Is Your Geolocation Data Ready for Virginia's Ban?

Governor Abigail Spanberger signed Virginia SB 338 on April 13, amending the Virginia Consumer Data Protection Act to prohibit the sale or offering for sale of consumers’ precise geolocation data. The amendment takes effect July 1, 2026 — 57 days from today — and replaces the VCDPA’s prior consent-based treatment of precise location with an outright ban. Virginia joins Maryland and Oregon as the third state to do this; California, Connecticut, Massachusetts, and Vermont are working on the same.

If your business monetizes location signals tied to Virginia residents, opt-in is no longer enough — you have eight weeks to re-architect data flows, processor agreements, and audience-targeting rules. The VCDPA’s definition of precise geolocation still pivots on a 1,750-foot radius.

Virginia LIS — SB 338 → · Regulatory Oversight analysis →

Governor Kay Ivey signed HB 351, the Alabama Personal Data Protection Act (ALDPA), in mid-April 2026 after unanimous passage (House 104-0; Senate 34-0). The Act takes effect May 1, 2027, applying to entities that either control or process the personal data of more than 25,000 Alabama consumers (excluding payment-transaction data) or derive more than 25% of gross revenue from the sale of personal data. Enforcement is Alabama AG-only with a 45-day cure period. Roughly 46% of the U.S. population is now covered by a comprehensive state privacy law.

Action: add Alabama to your multi-state compliance matrix and confirm whether either threshold pulls you into scope.

DLA Piper analysis → · HB 351 engrossed text (PDF) →

The Maryland Online Data Privacy Act, in effect since October 1, 2025, became enforceable by the Maryland Attorney General on April 1, 2026. MODPA is among the strictest U.S. privacy laws — sensitive-data minimization goes beyond consent (true necessity required), the sale of sensitive data is banned outright, and the sale of any consumer’s data without opt-in is banned. The discretionary 60-day cure period sunsets April 1, 2027, leaving an 11-month soft-cure window before strict-liability enforcement. Civil penalties run $10,000 per first violation, $25,000 per subsequent violation.

Action: treat the cure window as your last chance to operationalize sensitive-data minimization and opt-in flows for Maryland residents.

EPIC explainer →

On April 30, the European Data Protection Board and the European Data Protection Supervisor adopted Joint Opinion 2/2026 on the Commission’s Digital Omnibus proposal. The opinion broadly supports simplification — including welcome carve-outs for scientific research, breach notification, DPIAs, and biometric authentication where verification means stay under the individual’s sole control — but strongly opposes the proposed redefinition of personal data, calling it likely to undermine GDPR scope and create legal uncertainty.

Action: controllers should NOT yet adjust pseudonymization or DPIA scoping on the assumption the redefinition will survive trilogue.

EDPB-EDPS Joint Opinion 2/2026 →

Three privacy milestones inside 60 days:

If you sell, share, or monetize precise geolocation tied to Virginia residents — including ad-tech bid streams and analytics SDKs — pull the data-flow inventory now and identify every contract, pixel, and processor that needs to change before July 1. Eight weeks is a long enough runway to do this calmly and a short enough one that starting tomorrow is starting late.

Wednesday: AI Governance — EU AI Act high-risk obligations, the Commission’s Tech Sovereignty package preview, and U.S. state AI-safety legislation.

CyberEyeQ — Actionable Regulatory Intelligence
Reply to this email or write to [email protected] with feedback.
cybereyeq.com