The editorial argues SB 854 is fundamentally different from other state privacy laws because it bans the sale outright rather than requiring consent. No amount of dark-pattern UX or cookie banner engineering can achieve compliance — the entire location-data resale market becomes non-viable in Virginia for data at the 1,750-foot precision threshold.
The editorial emphasizes that Virginia's original VCDPA was the softest enforcement regime in the country (AG-only, 30-day cure period). SB 854 keeps AG authority but adds a private right of action specifically for geolocation and health data, with no cure period — meaning plaintiffs' lawyers can now go directly after data brokers, which is a categorical shift in enforcement risk.
The law firm's analysis (the underlying source article) highlights the amendments to VCDPA as significant precisely because they expand consumer remedies beyond AG-only enforcement. Their coverage frames the private right of action for sensitive-data categories as the most consequential departure from Virginia's previously business-friendly privacy framework.
The editorial points out that the CCPA-style radius definition sweeps in cell-tower triangulation, IP-geo lookups above ZIP+4, and effectively every ad SDK that transmits lat/long. Developers who assumed 'precise geolocation' meant only raw GPS will find that routine ad-tech telemetry now falls under the sale ban.
The submitter surfaced the Hunton legal analysis to a developer audience, where it drew 696 points and 117 comments. The strong engagement suggests developers recognize that a sale ban makes their existing consent-management tooling irrelevant for Virginia location data — a categorical shift in how privacy compliance work looks.
On March 24, Virginia governor Glenn Youngkin signed SB 854 into law, amending the Virginia Consumer Data Protection Act (VCDPA) to add what is, functionally, the strictest state-level restriction on location data yet enacted in the US. Rather than requiring consent for the sale of precise geolocation data, Virginia has banned the sale outright. The law takes effect January 1, 2027.
The definition of "precise geolocation data" is the load-bearing part. Virginia adopted the CCPA-style threshold: any data that identifies a consumer's location within a radius of 1,750 feet — roughly a third of a mile. That's not "your GPS coordinates." That's most cell-tower triangulation, most IP-geo lookups above the ZIP+4 level, and effectively every ad SDK that fires a lat/long over the wire. The law also carves out a specific category of "reproductive or sexual health information" and applies the same sale ban to it, plus creates fresh restrictions on processing minors' data for anyone under 16.
The enforcement teeth are what separate SB 854 from the other 19-odd state privacy laws currently on the books. Virginia's original VCDPA was enforcement-by-AG-only, with a 30-day cure period — the softest regime in the country. SB 854 keeps the AG's authority but adds a private right of action for the geolocation and health-data provisions, which means end users can sue directly. The cure period doesn't apply. Statutory damages haven't been fully clarified in the text, but the mere existence of civil standing is the story: for the first time in Virginia, a class-action bar can go after data brokers without waiting for the AG's office to decide it cares.
The HN thread on this ran hot (696 points) for a reason developers should pay attention to: this isn't a consent-management problem you can solve with a bigger cookie banner. A sale ban is categorically different from a consent regime — no amount of dark-pattern UX gets you to compliance, because the transaction itself is prohibited.
Compare the landscape. California's CPRA lets you sell precise geo data if you offer a "Do Not Sell or Share My Personal Information" link and honor Global Privacy Control signals. Colorado, Connecticut, and the other VCDPA-clones require opt-in consent for "sensitive" categories, which precise geo qualifies for — but consent is obtainable, and most apps get it via a first-run modal nobody reads. Virginia has now said: doesn't matter what the user clicks. If it's precise geolocation, you can't sell it. Full stop.
The practical blast radius is much larger than "data brokers." The definition of "sale" under VCDPA is exchange for "monetary or other valuable consideration," which the AG's office has consistently interpreted broadly. That sweeps in:
- Ad SDKs that pass lat/long to a DSP in exchange for fill rate. That's a sale. - Weather apps whose "free" tier is subsidized by selling location logs to hedge funds. That's a sale. - Analytics vendors that offer discounts in exchange for aggregated location telemetry. Arguably a sale. - B2B "data enrichment" APIs that append geo signals to CRM records. Almost certainly a sale.
