Illinois “Geolocation Privacy Protection Act” Passes Both Houses, Headed to Governor’s Desk

Download IconDownload Print IconPrint

Illinois “Geolocation Privacy Protection Act” Passes Both Houses, Headed to Governor’s Desk

Blog WilmerHale Privacy and Cybersecurity Law

On Tuesday, June 27, the Illinois legislature passed HB 3449, the “Geolocation Privacy Protection Act.” If signed by Governor Bruce Rauner (R), the bill would prohibit a “private entity” from collecting, using, storing or disclosing “geolocation information from a location-based application on a person’s device” unless the entity has first obtained that person’s “affirmative express consent.” As amended, the bill does not contain a private right of action. Instead, violations of the bill may be pursued by the Attorney General or a State’s Attorney under Illinois’s Consumer Fraud and Deceptive Business Act. Before filing a suit, however, the Attorney General or State’s Attorney must provide the business with a 15-day right to cure. 

The bill defines “geolocation information” as information (other than the “contents of a communication”) that is “generated by or derived from” the operation of a “mobile device” (a category that includes smart phones, tablets, and laptops) and that is “sufficient to determine or infer the precise location of that device.” IP addresses are specifically exempted from the definition of “geolocation information.” The bill does not further define “precise location.” 

Under the bill, entities collecting geolocation information must provide individuals with: (1) a “clear, prominent, and accurate notice” explaining that geolocation information will be collected, used, or disclosed; (2) the specific purposes for which the individual’s geolocation information will be collected, used, or disclosed; and (3) “a hyperlink or comparably accessible means to access the information” required by the law. The company must also obtain the individuals’ “affirmative express consent” (an undefined term) to the activities described in the notice. A limited number of uses are exempted from this notice and consent requirement, including allowing parents and guardians to locate minor children or legally incapacitated persons, providing emergency services (i.e., fire, police, ambulance, etc.), or “providing storage, security, or authentication services.” A number of regulated entities are also exempt from the bill, including covered entities under HIPAA, internet and telecommunications providers, financial institutions regulated by the GLBA, private detectives, public utilities, and political campaigns. 

Related Solutions

We help companies protect data, comply with evolving regulations, and respond to investigations and litigation.

More from this series

Explore the Full Series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.

I Accept Cancel