What Virginia Actually Signed Into Law
On April 13, 2026, Governor Abigail Spanberger signed S.B. 338 into law, amending the Virginia Consumer Data Protection Act to prohibit the sale of geolocation data. The ban takes effect July 1, 2026, giving businesses fewer than three months from signing to reach compliance.
Virginia did not create a standalone geolocation privacy statute. Instead, S.B. 338 layers the new prohibition directly onto the existing VCDPA framework. That architectural choice matters: every definition, exemption, and enforcement mechanism from the parent law applies to the geolocation restriction as well. The law’s reach extends exactly as far as the VCDPA reaches — and stops exactly where the VCDPA stops.
One of those inherited definitions carries significant weight. The VCDPA defines “sale” as the exchange of personal data for monetary consideration by the controller to a third party. That standard is narrower than the language other states have adopted. Maryland and Oregon, the two states that moved first to ban geolocation data sales, both define “sale” to cover exchanges for monetary or other valuable consideration — a broader formulation that captures barter arrangements, data-for-data trades, and non-cash compensation.
Virginia’s stricter, cash-only definition means the geolocation ban targets a specific slice of the data marketplace: transactions where a company receives direct payment for handing location data to a third party. Arrangements structured around non-monetary value — access to platforms, reciprocal data sharing, advertising inventory, or other in-kind benefits — fall outside the VCDPA’s definition of “sale” and therefore outside the new prohibition entirely.
Virginia joins a growing list of states tightening rules around precise location data privacy, including California and Massachusetts, which have proposed similar restrictions. But the state enters that group with a narrower statutory hook than its predecessors, a gap that privacy advocates and data brokers alike will study closely once the law goes live.
The Critical Fine Print: How Virginia Defines ‘Sale’
Virginia’s geolocation data ban carries a definition of “sale” that does most of the limiting work — and most coverage of S.B. 338 glosses right over it.
The Virginia Consumer Data Protection Act defines “sale” as “the exchange of personal data for monetary consideration by the controller to a third party.” That language is precise to the point of being restrictive. Only direct cash-for-data transactions qualify. A company must receive actual money from a third party in exchange for geolocation information before the prohibition applies.
That is a significantly narrower threshold than the standard set by Maryland and Oregon, the two states that passed geolocation data sale bans before Virginia. Both states define “sale” to capture exchanges made for “monetary or other valuable consideration.” That extra phrase — “other valuable consideration” — pulls in a wide range of commercial arrangements: data shared in exchange for advertising inventory, platform access, audience targeting services, or reciprocal data arrangements between companies. Virginia’s definition captures none of those transactions.
The practical consequence is substantial. The data broker ecosystem runs largely on non-cash exchanges. Location data frequently changes hands through programmatic advertising pipelines, data co-ops, and service-for-data agreements where no invoice is ever generated. Under Virginia’s personal data protection framework, those transfers are not “sales.” Companies that share precise geolocation data — defined under the VCDPA as information identifying a consumer’s location within a radius of 1,750 feet — through barter-style commercial arrangements operate entirely outside the new ban’s reach.
California and Massachusetts have proposed similar geolocation privacy legislation, and how those states define “sale” will determine whether their laws carry real enforcement weight or mirror Virginia’s structural gap. Virginia consumers gaining protection against the direct sale of their location data is meaningful. But the broader consumer data privacy problem — the commercial ecosystem that monetizes movement patterns without writing a check — remains largely untouched by S.B. 338.
The Loophole the Data Broker Industry Will Notice
The data broker industry runs on complexity by design. Companies that traffic in location data rarely structure their deals as simple cash-for-data exchanges. Instead, they operate through licensing arrangements, data-sharing partnerships, programmatic advertising ecosystems, and audience intelligence platforms where geolocation feeds into targeting algorithms without any direct monetary payment changing hands for that specific data transfer.
Virginia’s definition of “sale” under the amended VCDPA captures only one slice of that ecosystem: “the exchange of personal data for monetary consideration by the controller to a third party.” That language leaves a significant gap. A company that shares precise geolocation data with an ad-tech partner in exchange for better audience reach, preferential platform access, or reciprocal data feeds has transferred commercially valuable location information — but not necessarily for monetary consideration. Under Virginia’s framework, that transaction falls outside the ban entirely.
Maryland and Oregon drew the line differently. Both states define “sale” as the exchange of personal data for “monetary or other valuable consideration,” language that closes the workaround Virginia left open. That single phrase — “other valuable consideration” — captures barter-style data deals, data-for-services arrangements, and the kind of cross-platform data partnerships that define modern ad-tech infrastructure.
The restructuring path is straightforward. A data broker operating in Virginia could shift from a direct geolocation data sale to a licensing model, a data co-op arrangement, or an API access agreement where location data flows in exchange for something other than a direct cash payment. The commercial outcome — third-party access to Virginians’ precise physical movements — remains identical. The legal exposure disappears.
Privacy law advocates and compliance professionals tracking state-level geolocation data regulations have flagged this definition gap as one of the most consequential drafting choices in Virginia’s legislation. The ban on selling consumer location data creates real obligations for straightforward transactions. For the more sophisticated commercial structures that dominate the data broker market, the July 1, 2026 effective date may arrive with less disruption than Virginia lawmakers anticipated.
