Oregon's Geolocation Ban: Why Precise Location Data Just Got Riskier
Oregon now prohibits selling geolocation data accurate within 1,750 feet—a major win for consumer privacy with real compliance implications. Learn what counts as 'precise location,' how this affects analytics and ad tech, and how to audit your data practices.
The Geolocation Landscape Just Changed in Oregon
If your business collects, processes, or sells location data, you're operating in a fundamentally different regulatory environment than you were six weeks ago. On January 1, 2026, Oregon's amended Consumer Privacy Act (OCPA) took effect with a sweeping prohibition: the sale of precise geolocation data is now banned outright, regardless of whether consumers consent.[1][2] This isn't a consent-and-disclose framework like most privacy laws. It's a hard stop.
For data brokers, ad tech platforms, analytics providers, and any business that monetizes location insights, this represents a significant operational shift. And given Oregon's track record of setting privacy trends that other states follow, this may be just the beginning.
Understanding Oregon's Precise Geolocation Definition
The first step to compliance is understanding what Oregon actually prohibits. The law defines precise geolocation data as data that "accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer" by means of GPS, cell tower triangulation, or similar technologies.[2]
That 1,750-foot radius is critical. It's specific enough to pinpoint a consumer at a particular store, office building, or neighborhood, but not so granular that every location technology falls under the ban. Here's what this means in practice:
- GPS coordinates: Banned
- Cell tower data: Banned (if it meets the 1,750-foot precision threshold)
- WiFi-based location: Banned (typically accurate within 30-150 feet)
- Aggregated, neighborhood-level data: Likely permitted (if it doesn't identify specific locations within 1,750 feet)
- IP-based geolocation: Permitted (typically accurate only to city or regional level, not precise enough to meet the definition)
The distinction between precise and approximate location data is crucial for compliance strategy. A business that anonymizes location data to zip code or city level may avoid the ban entirely, while one sharing block-level or street-level precision crosses the line.[1]
The "Sale" Definition Expands the Ban's Reach
Oregon's law defines "sale" broadly: any exchange of personal data for monetary or other valuable consideration.[2][3] This is broader than it sounds. It includes not just direct purchases of location datasets, but also:
- Bundled data packages: Selling location data as part of a larger customer profile
- Licensing arrangements: Providing location data to third parties under license agreements
- Ad tech sharing: Disclosing location data to advertising partners for location-based targeting
- Data partnerships: Exchanging location data with other companies for mutual benefit
The practical implication is stark: if you're currently sharing precise location data with advertising networks, data brokers, or analytics partners—even as part of a larger data exchange—that arrangement likely violates Oregon law as of January 1, 2026.[3]
Who This Affects (And How Broadly)
The geolocation ban applies to any business that processes data from Oregon residents, not just those headquartered in the state. This includes:
- Publishers and app developers: If your site or app collects location data and monetizes it through ad networks or data sales
- Ad tech platforms: Networks, exchanges, and DSPs that buy, sell, or trade location data
- Data brokers: Aggregators and resellers of consumer data
- Analytics providers: Services that collect and sell location insights
- Retail and location-based services: Businesses that track customer movements and share that data
- Marketing platforms: Tools that use location data for audience segmentation and targeting
The key threshold is whether your business has actual knowledge that it's processing Oregon residents' data, or willfully disregards that possibility.[1] In practice, most online businesses should assume they're handling Oregon consumer data.
Compliance Strategies: From Audit to Implementation
Bringing your practices into compliance requires a structured approach:
1. Data Inventory and Audit
Start by mapping all location data flows:
- Identify every source of geolocation data (GPS, cell tower, WiFi, IP-based)
- Document where that data is stored
- Trace every recipient or downstream use
- Categorize by precision level (is it within 1,750 feet?)
This inventory is essential because you need to know what you have before you can change how you handle it.[1]
2. Segregate Oregon Data
Data brokers and large platforms should consider technical segregation strategies:
- Store Oregon resident location data separately from other states' data
- Tag or flag Oregon records in your databases
- Apply restricted processing rules to Oregon-specific datasets
- Implement geographic filtering at the point of sale or transfer[3]
3. Obfuscate or Aggregate
If you need to continue offering location-based insights, consider:
- Removing precise identifiers: Strip exact coordinates and replace with zip code or neighborhood-level aggregations
- Aggregating across multiple consumers: Report patterns (e.g., "foot traffic to this retail corridor increased 15%") rather than individual locations
- De-identifying data: Remove or encrypt the link between location data and individual consumers
The challenge here is that obfuscation reduces the value of location data significantly. A retail analytics platform that can only report neighborhood-level trends is far less useful than one offering block-level insights.[3]
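The technical side of steps 1 through 3 can be combined into a single gate at the point of transfer. The following is an added example, not code from the original article: it categorizes each record by its reported accuracy radius, then drops or coarsens precise records tagged as Oregon before they leave. The record fields, the 5,000-foot grid cell, the feet-per-degree approximation, and the choice to treat untagged residency as Oregon are all assumptions made for illustration, not figures from the statute.

```python
import math

PRECISE_RADIUS_FT = 1750.0   # threshold quoted in the article
FT_PER_DEG_LAT = 364_000.0   # approximation: feet per degree of latitude
CELL_FT = 5000.0             # assumed grid cell side (half-side 2,500 ft > 1,750 ft)
RESTRICTED = {"OR", None}    # assumption: unknown residency is handled as Oregon

def is_precise(rec):
    """True when the reported accuracy radius falls inside the 1,750 ft threshold."""
    return rec["accuracy_ft"] <= PRECISE_RADIUS_FT

def coarsen(rec):
    """Replace the fix with the centre of its grid cell; the raw point is not kept."""
    lat_step = CELL_FT / FT_PER_DEG_LAT
    cell_lat = (math.floor(rec["lat"] / lat_step) + 0.5) * lat_step
    # A degree of longitude shrinks with latitude, so size the step per grid row.
    lon_step = CELL_FT / (FT_PER_DEG_LAT * math.cos(math.radians(cell_lat)))
    cell_lon = (math.floor(rec["lon"] / lon_step) + 0.5) * lon_step
    # New accuracy radius: half-diagonal of the cell, which bounds the true position.
    return {**rec, "lat": round(cell_lat, 5), "lon": round(cell_lon, 5),
            "accuracy_ft": round(CELL_FT * math.sqrt(2) / 2, 1)}

def prepare_for_transfer(records, policy="coarsen"):
    """Gate an outbound batch; returns (outbound records, audit trail)."""
    outbound, audit = [], []
    for rec in records:
        if rec["state"] in RESTRICTED and is_precise(rec):
            if policy == "drop":
                audit.append((rec["id"], "dropped"))
                continue
            rec = coarsen(rec)
            audit.append((rec["id"], "coarsened"))
        outbound.append(rec)
    return outbound, audit

# Constructed sample batch (not real data).
SAMPLE = [
    {"id": 1, "state": "OR", "lat": 45.5231, "lon": -122.6765, "accuracy_ft": 30},     # GPS
    {"id": 2, "state": "OR", "lat": 45.52, "lon": -122.68, "accuracy_ft": 50_000},     # IP-based
    {"id": 3, "state": "WA", "lat": 47.6062, "lon": -122.3321, "accuracy_ft": 30},     # GPS
    {"id": 4, "state": None, "lat": 44.0521, "lon": -123.0868, "accuracy_ft": 100},    # WiFi
]

if __name__ == "__main__":
    out, trail = prepare_for_transfer(SAMPLE)
    for rec in out:
        print(rec)
    print(trail)
```

The audit trail records which record ids were altered or withheld, which gives the inventory in step 1 a per-transfer record to check against.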
4. Revise Data Processing Agreements
If you work with vendors, partners, or customers who handle location data:
- Update data processing agreements (DPAs) to explicitly prohibit the sale of precise geolocation data for Oregon residents
- Require vendors to certify their compliance
- Include audit rights and indemnification clauses
- Document which parties are responsible for Oregon compliance[1]
5. Update Privacy Notices and Policies
Your privacy policy should clearly disclose:
- What location data you collect
- The precision level (if applicable)
- Whether and how you share or sell that data
- For Oregon residents specifically, confirm that you do not sell precise geolocation data
Transparency is both a legal requirement and a practical safeguard—it demonstrates good-faith compliance efforts.[1]
The Broader Privacy Context
Oregon's geolocation ban doesn't exist in isolation. It's part of a larger tightening of privacy regulations:
The OCPA already prohibited the sale of personal data belonging to children under 16 as of January 1, 2026, regardless of consent.[2] Combined with the geolocation ban, this creates a significant restriction on data monetization strategies that target minors or rely on location-based profiling.
Additionally, Oregon implemented a universal opt-out mechanism effective January 1, 2026, allowing consumers to signal their preference not to have data sold or used for targeted advertising through a browser setting or extension.[4][5] Businesses must honor these signals, further limiting the viability of location-based data sales.
The "cure period"—a 30-day grace period for violations—also expired on January 1, 2026, meaning the Oregon Department of Justice can now enforce violations immediately without warning.[6]
Key Takeaways and Next Steps
Oregon's geolocation ban represents a significant escalation in privacy regulation. Unlike GDPR's consent-based framework or CCPA's opt-out model, Oregon takes a prohibition approach: certain data simply cannot be sold, period.
Here's what you need to do:
- Audit immediately: Map all location data flows and identify which fall within Oregon's 1,750-foot definition
- Assess business impact: Determine which revenue streams or service offerings depend on selling precise location data
- Implement technical controls: Segregate, obfuscate, or remove precise geolocation data for Oregon residents
- Update legal documentation: Revise privacy policies, data processing agreements, and vendor contracts
- Monitor for similar laws: Watch for other states adopting comparable restrictions—Maryland already has similar provisions under consideration[3]
The regulatory pendulum has swung decisively toward restricting location data monetization. Businesses that treat this as a compliance checkbox rather than a strategic shift in how they handle location data will likely face enforcement action. Those that build privacy-by-design principles into their location data practices will navigate this new landscape more successfully.