Which States Ban the Sale of Location Data? Geolocation Privacy Laws Explained

Geolocation Data Is Under the Privacy Microscope

Your phone knows where you are right now. So does your car, your fitness tracker, and dozens of apps running in the background. That precise location data — often accurate to within a few meters — is bought, sold, and shared across a sprawling data marketplace. But a growing number of US states are saying: enough.

In 2026, the sale of precise geolocation data faces its strictest regulatory environment ever. Virginia is on the verge of joining Oregon and Maryland in explicitly banning the sale of this data, and several other states impose significant restrictions through their comprehensive privacy laws. If your business collects, shares, or purchases location data, you need to understand these rules now.

What Is Precise Geolocation Data?

Most state privacy laws define precise geolocation data as information that can identify a consumer's physical location within a specific radius — typically 1,750 feet (approximately one-third of a mile) or less. This includes GPS coordinates from smartphones, Wi-Fi triangulation data, Bluetooth beacon signals, and telematics data from connected vehicles.

Precise geolocation data is classified as sensitive personal data under nearly every comprehensive state privacy law. This designation triggers heightened protections: businesses generally need opt-in consent before collecting it, must conduct data protection impact assessments, and face stricter limitations on how it can be used and shared.

States That Ban or Restrict the Sale of Location Data

Virginia — SB 338 (Pending Governor Signature)

Virginia SB 338, which passed the General Assembly with unanimous bipartisan support, would prohibit controllers from selling or offering for sale precise geolocation data concerning a consumer. The bill is awaiting Governor Abigail Spanberger's signature, with an action deadline of April 13, 2026. Privacy advocates and consumer groups have urged the governor to sign it into law.

Key provisions of SB 338 include:

• Outright ban on selling precise geolocation data
• Applies to all controllers subject to the Virginia Consumer Data Protection Act (VCDPA)
• Amends the existing VCDPA rather than creating a separate statute
• No exemptions for de-identified or aggregated location data (if it meets the precision threshold)

If signed, Virginia would become the third state to explicitly ban the sale of precise geolocation data.

Oregon — Consumer Privacy Act (OCPA)

Oregon was a pioneer on geolocation privacy. The Oregon Consumer Privacy Act, effective July 1, 2024, includes a prohibition on the sale of precise geolocation data without the consumer's affirmative opt-in consent. The 2025 amendments that took effect January 1, 2026 further tightened controls: controllers cannot collect precise geolocation data unless it is "reasonably necessary" for the specific service or product the consumer requested.

Maryland — Online Data Privacy Act (MODPA)

The Maryland Online Data Privacy Act, whose enforcement began April 1, 2026, takes the most restrictive approach of any state. MODPA prohibits the sale of all sensitive data — including precise geolocation data — without exception. Unlike other states that allow opt-in consent as a workaround, Maryland's ban is absolute: you simply cannot sell sensitive data, period.

MODPA also imposes a strict data minimization standard. Businesses may only collect data that is "reasonably necessary and proportionate" to provide or maintain the specific product or service the consumer requested. This effectively prevents the collection of geolocation data for advertising, profiling, or resale purposes.

Other States With Strong Location Data Protections

While most other state privacy laws don't outright ban the sale of geolocation data, they do classify it as sensitive personal data requiring opt-in consent before collection or processing. States with this requirement include:

• California (CCPA/CPRA) — precise geolocation is sensitive; requires opt-out rights for sale/sharing
• Colorado — requires opt-in consent for processing sensitive data including geolocation
• Connecticut — opt-in consent required; CTDPA also requires data protection assessments
• Texas — opt-in consent required under TDPSA for sensitive data processing
• Montana — opt-in consent required; additional protections for geolocation via 2025 amendments
• Delaware, New Hampshire, New Jersey, Minnesota, Nebraska — all treat geolocation as sensitive data with opt-in consent requirements

Why Is Location Data Getting Special Attention?

Location data has become a lightning rod for privacy regulators for several reasons:

Intimate details revealed: Geolocation data can reveal visits to doctors' offices, places of worship, political rallies, domestic violence shelters, and addiction treatment centers. Even "anonymized" location data has been shown to be easily re-identifiable — researchers have demonstrated that as few as four location data points can uniquely identify 95% of individuals.

