States Ramp Up Restrictions on Sale of Sensitive Consumer Data
Maryland’s law banning the sale of sensitive data signals a shift toward stricter state privacy regulation.
WASHINGTON, April 9, 2026 – Legal experts and policy advocates are calling for a delicate balance between consumer privacy and the functional necessity of location data as states begin to implement aggressive new regulations.
During a Federal Communications Bar Association panel Wednesday, experts discussed recent legislative shifts, such as a new Maryland law that implements a total ban on the sale of sensitive personal data, signaling a move away from traditional “notice and choice” frameworks toward outright prohibitions on certain data uses.
“We're starting to see these going beyond notice and choice, beyond opt-in consent to some specific complete bans on certain uses of location data,” said Cobun Zweifel-Keegan, managing director at IAPP, identifying the Maryland ban as “the most meaningful thing that's happened in recent years.”
The Maryland Online Data Privacy Act, enforceable as of April 1, grants Marylanders strong rights over personal data by limiting the data companies collect and banning the sale of users’ most sensitive data. It restricts data processing for those under 18, and mandates data protection assessments.
The law applies to entities doing business in Maryland that, during a one-year period, process personal data of at least 35,000 consumers, or process data of 10,000 consumers while deriving over 20 percent of revenue from selling data.
In Virginia, lawmakers have advanced legislation that would ban the sale of precise geolocation data. The measure, which would amend the state’s existing Virginia Consumer Data Protection Act, cleared both chambers of the legislature on March 10 and now awaits action from Gov. Abigail Spanberger, who faces an April 13 deadline to sign or veto the bill.
Several other states, including California, Connecticut, Maine, Massachusetts, Vermont, and Washington, are considering similar bans during the 2026 legislative session.
“There are a number of important discussions that are ongoing about ensuring the privacy of Americans' data, but also, how do we do that while still enabling them to continue to have access to key services?” Avonne Bell, director of connected life at CTIA questioned. She emphasized that while privacy is important, agencies have to consider that location data remains a core component of modern digital infrastructure.
Federal oversight involving national security
Federal oversight involves national security and law enforcement considerations. Section 222 of the 1996 Telecommunications Act mandates that telecommunications carriers protect the confidentiality of proprietary information and Customer Proprietary Network Information (CPNI).
It restricts carriers from using or disclosing customer data, such as location, usage, and billing, except for providing services, with customer approval, or as required by law.
“We are seeing a multi-front approach here from the FCC, the FTC, and individual state attorneys general all looking at how this data is managed,” Josh Turner, a partner at Wiley Rein LLP. Turner noted the complexity of regulating data that impacts both consumer protection and national interests.
Tyler Bridegan, a partner at Womble Bond Dickinson and former enforcement director for the Texas Attorney General, added, “Regulators will want to interpret that to require a pretty explicit consent and disclosure that lists exactly how you're using or exactly what types of geolocation data, how much you're collecting and what you're doing with it.”
Member discussion