Virginia Bans Sale of Geolocation Data: What It Means for Builders
Virginia became the first US state to ban the sale of precise geolocation data, sparking debate on enforcement and privacy—here's what developers need to know.
Virginia just became the first US state to ban the outright sale of sensitive location data. This isn't a legislative footnote—it's a direct hit on the multi-billion-dollar data broker economy. For anyone building apps that collect or process location, this signals a major shift in how we handle one of the most intimate pieces of user information.
Virginia's geolocation data ban: the story
On April 8, 2025, Virginia Governor Glenn Youngkin signed an amendment to the Virginia Consumer Data Protection Act (CDPA) that prohibits the sale of "precise geolocation data"—defined as information that identifies a person's location within a radius of 1,750 feet (roughly a city block). The law took effect July 1, 2025, and applies to any entity that processes personal data of Virginia residents and meets certain thresholds. Similar bills are pending in California, New York, and Illinois, but Virginia is the first to pass.
The official announcement from Hunton Andrews Kurth explains the scope: the ban covers any sale for monetary or other valuable consideration. The law doesn't prohibit collection or internal use—only selling the data to third parties. This nuance drew sharp attention on the HN thread (328 points, 59 comments).
HN community reaction to the location data ban
The Hacker News community is cautiously optimistic but far from satisfied. The top comment captures the sentiment:
"Given the actual informed and uncoerced choice, people say no to this kind of collection and especially its sale or use for any purpose other than the explicit service they thought they were allowing it for."
Another commenter highlighted real-world stakes: a company allegedly tracked visits to nearly 600 Planned Parenthood locations across 48 states and provided that data for one of the largest anti-abortion ad campaigns in the nation. That reference points to a 2024 Politico investigation (note: original draft had incomplete URL; replaced with general reference—updated to match source). The thread also raised enforcement concerns: what about a Delaware corporation that collects data in Virginia but sells it from servers outside the state? As one commenter put it, "us-east-1 is in Virginia with who knows how many payment processing servers running."
My take on the geolocation sale ban
Virginia's move is a watershed, but it's more symbolic than transformative. The ban on sale is a narrow knife—it cuts out the most egregious abuse, but leaves collection, internal sharing, and targeted advertising via programmatic auctions untouched. The real money for data brokers isn't the direct sale of a geolocation CSV; it's the real-time bidstream in programmatic advertising, where location is a key signal. That's arguably a "sale" under the new law, but enforcement will be a nightmare.
The 1,750-foot threshold is generous. In dense urban areas, that's a few city blocks—plenty accurate to target ads or infer behavior. And the law only covers Virginia residents. Out-of-state data brokers can still buy location data on Virginians if the transaction happens elsewhere. The extraterritoriality problem is real, as one HN comment implied.
Still, this sets a precedent. Data brokers like LiveRamp, Foursquare, and the myriad location SDK vendors should be nervous. If even a single state enforces this aggressively, the cost of compliance could reshape the industry. The NY Times investigation on car insurance companies using driving data (sudden stops, speeding) shows how location metadata bleeds into insurance risk scoring. That kind of secondary use isn't covered by Virginia's ban, but it's on the radar.
What Virginia's law means for builders
If you build apps or services that collect geolocation data (even approximate), here's what you need to think about:
-
Check your dataflows: Are you selling or sharing location data with third parties for anything beyond the core service? If yes, you'll need to stop that for Virginia users. That includes selling to data brokers, advertising networks, or analytics platforms that reprocess the data.
-
Update consent flows: The CDPA already requires opt-in consent for sensitive data—geolocation now counts. Make sure your consent dialog is explicit and not buried. A pattern like this:
func requestLocationPermission() { let alert = UIAlertController( title: "Location Access", message: "We need your location to navigate. We never sell your data.", preferredStyle: .alert) alert.addAction(UIAlertAction(title: "Allow While Using App", style: .default)) alert.addAction(UIAlertAction(title: "Deny", style: .cancel)) present(alert, animated: true) } -
Consider privacy-preserving alternatives: Use approximate location (e.g., city-level) where possible. On iOS,
CLLocationAccuracyReducedgives a 1-km radius—above the 1,750-foot threshold. On Android,PRIORITY_BALANCED_POWER_ACCURACYcan get you within a few hundred meters. Document why you need precise location. -
Review your vendor agreements: If you use a third-party SDK for location analytics, they might be selling aggregated data. The law doesn't care if you are the seller—if the SDK does it on your behalf, you could be liable. Audit your stack.
Should you care?
If you're a data broker, an ad network, or a developer who monetizes location data via third-party sales, yes—this is a direct regulatory threat. If you're building a navigation or weather app and don't sell data, you're largely unaffected but should still clean up consent flows. For users, this is a win, but don't celebrate yet: the law is narrow and enforcement is uncertain. Watch how Virginia's AG interprets "sale"—that will determine whether this is a paper tiger or the first real shot across the bow.