Virginia just made selling location data illegal — and it's stricter than California

5 min read 1 source clear_take
├── "A sale ban is categorically different from consent regimes and forces structural changes to data broker business models"
│  └── top10.dev editorial (top10.dev) → read below

The editorial argues SB 854 is fundamentally different from other state privacy laws because it bans the sale outright rather than requiring consent. No amount of dark-pattern UX or cookie banner engineering can achieve compliance — the entire location-data resale market becomes non-viable in Virginia for data at the 1,750-foot precision threshold.

├── "The private right of action is the real teeth — enabling class-action lawsuits without waiting on the AG"
│  ├── top10.dev editorial (top10.dev) → read below

The editorial emphasizes that Virginia's original VCDPA was the softest enforcement regime in the country (AG-only, 30-day cure period). SB 854 keeps AG authority but adds a private right of action specifically for geolocation and health data, with no cure period — meaning plaintiffs' lawyers can now go directly after data brokers, which is a categorical shift in enforcement risk.

│  └── Hunton Andrews Kurth Privacy Blog (hunton.com) → read

The law firm's analysis (the underlying source article) highlights the amendments to VCDPA as significant precisely because they expand consumer remedies beyond AG-only enforcement. Their coverage frames the private right of action for sensitive-data categories as the most consequential departure from Virginia's previously business-friendly privacy framework.

├── "The 1,750-foot precision threshold captures far more than 'GPS coordinates' — it hits routine ad-tech and IP-geo"
│  └── top10.dev editorial (top10.dev) → read below

The editorial points out that the CCPA-style radius definition sweeps in cell-tower triangulation, IP-geo lookups above ZIP+4, and effectively every ad SDK that transmits lat/long. Developers who assumed 'precise geolocation' meant only raw GPS will find that routine ad-tech telemetry now falls under the sale ban.

└── "This story resonates with developers because it signals a shift from consent-management engineering to structural bans"
  └── @toomuchtodo (Hacker News, 696 pts) → view

The submitter surfaced the Hunton legal analysis to a developer audience, where it drew 696 points and 117 comments. The strong engagement suggests developers recognize that a sale ban makes their existing consent-management tooling irrelevant for Virginia location data — a categorical shift in how privacy compliance work looks.

What happened

On March 24, Virginia governor Glenn Youngkin signed SB 854 into law, amending the Virginia Consumer Data Protection Act (VCDPA) to add what is, functionally, the strictest state-level restriction on location data yet enacted in the US. Rather than requiring consent for the sale of precise geolocation data, Virginia has banned the sale outright. The law takes effect January 1, 2027.

The definition of "precise geolocation data" is the load-bearing part. Virginia adopted the CCPA-style threshold: any data that identifies a consumer's location within a radius of 1,750 feet — roughly a third of a mile. That's not "your GPS coordinates." That's most cell-tower triangulation, most IP-geo lookups above the ZIP+4 level, and effectively every ad SDK that fires a lat/long over the wire. The law also carves out a specific category of "reproductive or sexual health information" and applies the same sale ban to it, plus creates fresh restrictions on processing minors' data for anyone under 16.

The enforcement teeth are what separate SB 854 from the other 19-odd state privacy laws currently on the books. Virginia's original VCDPA was enforcement-by-AG-only, with a 30-day cure period — the softest regime in the country. SB 854 keeps the AG's authority but adds a private right of action for the geolocation and health-data provisions, which means end users can sue directly. The cure period doesn't apply. Statutory damages haven't been fully clarified in the text, but the mere existence of civil standing is the story: for the first time in Virginia, a class-action bar can go after data brokers without waiting for the AG's office to decide it cares.

Why it matters

The HN thread on this ran hot (696 points) for a reason developers should pay attention to: this isn't a consent-management problem you can solve with a bigger cookie banner. A sale ban is categorically different from a consent regime — no amount of dark-pattern UX gets you to compliance, because the transaction itself is prohibited.

Compare the landscape. California's CPRA lets you sell precise geo data if you offer a "Do Not Sell or Share My Personal Information" link and honor Global Privacy Control signals. Colorado, Connecticut, and the other VCDPA-clones require opt-in consent for "sensitive" categories, which precise geo qualifies for — but consent is obtainable, and most apps get it via a first-run modal nobody reads. Virginia has now said: doesn't matter what the user clicks. If it's precise geolocation, you can't sell it. Full stop.

