Illinois General Assembly passes bill to restrict collection, use of geolocation data
Whether a new bill would actually strengthen privacy protections, or merely encourage lawsuits, burden businesses and suppress innovation are open questions.
Illinois has some of the strictest privacy regulations in the nation. And in June, Illinois lawmakers waded further into privacy legislation by passing House Bill 3449, the country’s first geolocation privacy protection bill.
Introduced by state Rep. Ann Williams, D-Chicago, the “Geolocation Privacy Protection Act” requires individuals, businesses and other groups to obtain a person’s express consent before collecting, using, storing or disclosing that person’s precise geolocation information. The General Assembly has not yet sent the bill to the governor.
The bill as passed does not provide a private right of action to enable individuals to sue for money damages, although the original version of the bill did include such a provision. But the measure would allow the Illinois attorney general and state’s attorneys to sue people, groups and businesses that run afoul of the act, and would thus almost certainly increase legal and compliance costs for businesses.
Although ostensibly drafted to enhance protection for mobile device users’ location information, it is not clear whether the bill would actually benefit these people. And if HB 3449 became law, it could burden businesses, suppress job creation and innovation, and potentially serve as a vehicle for drumming up business for plaintiffs’ attorneys in the event the attorney general or state’s attorneys outsource the prosecution of geolocation privacy litigation.
Geolocation Privacy Protection Act: How it works
HB 3449 prohibits a private entity – defined as an individual, partnership, corporation, limited liability company, association or other group – from collecting, using, storing or disclosing geolocation information from a location-based application on a person’s device unless the private entity first receives the person’s “affirmative express consent.”
“Geolocation information” does not include the contents of a communication, but is generated by or derived from the operation of a mobile device such as a smart phone, tablet or laptop computer. The information must be sufficient to determine or infer the precise location of that device, and internet protocol addresses are not considered “geolocation information” for these purposes.
The private entity can only obtain the device user’s consent after providing “clear, prominent and accurate notice” that: (1) informs the person that his or her geolocation information will be collected, used or disclosed; (2) informs the person in writing of the specific purposes for which his or her geolocation information will be collected, used or disclosed; and (3) provides the person a hyperlink or comparably easily accessible means to access the information.
Violations under the act constitute violations of Illinois’ Consumer Fraud and Deceptive Business Practices Act, and the bill limits enforcement of the act to state’s attorneys and the Illinois attorney general.
The bill gives parties that violate the act, other than individuals, 15 days after being notified of a violation to correct the violation before the attorney general or state’s attorney can seek an enforcement action against that party.
In the event the attorney general or a state’s attorney does take action to enforce the act, Illinois’ Consumer Fraud and Deceptive Business Practices Act provides that courts may grant relief in the form of: injunctions against the practice; revocation, forfeiture or suspension of any license, charter, franchise or certificate to do business in the state; and restitution, among other actions.
The Consumer Fraud and Deceptive Business Practices Act also allows the attorney general or state’s attorney to seek a civil penalty up to $50,000. In the event the court finds the act in question was entered into with the intent to defraud, the court may impose a civil penalty up to $50,000 per violation. If the violation was committed against a person 65 years of age or older, the court may impose an additional civil penalty up to $10,000 for each violation.
The attorney general or the state’s attorney can also recover costs under the Consumer Fraud and Deceptive Business Practices Act.
These protections would only apply to device users in Illinois, but the legislation, if enacted, could result in companies altering their procedures generally to avoid Illinois litigation and the publicity and regulatory scrutiny that go with it.
Implications of new geolocation privacy legislation
It is uncertain whether, if it became law, HB 3449 would do much to provide additional protection for people’s geolocation information – or just spur more lawsuits, while imposing new compliance and legal costs on businesses.
Many device applications, such as maps, running trackers and restaurant finders, already provide extensive information about their collection and use of data and ask users for their permission to collect and use the information.
By compelling companies to obtain users’ consent even more frequently or provide additional information, the bills’ requirements would likely annoy many consumers, as well as “aggravate the ‘notice fatigue’ that so many users experience,” according to a Forbes article by University of Chicago law professor Omri Ben-Shahar. Ben-Shahar notes that evidence demonstrates that consumers express little interest in companies’ privacy notices and are unlikely to find even more frequent and longer disclosure forms helpful.
Tech companies and business and trade groups have voiced concerns over this legislation, which would add compliance and legal costs for companies and possibly alienate consumers who might tire of the new pop-up consent requests. Moreover, if it becomes law, the bill could create legal complications for the development of “internet of things” devices (such as “smart” home thermostats), according to a summary of the bill by lawyers at Sidley Austin LLP.
According to Consumer Affairs, proponents of the bill include the American Civil Liberties Union, which is concerned with privacy issues, the Illinois attorney general and the Digital Privacy Alliance, a digital privacy advocacy group. The Digital Privacy Alliance’s board members include a partner at Edelson PC, the law firm that has brought several privacy-law class-action lawsuits, including some under Illinois’ Biometric Information Privacy Act.
As Ben-Shahar noted in his article, the new legislation could benefit the class-action bar more than consumers, and one of the bill’s chief aims might well be “to perpetuate litigation.” The possibility that the Illinois attorney general or a state’s attorney could engage plaintiffs’ attorneys, such as Edelson lawyers, to conduct litigation under the Geolocation Privacy Protection Act supports this notion.
If HB 3449 is enacted, it is unclear whether users genuinely concerned about the transmission of their personal information would avail themselves of the privacy protection provisions in the bill, or whether the legislation would merely put up more expensive hoops for companies to jump through and become one more vehicle for lawsuits against online companies.