In a continued push to refine state-level consumer data protections, two Democratic governors recently signed targeted amendments to their states’ comprehensive privacy statutes. On April 13, 2026, Virginia Governor Abigail Spanberger signed Senate Bill 338, which prohibits the sale of precise geolocation data under the Virginia Consumer Data Protection Act (VCDPA). Meanwhile, Kentucky Governor Andy Beshear signed House Bill 692, amending the Kentucky Consumer Data Protection Act (KCDPA) to address privacy risks from smart television technology by defining “automatic content recognition” (ACR) and classifying the data it generates as sensitive.

These amendments reflect a growing trend among states with existing privacy laws: rather than overhauling entire frameworks, lawmakers are making surgical updates to close specific loopholes and respond to emerging surveillance technologies. Both changes add meaningful consumer safeguards while maintaining the business-friendly core of the original statutes.

Virginia Bans Sale of Precise Cellular Location Data

Senate Bill 338, introduced by Senator Russet Perry, amends the VCDPA to explicitly prohibit controllers from selling or offering for sale precise geolocation data concerning a consumer. The bill defines precise geolocation data as information that identifies a consumer’s location within a radius of 1,750 feet or less. The prohibition takes effect July 1, 2026.

Advocates, including the Electronic Privacy Information Center (EPIC) and Consumer Reports, strongly supported the measure. EPIC urged Governor Spanberger to sign the bill, stating that banning the sale of precise geolocation data would “put a stop to some of the most harmful abuses of our personal data happening today.” The group highlighted recent reports of federal agencies, including Immigration and Customs Enforcement (ICE), purchasing access to location-tracking tools that monitor millions of Americans’ movements—often bypassing traditional Fourth Amendment protections.

Consumer Reports led a coalition letter emphasizing that while geolocation data powers useful services like navigation, it is frequently collected and sold by ad networks and data brokers without consumer awareness or direct relationship. The coalition argued the ban would curb secret sharing of highly sensitive location information.

The advertising industry pushed back. Groups including the American Association of Advertising Agencies and the Digital Advertising Alliance urged a veto, warning that the restriction could disrupt legitimate targeted advertising and location-based services. Despite this opposition, the bill passed the Virginia General Assembly with strong bipartisan support and was signed into law.

This amendment builds on Virginia’s existing treatment of precise geolocation as sensitive data, which already requires consumer consent for processing in many cases. By outright banning its sale, Virginia joins Maryland and Oregon in taking a stricter stance against the commercial trade in detailed location tracking data.

Kentucky Adds Protections Against Smart TV Tracking

In Kentucky, House Bill 692 addresses privacy concerns arising from Automatic Content Recognition (ACR) technology embedded in smart televisions and monitors. The bill, signed by Governor Andy Beshear on April 13, 2026, amends the KCDPA by adding definitions for “automatic content recognition” and “smart monitor” and classifying ACR data as sensitive data.

Under the amendment, “automatic content recognition” refers to technology in internet-connected smart TVs or monitors that identifies displayed content in real time by analyzing audio or video fingerprints. This includes content from broadcast, cable, satellite, streaming services, or external inputs, using techniques such as digital fingerprinting or watermark detection. A “smart monitor” is defined as a digital display device with integrated hardware and software enabling independent internet connectivity, app execution, and media streaming.

Controllers are now prohibited from collecting automatic content recognition data without the consumer’s consent. This aligns ACR data with other categories of sensitive data under the KCDPA—such as health information, biometric data, or precise geolocation—which already require express consent for processing.

The bill includes targeted exclusions: it does not apply to data collected directly by the service provider providing the content, data generated from a consumer-requested feature, or data used solely to enforce terms of service or legal obligations. The changes take effect July 1, 2027, giving businesses time to update compliance programs.

Privacy advocates view the measure as a timely response to the invisible tracking capabilities of modern smart TVs, which can generate detailed viewing histories without users realizing the extent of data collection. Similar concerns have prompted legislative attention in other states, and Kentucky’s amendment positions it as an early mover on this specific technology risk.

Context Within the Evolving U.S. State Privacy Patchwork

These amendments highlight how states with comprehensive privacy laws are iteratively strengthening protections without starting from scratch. Virginia’s VCDPA, one of the earliest comprehensive statutes (effective 2023), has seen multiple refinements, including enhanced children’s privacy rules. Kentucky’s KCDPA, effective January 1, 2026, is among the more recent additions to the 21-state patchwork and now joins the trend of targeted updates.

Compared to Alabama’s newly passed law (set for 2027 effectiveness), which features lower coverage thresholds and unique sale exemptions, Virginia and Kentucky’s changes focus on specific high-risk data types rather than broad applicability tweaks. Virginia’s outright sale ban on precise geolocation goes further than many states, where such data is treated as sensitive but not fully prohibited from sale. Kentucky’s consent requirement for ACR data mirrors sensitive-data rules elsewhere but directly targets a consumer electronics privacy gap that few laws have yet addressed.

Both amendments maintain exclusive enforcement by state attorneys general and avoid creating a private right of action—consistent with the business-oriented approach common in most non-California state privacy laws. They also preserve existing consumer rights to access, delete, and opt out of data sales or targeted advertising.

Implications for Businesses and Consumers

For businesses, the Virginia change means data brokers, ad tech companies, and any controller handling precise location data must review contracts and data-sharing practices to ensure no prohibited sales occur after July 1, 2026. Location-based services that rely on aggregated or non-precise data remain unaffected.

In Kentucky, smart TV manufacturers, streaming platforms, and companies integrating ACR technology will need to implement consent mechanisms for data collection. Privacy notices and data processing agreements should be updated to reflect the new sensitive-data classification. The one-year implementation period provides a reasonable window for compliance adjustments.

Consumers in both states gain clearer protections against particularly invasive tracking methods. Virginians will have stronger safeguards against the commodification of their real-time movements, while Kentuckians will have greater control over whether their television viewing habits are monitored and used by ACR systems.

Privacy experts note that these bills demonstrate responsive governance: addressing concrete harms—secret location sales and passive TV tracking—without broadly disrupting innovation. However, critics argue that piecemeal amendments can add complexity to the already fragmented national privacy landscape, making multistate compliance more challenging for companies.

Broader Trends in State Privacy Legislation

The Virginia and Kentucky actions fit into a larger pattern of 2026 state privacy activity. Alabama recently passed its first comprehensive law with distinctive thresholds and exemptions, while Oklahoma enacted its statute earlier this year. Meanwhile, states with mature laws like Virginia continue fine-tuning to keep pace with technological developments.

Issues such as precise geolocation, biometric data, and emerging surveillance tools in consumer devices are receiving heightened scrutiny. Consumer advocacy groups continue pressing for stronger limits on data brokers and ad tech practices, while industry representatives caution against overly restrictive rules that could limit beneficial services.

As more states amend or enact privacy statutes, businesses operating nationally are advised to maintain flexible compliance programs capable of adapting to these incremental changes. For now, the amendments in Virginia and Kentucky represent pragmatic steps that enhance consumer trust without fundamentally altering the balance struck in the original laws.