The practical blast radius is much larger than "data brokers." The definition of "sale" under VCDPA is exchange for "monetary or other valuable consideration," which the AG's office has consistently interpreted broadly. That sweeps in:

- Ad SDKs that pass lat/long to a DSP in exchange for fill rate. That's a sale. - Weather apps whose "free" tier is subsidized by selling location logs to hedge funds. That's a sale. - Analytics vendors that offer discounts in exchange for aggregated location telemetry. Arguably a sale. - B2B "data enrichment" APIs that append geo signals to CRM records. Almost certainly a sale.

The HN commentariat's dominant reaction — some version of "finally, someone did it" — undersells the compliance chaos this will create. Every major ad-tech vendor now has to build a Virginia-resident geofence into their bid request pipeline, or accept that ~2% of US impressions become non-monetizable for location targeting. Given that Virginia is home to Ashburn (roughly 70% of the world's internet traffic transits data centers within a 20-mile radius), the routing side of this is going to be interesting too — though the law targets the *consumer* not the transit, so ISPs likely dodge the sale-ban entirely.

The private right of action is the sleeper provision. Illinois's BIPA became the most consequential US privacy law of the last decade not because of what it prohibited, but because it let individuals sue for statutory damages. Facebook paid $650M. Six Flags paid $36M. TikTok settled for $92M. Every one of those cases was a private plaintiff, not the AG. Virginia has now imported that model for location data. Expect a plaintiffs' bar to spin up specifically for this within 12 months.

What this means for your stack

If you ship a mobile app, a website with geo-personalization, or any SDK that touches location, you have 18 months to answer three questions:

1. What's your data flow, actually? Not the flow described in your privacy policy — the real one. Most engineering teams underestimate how much location data leaks out through third-party SDKs. Facebook's SDK, Google's Firebase, Branch, AppsFlyer, Adjust, Segment, Mixpanel — any of these that receive a precise lat/long and forward it downstream in exchange for their service is now a sale under the Virginia definition. You need a data-flow diagram, and you need to know which vendor contracts allow onward transfer.

2. Can you geofence Virginia at the SDK level? For most apps, the answer today is no — you can honor a per-user CCPA opt-out, but you don't have infrastructure to differentiate Virginia users from other US users pre-consent. The cleanest engineering fix is to downgrade precision for all US users to ~5-mile radius by default and only escalate to precise geo when the user's active session requires it (turn-by-turn nav, food delivery). That's more surgery than most product teams are budgeting for.

3. Do you have a defensible logging story? When the first class action lands in early 2027, the discovery request is going to be "produce all records of precise geolocation data transmitted to third parties for Virginia residents between Jan 1 2027 and today." If your answer is "we don't log outbound SDK traffic at that granularity," you're going to spend 18 months and seven figures reconstructing it from vendor invoices.

The boring-but-important move: audit your ad-tech and analytics contracts now. Any vendor whose Data Processing Addendum doesn't explicitly commit to Virginia-jurisdiction handling of precise geo needs a rider, and you need it signed before Q4 2026 when everyone else is doing the same thing.

Looking ahead

The interesting question isn't whether other states follow — they will, because state legislators love copying whichever privacy law generates the most in-district campaign contributions. The interesting question is whether federal preemption catches up first. There's a version of the American Privacy Rights Act still floating around Congress that would preempt state privacy laws entirely, and the ad-tech lobby will now spend real money to revive it. Virginia just changed the negotiating leverage: a federal law that permits opt-in sale of geo data is now the *industry's* preferred outcome, not the *privacy advocate's* concession. Watch for that framing to flip in DC over the next 12 months.

Hacker News 933 pts 137 comments

Virginia bans sale of geolocation data

→ read on Hacker News
dv_dt · Hacker News

So let's say a Delaware incorporated company sells location data that happens to be collected in Virginia, but its sold from the corporation with no operations in Virginia. What happens? On the other hand us-east-1 is in Virginia with who knows how many payment processing servers running.

ascotan · Hacker News

The article is misleading. The sale of geolocation data can still take place but not for precise locations. The bill prevents the sale of data that can identify you within 1750ft. You can still be tracked just not precisely. i.e. companies will just sell fuzzy geolocation data.

janalsncm · Hacker News

Note that this article is from April and the ban went into effect July 1.

trentor · Hacker News

Would love if someone with experience could chime in. I've been reading about the geo data market for over two decades now but still have no real sense of its value. What does this data typically cost? And can you specify particular locations/targeting points, or do you just get whatever&#

jmward01 · Hacker News

Given the actual informed and uncoerced choice, people say no to this kind of collection and especially its sale or use for any purpose other than the explicit service they thought they were allowing it for (navigation, setting the time, etc etc). This is true for basically all information collected

// share this

// get daily digest

Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.