Sportsbook Geolocation Compliance — GeoComply, Xpoint, and Operator Decision Framework (2026)

Operator buyer guide for US sportsbook geolocation vendors — GeoComply (dominant), Xpoint, LocationSmart, ContinentEight, and self-hosted. Covers state-level regulatory requirements (NJ DGE, PA Gaming Control Board, IL IGB), VPN/proxy/remote-desktop spoof detection, and integration with affiliate-attribution for cross-state bonus-stacking prevention.

Lior Yashinski, Co-Founder & Head of Frontend Development, Track360
May 29, 2026

Every US online sportsbook needs geolocation technology that proves players are physically within a licensed jurisdiction at the exact moment of bet placement. This is not optional — it is a hard regulatory mandate baked into every state sports-betting licence, from New Jersey's pioneering 2018 framework to the latest entrants in Kentucky, North Carolina, and Vermont. Get it wrong and you face six-figure fines, suspension orders, and the kind of regulator scrutiny that follows a brand for years. GeoComply currently dominates the market with an estimated 80% share of US-licensed sportsbook integrations, but the operator landscape is broader than most buyers realise: Xpoint, LocationSmart, ContinentEight, and even self-hosted stacks are viable depending on jurisdiction, traffic profile, and budget. This post is the operator buyer guide — what each vendor actually does, where spoof attacks come from, and how geolocation data should flow into your affiliate-attribution layer to prevent cross-state bonus stacking.

Why Geolocation Is Non-Negotiable for US Sportsbooks

US sports betting is regulated at the state level, not the federal level. Each state that has legalised online wagering — currently 30+ jurisdictions — issues its own licence with its own technical-standards document, and every one of those documents includes a section on player-location verification. The New Jersey Division of Gaming Enforcement set the original template with NJ DGE Rule 13:69D-1.27, which mandates continuous geolocation checks throughout a wagering session. The Pennsylvania Gaming Control Board and the Illinois Gaming Board followed with similar, slightly stricter regimes. The result: an operator running in multiple states needs a vendor whose detection layers map to the most demanding state, not the most lenient.

  • State licence mandates: NJ DGE Rule 13:69D-1.27, PA Gaming Control Board Title 58 Chapter 1408, IL IGB Sports Wagering Act Rules, MI MGCB Internet Sports Betting Rules, MA GC 205 CMR 247, with broadly aligned but state-specific spoof-detection requirements.
  • Federal Wire Act considerations: while the 2018 DOJ opinion narrowed Wire Act scope to sports betting only, interstate transmission of bets remains a federal offence — geolocation prevents operators from inadvertently facilitating cross-border wagering.
  • Audit and enforcement reality: state regulators conduct test buys, send investigators with VPNs and spoofed devices, and review geo-check logs during periodic compliance reviews — this is not a paper exercise.
  • Brand-damage exposure: a single high-profile geo-failure (someone wagering from a non-licensed state and being paid out) can trigger emergency suspension orders and front-page coverage that destroys multi-million-dollar marketing investment.
  • Cross-state stacking risk: players who exploit a permissive geo vendor to claim new-account offers across states represent both compliance exposure and a direct affiliate-payout drain.

How Sportsbook Geolocation Actually Works

Modern sportsbook geolocation is not a single signal — it is a stack of six layers designed so that defeating one (spoofing GPS, for instance) still leaves five others to catch the player. A compliant Player Location Check (PLC) at bet-placement combines device-side measurements with network-side and behavioural signals, then collapses them into a single allow/deny decision that is logged for regulator audit. The six layers below are roughly the consensus stack across GeoComply, Xpoint, and serious self-hosted builds.

  1. L1 — GPS plus Wi-Fi triangulation (device-side): the SDK pulls hardware GPS coordinates and surveys nearby Wi-Fi BSSIDs, comparing both against a known-location database. Defeats casual location-services manipulation but not rooted-device GPS spoofers.
  2. L2 — IP geolocation plus ASN check (network-side): the player's public IP is mapped against carrier and ISP ranges and the autonomous-system number is checked against datacentre/hosting blocklists.
  3. L3 — VPN detection: Tor exit nodes, known commercial VPN endpoints, datacentre ASNs, and published proxy services are blocked outright. This layer alone catches the bulk of amateur spoof attempts.
  4. L4 — Remote-desktop detection: latency anomalies, mouse-jitter patterns, and screen-sharing protocol fingerprints flag sessions where the player is operating a machine in a licensed state from a non-licensed location.
  5. L5 — GPS coherence: the device GPS reading is cross-checked against the network-derived IP location — a Houston IP with a Las Vegas GPS lock is a hard deny, not a tunable score.
  6. L6 — Behavioural fingerprinting: device history, prior session locations, time-of-day patterns, and account-age signals feed a risk score that catches the sophisticated end of the attack distribution (residential proxies plus matched GPS spoof plus clean device).
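The six layers collapsed into one logged allow/deny decision, as an added Python sketch (not code from GeoComply, Xpoint or any vendor SDK). The thresholds, the New Jersey bounding box, the ASN set and the sample sessions are all constructed assumptions; production systems use state boundary polygons and vendor-supplied feeds.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Assumed values for illustration; real ones come from vendor feeds and state rules.
HOSTING_ASNS = {64500, 64501}          # constructed: documentation-range ASNs (RFC 5398)
MAX_GPS_IP_KM = 150.0                  # assumed tolerance for IP-geolocation error
RISK_DENY = 0.8                        # assumed L6 cut-off
NJ_BBOX = (38.9, 41.4, -75.6, -73.9)   # crude lat/lon box; production uses state polygons


@dataclass
class Signals:
    gps: tuple            # L1: device-reported (lat, lon)
    ip_loc: tuple         # L2: (lat, lon) derived from the public IP
    asn: int              # L2: autonomous-system number of that IP
    vpn_hit: bool         # L3: IP matched a VPN/Tor/proxy list
    remote_desktop: bool  # L4: SDK saw a screen-sharing protocol
    risk_score: float     # L6: behavioural risk, 0.0 to 1.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def in_box(point, box):
    lat, lon = point
    return box[0] <= lat <= box[1] and box[2] <= lon <= box[3]


def player_location_check(sig, box=NJ_BBOX):
    """Evaluate every layer (no short-circuit) so the audit record lists all failures."""
    reasons = []
    if not in_box(sig.gps, box):
        reasons.append("L1 device location outside licensed state")
    if sig.asn in HOSTING_ASNS:
        reasons.append("L2 datacentre/hosting ASN")
    if sig.vpn_hit:
        reasons.append("L3 VPN/proxy endpoint")
    if sig.remote_desktop:
        reasons.append("L4 remote-desktop session")
    gap = haversine_km(sig.gps, sig.ip_loc)
    if gap > MAX_GPS_IP_KM:  # hard deny, not a tunable score
        reasons.append(f"L5 GPS/IP mismatch {gap:.0f} km")
    if sig.risk_score >= RISK_DENY:
        reasons.append("L6 behavioural risk score")
    return {"decision": "deny" if reasons else "allow", "reasons": reasons}


# Constructed sessions (city-centre coordinates).
NEWARK, TRENTON = (40.7357, -74.1724), (40.2171, -74.7429)
HOUSTON, LAS_VEGAS = (29.7604, -95.3698), (36.1699, -115.1398)

SESSIONS = {
    "in_state": Signals(NEWARK, TRENTON, 64496, False, False, 0.1),
    # Device claims Newark, but the connection terminates in Houston.
    "spoofed_gps": Signals(NEWARK, HOUSTON, 64496, False, False, 0.1),
    # The article's pairing: Houston IP with a Las Vegas GPS lock.
    "article_case": Signals(LAS_VEGAS, HOUSTON, 64496, False, False, 0.1),
    "vpn": Signals(NEWARK, TRENTON, 64500, True, False, 0.1),
}

if __name__ == "__main__":
    for name, sig in SESSIONS.items():
        print(name, player_location_check(sig))
```

Because the coherence check runs server-side on the IP-derived location, a device that reports in-state coordinates is still denied when its connection originates elsewhere.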

Vendor Comparison Table

US sportsbook geolocation vendors — comparison snapshot (2026)
| Vendor | Market Position | Detection Layers | Pricing Model | SDK Integration | Operator Examples |
|---|---|---|---|---|---|
| GeoComply | Market leader (~80% US sportsbook share, regulator-default) | All six layers, browser plugin for desktop web | Per-check fee (~$0.01-$0.05) plus monthly minimum commit | GeoGuard SDK (iOS/Android/Web), Player Location Check (PLC) API | DraftKings, FanDuel, BetMGM, Caesars, Fanatics (per industry reporting) |
| Xpoint | Growing challenger (NJ/PA/IN footprint) | GPS + Wi-Fi + IP + VPN + behavioural, no browser plugin | Per-check or flat-rate enterprise tiers (reportedly below GeoComply) | Native mobile + browser SDK, no plugin install required | Newer entrants and operators prioritising web UX (per industry sources) |
| LocationSmart | Carrier-data specialist (mobile-network triangulation) | Mobile-carrier triangulation, IP, limited spoof detection | Per-check, lower entry minimums | REST API, lighter mobile SDK | Operators with limited US exposure or single-state launches |
| ContinentEight | EU/UK-focused infrastructure provider with US capabilities | Hosting + geo + DDoS combined offering | Bundled with hosting contracts | Hosting-bundled, less standalone SDK presence | EU operators entering US tentatively |
| Self-hosted | Build-your-own (tier-1 operators only) | Operator-chosen — typically L1-L4 with bought-in VPN/proxy feeds | Capex plus engineering headcount | Internal SDK, controlled fully by operator | A small number of tier-1 multi-vertical operators (reportedly) |

GeoComply — The Market Leader

GeoComply was founded in 2011, and by the time Nevada and New Jersey legalised online wagering it had already become the regulator-preferred geolocation stack. Today, industry sources put its share of US-licensed sportsbook integrations at roughly 80%. The product surface is broad: the GeoGuard SDK ships across iOS, Android, and web; the Player Location Check (PLC) API runs continuously through a wagering session; and the back-end produces real-time plus post-event audit logs in formats that state regulators already know how to review. The company was acquired by Blackstone in 2021, which gave it the balance sheet to keep extending into peripheral markets (online lottery, iGaming, fantasy sports).

  • Detection breadth: all six layers with mature anti-spoof tuning and one of the largest known-VPN/proxy datasets in the industry.
  • Regulator relationships: state regulators have evaluated GeoComply audit-log formats for nearly a decade — fastest path to licence approval in a new state.
  • Browser plugin requirement: desktop web requires a small browser plugin (the controversial piece), historically a friction point for first-time depositors.
  • Pricing: per-check fees reportedly in the $0.01-$0.05 range, with monthly minimum commits scaling by operator size — the most expensive option for high-volume operators.
  • Coverage: US sportsbook plus iGaming plus DFS plus growing international (Ontario, parts of LATAM).

Browser-plugin friction

GeoComply's desktop-web browser-plugin install is the single most-cited reason operators evaluate alternatives — first-deposit funnel drop-off is real and measurable. That said, no other vendor matches GeoComply's regulator-relationship depth, and most large multi-state operators conclude the friction is worth paying.

Xpoint — Growing Challenger

Xpoint launched in 2021 with an explicit pitch: same compliance posture as GeoComply, no browser plugin. The company markets itself as the modern alternative, with native mobile and browser SDKs that rely on GPS, Wi-Fi, IP, and behavioural signals without forcing the desktop-plugin install that GeoComply requires. Footprint is growing — reportedly approved or in active deployment with operators in New Jersey, Pennsylvania, and Indiana — though the regulator track record is naturally shorter than GeoComply's. For operators evaluating turnkey sportsbook software in fresh markets, Xpoint is increasingly the price-anchor competitor in vendor RFPs.

  • Detection: GPS + Wi-Fi + IP + VPN + behavioural signals, no browser plugin on desktop web.
  • Pricing: reportedly lower per-check and lower monthly minimums than GeoComply (specifics are deal-by-deal).
  • Regulator footprint: live in NJ, PA, IN per public reporting, with active certification paths in additional states.
  • Trade-off: shorter audit-log history with regulators — a tier-1 operator with multi-state exposure may still choose GeoComply for risk-management reasons.
  • Best fit: new entrants in 1-3 states, operators where desktop-web conversion friction is a measured pain point, and challenger brands that want to differentiate on UX.

LocationSmart, ContinentEight, and Self-Hosted Options

Beyond the two main commercial players, three other paths exist. LocationSmart is a carrier-data specialist — its core technology comes from mobile-network triangulation supplied via the major US carriers, which gives it a different signal source than the GPS-plus-IP stack used by GeoComply and Xpoint. ContinentEight is a hosting-and-infrastructure provider with European DNA that bundles geolocation into broader hosting contracts; it sees more EU/UK adoption than US sportsbook adoption, but is a credible option for European operators making tentative US entry. Self-hosting is a fourth path — and a path almost no operator should take unless they are tier-1 with multi-vertical complexity.

  • LocationSmart: carrier-data (mobile-network) triangulation as the primary signal, supplemented by IP and limited spoof-detection. Strong fit for mobile-heavy operators in single states; weaker fit for desktop-web traffic and multi-state operators.
  • ContinentEight: bundled geolocation as part of hosting + DDoS + security offering. EU/UK-mature; less US sportsbook track record. Reasonable for EU operators with a single US state pilot.
  • Self-hosted: only viable for tier-1 operators with mature engineering and direct regulator relationships. You buy VPN/proxy feeds, build the SDK, run the audit-log pipeline, and accept the engineering carry. Cost of failure is enormous — most operators who have considered this path have walked back to GeoComply.

State-by-State Mandate Map

Each US state with online sports betting publishes its own technical standards and approved-vendor list. The table below summarises the public position across the largest markets — operators should always confirm current requirements with the state regulator before integration. For a fuller view of state-by-state licence costs, tax rates, and market structure, see our US sports betting state-by-state operator map.

US state geolocation mandates and approved vendors (public position, 2026)
| State | Geolocation Mandate | Approved Vendors | Audit Frequency |
|---|---|---|---|
| New Jersey (NJ DGE) | Continuous PLC under Rule 13:69D-1.27 | GeoComply primary; alternatives approved case-by-case | Quarterly logs, annual full audit |
| Pennsylvania (PGCB) | Continuous PLC under Title 58 Chapter 1408 | GeoComply, Xpoint (reportedly approved 2023) | Quarterly review, ad-hoc test buys |
| Michigan (MGCB) | Continuous PLC under Internet Sports Betting Rules | GeoComply, Xpoint | Quarterly logs |
| New York (NYSGC) | Continuous PLC, strict audit-log retention | GeoComply (dominant in approved-vendor list) | Quarterly, with active enforcement posture |
| Ohio (OCCC) | Continuous PLC per Ohio Casino Control Commission rules | GeoComply, Xpoint | Quarterly |
| Illinois (IGB) | Continuous PLC under Sports Wagering Act Rules | GeoComply (most common) | Quarterly logs, ad-hoc |
| Massachusetts (MGC) | Continuous PLC under 205 CMR 247 | GeoComply (dominant in initial approvals) | Quarterly |
| Kentucky (KHRGC) | Continuous PLC mandated at launch (2023) | GeoComply (initial integrations) | Quarterly post-launch |
| Tennessee (SWAC) | Continuous PLC, mobile-only state | GeoComply, Xpoint | Quarterly |
| Arizona (ADG) | Continuous PLC, tribal/commercial dual structure | GeoComply (dominant) | Quarterly |
| Colorado (CLGCC) | Continuous PLC under Sports Betting Rules | GeoComply primary | Quarterly |
| Indiana (IGC) | Continuous PLC under 68 IAC 27 | GeoComply, Xpoint (approved) | Quarterly |
| Maryland (SWARC) | Continuous PLC | GeoComply primary | Quarterly |
| Louisiana (LGCB) | Continuous PLC, parish-by-parish opt-in adds complexity | GeoComply primary | Quarterly |
| Virginia (VLB) | Continuous PLC | GeoComply, Xpoint | Quarterly |
| Kansas (KRGC) | Continuous PLC | GeoComply, Xpoint | Quarterly |
| Missouri (MGC) | Continuous PLC (newly launched market) | GeoComply (initial vendor list) | Quarterly post-launch |

Integration with Affiliate Platform — Why It Matters

Geolocation is usually framed as a compliance problem, but it is also an attribution problem. Affiliate-attributed players need a geo-check at first-deposit, not just at every bet-placement — because the bonus-stacking attack vector is signing up across multiple states with the same identity, claiming a new-account offer in each one, and pocketing the affiliate-funded bonus before the operator notices. Without geolocation signal flowing into the affiliate-attribution ledger, affiliate fraud detection operates blind to the most expensive abuse pattern in US sportsbook marketing.

  • First-deposit geo-check: every affiliate-attributed signup should trigger a PLC before bonus credit posts — not just the first bet — because bonus liability is incurred at deposit, not at wager.
  • Cross-state bonus-stacking prevention: a single player ID hitting new-account offers in NJ then PA then MI inside 30 days is the canonical stacking pattern; geolocation history is the primary detection signal.
  • Residential-proxy traffic flagging at the affiliate cohort level: if 12% of one affiliate's referred players light up the L3 VPN-detection signal, that affiliate has a traffic-quality problem that should affect their commission tier — not just the individual player accounts.
  • Audit-log unification: regulators sometimes ask for the full chain (referral source → click ID → deposit → first bet → geolocation) when investigating affiliate complaints; a unified ledger answers that in minutes, not weeks.
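The two ledger-level detections described in this list, as an added Python example (not Track360's or any vendor's code): a sliding 30-day window over each player's bonus claims, and the per-affiliate share of referred players with an L3 hit. The row layout, the minimum cohort size and every record are constructed; the 12% threshold reuses the figure from the bullet above as an illustrative cut-off.

```python
from collections import defaultdict
from datetime import date

# Constructed ledger rows: (player_id, affiliate_id, state, bonus_claim_date, l3_vpn_hit)
LEDGER = [
    ("p1", "aff-A", "NJ", date(2026, 3, 1), False),
    ("p1", "aff-A", "PA", date(2026, 3, 9), True),
    ("p1", "aff-A", "MI", date(2026, 3, 20), True),
    ("p2", "aff-A", "NJ", date(2026, 1, 5), False),
    ("p2", "aff-A", "PA", date(2026, 4, 2), False),  # 87 days later: outside the window
    ("p3", "aff-B", "NJ", date(2026, 3, 3), False),
    ("p4", "aff-B", "PA", date(2026, 3, 4), False),
]
# Constructed filler so each affiliate has a ten-player cohort; one filler player per
# affiliate carries an L3 hit (aff-A ends at 2 of 10, aff-B at 1 of 10).
for aff, prefix in (("aff-A", "a"), ("aff-B", "b")):
    LEDGER += [(f"{prefix}{i}", aff, "NJ", date(2026, 3, 1), i == 0) for i in range(8)]


def find_stackers(ledger, window_days=30, min_states=2):
    """Players who claimed new-account offers in >= min_states states within the window."""
    claims_by_player = defaultdict(list)
    for player, _aff, state, day, _vpn in ledger:
        claims_by_player[player].append((day, state))
    flagged = {}
    for player, claims in claims_by_player.items():
        claims.sort()
        start = 0
        for end in range(len(claims)):
            # Shrink the window until it spans at most window_days.
            while (claims[end][0] - claims[start][0]).days > window_days:
                start += 1
            states = {state for _, state in claims[start:end + 1]}
            if len(states) >= min_states and len(states) > len(flagged.get(player, [])):
                flagged[player] = sorted(states)
    return flagged


def cohort_vpn_rates(ledger):
    """Per affiliate: (share of distinct referred players with any L3 hit, cohort size)."""
    players, hits = defaultdict(set), defaultdict(set)
    for player, aff, _state, _day, vpn in ledger:
        players[aff].add(player)
        if vpn:
            hits[aff].add(player)
    return {aff: (len(hits[aff]) / len(players[aff]), len(players[aff])) for aff in players}


def flag_affiliates(ledger, threshold=0.12, min_players=10):
    """Affiliates whose cohort VPN rate meets the threshold; tiny cohorts are skipped."""
    return sorted(
        aff for aff, (rate, size) in cohort_vpn_rates(ledger).items()
        if size >= min_players and rate >= threshold
    )


if __name__ == "__main__":
    print("stackers:", find_stackers(LEDGER))
    print("cohort rates:", cohort_vpn_rates(LEDGER))
    print("flagged affiliates:", flag_affiliates(LEDGER))
```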

Geo + affiliate, one ledger

Track360 ingests geolocation signals from any vendor — GeoComply, Xpoint, LocationSmart, self-hosted — into the affiliate-attribution ledger, so cross-state stackers can be flagged at the affiliate-cohort level, not just the player-account level. Your geo provider catches the individual session; Track360 catches the pattern across the affiliate's whole player population.

Spoof Attack Vectors and How Vendors Catch Them

Understanding what the vendor stack defends against also matters when comparing options. Different vendors handle different attack vectors with different levels of maturity, and the gap between commercial VPN detection (easy) and sophisticated multi-layer spoofing (hard) is large.

  1. Commercial VPN: caught easily by IP and ASN checks against published VPN endpoint lists — L2/L3 in the stack. Every credible vendor catches this; the differentiator is freshness of the blocklist.
  2. Residential proxy: significantly harder — residential IP ranges are real consumer IPs rented out by proxy services, indistinguishable from genuine consumer traffic on IP alone. Requires ASN behaviour patterns, session-history correlation, and L6 behavioural signals. GeoComply and Xpoint do this well; smaller vendors lag.
  3. Remote-desktop tools (TeamViewer, AnyDesk, RDP): caught at L4 by latency anomaly, packet-timing fingerprints, and screen-sharing protocol signatures. The player's machine appears in the licensed state, but the human is elsewhere — vendor SDKs detect the protocol presence.
  4. GPS-spoofing apps (rooted Android, Xcode location simulation): caught at L5 by the GPS-IP coherence check — a Houston public IP with a Las Vegas GPS reading is a hard deny regardless of L1 strength.
  5. Device-clone via virtual machine: VM fingerprints differ from real-device fingerprints (browser canvas hash, audio context, GPU strings) — L6 behavioural fingerprinting catches this provided the vendor maintains a current VM-fingerprint dataset.
  6. Browser-developer-tools location override: the browser-side Geolocation API can be overridden by anyone with five minutes and devtools open. Server-side validation against IP and SDK-reported coordinates catches this trivially; client-side-only vendors get caught short.

Operator Cost — Geolocation Stack TCO

Total cost of ownership for a US sportsbook geolocation stack is more than the line-item per-check fee. Operators should budget for the per-check unit cost, the monthly minimum, the one-time integration project, and the ongoing operational carry of audit-log review and rule tuning.

  • Per-check fees: reportedly in the $0.01-$0.05 range across major vendors, varying by volume tier and contract length — material at scale (a high-traffic operator can run 100M+ checks per month).
  • Monthly minimum commits: typically $5k-$50k depending on operator size and number of states; the floor matters for new entrants whose volume hasn't yet justified the contract size.
  • Integration cost: 4-12 weeks of engineering effort for the initial SDK integration, regulator certification testing, and audit-log pipeline wiring; multi-state operators often run this state-by-state.
  • Ongoing operational carry: audit-log review (a compliance analyst spending 25-50% of their time on geo logs is common), spoof-detection rule tuning, false-positive triage from player support, and quarterly regulator submission packaging.
  • Hidden cost — conversion friction: GeoComply's browser-plugin install reportedly costs 3-8% of first-deposit conversion on desktop web; that number compounded across an affiliate program is large enough to warrant Xpoint evaluation on its own.

Decision Framework

There is no single right vendor — the right answer depends on the operator profile. Below is the decision framework most operators end up running through during a state-licence rollout, alongside their sportsbook risk-management stack evaluation.

  1. US tier-1 multi-state operators (5+ states, large affiliate program): GeoComply — regulator-relationship depth, breadth of detection layers, and operational maturity outweigh the cost premium and plugin friction.
  2. New entrants launching in MI/PA/NJ as initial markets: Xpoint — faster integration, lower per-check cost, no browser plugin, and a regulator footprint that already covers the target states.
  3. EU operators with limited US exposure (single-state pilot): ContinentEight if you are already buying their hosting; otherwise GeoComply or Xpoint depending on which state and how aggressive your conversion-optimisation posture is.
  4. Crypto sportsbooks with offshore licence and no US licence intent: self-hosted is realistic, or LocationSmart for carrier-data triangulation — the regulatory bar is different and the stack can be lighter.
  5. Affiliate-attribution-heavy operators (regardless of size): any of the above plus a Track360 integration to unify geo signal with the affiliate-attribution ledger and prevent cross-state bonus stacking at the affiliate-cohort level.

Key Takeaways

  1. Geolocation is a hard regulatory mandate across every US state with online sports betting — continuous Player Location Checks are required under NJ DGE Rule 13:69D-1.27, PA Title 58 Chapter 1408, MA 205 CMR 247, and equivalents in every other licensed state.
  2. GeoComply dominates with roughly 80% US sportsbook share thanks to regulator-relationship depth and the broadest six-layer detection stack — at a cost premium and with desktop-web browser-plugin friction.
  3. Xpoint is the credible challenger in 2026 — no browser plugin, lower pricing, and a growing regulator footprint in NJ, PA, and IN; best for new entrants in 1-3 states.
  4. LocationSmart, ContinentEight, and self-hosted are niche options — viable for mobile-heavy single-state operators, EU operators with hosting bundles, and tier-1 operators willing to take on the engineering carry, respectively.
  5. Spoof attack vectors range from trivial (commercial VPN, browser-devtools location override) to sophisticated (residential proxy plus matched GPS spoof plus clean device fingerprint) — vendor maturity differs most at the sophisticated end.
  6. Geolocation data should flow into the affiliate-attribution ledger — without that integration, cross-state bonus-stacking, residential-proxy traffic, and affiliate-cohort traffic-quality patterns go undetected even when the geo vendor is doing its job at the individual-session level.