On June 27, 2017, the Illinois General Assembly passed a bill seeking to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent. This notable bill, the Geolocation Privacy Protection Act (“GPPA”), is on its way to Illinois Governor Bruce Rauner’s desk – although it is unclear if it will be signed or vetoed. If signed, this bill would mark the first state geolocation privacy protection bill in the country—and represent the most stringent requirements related to geolocation data in the nation, potentially creating complex issues for the rapidly proliferating variety of mobile Internet of Things devices.
The bill would require private entities collecting geolocation data to first obtain the person’s “affirmative express consent” after providing individuals with “clear, prominent, and accurate notice” that: (1) informs the person that his or her geolocation information will be collected, used, or disclosed; (2) informs the person “in writing” of the specific purposes for the collection, use, or disclosure; and (3) provides the person with a hyperlink or other easy access to the geolocation information collected, used or disclosed.
Under the GPPA, geolocation data would be defined as non-content information “generated or derived from, in whole or in part,” the operation of a mobile device, and is sufficient to “infer” precise location of the mobile device. Notably, IP addresses are specifically exempted from the geolocation data definition.
It is unclear to what extent linking the definition of geolocation data to data derived from a “mobile device” will limit the application to Internet of Things technologies where notice opportunities are significantly limited. Indeed, many Internet of Things devices may not have any screen large enough to display such a notice.
This bill comes on the heels of President Trump signing a bill to repeal the Federal Communication Commission’s Broadband Privacy Rules on April 3, 2017. Originally promulgated in October 2016 – but was not set to take into effect until later this year – the rules would have required internet service providers to obtain opt-in consent from consumers to collect and use various types of data, including web-browsing data. (For more background, see A Farewell to the FCC Broadband Privacy Rules (April 4, 2017)). This development was reportedly cited by some of the bill’s sponsors as justification for the expansive and first-in-nation proposal.
This justification, however, is at odds with some of the GPPA’s material exceptions. The bill exempts a number of regulated entities, such as covered entities under HIPAA, financial institutions regulated by the GLBA, and internet and telecommunications providers. There are also a few limited uses that are exempt, including parents to locate a minor child or an incapacitated person, emergency services such as fire or medical, or “providing storage, security, or authentication services.”
If it becomes a law, the GPPA would be enforced by the State’s Attorney General, but would not provide a private right of action. The law also builds in a 15 day opportunity to cure once being notified of a violation by the Attorney General’s office.