Virginia Joins a Growing but Inconsistent State-Level Trend
Virginia is not acting alone. The state joins Maryland and Oregon, which have already enacted bans on selling geolocation data, forming a cluster of states pushing location privacy protections into law. California and Massachusetts have proposed similar legislation, signaling that the legislative momentum is real and spreading.
But the consistency ends there. Each state has built its geolocation privacy framework on different legal foundations, and those differences carry serious practical consequences.
The sharpest contrast sits in how states define the word “sale.” Maryland and Oregon both prohibit the exchange of personal data for “monetary or other valuable consideration.” That broader language captures barter-style arrangements — data traded for services, platform access, or advertising inventory — not just direct cash transactions. Virginia’s definition stops short. The Virginia Consumer Data Protection Act defines a sale strictly as “the exchange of personal data for monetary consideration by the controller to a third party.” No money changing hands means no sale, at least under Virginia law.
For consumers, that distinction determines how much protection they actually receive. A Virginia resident’s location data shared in exchange for non-cash value — say, traded between data brokers as part of a reciprocal data-sharing agreement — may fall entirely outside the law’s reach. An Oregon resident in the same situation would be covered.
For businesses operating across multiple states, the inconsistency creates a compliance headache with no clean solution. A company handling location data for users in Virginia, Maryland, and Oregon must track three different definitions, three different thresholds, and potentially three different compliance workflows. Multistate data operations cannot apply a single standard across all three without defaulting to the most restrictive one — which means either building separate compliance tracks by state or treating every data transaction as if it occurred in Oregon or Maryland.
State-level location data privacy law is expanding, but the patchwork structure guarantees that where a person lives will continue to determine how much control they have over their own geolocation information.
What This Means for Virginians — and What It Doesn’t
Starting July 1, 2026, Virginians gain a concrete legal tool to challenge companies that directly sell their precise location data for cash. S.B. 338 creates real accountability in a specific, commercially significant scenario: a data broker or app company exchanging your GPS coordinates with a third party in exchange for direct monetary payment. That transaction is now prohibited under Virginia law, and consumers have a legal basis to push back against it.
The protection stops there, however, and the boundary matters.
The VCDPA defines “sale” strictly as the exchange of personal data for monetary consideration. That single word — monetary — carves out an enormous portion of how location data actually moves through the digital economy. When a free weather app shares your precise geolocation with an advertising network in exchange for ad revenue that flows back to the app, or when a navigation service trades location profiles for data partnerships and audience insights, those arrangements may fall entirely outside this law’s reach. The consideration isn’t a direct cash payment, so Virginia’s definition may not apply.
Compare that to Maryland and Oregon, which both ban the exchange of geolocation data for monetary or other valuable consideration. That broader language captures non-cash deals — data swaps, advertising arrangements, and platform partnerships that dominate the ad-supported app ecosystem most consumers rely on daily.
The result is a real but narrow win for Virginians. Direct commercial sales of location data face a genuine legal barrier. But the free apps, ad-supported platforms, and data-sharing arrangements that power targeted advertising — the channels through which most precise location tracking actually occurs — remain largely unaddressed by this legislation.
Consumers who interpret this law as a comprehensive geolocation privacy shield are reading more into it than the text supports. The law targets one specific transaction type. The broader location data ecosystem, including real-time bidding systems, data enrichment services, and behavioral tracking tied to ad delivery, operates through exactly the kind of non-cash value exchanges that Virginia’s narrow definition of “sale” leaves untouched.
The Bigger Question: Is State-by-State the Right Approach?
Virginia’s geolocation data sale ban joins a growing stack of state-level privacy rules that, taken together, reveal a fundamental structural problem: without a federal privacy law, each state drafts its own definitions, its own thresholds, and its own carve-outs. The result is a compliance patchwork that confuses consumers and hands data brokers a clear arbitrage opportunity — operate in states with looser language and avoid the stricter ones.
The difference between Virginia and its peers illustrates exactly how that arbitrage works. Maryland and Oregon both define “sale” as the exchange of personal data for monetary or other valuable consideration. Virginia’s definition stops at monetary consideration. That single omission means a company can transfer precise location data to a third party in exchange for services, data access, ad inventory, or any non-cash benefit and stay entirely within Virginia law. The headline ban exists. The gap underneath it also exists.
California and Massachusetts have proposed similar geolocation data restrictions, and each state will inevitably produce its own variation of the same definitional debate. A company operating nationally now faces at least three materially different legal standards for what counts as selling location data — and that number will grow as more states act.
This is the vacuum that a federal consumer data protection law would fill. A single national standard for what constitutes a sale of personal data, applied uniformly to geolocation information across all fifty states, would eliminate the definitional arbitrage that state-by-state legislation makes possible. Instead, companies get to treat each state’s privacy framework as a variable to optimize around rather than a floor to meet.
Virginia’s S.B. 338, signed by Governor Abigail Spanberger on April 13, 2026, is a real step. The prohibition on selling geolocation data takes effect July 1, 2026, and it will constrain direct cash-for-location transactions. But the law’s narrow drafting — a product of legislating without a federal anchor — means the protection it delivers is real in some scenarios and absent in others. Consumers in Virginia have no reliable way to know which scenario applies to their data.