- So let's say a Delaware incorporated company sells location data that happens to be collected in Virginia, but its sold from the corporation with no operations in Virginia. What happens? On the other hand us-east-1 is in Virginia with who knows how many payment processing servers running.
- The same thing that happens in court cases across state lines. It goes to one of the jurisdictions in a lawsuit unless it qualifies for diversity jurisdiction and goes to a federal court.
- Okay I tend to agree with the CivPro analysis here, but the parent was probably more concerned with the result on the merits.
- If the Delaware company has zero presence in Virginia then the state of Virginia can't do anything about it.
The presence of us-east-1 in Virginia probably will complicate the matter considerably and I'm guessing it's something the courts would need to sort out.
- whoever collected it in virginia, selling it to the delaware company would be screwed though?
- Yeah, someone is at risk of trafficking the gps data out of Virginia initially.
- Most likely the vendor will make a judgement call about whether they care to comply. If they do want to comply, they will likely exempt all Virginia data from the collected data set and contractually require and downstream user to indemnify them if a Virginia person is affected by their data set.
- So, they are collecting geolocation data to avoid selling geolocation data.
BRILLIANT
- from the Youtube kids business, its pretty clear that even when they pretend to not know the details of whos being targeted, they still do, and sell targeted data as such
soo, might as well have the proper details be collected and not sellable, than collected/inferred and still sellable
- The article is misleading. The sale of geolocation data can still take place but not for precise locations. The bill prevents the sale of data that can identify you within 1750ft. You can still be tracked just not precisely. i.e. companies will just sell fuzzy geolocation data.
- So, the fact that you went to a medical center just not the specific doctors office?
This seems weak.
- Yeesh. Collect enough fuzzy data and you can identify a lot about someone.
- Yes. This general problem is known as "k-anonymity". It's worth everyone who works with any sort of personally-identifiable data to read the original paper because the framework they identified is still really helpful for thinking about these issues. https://dataprivacylab.org/dataprivacy/projects/kanonymity/p...
- Indeed, I am pretty sure an algorithm exists which both complies with the law and decompiles fuzzy data to 'less fuzzy' data, i.e. identifying data, thus obviating the ban.
- Yeah I don't understand how something like this makes any sense. Just average out the data points and you're going to get pretty much a straight line path of where and what somebody did. Maybe if there's like one data point per week per person, but even that's going to be pretty informative when averaged as to exactly where somebody lives, works, and so on.
- It's a classic legislation move to look like you're doing something in order to shut down public displeasure, while not actually doing anything.
- Depends on if the independent events are uncorrelated. For example, if they had to be quantized to a grid of length 1750ft and quantized sufficiently in time as well, it might be impossible to average out since the various data points provide no new information.
- This is why I posted the k-anonymity paper. A dataset is k-anonymous if using the dataset is is not possible to distinguish a given person in the dataset from k other people. Then we set a value of k we feel comfortable with and from that we can back into the areas which intuitively you would think would need to vary in size based on time of day and how many people travel through each area in the dataset.
It’s a lot of work but this is what you need to do to guarantee a given (non-zero) level of privacy. It can be done if people are serious about it.
- I assume this depends if 1750ft means the location you can derive from the data (together with other data) or the precision of the individual data point
- knowing and consequences are apparently two entirely different things
we know every single person that went to Epstein Island from their cellphone geolocation data being sold
absolutely nothing has happened to any of them
* https://www.wired.com/story/jeffrey-epstein-island-visitors-...
- That’s effectively always the point in this fake America (and no, that’s not a recent characteristic), misleading; or more specifically false confession, preemptive narrative control, and a form of poisoning the well.
See, peasants, we passed a bill to stop location data selling and the organs of the state called the mainstream media have triangulated and validated that for you; so now you can stop talking about your location data or that you live in a surveillance state that is inherently legitimizing of this fake American government that is a contradiction to the Constitution and the revolution in every single possible way.
- Would love if someone with experience could chime in. I've been reading about the geo data market for over two decades now but still have no real sense of its value. What does this data typically cost? And can you specify particular locations/targeting points, or do you just get whatever's available in a broader dataset?
