On June 28, 2017, the Illinois General Assembly passed a bill limiting the collection and use of geolocation information obtained via smartphones. The bill now heads to Governor Bruce Rauner’s desk for signature or veto. 

The bill (HB-3449), titled the “Geolocation Privacy Protection Act,” was approved by the Illinois Senate in May of this year. The Geolocation Privacy Protection Act imposes limitations on app developers disclosing “geolocation information from a location-based application on a person’s device” unless they first receive consent from the person who is the owner of the device. The notice itself must inform the person in writing of the “specific purposes” for which his or her geolocation information will be collected, used, or disclosed.

Under the legislation, companies would retain the right to collect, use, store, or disclose geolocation information without receiving consent in the following circumstances: (i) to allow a parent or legal guardian to locate an unemancipated minor child; (ii) to allow a court-appointed guardian to locate a legally incapacitated person; (iii) for the provision of fire, medical, public safety, or other emergency services; or (iv) for the limited purpose of providing storage, security, or authentication services.

“Geolocation information” is defined to mean information that is: (i) not the contents of a communication; (ii) generated by or derived from, in whole or in part, the operation of a mobile device, including, but not limited to, a smart phone, tablet, or laptop computer; and (iii) sufficient to determine or infer the precise location of that device. Internet protocol addresses were excluded from the definition of geolocation information.

Violations of the Geolocation Privacy Protection Act would constitute a violation of the Illinois Consumer Fraud and Deceptive Businesses Act. There would be no private right of action for violation of the Act, which can only be enforced by an Illinois State’s Attorney or the Attorney General. In addition, violators are permitted 15 days after notice from an Illinois State’s Attorney or the Attorney General to cure such violation.

Entities not subject to the Geolocation Privacy Protection Act include health care providers and other covered entities subject to the HIPAA; certain financial institutions; Internet, wireless, or telecommunications service providers; and licensed private detectives. 

Passage of the Geolocation Privacy Protection Act follows the narrow passage of another privacy-related piece of legislation in Illinois, the “Right to Know Act,” by the Illinois State Senate in May of this year. The Right to Know Act requires that operators of commercial websites or online services disclose how personal information, especially information relating to children, is shared by businesses. The disclosure would be required when customers sign up for services and also any time upon request.