On Tuesday, June 27, the Illinois legislature passed HB 3449, the “Geolocation Privacy Protection Act.” If signed by Governor Bruce Rauner (R), the bill would prohibit a “private entity” from collecting, using, storing or disclosing “geolocation information from a location-based application on a person’s device” unless the entity has first obtained that person’s “affirmative express consent.” As amended, the bill does not contain a private right of action. Instead, violations of the bill may be pursued by the Attorney General or a State’s Attorney under Illinois’s Consumer Fraud and Deceptive Business Act. Before filing a suit, however, the Attorney General or State’s Attorney must provide the business with a 15-day right to cure.

The bill defines “geolocation information” as information (other than the “contents of a communication”) that is “generated by or derived from” the operation of a “mobile device” (a category that includes smart phones, tablets, and laptops) and that is “sufficient to determine or infer the precise location of that device.” IP addresses are specifically exempted from the definition of “geolocation information.” The bill does not further define “precise location.”

Under the bill, entities collecting geolocation information must provide individuals with: (1) a “clear, prominent, and accurate notice” explaining that geolocation information will be collected, used, or disclosed; (2) the specific purposes for which the individual’s geolocation information will be collected, used, or disclosed; and (3) “a hyperlink or comparably accessible means to access the information” required by the law. The company must also obtain the individuals’ “affirmative express consent” (an undefined term) to the activities described in the notice. A limited number of uses are exempted from this notice and consent requirement, including allowing parents and guardians to locate minor children or legally incapacitated persons, providing emergency services (i.e., fire, police, ambulance, etc.), or “providing storage, security, or authentication services.” A number of regulated entities are also exempt from the bill, including covered entities under HIPAA, internet and telecommunications providers, financial institutions regulated by the GLBA, private detectives, public utilities, and political campaigns.