Jul 52017

Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill

Stephen W. McInerney, Colleen Theresa Brown and Edward R. McNicholas
, , ,

On June 27, 2017, the Illinois General Assembly passed a bill seeking to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent.  This notable bill, the Geolocation Privacy Protection Act (“GPPA”), is on its way to Illinois Governor Bruce Rauner’s desk – although it is unclear if it will be signed or vetoed.  If signed, this bill would mark the first state geolocation privacy protection bill in the country—and represent the most stringent requirements related to geolocation data in the nation, potentially creating complex issues for the rapidly proliferating variety of mobile Internet of Things devices. 

The bill would require private entities collecting geolocation data to first obtain the person’s “affirmative express consent” after providing individuals with “clear, prominent, and accurate notice” that: (1) informs the person that his or her geolocation information will be collected, used, or disclosed; (2) informs the person “in writing” of the specific purposes for the collection, use, or disclosure; and (3) provides the person with a hyperlink or other easy access to the geolocation information collected, used or disclosed.

Under the GPPA, geolocation data would be defined as non-content information “generated or derived from, in whole or in part,” the operation of a mobile device, and is sufficient to “infer” precise location of the mobile device.  Notably, IP addresses are specifically exempted from the geolocation data definition.

It is unclear to what extent linking the definition of geolocation data to data derived from a “mobile device” will limit the application to Internet of Things technologies where notice opportunities are significantly limited.  Indeed, many Internet of Things devices may not have any screen large enough to display such a notice.

This bill comes on the heels of President Trump signing a bill to repeal the Federal Communications Commission’s Broadband Privacy Rules on April 3, 2017.  Originally promulgated in October 2016 – but was not set to take into effect until later this year – the rules would have required internet service providers to obtain opt-in consent from consumers to collect and use various types of data, including web-browsing data.  (For more background, see A Farewell to the FCC Broadband Privacy Rules (April 4, 2017)).  This development was reportedly cited by some of the bill’s sponsors as justification for the expansive and first-in-nation proposal.

This justification, however, is at odds with some of the GPPA’s material exceptions.  The bill exempts a number of regulated entities, such as covered entities under HIPAA, financial institutions regulated by the GLBA, and internet and telecommunications providers.  There are also a few limited uses that are exempt, including parents to locate a minor child or an incapacitated person, emergency services such as fire or medical, or “providing storage, security, or authentication services.”

If it becomes a law, the GPPA would be enforced by the State’s Attorney General, but would not provide a private right of action.  The law also builds in a 15 day opportunity to cure once being notified of a violation by the Attorney General’s office.

Stephen W. McInerney

Chicago

smcinerney@sidley.com

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).