GeoAI and the Law Newsletter
Tracking Developments in AI Laws and Regulations for Geospatial Professionals
GeoAI and the Law is not legal advice. The reader should consult with a trained lawyer on legal matters associated with GeoAI.
What’s New
Virginia Becomes Third State to Ban Sale of Consumers’ Precise Geolocation Data (Regulatory Oversight)
On April 13, 2026, Virginia Governor Abigail Spanberger signed SB338 into law, amending the Virginia Consumer Data Protection Act (VCDPA) to prohibit data controllers from selling consumers' precise geolocation data, defined as information identifying a person's location within a 1,750-foot radius. The amendment, which takes effect July 1, 2026, replaces the prior consent-based regime for this category of sensitive data with an outright sales ban and makes Virginia the third state, after Maryland and Oregon, to adopt this approach.
GAO Report on Federal AI Acquisitions: Lessons from NGA's Maven Program (U.S. Government Accountability Office)
The GAO released report GAO-26-107859 on April 13, 2026, examining how the Department of Defense, Department of Homeland Security, General Services Administration, and Department of Veterans Affairs are acquiring AI capabilities. The report finds that agencies are repeatedly learning the same lessons in isolation and uses the National Geospatial-Intelligence Agency's Maven program, which applies machine learning and computer vision to geospatial imagery for object detection and target identification, as a benchmark of mature federal AI procurement, while flagging persistent challenges around defining requirements, securing IP and data rights, and maintaining vendor accountability under Agile development cycles.
Deep Dive
Why Every Geospatial Organization Should Pay Attention to the Royal Institution of Chartered Surveyors (RICS) AI Guidance
In September 2025, the Royal Institution of Chartered Surveyors (RICS) published its first-ever professional standard on the responsible use of artificial intelligence in surveying practice, effective March 9, 2026. At first glance, this may seem like a narrow document aimed at the surveying profession. But it is a useful tool for geospatial professionals across all disciplines.
This Deep Dive unpacks what the RICS standard requires, maps those requirements against the emerging legal and regulatory landscape, and explains why every geospatial organization should treat this document as a model for its own AI governance.
What the RICS Standard Requires
The standard is organized around seven pillars, each of which maps directly to an area of active regulatory development:
Baseline Knowledge. Members who use AI systems should develop and maintain a basic understanding of the different types and subsets of AI systems and their limitations, the risk of erroneous output, the inherent risk of bias, and data usage and data risks.
Data Governance. Firms should safeguard private and confidential data by storing it securely, restricting access to staff who strictly need it, training staff at least annually on privacy and confidentiality risks, preparing data in ways that protect privacy such as anonymization, and refraining from uploading private and confidential data to AI systems except where there is express written consent and the firm has taken reasonable steps to confirm the system does not pose an unacceptable risk.
System Governance. Before using an AI system with material impact, firms should carry out and record in writing an assessment of whether AI is the most appropriate tool, considering the nature of the task, alternative tools, environmental and stakeholder impact, data risks, and the risk of erroneous or biased output. Firms should also maintain a written register of every AI system used, the purpose for which it is used, the date of first use, and the date on which its appropriateness will next be reviewed. And they should develop responsible use policies that detail roles, responsibilities, and liabilities, require at least annual training, state how human control and judgment will interact with AI, and provide guidance on identifying and mitigating risks.
Risk Management. Firms should create and operate a risk register documenting overarching risks, such as bias, erroneous outputs, data quality limitations, and retention of input data. Each risk should be rated by likelihood, impact, and mitigation plan and updated at least quarterly.
Procurement, Due Diligence, and Use. Before procuring a third-party AI system, firms should conduct detailed due diligence including written requests for information about the system's environmental impact, development stakeholders, data law compliance, permissions for individual data, the accuracy, relevance, and diversity of training datasets including known gaps and bias risks, and the type and extent of the provider's liability. Firms should apply professional judgment to assess the reliability of every AI output with material impact and document that assessment in writing, including assumptions, key reliability concerns, and a conclusion on whether the output can reasonably be used for its intended purpose.
Transparency and Client Communication. Firms should make clear to clients, in writing and in advance, when and for what purpose AI is to be used. Engagement terms must detail which parts of the service involve AI, the extent of professional indemnity cover for AI use, internal processes to contest AI use, processes for client redress, and how a client can opt out of AI use. Firms must be able to explain the type of AI system used, its basic workings and limitations, the due diligence carried out, how risks are managed, and the reliability decisions made about its outputs.