- Note that this article is from April and the ban went into effect July 1.
- Given the actual informed and uncoerced choice, people say no to this kind of collection and especially its sale or use for any purpose other than the explicit service they thought they were allowing it for (navigation, setting the time, etc etc). This is true for basically all information collected. I'm glad to see there is some minor protection language being included but it needs to have real teeth and get to the point. If you collect data from me under false pretenses or using coercive methods (you can't use the thing you just paid a lot of money for if you say no) you will not only be fined but criminally prosecuted.
- Completely agreed. Even for people who are like "I have nothing to hide", the only people who think this way are simply unaware of just how much harm can come to them without the protection of privacy (and laws that ensure this)... or they just have no self-preservation instinct, I guess?
- So, aside from nothing to hide domestic/family violence and stalking, the fact that they can and will build an inference about you to attempt to influence your choices is fundamentally menacing to every person.
Corporate stalking has become so normalised (and provides so many livings) that we are through the other side.
Half a millennium ago they tried to control us by restricting our access to information to control what we think, now they bombard us with it to control what we think.
- > or they just have no self-preservation instinct
I actually feel this way very often when talking to some younger people online. I wonder if they really competely lack this skill, or their desire for upvotes online leads to them expressing compassionate, but stupid and dangerous, conclusions.
- They didn’t grow up before all this was completely normal. And before we throw too many stones at them, we should all maybe consider how many of us in this thread contribute to the “attention economy” in one form or another, most of which drives everyone into the corral to have their data collected.
It’s easy to point fingers at young people and treat them as ignorant/not caring about what matters, but they were born into and grew up in the world we built and continue to build.
- The "I have nothing to hide people" are the reason our privacy rights have eroded.
- If I was rich, wouldn't I just pay the fines though? I hear about megacops fined billions of dollars every year for doing this shit they don't give a fuck
Edit: Okay my brain processed the information now, criminal prosecution sounds like slightly more deterrence. (Nobody would do an illegal thing, after all ;)
- Criminal prosecution isn't even an issue because it does not extend to the executives. PG&E somehow keeps paying fines to resolve murder charges.
https://liberationnews.org/pges-rap-sheet-the-criminal-histo...
- Hence, the alleged action of Luigi Mangione.
If the law of the government doesn't catch up, eventually the law of the jungle will. But maybe not in their lifetimes.
As President John Fitzgerald Kennedy said: "Those who make peaceful revolution impossible, make violent revolution inevitable."
- it remains hard to imagine a jury that would convict, fully knowing he actually killed the mass murderer. reasonable doubt might almost work againt mangione
- Yup. All it will take is one juror who understands Jury Nullification [0,1], and they've got at best a hung jury mistrial...
- What's the limit of coercion?
Can someone provide a product that loudly says "we will sell your geolocation data" on checkout?
Is it coercion if you simply want the product?
- Yes. Paying the money the data is worth isn’t coercive, linking some other transaction to selling your location data is.
This includes having a discount larger than what your location data is worth. IE: I’ll sell you this car for 50k, o you want it without location tracking that will be 150k.
- I think the practice of tying the use of one product to coerce the loss of rights of your private data has some comparables (noted below).
The law seems to recognize that companies coercing someone to give up money using tie-ins may be illegal but is not yet recognizing data as a monetary equivalent. Because it’s not money it’s not regulated.
Isn’t it time that our data be treated as the exchange of value that it is? And the coercion should be something we are protected against?
1. abuse of monopoly power in tie-in sales.
https://www.ftc.gov/advice-guidance/competition-guidance/gui...
2. Freebie marketing
https://en.wikipedia.org/wiki/Razor-and-blades_model
3. RESPA
https://www.investopedia.com/terms/r/real-estate-settlement-...
- If thats the standard, then I suggest people find a less polarizing word with a clearer definition.
Putting the semantics aside, Who decides what it is worth and to whom?
Why wouldn't a company sell a car without geodata for what it is worth? Maybe it is worth 150k to them because that is what some people will pay the maximum return price point for that package?
- One of the major things courts do is price stuff, ie how much is a lost leg worth.