Enforcement actions: The FTC has taken multiple actions against companies selling location data. In 2024, the FTC banned X-Mode Social (now Outlogic) and InMarket from selling sensitive location data. State attorneys general have also targeted location data brokers.

Real-world harms: Location data has been used to track individuals visiting abortion clinics, identify protest attendees, and surveil specific communities. These harms have accelerated legislative action.

Who Needs to Worry About These Laws?

These restrictions affect a wide range of businesses, not just obvious "location data companies":

• Mobile app developers that request location permissions
• Advertising networks that use location-based targeting
• Retail chains that track foot traffic or use geofencing
• Connected vehicle manufacturers that collect driving and location data
• Data brokers that buy or sell datasets containing coordinates
• Analytics platforms that process location signals for measurement
• Real estate and proptech companies using location intelligence

Compliance Steps for Businesses

1. Audit Your Location Data Practices

Map everywhere your business collects, stores, processes, and shares geolocation data. Include mobile SDKs, analytics tools, advertising pixels, and third-party vendor integrations. Use our Privacy Law Calculator to determine which state laws apply to your business.

2. Implement Opt-In Consent Where Required

For states that require opt-in consent for sensitive data (most of them), ensure you collect affirmative, informed consent before processing precise geolocation data. This means a clear, specific disclosure — not buried in a terms-of-service document.

3. Stop Selling Location Data in Ban States

If you operate in Maryland, Oregon, or (soon) Virginia, you must not sell precise geolocation data. Review your vendor agreements and data-sharing arrangements to ensure no downstream sale is occurring.

4. Conduct Data Protection Assessments

Most state laws require a data protection impact assessment before processing sensitive data like geolocation. Document the purpose, necessity, and safeguards for your location data processing.

5. Update Your Privacy Policy

Disclose your geolocation data practices clearly: what you collect, why, who you share it with, and how consumers can opt out or withdraw consent.

6. Honor Opt-Out Signals

In states requiring universal opt-out mechanisms, ensure your systems detect and honor Global Privacy Control (GPC) signals. Use our GPC Compliance Checker to assess your obligations.

What's Coming Next

The trend toward restricting location data sales is accelerating. Bills in several states — including Maine and Connecticut — would add additional location data protections. At the federal level, bipartisan concern over location data surveillance continues to grow.

Businesses that proactively limit their location data collection and sharing will be better positioned as these laws expand. The safest approach: collect location data only when you need it, get clear consent, never sell it, and delete it when you're done.

Frequently Asked Questions

What counts as "precise" geolocation data under state privacy laws?

Most states define it as data derived from a device that identifies a consumer's location within 1,750 feet (approximately one-third of a mile). GPS coordinates, Wi-Fi positioning, and Bluetooth beacon data typically qualify. City-level or ZIP code-level location data generally does not meet the precision threshold.

Can I sell location data if I get consumer consent?

It depends on the state. In Maryland, you cannot sell sensitive data including geolocation even with consent. In Oregon, consent may allow processing but the sale of precise geolocation remains restricted. In most other states, opt-in consent allows processing but you must still honor opt-out requests for sales.

Does Virginia SB 338 apply to all businesses?

SB 338 applies to entities already subject to the Virginia Consumer Data Protection Act — generally businesses that control or process the personal data of at least 100,000 Virginia consumers, or 25,000 consumers if they derive over 50% of gross revenue from personal data sales. Use our calculator to check.

What about connected vehicle location data?

Yes — location data from connected vehicles is subject to the same restrictions. Ford's recent $375K CCPA fine and multiple FTC actions against automakers demonstrate that regulators are paying close attention to connected car data practices. Utah also recently passed HB 357 specifically targeting motor vehicle manufacturers.

How do I know which state location data laws apply to my business?

Use our Privacy Law Calculator — enter your company details and it will show you every state law that applies, including those with geolocation-specific requirements. You can also compare state laws side-by-side to see how sensitive data rules differ.

Last updated: March 29, 2026.