HN Debrief

Virginia bans sale of geolocation data

  • Privacy
  • Regulation
  • Security
  • Advertising

The post points to Virginia’s new privacy rule banning the sale of “precise geolocation data,” a category the law defines broadly enough to cover device-derived location that can identify where a person is within a 1,750-foot radius. The linked article notes Virginia follows Maryland and Oregon, and commenters also flagged that the law is already in force as of July 1, not just proposed.

If your product, vendor stack, or ad pipeline touches precise location data, treat state-by-state restrictions as a live compliance issue now, not a future one. The bigger strategic point is that lawmakers are narrowing in on data-broker business models first, while leaving plenty of room for first-party collection and contractual workarounds that will likely be the next target.

Discussion mood

Strongly positive and impatient. Most people think banning location-data sales is obvious and overdue, but they also think the law is incomplete because “sale” is narrower than the real ways data gets traded and weaponized.

Key insights

  1. 01

    The law reaches more than GPS pins

    By defining precise geolocation as any technology-derived data that can identify a person’s location within 1,750 feet, the statute catches far more than a narrow stream of phone GPS coordinates. That matters because companies cannot rely on a casual distinction between “precise” mobile settings and other device-level location mechanisms to stay outside the rule.

    Review every source of location inference in your stack, not just obvious latitude and longitude fields. If your systems can place a person at building or venue level, assume the law is relevant.

      Attribution:
    • mathgeek #1
    • kube-system #1
  2. 02

    Broker resale is the real target

    The useful distinction is not “all location use is bad.” It is whether the company collected the data to provide the service or whether it is turning that data into a separate product for outsiders. That framing makes the law easier to read strategically. It is aimed at AT&T-style resale and broker markets, not at every first-party product feature that depends on location.

    Separate first-party product use from any secondary monetization path in both architecture and contracts. The closer your business looks to a broker, the more exposed it is as other states copy this approach.

      Attribution:
    • avarun #1
  3. 03

    Compliance will likely be operational, not philosophical

    Most companies are unlikely to litigate abstract jurisdiction questions unless Virginia revenue is material. The practical expectation is geofencing records out of sellable datasets, adding contract language to shift liability downstream, and keeping enough state tagging to know what must be excluded. That irony stood out because avoiding illegal location sales may require even more location classification internally.

    Expect vendors to respond with dataset segregation, contract rewrites, and indemnity clauses. Ask data providers exactly how they identify Virginia-covered records and where that liability lands if they get it wrong.

      Attribution:
    • dv_dt #1
    • thephyber #1
    • HoldOnAMinute #1
  4. 04

    Connected cars weakened meaningful consent

    Location collection is no longer just an app-permission problem. Commenters pointed out that many newer cars with cellular links default drivers into telemetry programs, which turns “consent” into a buried vehicle setup choice rather than a clear opt-in. That broadens the regulatory blast radius from ad tech into automotive and insurance ecosystems.

    If you build on vehicle telemetry, assume regulators will scrutinize default enrollment and bundled consent flows next. Clean up onboarding language before that sector becomes the next headline example.

      Attribution:
    • gruez #1
    • malfist #1

Against the grain

  1. 01

    Some location sharing supports legitimate pricing

    Not all downstream use looks predatory. Insurers can use driving time, speed, and night driving patterns to price risk more accurately, and banning every transfer outright would remove a dataset that some see as directly tied to actuarial fairness. That does not answer the consent problem, but it does explain why lawmakers may have stopped at “sale” instead of outlawing all sharing.

    If you depend on location data for underwriting or safety use cases, build a narrow justification around that specific function. Broad data monetization and risk-based operational use are getting separated in law and public opinion.

      Attribution:
    • Frost1x #1
    • polski-g #1
  2. 02

    Data buyers still claim efficiency gains

    One dissenting view held that companies using more data simply make better decisions, and that the existence of a market for location data is not inherently harmful. That argument is out of step with the rest of the reaction, but it is still the core defense behind data brokerage and helps explain why firms will keep searching for legal structures that preserve access.

    Do not expect the commercial appetite for location data to fade because one state passed a ban. If you are designing policy or products, plan for persistent pressure to repackage the same trade under a different label.

      Attribution:
    • charcircuit #1 #2 #3

In plain english

actuarial
Related to estimating risk and pricing, especially in insurance.
ad tech
Advertising technology, the tools and companies used to target, measure, and deliver digital ads.
first-party
Data collected and used by the company directly providing the service to the user, rather than sold or shared to outsiders.
GPS
Global Positioning System, a satellite-based system used to determine a device’s location.
precise geolocation data
Location information from a device or similar technology that can identify where a person is within a relatively small area.
telemetry
Automatic collection and transmission of data from a device or vehicle back to a company or service.

Reference links

Law and regulation

Examples of location-data abuse

Analogy and historical loopholes