's false.

throwaway85825

*except sale to the government?

jmward01

Given the actual informed and uncoerced choice, people say no to this kind of collection and especially its sale or use for any purpose other than the explicit service they thought they were allowing it for (navigation, setting the time, etc etc). This is true for basically all information collected. I'm glad to see there is some minor protection language being included but it needs to have real teeth and get to the point. If you collect data from me under false pretenses or using coercive methods (you can't use the thing you just paid a lot of money for if you say no) you will not only be fined but criminally prosecuted.

avarun

As long as this is actually about "sale" of data and actually imposes strict limits on data brokers and all the nefarious actors out there, I am all for it. If it's more similar to the California law, which just calls all uses of data "selling data" and just ends up muddying the waters without actually imposing any regulations of value on the bad actors in the industry, then that would be a shame. There is value to actually keeping the meaning of words clear and consistent. I have no issues with Google using its first-party Google Maps data to serve me better recommendations. I have massive issues with AT&T selling aggregated geolocation data that makes it easy to identify individuals to third parties. I hope this is a clear path towards banning the latter without touching the former.

nickvec

Have any other states banned the sale of geolocation data?

erentz

What is the rationale for going to the trouble of such a law but only banning sale, rather than all sharing?

macinjosh

What a coincidence that northern Virginia is spy central.

CodeByBryant

This is an actually great move.

deaton

I cant wait for the feds to sue them for.. something

bflesch

That's a step into the right direction. I can only imagine how much pain has been inflicted with metadata.

Pxtl

What I find confusing is that I know an infinite plethora of companies have geolocation data in everyone.... But I look at my fairly-stock Pixel phone and the only things with background geolocation permissions are Google apps, and I know google famously hoards that data like a dragon. Is it just that people are happily allowing every app access to live geoloc data even in background? Is there some edge where "while in use" apps are "in use" during cases you wouldn't think they are? Is it my Samsung watch?

Semantic search powered by Rivestack pgvector
14,015 stories · 131,331 chunks indexed