AI Development. Firms directly developing AI systems should apply these provisions to the development process, record the system's identifiable application, potential risks and benefits, and other approaches to the same task. They should carry out a sustainability impact assessment, select diverse stakeholders for development, document compliance with data and confidentiality laws, obtain written permissions for personal data use, and have policies to assess data quality and reliability.
Why This Matters: Alignment with the Global Regulatory Trajectory
The RICS standard lands when AI governance is transitioning from voluntary principle to enforceable obligation across every major jurisdiction where geospatial organizations operate. For example, there are strong parallels between the RICS standard and the EU AI Act’s high-risk obligations. The RICS requirements for risk management, data governance documentation, human oversight through professional judgment, transparency to clients, and procurement due diligence all map directly onto the Act’s mandatory framework. Geospatial AI uses can fall across the EU risk spectrum, from minimal-risk map rendering to high-risk applications that influence safety-critical navigation, critical infrastructure, or significant eligibility determinations. Any geospatial organization that implements the RICS standard’s governance structure will find itself well-positioned to demonstrate compliance with the EU AI Act’s core requirements.
The RICS standard’s transparency and client communication requirements (e.g., requiring advance written disclosure of AI use, detailed terms of engagement, and explainability on request) are directly responsive to the disclosure obligations emerging across U.S. states. For geospatial professionals operating across state lines, the RICS framework provides a compliance-forward posture that anticipates the convergence these state laws are driving toward.
The Geospatial-Specific Case for Adoption
Geospatial AI demands governance because location data can be highly identifying, spatial outputs often drive consequential decisions about people and infrastructure, and spatial errors can propagate widely through dependent systems. Privacy and security are amplified by the sensitivity of precise geolocation and the risk of linkability across datasets. Fairness demands careful management of geographic and demographic disparities in data coverage and model performance. Safety and reliability require controls against false detections and spurious correlations.
The RICS standard addresses these domain-specific risks with practical requirements that any geospatial organization can adapt. Its insistence on data governance, including restrictions on uploading confidential data and requirements for anonymization, directly addresses geolocation privacy concerns. Its due diligence requirements for training data accuracy, relevance, diversity, and known gaps in data address the spatial bias risks that are endemic to geospatial AI. Its transparency requirements for client-facing disclosures anticipate both the EU AI Act’s user-information obligations and the U.S. state-level disclosure mandates described above. Even if your organization has no connection to RICS, the standard provides a practical governance template that positions you ahead of regulatory requirements.
Practical steps to consider include:
Conduct a Gap Assessment. Map your current AI policies, processes, and controls against the RICS standard's requirements for data governance, system governance, risk management, procurement due diligence, output assurance, and client transparency. Identify where your practices fall short.
Build Your AI Register. The RICS requirement to maintain a written register of every AI system with material impact, including its purpose, first use date, and next review date, is one of the simplest and most powerful governance controls available.
Formalize Your Risk Management. Establish a risk register that documents bias, accuracy, data quality, and data retention risks for every AI system, with RAG ratings and quarterly reviews. Risk management should adopt spatially aware metrics for reliability, fairness, and safety and embed testing for spatial drift and adversarial behavior.
Strengthen your procurement process. When evaluating AI vendors, adopt the RICS due diligence checklist as a baseline: demand written information about training data provenance, accuracy, diversity, known bias risks, data law compliance, and liability allocation. Third-party risk management should incorporate contract clauses for spatial data provenance, allowed territories and use cases, resolution limits, and audit rights.
Update your client-facing disclosures. Review your terms of engagement, service agreements, and client communications to ensure they disclose when and how AI is used, what parts of the service involve AI, and how clients can seek redress or opt out.
Invest in professional development. The RICS standard's baseline knowledge requirements are a model for any geospatial organization's training program. Geospatial organizations should integrate interdisciplinary curricula that combine geospatial science, AI methodologies, and legal requirements.
Conclusion
The RICS standard is not just another set of guidelines gathering dust in a professional body’s publication archive. The requirements it sets forth (i.e., documented risk management, structured due diligence, written output assessments, advance client disclosure, and ongoing competency development) are the same requirements now being codified into law in jurisdictions around the world. Compliance burdens are present and increasing, and AI governance will become an important part of daily life for all geospatial professionals.
Geospatial organizations that adopt these practices now will not only reduce their legal and professional risk but will also build the trust and credibility that clients increasingly demand. Those that wait may find themselves scrambling to catch up as regulation overtakes them.
Edited by Kevin Pomfret
Partner at Pierson Ferdinand, Author of Geospatial Law, Policy and Ethics: Where Geospatial Technology is Taking the Law