The question isn’t what’s the value of not being tracked, the question is what’s tracking data itself is worth. Here what the company actually makes selling the data puts an actual price on what that data is worth.
If you can make 50$/year selling the data and want to pay someone 40$ to be tracked that’s a reasonable transaction, if you want to charge them 1,000$/year not to be tracked than it’s no longer about what the data itself is worth.
- A court will decide the cost of a leg someone lost in an accident.
However, If Elon wants your leg as a sex toy, a court won't set a price and force you to sell it.
- Finding the actual value has nothing to do with forcing the sale.
The point is Elon can’t price Starlink at 1 billion dollars a month then give a 999,999,900 discount if you give up your privacy. At that point the bundle is coercive.
- I dont think that is coercive. I dont think coercion has anything to do with finding the value. It is "coercive" if he puts a bullet in your brain if you buy neither option.
- Legally have “sex with me or lose your job” is considered coercion without any direct threat of force. Sleep with me and I’ll pay you 10k isn’t.
The difference is leveraging something else in the transaction not just payment.
- By that definition a 150k car clearly isnt. It is obviously payment inside the transaction
- There is a valid debate but the example I gave clearly coerced the consumer. They had paid for something with the expectation of use and then were hit with a requirement to give consent after the transaction. We shouldn't let some grey area prevent us from stopping the ongoing harm. One side has clearly been abusing the other. If a law goes just a little to far in favor of the consumer I think we can all agree that is better than letting the consumer be completely abused without protections. You don't let an attacker keep punching their victim because we gotta get the laws perfect to act to stop them. Act and reduce the harm and then adjust to get the balance right.
- GDPR does a great job defining this iirc?
gating the product on unrelated data access is coercive
- As long as this is actually about "sale" of data and actually imposes strict limits on data brokers and all the nefarious actors out there, I am all for it.
If it's more similar to the California law, which just calls all uses of data "selling data" and just ends up muddying the waters without actually imposing any regulations of value on the bad actors in the industry, then that would be a shame.
There is value to actually keeping the meaning of words clear and consistent. I have no issues with Google using its first-party Google Maps data to serve me better recommendations. I have massive issues with AT&T selling aggregated geolocation data that makes it easy to identify individuals to third parties. I hope this is a clear path towards banning the latter without touching the former.
- To be fair, the reason the CA laws are much more expansive on all uses of data is because companies have tried a number of arrangements to get around the definition of "sale". This was Sephora's defense back in the first CCPA case, that their data sharing relationship in exchange for targeted marketing services was not "selling" data:
- The biggest issue is that enforcement and litigation is limited to the VA AG. You and I as wronged citizens can't go sue.
That's corny capitalism. A sibling post that talked about 1750 ft or whatever is just noise.
- Honestly, it’s wild that selling people’s precise location data was ever treated like a normal business model.
We already know massive data harvesting has happened. Laws like this are just the bare minimum for catching up.
Would be nice if they could bring in laws that would punish these companies out of existence, but I doubt it.
- What is the rationale for going to the trouble of such a law but only banning sale, rather than all sharing?
- Good question, I’m curious too. 911 services and cell providers come to mind, as well as subpoenaed data from law enforcement? Perhaps?
Third party commercial entities like cell providers are collecting and sharing it out of necessity but I’m guessing not selling it?
But that opens an interesting loop hole it seems where you could open a share agreement and then through other mechanisms recover the fee you’d otherwise charge for.
Provider A wants to sell data to provider B and provider B wants to buy from provider A but they legally can’t. So instead provider A just tucks the cost in some other unrelated contract with provider B with a wink wink, handshake, nod, their “relationship” then just makes them want to share the data at “no charge.” Both know the fees are tucked in other agreements, although only provider A knows the itemized cost, provider B just wonders if the cost of the other package + their friendship handshake sharing of geolocation data is worth that total cost.
To be fair, until money comes into play people tend to be less nefarious about their uses of information and intentions. Not always, but on average.
- Because the data is very helpful in pricing risk of drivers in insurance premiums. Obviously risky drivers should be charged a higher rate.
- Companies who want to use this data should gather it themselves, and transparently. Insurance companies do this, my dad had a little tracking unit in his car that I assume allowed him to pay a lower rate.
