Virginia enacts ban on precise geolocation data sales as momentum for similar prohibitions builds

The governor of Virginia on Monday signed a law banning the sale of citizens’ precise geolocation data, a sign of growing momentum for such laws at the state level.

The legislation bars the sale of geolocation within a 1,750 foot radius, a buffer large enough to keep data brokers from pinpointing where consumers live, work, worship, shop and otherwise travel.

The bill, which was passed as an amendment to Virginia’s existing comprehensive data privacy law, received unanimous bipartisan support in the state’s legislature and takes effect on July 1.

Maryland and Oregon currently have similar laws on the books. Several other states are debating enacting their own bans with legislation now pending in the California, Connecticut, Massachusetts and Vermont legislatures.

"Virginia's unanimous, bipartisan support of [this bill] is just another indicator of the growing momentum for stricter location data rules at the state level,” Matt Schwartz, a policy analyst at Consumer Reports, said via email. “These protections are critical, especially at a time when the risk of stalking, individualized scams, and unwanted targeting has never been clearer.”

Data brokers selling precise geolocation information have been under scrutiny and several news outlets have published reports showing how the data has been used to track the location of national security officials and people visiting abortion clinics.

In February 2024, Sen. Ron Wyden (D-OR), announced that his staff found evidence that an anti-abortion organization “targeted misinformation” to citizens who visited some 600 reproductive health clinics in 48 states by leveraging mobile phone location data.

The Federal Trade Commission (FTC) in the Biden administration issued several enforcement actions against companies selling location data, but the Trump FTC has not pursued new cases.

In February, the Trump FTC told an Idaho federal judge it supported a proposed settlement with the geolocation data broker Kochava — a case brought by the Biden administration — but the settlement has not been finalized and its terms are not public. 

An Idaho federal judge made details of the FTC’s complaint against Kochava public in November 2023, revealing that the data broker sold nearly real-time geolocation data within 10 meters of consumers as well as their yearly income, app usage and mobile device IDs.

The agency charged that Kochava’s practices violated Section 5 of the FTC Act, which prohibits firms from engaging in unfair and deceptive practices.