Virginia SB 338: Banning the Sale of Precise Geolocation Data
Virginia Moves to Ban Geolocation Data Sales
Virginia's General Assembly has unanimously approved Senate Bill 338, which would amend the Virginia Consumer Data Protection Act (VCDPA) to prohibit the sale of consumers' precise geolocation data. The bill passed both chambers with bipartisan support and was transmitted to Governor Abigail Spanberger with an action deadline of April 13, 2026.
If signed, Virginia would join a growing number of states restricting how businesses can monetize location data — a category of personal information that privacy advocates have called uniquely sensitive because it can reveal where people live, work, worship, seek medical care, and spend their time.
What SB 338 Would Do
The bill adds a straightforward prohibition to the existing VCDPA: businesses may not sell consumers' precise geolocation data. Precise geolocation is generally defined as data that can identify a consumer's physical location within a radius of 1,750 feet (approximately one-third of a mile).
Key provisions include:
- Prohibition on sale — controllers may not sell precise geolocation data to third parties
- No private right of action — enforcement remains exclusively with the Virginia Attorney General, consistent with the VCDPA's existing framework
- Original enforcement amendment removed — an earlier version of the bill would have modified VCDPA enforcement provisions, but this was stripped during the legislative process
Why Geolocation Data Is Getting Special Attention
Precise geolocation data has become a flashpoint in privacy regulation for several reasons. Location data collected from smartphones and apps can track individuals to specific locations — medical clinics, places of worship, political events, and private residences. Data brokers have been caught selling location data that was used to identify individuals visiting sensitive locations. Unlike browsing data, location data is difficult to anonymize because movement patterns are uniquely identifying.
These concerns have driven multiple states to restrict geolocation data beyond what their general privacy frameworks require.
How Virginia Compares to Other States
Virginia is not alone in targeting geolocation data. Several states have enacted or proposed similar restrictions.
Maryland (MODPA)
Maryland's Online Data Privacy Act, effective October 1, 2025, takes the most aggressive approach. It prohibits the sale of all sensitive data — not just geolocation — and applies data minimization requirements that limit collection of geolocation data to what is strictly necessary for the service being provided.
Oregon (OCPA Amendments)
Oregon amended its Consumer Privacy Act to restrict the sale of precise geolocation data within a 1,750-foot radius, effective July 1, 2025. The restriction applies specifically to data brokers and includes enhanced penalties for violations involving minors' data.
California (CCPA/CPRA)
California classifies precise geolocation as sensitive personal information. Consumers have the right to limit its use and disclosure, and businesses must obtain opt-in consent before processing it. However, California has not enacted an outright ban on its sale.
Connecticut (Proposed SB 4)
Connecticut is considering SB 4, which would add geolocation data restrictions to its existing CTDPA, alongside data broker registration requirements. The bill passed committee in March 2026 and continues to advance.
What Businesses Should Do Now
Whether or not you operate specifically in Virginia, the trend toward geolocation data restrictions is clear. Here are practical steps to prepare:
- Audit your geolocation data practices — identify everywhere your business collects, processes, or shares precise location data. This includes mobile apps, in-store analytics, advertising platforms, and third-party SDKs embedded in your products.
- Review data sharing agreements — if you share geolocation data with third parties (including advertising partners, analytics providers, and data brokers), determine whether those transfers constitute a "sale" under applicable state definitions.
- Implement geolocation-specific consent — treat precise geolocation as sensitive data everywhere, not just in states that require it. Obtain explicit opt-in consent before collecting it.
- Reduce geolocation precision where possible — if your business only needs approximate location (city or zip code), configure your systems to collect coarse location rather than precise GPS coordinates.
- Update your privacy notice — clearly disclose your geolocation data practices, including what you collect, how you use it, and whether you sell or share it.
Use our privacy law calculator to check which state laws currently apply to your business, and review the state law comparison tool to understand how geolocation requirements differ across jurisdictions.
Timeline and Next Steps
Governor Spanberger has until April 13, 2026, to sign, veto, or allow SB 338 to become law without her signature. Given the bill's unanimous bipartisan support, signing appears likely. If enacted, the effective date will depend on the bill's language — Virginia laws typically take effect on July 1 of the year following enactment unless an emergency clause is included.
We will update this page and the Virginia VCDPA state page once the governor acts. Check our compliance deadlines tracker for the latest dates.
Last updated: March 28, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.