Jul 52017

Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill

Colleen Theresa Brown, Edward R. McNicholas and Stephen W. McInerney
, , ,

On June 27, 2017, the Illinois General Assembly passed a bill seeking to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent.  This notable bill, the Geolocation Privacy Protection Act (“GPPA”), is on its way to Illinois Governor Bruce Rauner’s desk – although it is unclear if it will be signed or vetoed.  If signed, this bill would mark the first state geolocation privacy protection bill in the country—and represent the most stringent requirements related to geolocation data in the nation, potentially creating complex issues for the rapidly proliferating variety of mobile Internet of Things devices. 

The bill would require private entities collecting geolocation data to first obtain the person’s “affirmative express consent” after providing individuals with “clear, prominent, and accurate notice” that: (1) informs the person that his or her geolocation information will be collected, used, or disclosed; (2) informs the person “in writing” of the specific purposes for the collection, use, or disclosure; and (3) provides the person with a hyperlink or other easy access to the geolocation information collected, used or disclosed.

Under the GPPA, geolocation data would be defined as non-content information “generated or derived from, in whole or in part,” the operation of a mobile device, and is sufficient to “infer” precise location of the mobile device.  Notably, IP addresses are specifically exempted from the geolocation data definition.

It is unclear to what extent linking the definition of geolocation data to data derived from a “mobile device” will limit the application to Internet of Things technologies where notice opportunities are significantly limited.  Indeed, many Internet of Things devices may not have any screen large enough to display such a notice.

This bill comes on the heels of President Trump signing a bill to repeal the Federal Communications Commission’s Broadband Privacy Rules on April 3, 2017.  Originally promulgated in October 2016 – but was not set to take into effect until later this year – the rules would have required internet service providers to obtain opt-in consent from consumers to collect and use various types of data, including web-browsing data.  (For more background, see A Farewell to the FCC Broadband Privacy Rules (April 4, 2017)).  This development was reportedly cited by some of the bill’s sponsors as justification for the expansive and first-in-nation proposal.

This justification, however, is at odds with some of the GPPA’s material exceptions.  The bill exempts a number of regulated entities, such as covered entities under HIPAA, financial institutions regulated by the GLBA, and internet and telecommunications providers.  There are also a few limited uses that are exempt, including parents to locate a minor child or an incapacitated person, emergency services such as fire or medical, or “providing storage, security, or authentication services.”

If it becomes a law, the GPPA would be enforced by the State’s Attorney General, but would not provide a private right of action.  The law also builds in a 15 day opportunity to cure once being notified of a violation by the Attorney General’s office.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Stephen W. McInerney

Chicago

smcinerney@sidley.com

You might also like
Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

Unpacking Digital Data Laws Across Europe: Addressing the Digital Markets Act

The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.