Massachusetts bans precise geolocation sales
Massachusetts banned the sale of precise location data. The statute kills a commercial attack vector and creates real telemetry gaps for defenders.
Massachusetts passed the Location Shield Act companion language inside its 2026 privacy rights bill. The statute bans the sale, lease, trade, or rental of precise geolocation data - defined as any data resolving a device or person to within 1,850 feet. It applies to data brokers, mobile advertising SDKs, and any third party that aggregates location signals collected from devices physically present in the Commonwealth. The compliance deadline lands inside this calendar year. The penalty regime authorises the Attorney General to pursue civil enforcement at $5,000 per violation, calculated per record. This is not a notice-and-consent regime. It is a market shutdown for a specific data class within a specific jurisdiction.
Precise geolocation is a primitive in the offensive toolkit. It is not a privacy abstraction. The data class enables target selection, pattern-of-life development, and physical-world correlation against logical-world identifiers. A buyer with a clean ad-tech contract can acquire device-level latitude and longitude at update intervals between thirty seconds and fifteen minutes, joined to a mobile advertising identifier - the IDFA on iOS, the AAID on Android - which is itself joinable to email, phone number, and home address through any number of identity graphs sold in the same market. The MAID-to-PII linkage is the pivot. Once it is made, the location feed becomes a surveillance feed against a named human.
The operational use cases are well-documented. Vice reported on the U.S. military purchasing Muslim Pro location data via X-Mode in 2020. The Wall Street Journal published the Catholic priest outing case in 2021, where Grindr signals sold through the ad-tech pipeline were de-anonymised and joined to a specific person at a specific residence. The Markup mapped data broker SafeGraph selling Planned Parenthood visit data after Dobbs. These are not edge cases. They are demonstrations of the data class behaving as it was built to behave. The Massachusetts statute treats the data class itself as the harm, which is the correct threat model. Consent-based regimes failed because the consent flow is upstream of the secondary market and invisible to the data subject by the time the feed reaches a buyer.
The attacker tradecraft maps cleanly to MITRE ATT&CK reconnaissance and resource development tactics. T1591, gather victim org information, including physical location. T1589, gather victim identity information. T1596.005, search open technical databases - scan databases - which in the broker market means subscribing to a feed. The post-acquisition workflow against a high-value target is straightforward. Acquire a sample feed scoped to a geographic polygon around the target’s likely residence or workplace. Filter for MAIDs appearing inside that polygon during expected dwell windows. Cross-correlate against MAIDs appearing at other locations of interest - a corporate campus, a SCIF-adjacent parking lot, a courthouse, a clinic. Identity-graph resolve to a name and address. The signal chain is months of paid feeds and a few hours of SQL. The cost is in the low four figures for a continental U.S. broker subscription.
The physical compromise vector is where this stops being theoretical for security teams. An adversary with precise location on a target executive can time a SIM swap to the window the device is known to be inside a residence and not in active use. Pattern-of-life data tells the operator when the principal is on a flight, when a security detail rotates, when a residence is empty. For a red team engagement that includes physical access, the difference between guessing and knowing is the difference between a contested entry and a clean one. For a real adversary running against a hardware-bearing engineer at a defense contractor, the same delta determines whether a targeted device extraction succeeds. The Strava heatmap incident in 2018 already demonstrated this against military installations - aggregated fitness data revealing the perimeter patrol routes of forward operating bases the public did not know existed. The Strava case used aggregate data. The broker market sells device-level data.
Supply chain targeting is the second-order use. Knowing the precise location of a logistics asset - a truck, a container yard, a substation maintenance vehicle - at update intervals measured in minutes is a tasking primitive. The operator does not need to compromise the asset’s communications. The driver’s personal phone, running a weather app with an ad SDK, emits the signal. Correlate the device against a known route and the asset is geolocated in near-real time. The same technique applies to threat actor surveillance of incident response teams during active intrusions. The IR consultant’s phone arriving at a client site is observable through the broker market within hours. Adversaries who notice the IR engagement starting can accelerate destructive actions before containment lands.
The defensive telemetry implications cut both ways, and the cut against defenders is sharper. Threat intelligence vendors and a category of attack surface management products consume the same broker feeds. They use the data to identify employee devices appearing at adversary infrastructure, exposed corporate assets, and pattern-of-life anomalies against insiders. Those workflows lose a data source inside Massachusetts. The visibility loss is concrete. If a defender was correlating MAIDs of named insiders against MAIDs observed at locations associated with foreign intelligence service activity, that correlation breaks at the state line. Counterintelligence-adjacent detections that depend on aggregate location signals - pattern-of-life baseline shifts, unusual co-location with hostile state diplomatic facilities, abnormal cross-border movement signals - degrade. The capability that enabled the abuse also enabled some of the detection. Both go away under the statute.
What remains operational for defenders is the on-device and on-network signal. MDM-managed location on corporate devices is not affected because it is not sold. EDR telemetry from agent-instrumented endpoints is not affected. Network-level signals - VPN egress geography, cell tower attachment data from carrier partnerships, badge access logs - remain in scope. The gap is specifically in the secondary market for advertising-derived signal, which is where the broad-aperture, low-friction, low-cost data was. Replacing that capability requires either contracted access to carrier-grade location, which is expensive and access-controlled, or first-party telemetry from devices the organisation owns and instruments. Neither covers the same surface the broker market did.
The statute’s residual exposure is in the joins. The ban targets the sale of precise location. It does not retroactively unmake the identity graphs already built from prior years of feeds. A broker that sold MAID-to-address mapping in 2024 still has the mapping in 2026. A purchaser who acquired Massachusetts-scoped feeds before the effective date still holds the historical data. The pattern-of-life baseline is durable. The capability degrades over time as devices roll, MAIDs reset, and identity graphs decay, but it does not collapse on the effective date. Adversary models that built their target packages from feeds purchased before enforcement retain operational value for twelve to thirty-six months depending on target lifestyle stability.
The enforcement model is the part to watch. Massachusetts has chosen ex-post civil enforcement, which has historically failed against data brokers because brokers operate in jurisdictions that decline to cooperate, structure entities to limit U.S. nexus, and rebrand faster than enforcement actions resolve. The California Consumer Privacy Act has been in force since 2020 and a working broker market still sells California-resident location data on the dark and gray markets. The Massachusetts statute will likely produce the same outcome for the same reasons. The above-board ad-tech market will exit Massachusetts location data. The compliant SDKs will geofence the Commonwealth out of their collection footprint, which is technically trivial. The data class will continue to exist in the criminal and adversarial markets, sourced from non-compliant SDKs, malware-embedded location collectors, and threat actor toolkits that already operate outside U.S. jurisdiction.
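The paragraph above says a compliant SDK can simply geofence the Commonwealth out of its collection footprint. The block below is an added example of what that SDK-side policy looks like in code; it is not code from the article or from any real SDK. It assumes the 1,850-foot threshold the article quotes, a constructed and deliberately rough polygon standing in for the state boundary (a real deployment would load an authoritative boundary dataset that handles the coastline and islands), and that the OS reports a horizontal accuracy radius with each fix. It shows both policies an SDK vendor could choose: drop precise fixes inside the fence, or coarsen them to a grid cell whose worst-case error is provably larger than the statutory threshold.

```python
"""SDK-side geofence for a precise-geolocation ban (added example, not from the article)."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

FEET_PER_METRE = 3.280839895
# Threshold as described in the article: data resolving a device to within 1,850 feet.
PRECISE_THRESHOLD_M = 1850 / FEET_PER_METRE  # ~563.9 m

# Constructed, rough outline of Massachusetts as (lat, lon) vertices.
# Placeholder for illustration only; a real SDK would load an authoritative
# state boundary rather than hand-typed coordinates.
MASSACHUSETTS_APPROX: List[Tuple[float, float]] = [
    (42.75, -73.50), (42.70, -71.10), (42.87, -70.80), (42.40, -70.60),
    (41.95, -69.90), (41.50, -69.95), (41.25, -70.60), (41.30, -71.15),
    (42.02, -71.20), (42.02, -73.50),
]


@dataclass(frozen=True)
class LocationSample:
    lat: float
    lon: float
    accuracy_m: float  # horizontal accuracy radius reported by the OS location API


def is_precise(sample: LocationSample) -> bool:
    """True when the sample resolves the device to within the statutory threshold."""
    return sample.accuracy_m < PRECISE_THRESHOLD_M


def point_in_polygon(lat: float, lon: float, polygon: List[Tuple[float, float]]) -> bool:
    """Even-odd ray casting: cast a ray along the longitude axis, count edge crossings."""
    inside = False
    n = len(polygon)
    for i in range(n):
        lat_i, lon_i = polygon[i]
        lat_j, lon_j = polygon[(i + 1) % n]
        if (lat_i > lat) != (lat_j > lat):
            lon_cross = lon_i + (lat - lat_i) * (lon_j - lon_i) / (lat_j - lat_i)
            if lon < lon_cross:
                inside = not inside
    return inside


def grid_cell_max_error_m(lat: float, cell_deg: float) -> float:
    """Worst-case distance from a cell centre to any point in the cell (half the diagonal)."""
    metres_per_deg_lat = 111_320.0
    metres_per_deg_lon = 111_320.0 * math.cos(math.radians(lat))
    half_h = cell_deg * metres_per_deg_lat / 2
    half_w = cell_deg * metres_per_deg_lon / 2
    return math.hypot(half_h, half_w)


def coarsen_to_grid(sample: LocationSample, cell_deg: float = 0.02) -> LocationSample:
    """Snap to the centre of a grid cell and report the cell's max error as the accuracy."""
    lat_c = (math.floor(sample.lat / cell_deg) + 0.5) * cell_deg
    lon_c = (math.floor(sample.lon / cell_deg) + 0.5) * cell_deg
    return LocationSample(lat_c, lon_c, grid_cell_max_error_m(sample.lat, cell_deg))


def apply_policy(sample: LocationSample, mode: str = "drop") -> Optional[LocationSample]:
    """Outside the fence: pass through. Inside: drop precise fixes, or coarsen them."""
    if not point_in_polygon(sample.lat, sample.lon, MASSACHUSETTS_APPROX):
        return sample
    if not is_precise(sample):
        return sample  # already coarser than the threshold; not in the banned class
    if mode == "drop":
        return None
    if mode == "coarsen":
        coarse = coarsen_to_grid(sample)
        # The chosen grid size must leave the result outside the precise class.
        assert not is_precise(coarse)
        return coarse
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample fixes: downtown Boston (in-state) and Providence, RI (out-of-state).
    for fix in (LocationSample(42.36, -71.06, 10.0), LocationSample(41.82, -71.41, 10.0)):
        print(fix, "->", apply_policy(fix), "| coarsen:", apply_policy(fix, mode="coarsen"))
```

A 0.02-degree cell is about 2.2 km tall and, at Massachusetts latitudes, about 1.65 km wide, so its half-diagonal is roughly 1.4 km, comfortably above the threshold; the in-function assertion makes the grid size a checked invariant rather than a comment.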
The net change for an offensive operator targeting a Massachusetts-resident principal is a marginal cost increase. The clean commercial broker market is foreclosed. The gray and criminal markets remain accessible to anyone willing to pay. For defenders, the change is a real visibility loss in a category of detection that was already brittle and is now structurally unavailable inside the state. For an executive protection team, the practical guidance is unchanged. Assume location data on principals and their household devices is acquirable through channels that do not respect the statute. Treat MAID emission as a continuous OPSEC failure on any device permitted near sensitive operations. Strip ad-tech SDKs from devices that cross sensitive geographies. Treat the personal mobile device as a beacon, because it is.
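The guidance above treats MAID emission as a continuous OPSEC failure. One way a defender can make that failure visible on devices the organisation controls is to scan outbound proxy logs for requests that carry both an advertising identifier and coordinates. The block below is an added example of that detection, not code from the article; it assumes a constructed proxy log format (timestamp, client IP, method, URL), constructed hostnames under the reserved .test domain, and a guessed set of common query-parameter names for advertising IDs and coordinates. It estimates how precise a leaked coordinate is from its number of decimal places and compares that against the 1,850-foot threshold the article quotes.

```python
"""Flag advertising-ID plus coordinate leakage in proxy logs (added example, not from the article)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

FEET_PER_METRE = 3.280839895
PRECISE_THRESHOLD_M = 1850 / FEET_PER_METRE  # statutory threshold per the article
METRES_PER_DEG_LAT = 111_320.0

# Assumed parameter names; extend from what your own traffic actually shows.
MAID_KEYS = {"idfa", "aaid", "gaid", "adid", "advertising_id"}
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed log lines: "<epoch> <client-ip> <method> <url>". Hostnames are placeholders.
SAMPLE_LOG = [
    "1712345678.123 10.0.0.21 GET https://ads.example-sdk.test/v2/track"
    "?aaid=3f1e9c2a-7b4d-4e8a-9c3d-5a6b7c8d9e0f&lat=42.3601&lon=-71.0589&app=weather",
    "1712345680.004 10.0.0.22 GET https://weather.example.test/forecast?zip=02108",
    "1712345681.500 10.0.0.23 POST https://metrics.example-sdk.test/beacon"
    "?idfa=0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9&lat=42.4&lng=-71.1",
]


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    maid_key: str
    resolution_m: float  # worst-case rounding error implied by the coordinate's decimals
    precise: bool        # True if that error is inside the statutory threshold


def decimal_places(value: str) -> int:
    return len(value.split(".", 1)[1]) if "." in value else 0


def latitude_resolution_m(value: str) -> float:
    """Half a step of the last printed decimal, on the latitude axis."""
    return METRES_PER_DEG_LAT * 10 ** (-decimal_places(value)) / 2


def inspect_request(line: str) -> Optional[Finding]:
    """Return a Finding when a request carries a UUID-shaped MAID and a lat/lon pair."""
    parts = line.split()
    if len(parts) < 4:
        return None
    _ts, client, _method, url = parts[:4]
    split = urlsplit(url)
    params = {k.lower(): v[0] for k, v in parse_qs(split.query).items()}
    maid_key = next((k for k in params if k in MAID_KEYS and UUID_RE.match(params[k])), None)
    lat = next((params[k] for k in LAT_KEYS if k in params), None)
    lon = next((params[k] for k in LON_KEYS if k in params), None)
    if maid_key is None or lat is None or lon is None:
        return None
    resolution = latitude_resolution_m(lat)
    return Finding(client, split.hostname or "", maid_key, resolution,
                   resolution < PRECISE_THRESHOLD_M)


def scan(lines: List[str]) -> List[Finding]:
    """Run the check over a batch of log lines, keeping only hits."""
    return [f for f in (inspect_request(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Every hit is worth a look, because the identifier is the pivot the article describes; the `precise` flag only separates fixes that fall inside the banned data class from ones already coarser than the threshold. Run it on real logs by replacing SAMPLE_LOG with lines read from the proxy, keeping the same four leading fields.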
The statute is the right policy. It does not change the threat. The data was the attack vector before the law passed. It remains the attack vector for any adversary unconstrained by Massachusetts civil enforcement. The defenders who relied on the same feeds for detection lose ground. The market reshapes around the boundary and the work continues underneath it.