It is not gathering or using the data that is a problem, it is gathering or sharing it without awareness and consent. To be fair, even sharing/selling it would be fine assuming it happens with awareness and consent. Not buried in some ToS, but active consent.
- Unless they're disclosing exactly how the location data is being used to measure driver risk, my assumption is that it's a form of redlining. Filing my racial discrimination lawsuit nnnnnnow.
- Cry me a river, insurance companies have managed to do just fine without massive privacy violations and creating a data trough for police and other pigs, ever since car insurance became a thing.
- Is that just point of sale geolocation data, vendor location, or…datacenter location facilitating the transaction
- NYTimes article a few years ago on how car insurance companies were using such data. Tracking sudden stoos, driving at night, driving faster than 80 mph, etc.
- As an aside…
I wonder why “80 mph” was picked as an arbitrary value. In rural areas of Utah we have 80 mph posted limits and prima facie speed laws. A lot of Utah drivers regularly exceed 80 MPH and I’d argue they do so legally. It’s just a weird number for them to pick.
- They may be looking at a correlation between speed and claims rather than whether or not the speed is legal. Accidents at 80 mph will tend to be more severe, and possibly also more frequent.
Note that they are also looking at night driving, which as far as I know is legal everywhere, but someone who spends a higher percentage of their time driving at night probably is a bigger risk for the insurance company than a similar person who doesn't drive as much at night.
- I'd surmise it's because several states (CA comes to the top of mind) set speeds in excess of 80 as a potential felony enhancement.
iirc in CA it's 20mph over the speed limit, or speeds over 80.
The insurance companies probably want to know who to raise rates on.
- Which is crazy because when I do 80 in Mostly PA and NJ I am getting passed constantly.
- I just looked and both PA and NJ, have way below natl average car accident deaths per 100K drivers, even if death in over speeding seems to be a a significant contributing factor to overall rates.
Interesting to me. I wonder what are they doing right.
- It's not arbitrary, there are limits of physics to how fast you can slow down on rubber wheels no matter how good your brakes are. The stopping distance starts to grow dramatically around these speeds.
- Even it it's legal, it's probably less safe. Insurance companies care about your likelihood of being in an accident that they will have to pay for, not strictly whether your driving is legal.
- people that drive on those high speed roads are more likely to be involved in more dangerous/harmful collisions?
legally and unlikely-to-make-expensive-consequences are separate items that insurance exists to differentiate
why shouldnt people driving on such dangerous roads have to pay higher insurance rates?
- It's not arbitrary. In Virginia that's a guaranteed reckless driving charge.
- Texas: we set the speed limit at 85.
- Meanwhile Germany: that's the target speed you should aim for, but if you want to drive faster, you absolutely can.
- Not anymore. It got moved to 85 because speed limit on interstates moved to 70.
- How do one know this? I don't know where to get this information and whether to trust it.
- In jurisdictions where 65MPH is the highway speed limit, 80MPH is usually the "reckless driving" threshold. And in Virginia, reckless driving is a felony misdemeanor.
- Exactly. Exchanging private and personal user data without consent and without users being aware of it, for their profits.
- It’s important to understand that in the USA, data is owned by the collector (eg. The app or SaaS who generated it), not the person who is described by it.
Until this legal regime changes, we will constantly be playing whack-a-mole with laws like this.
- That sounds like something Europeans would do, so it's anti american.
- In Europe, who owns the copyright of a photograph? The subject or the photographer?
- If a company writes down my personal information do they now own it?
- The economy is not 0 sum. Someone else profiting doesn't hurt you.
- You’re right and wrong: today’s economy is often negative sum from total utility perspective. It hurts society and the person but it helps Mark Suckerberg and Scam Altman and the private equity firms.
It’s positive sum from a wealth-weighted utility calculation though. And that’s why it happens.
- Seems you missed that part that DOES hurt us:
> Exchanging private and personal user data without consent and without users being aware of it
- This information allows other companies to make more informed decisions. Other companies making better decisions doesn't "hurt us".
