Rauner vetoes bill to restrict collection, use of geolocation data

The governor has vetoed a bill that opponents warned would encourage lawsuits, burden businesses and suppress innovation, without meaningfully strengthening privacy protections for mobile device users.

Gov. Bruce Rauner vetoed a bill Sept. 22, which would have made Illinois home to the country’s first geolocation privacy protection law. The governor said in a statement, “This bill would result in job loss across the state without materially improving privacy protections for Illinoisans or making devices and their apps safer for children,” according to the Chicago Tribune.

Introduced by state Rep. Ann Williams, D-Chicago, House Bill 3449, the “Geolocation Privacy Protection Act,” would have required individuals, businesses and other groups to obtain a person’s “affirmative express consent” before collecting, using, storing or disclosing that person’s geolocation information generated by a mobile device such as a smartphone or laptop computer.

Williams told WTTW the bill was necessary because “[w]e get so attached to our cellphones that we sometimes forget about the opportunity for data to be collected.” But Illinois Chamber of Commerce President Todd Maisch said, “Right now geolocation is something consumers can regulate themselves easily.” Maisch characterized HB 3449 as a “frustration for consumers and a huge burden for app developers – many of which are small businesses looking to grow in the state of Illinois.” Carl Szabo, senior policy counsel for the e-commerce trade association Net Choice, warned that the language of the bill was too vague for companies to know how to comply with it, and that it was an unnecessary attempt to regulate practices already covered under federal law.

The measure would have allowed the Illinois attorney general and state’s attorneys to sue individuals, groups and businesses that run afoul of the bill under Illinois’ Consumer Fraud and Deceptive Business Practices Act. Illinois’ consumer fraud law allows the imposition of penalties up to $50,000, along with costs, and in the event of intentional fraud, the act provides for penalties of up to $50,000 per violation.

These provisions would only have applied to device users in Illinois, but the legislation, if enacted, could have resulted in companies altering their procedures generally to avoid Illinois litigation and the publicity and regulatory scrutiny that go with it.

Many device applications, such as maps, running trackers and restaurant finders, already provide extensive information about their collection and use of geolocation data and ask users for their permission to collect and use the information.

By compelling companies to obtain users’ consent even more frequently or provide additional information, the bill’s requirements would likely have annoyed many consumers, as well as “aggravate[d] the ‘notice fatigue’ that so many users experience,” according to a Forbes article by University of Chicago law professor Omri Ben-Shahar.

Moreover, had HB 3449 become law, the bill could have resulted in legal complications for the development of “internet of things” devices (such as “smart” home thermostats), according to a summary of the bill by lawyers at Sidley Austin LLP.

As Ben-Shahar noted in his article, the proposed legislation might have benefited the class-action bar more than consumers, and one of the bill’s chief aims might well have been “to perpetuate litigation.”

This possibility is supported by the fact that one of the bill’s major proponents was the Digital Privacy Alliance, a digital privacy advocacy group whose board members include a partner at the law firm Edelson PC. Edelson lawyers have filed several privacy-law class-action lawsuits, including some under Illinois’ Biometric Information Privacy Act.

Had the Geolocation Privacy Protection Act become law, the Illinois attorney general or state’s attorneys could have engaged private attorneys, such as Edelson lawyers, to conduct geolocation privacy litigation on behalf of the state or local governments. Further, the original version of the bill included a provision allowing individuals to sue and collect the greater of $1,000 or actual damages, along with attorneys’ fees. This provision was removed from the bill that ultimately passed the General Assembly.

Proponents claim HB 3449 would have enhanced protection for mobile device users’ location information. But it is possible the bill would have put up more expensive regulatory hoops for companies to jump through, suppressed job creation and innovation, and become one more vehicle for lawsuits against businesses – while offering little in the way of meaningful protection for consumers.