Has your business team proposed selling consumer data that includes geolocation information? Not sure? If you have Virginia-based consumers, beware. SB 338, which was recently signed into law, will amend Virginia’s privacy law.
Starting July 1, 2026, companies covered by the law may not sell (or offer to sell) a consumer’s precise geolocation data. Before SB 338, geolocation data was treated like any other sensitive identifier. Meaning that, in the first instance, as a type of personal information people needed be given notice and the opportunity to opt out of data sales. Additionally, as a sensitive identifier, companies also had to get consent to use the data elements. As amended, geolocation data will be treated in a way unlike other personal or sensitive identifiers. Sales will be prohibited regardless of the notices and choices provided.
In sum, what the amendment covers:
- Only “precise” location data. The change applies only to precise location data. Meaning data that can pinpoint someone’s location within about a 1,750-foot radius. More general or grouped (aggregated) location data may not fall under the ban.
- It bans “sale,” not all sharing. Virginia’s law defines a “sale” as an exchange for money, and it includes some exceptions. Still, many data-licensing deals and some ad-tech transfers can count as a sale
- Buyers have risk too. If your company buys or receives precise location datasets, you should make sure the data was collected and shared legally.
This change mirrors concerns about precise location data we have seen expressed by regulators, including the FTC. And, changes we have seen in the state privacy laws of Maryland and Oregon.
Putting it into Practice: This change could signal a growing trend to banning sales of precise geolocation data. These laws are a reminder to review current geolocation data practices. Finding the business teams who may be collecting this information, and matching them with the teams that might be involved in data sharing, is a good place to start.
