Original title: On April 13, 2026, Virginia Governor Abigail Spanberger signed into law S.B. 388
Article
Virginia Governor Abigail Spanberger signed S.B. 388 into law on April 13, 2026, amending the Virginia Consumer Data Protection Act to ban the sale of geolocation data, with the prohibition taking effect July 1, 2026. The law’s key detail is a narrow definition of “sale” as the exchange of personal data for monetary consideration by a controller to a third party, a choice users compare to broader approaches in Maryland and Oregon. The change is presented alongside a wider legislative wave in states such as California, Massachusetts, Vermont, and Washington and is framed against renewed enforcement pressure after a 2025 California investigation and a 2024 FTC broker settlement over geolocation data. Commenters treat the measure as a meaningful but limited first step rather than a full ban on all location monetization, and they repeatedly test whether the narrower wording preserves loopholes for non-sale uses, internal first-party collection, or cross-border corporate structures. The discussion also highlights uncertainty over practical scope, including whether broad IP-derived location falls under “precise geolocation” and how compliance will work for firms with no physical presence in the state but operations affecting Virginians. Broad concern is that enforcement clarity will determine whether the law materially alters broker behavior or mostly creates symbolic progress.
Readers broadly welcomed the direction of lawmaking, saying sale-based limits help protect people from opaque location-tracking practices, including anti-abortion ad targeting and insurance underwriting examples. Many support stronger penalties and clearer standards, arguing current consent models are often coercive in practice and can force users to trade privacy for functionality. A large share of the comments praises the policy as overdue, but several argue that only banning “sale” is incomplete and that sharing, brokerage, and other non-monetary transfers can still expose sensitive patterns. Practical ambiguities drew sustained attention, including whether out-of-state companies with Virginia-origin data can evade the rule, how “precise” geolocation differs from broader IP location data, and how background app permissions enable collection. Some explicitly differentiate acceptable first-party use from third-party resale, while others fear app ecosystems and so-called free services can still route data to profit channels. There is also skepticism that broad bans will be weak without aggressive enforcement, and a recurring question about whether the law meaningfully changes user outcomes versus serving as symbolic progress.