The HN commentariat's dominant reaction — some version of "finally, someone did it" — undersells the compliance chaos this will create. Every major ad-tech vendor now has to build a Virginia-resident geofence into their bid request pipeline, or accept that ~2% of US impressions become non-monetizable for location targeting. Given that Virginia is home to Ashburn (roughly 70% of the world's internet traffic transits data centers within a 20-mile radius), the routing side of this is going to be interesting too — though the law targets the *consumer* not the transit, so ISPs likely dodge the sale-ban entirely.
The private right of action is the sleeper provision. Illinois's BIPA became the most consequential US privacy law of the last decade not because of what it prohibited, but because it let individuals sue for statutory damages. Facebook paid $650M. Six Flags paid $36M. TikTok settled for $92M. Every one of those cases was a private plaintiff, not the AG. Virginia has now imported that model for location data. Expect a plaintiffs' bar to spin up specifically for this within 12 months.
If you ship a mobile app, a website with geo-personalization, or any SDK that touches location, you have 18 months to answer three questions:
1. What's your data flow, actually? Not the flow described in your privacy policy — the real one. Most engineering teams underestimate how much location data leaks out through third-party SDKs. Facebook's SDK, Google's Firebase, Branch, AppsFlyer, Adjust, Segment, Mixpanel — any of these that receive a precise lat/long and forward it downstream in exchange for their service is now a sale under the Virginia definition. You need a data-flow diagram, and you need to know which vendor contracts allow onward transfer.
2. Can you geofence Virginia at the SDK level? For most apps, the answer today is no — you can honor a per-user CCPA opt-out, but you don't have infrastructure to differentiate Virginia users from other US users pre-consent. The cleanest engineering fix is to downgrade precision for all US users to ~5-mile radius by default and only escalate to precise geo when the user's active session requires it (turn-by-turn nav, food delivery). That's more surgery than most product teams are budgeting for.
3. Do you have a defensible logging story? When the first class action lands in early 2027, the discovery request is going to be "produce all records of precise geolocation data transmitted to third parties for Virginia residents between Jan 1 2027 and today." If your answer is "we don't log outbound SDK traffic at that granularity," you're going to spend 18 months and seven figures reconstructing it from vendor invoices.
The boring-but-important move: audit your ad-tech and analytics contracts now. Any vendor whose Data Processing Addendum doesn't explicitly commit to Virginia-jurisdiction handling of precise geo needs a rider, and you need it signed before Q4 2026 when everyone else is doing the same thing.
The interesting question isn't whether other states follow — they will, because state legislators love copying whichever privacy law generates the most in-district campaign contributions. The interesting question is whether federal preemption catches up first. There's a version of the American Privacy Rights Act still floating around Congress that would preempt state privacy laws entirely, and the ad-tech lobby will now spend real money to revive it. Virginia just changed the negotiating leverage: a federal law that permits opt-in sale of geo data is now the *industry's* preferred outcome, not the *privacy advocate's* concession. Watch for that framing to flip in DC over the next 12 months.
The article is misleading. The sale of geolocation data can still take place but not for precise locations. The bill prevents the sale of data that can identify you within 1750ft. You can still be tracked just not precisely. i.e. companies will just sell fuzzy geolocation data.
Note that this article is from April and the ban went into effect July 1.
Would love if someone with experience could chime in. I've been reading about the geo data market for over two decades now but still have no real sense of its value. What does this data typically cost? And can you specify particular locations/targeting points, or do you just get whatever&#
Given the actual informed and uncoerced choice, people say no to this kind of collection and especially its sale or use for any purpose other than the explicit service they thought they were allowing it for (navigation, setting the time, etc etc). This is true for basically all information collected
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
So let's say a Delaware incorporated company sells location data that happens to be collected in Virginia, but its sold from the corporation with no operations in Virginia. What happens? On the other hand us-east-1 is in Virginia with who knows how many payment processing servers running.