- Companies’ executives and top investors should let us see their location data then. And open up every part of their internal comms that don’t directly disclose trade secrets. At least the metadata!
It doesn’t hurt them, just lets us make better decisions, after all. There does not exist a good reason they’d object!
- You can buy it from a data broker. They aren't obligated to give you this data for free.
- We collect your data, sell it to the highest bidder and sun ourselves on a yacht we bought with the proceeds ... "to help you".
- And when those "informed decisions" are denying healthcare/insurance/loans/what have you?
- I personally see it as similar to fraud if you are deliberately hiding a piece of information that makes you riskier to insure or loan money to. In order to accurately assess risk you need personalized data. So I see this as being a more fair deal.
It's like when the internet made it possible to look up the price of good easily how it made it less likely for buyers to be able to lowball people. These price guides may be bad for these buyers, but it provides a more fair deal for these seller.
- I agree. If someone is found to be employed by a data broker, for example, they should be uninsurable and should not receive loans.
- More informed decision to raise revenue. Is that necessarily helping us? When you say its not affecting us, us as who? Just sounds like a karma farmer.
- A good start. From 2024: "A company allegedly tracked people’s visits to nearly 600 Planned Parenthood locations across 48 states and provided that data for one of the largest anti-abortion ad campaigns in the nation, according to an investigation" - https://www.politico.com/news/2024/02/13/planned-parenthood-...
- It gets so awful. Here's one of the worst I remember, 2019: https://www.nbcnews.com/news/us-news/missouri-health-directo...
- As someone who works in a space where we buy ads, I love things like this. Data points like this just shouldn't be on the table for sale. Just makes sure that we don't depend on best intentions alone to make sure we protect people. A step in the right direction.
- I didn't read the law but the article referred to it as "personal data". It's important to note that Big Tech believes it can "anonymize" fine-grained location data but just stripping PII and assigning a semi-stable random ID. They'll then argue this law doesn't apply because of that.
That's absolute crap because geolocation data is extremely easy to de-anonymize. I wonder whose phone is at my house 12am-8am everyday, takes more or less the same route through the city, and spends hours in my office everyday. I wonder.
- So, what sort of gymnastics do alpr companies need to play to defend their activities don't break this new ban?
My puny brain can't understand why it wouldn't be relevant. Or is it?
- I am intrigued as an outsider, that state in US can have much stronger authority to restrict sale of such personal data.
- The thing to remember about US states is that conceptually they are countries bound together in a Federation. There's a crap ton of complicated rules, but generally your state has a lot more power over your life than the US Federal Government does.
- I was intrigued, because even a broad location given for an IP address is "geolocation data", but the law says "precise geolocation data" which limits it to device-reported data, I assume.
- It likely fits the definition of precise location data that you can configure on mobile settings (it's a finer grained option you can enable when sharing your location).
- Laws typically define terms like this, and this law is no exception.
> "Precise geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
https://law.lis.virginia.gov/vacode/title59.1/chapter53/sect...
- >"Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
What exactly does this mean?
- Smart meters. https://en.wikipedia.org/wiki/Smart_meter
- Just wondering why that would be relavant to exclude
- My guess is that these devices are stationary, so their location is known.
- Yep, definitely fits with plenty of space. Thanks for confirming.
- I'm sure any coordinates would do. So long as it's not "behind the maple tree that stands across the road from Ross Dress for Less"
- Why not make selling any personal data illegal in the entire country?
- Have any other states banned the sale of geolocation data?
- Great, now you have to ban sharing of it, or banning sale is worthless.
Or rather, only worthwhile as a straw-man you can point to and say "Look, we stopped it!" when you know that's false.
- Bill: https://lis.virginia.gov/bill-details/20261/SB338/text/SB338
> Virginia follows Maryland and Oregon in banning the sale of geolocation data. Both Maryland and Oregon more broadly define “sale” to mean the exchange of personal data “for monetary or other valuable consideration.” Virginia joins several other states that have recently proposed legislation with similar bans, including California, Massachusetts, Vermont and Washington State. The legislative activity follows regulatory scrutiny on the sale of geolocation data, including the California Attorney General’s investigation into the location data industry in March 2025, and a 2024 FTC settlement banning a data broker from selling geolocation data.
(i could not find a state legislation tracker regarding this type of legislation, please feel free to drop it in a reply if you find one!)
- Funny how two states with a large number of elected officials living in them opt for privacy first.
- In fact, most states have a large number of elected officials in them, especially those elected officials who hold the legislative power of that state.
But if you meant the 500ish elected federal officials, most of whom are not Virginians or Marylanders, and so have neither any influence as voters nor as legislators, then... well I'm still not sure what you mean. Privacy laws are good. I don't see a reason to be cynical.
- This is an actually great move.
- They are a bit confused in the USA. For instance, flock cameras are used as mass spying tool. That also yields geolocation data. And also bypasses (parts of) the amendment. There is a lack of consistency here.
- “ Virginia follows Maryland and Oregon in banning the sale of geolocation data. Both Maryland and Oregon more broadly define “sale” to mean the exchange of personal data “for monetary or other valuable consideration.”
I didn’t know this, but I am glad my State already had this! We do some things right.
- As someone who frequently travels to Virginia, this is great news.
- What I find confusing is that I know an infinite plethora of companies have geolocation data in everyone.... But I look at my fairly-stock Pixel phone and the only things with background geolocation permissions are Google apps, and I know google famously hoards that data like a dragon.
Is it just that people are happily allowing every app access to live geoloc data even in background? Is there some edge where "while in use" apps are "in use" during cases you wouldn't think they are? Is it my Samsung watch?
- The cellular companies themselves are a source for this, as they don't even need GPS or app permissions to triangulate your rough location.
Apps that have access to look for networks can also be used to infer location. E.g., combine multiple known WiFi SSIDs or Bluetooth devices together and you can get a rough location.
Also, most people just hit "accept" for a whole bunch of app permissions and just forget about it. The fact that you even know which apps have which permissions at all means you are almost certainly more careful than the average person, even though you are saying this in the context of a stock Pixel phone.
And, oh yeah, most people have much more invasive Android phone brands than Pixel...cheap phones with a bunch of carrier/advertising partner spyware sell far better than Google's phones. Does Samsung still install the Facebook app by default like they used to? I think it used to be impossible to fully delete, even!
- That's a step into the right direction. I can only imagine how much pain has been inflicted with metadata.
- I cant wait for the feds to sue them for.. something
- What a coincidence that northern Virginia is spy central.
- This is going to spread like wildfire. ("We can do that?")
- *except sale to the government?
- [dead]
- [flagged]
- So, instead you buy a "custom computer", and the data is completely free!
Its like how FLOCK gets around pesky data laws. The devices coat a lot, but the software dashboard access is "Completely free*"
- I can't find it so it's probably just a myth, but I recall hearing about "free beer with purchase of food" at bars during prohibition. However, I think it was more than just the sale that was prohibited.
- I used to regularly go to a comedy show on the site of an old brewery in Wandsworth. The comedy cost £20 but the beer was free. Apparently the site was the oldest continuous used brewery in Europe and the head brewer decided to keep the record going after the site was sold to a property development company. However, there was a prohibition against competition and licensing issues meaning they couldn't charge for beer.
- There was a situation like this in DC for cannabis. There was a ballot measure passed that legalized recreational use and gifting but selling weed was still illegal. So there were lots of “gifting” shops where they would sell things like stickers or t-shirts and then offer you a “free gift” of cannabis. It was sort of tolerated for a little while but the authorities started cracking down and required them to get licensed for medical maraijuana sales. [1]
0: https://en.wikipedia.org/wiki/2014_Washington,_D.C.,_Initiat...
1: https://mjbizdaily.com/news/district-of-columbia-dc-gifting-...
- Raines Law in that late 1800s put restrictions on the sale of alcohol in NY on Sundays. Bartenders used a loophole of the drinks being served with a meal to get around it.
They would make a single sandwich, "serve" it to the patron along with their drink, then immediately take back the sandwich to "serve" it to the next person wanting a drink
- I've been to bars that required you to buy a bowl of popcorn or some such in order to abide by their restrictive liquor license which only allowed sale with food.