Geolocation Privacy Protection Act Awaits Action by Rauner
Does a messaging app, or one that serves up your favorite podcasts, need to know what corner you’re standing on? Probably not. Yet odds are that all of your mobile apps are collecting geolocation data – location-based information used to determine the physical the location of your phone.
While most apps specify how and when this data is being accessed and shared in their terms of service or privacy policies, a bill approved by the Illinois General Assembly strives to make the notifications more apparent.
“People are so unaware of how their information is collected,” said Rep. Ann Williams, who sponsored HB3449, the Geolocation Privacy Protection Act. “We get so attached to our cellphones that we sometimes forget about the opportunity for data to be collected.”
Under the proposed bill, apps would be required to seek users’ permission before collecting and sharing geolocation data. “Our requirement is that an app provides a pop-up box that appears when you use the mobile app for the first time. The text would say to the consumer what data is being collected and for what purposes,” Williams said. “It’s a responsible way for consumers to know what their data is being collected for.”
Illinois Chamber of Commerce President Todd Maisch says the bill is unnecessary. “It’s a solution looking for a problem,” he said. “Right now geolocation is something consumers can regulate themselves easily. ... We think that this will be a frustration for consumers and a huge burden for app developers – many of which are small businesses that are looking to grow in the state of Illinois.”
“Tracking can still happen. This bill is about notifying and empowering users.”
The Internet Association, a trade group that represents companies such as Google, Amazon and Facebook, is also opposed to the bill, saying it will “create costly, duplicative disclosure and consent requirements.”
But not all tech companies feel this way. More than two dozen Illinois tech startups sent a letter to Rauner urging him to sign the bill. They say the bill protects citizens’ right to privacy and is necessary to gain consumers’ trust.
“I see this as an important step that needs to be taken. There are companies in the tech sector that aren’t self-regulating,” said DataMade founder Derek Eder, whose business employs six full-time workers.
Eder, a board member of the advocacy group Digital Privacy Alliance, was among those who signed the letter to Rauner. He says while most tech companies do self-regulate, this bill will hold everyone accountable.
“Many apps do a good job of notifying [users] when they’re tracking location and what they do with the information, and they do so responsibly,” Eder said. “This is meant to catch all the bad actors – to sort of push them to expose what they’re doing.”
While Eder acknowledges that many apps allow users to manage if and when their geolocation data is accessed, he says those controls are “buried levels down in interfaces” that some may not know how to find.
Creating custom notifications about how users’ geolocation data is being accessed and shared wouldn’t be difficult or costly, Eder said.
But it could be bad for users’ experience, says Carl Szabo, senior policy counsel for the trade association NetChoice which advocates for fewer restrictions on online businesses.
“Having more pop-ups when you use your device or different pop-ups can create confusion,” Szabo said. “[This bill] begins messing with the notices we’ve become accustomed to using and become familiar with. It requires custom notifications for each app.”
Szabo is also concerned about the language in the bill, which says geolocation information includes the “precise” location of the device. “[HB3449] doesn’t define precise. Is it exactly where I am now? Is it the address? Is it the city block? ... Without that that definition I worry there can be abuses of the gaps in the legislative language,” Szabo said. “[The bill] has undefined terms that leave businesses open to legal action.”
Only the state’s attorney and Illinois attorney general can enforce the Geolocation Privacy Protection Act. Those found in violation would have 15 days to comply with the law and be treated as they are under the Consumer Fraud and Deceptive Business Practices Act. Users whose rights are violated could recover up to $1,000 in damages, compensation for attorney’s fees and costs, and other appropriate relief, according to the bill.
“I think it’s a powerful piece of legislation and part of the challenge is educating consumers and how apps used, collected and shared their data,” said Williams, the bill’s sponsor. “There are multimillion-dollar companies that are doing nothing but collecting and distributing personal data for sale.”
“Do you want to develop a new app in the state of Illinois when we’re the only state in the nation that restricts or creates hurdles to geolocation-related apps?”
Opponents, like Szabo, say consumers are already protected under the federal legislation, specifically Section 5 of The Federal Trade Commission Act.
“We already have the laws on the books to address the concerns being raised by sponsors and supporters of the bill,” Szabo said. “The FTC Act is decades old, well established and enforced vigorously. ... It prohibits unfair or deceptive trade practices.”
Both the federal government and states’ attorneys can enforce the act, according to Szabo. “Complaints are filed fairly often by consumer advocate groups not only with the state attorney general but with the Federal Trade Commission itself,” he said.
If additional consumer protections are necessary, Maisch, the chamber president, says they should come from the federal government, not on a state-by-state basis. “For Springfield to try and regulate the internet is a crazy idea, frankly,” Maisch said. “Do you want to develop a new app in the state of Illinois when we’re the only state in the nation that restricts or creates hurdles to geolocation-related apps?”
Proponents say the bill isn’t meant to deter business or stop the collection of geolocation information.
“Tracking can still happen. This bill is about notifying and empowering users,” Eder said.
The bill passed the Illinois General Assembly in late July. Rauner has until Sept. 25 to sign or veto the measure.
Follow Kristen Thometz on Twitter: @kristenthometz
July 27: Buying a bag of chips or logging onto your computer with a wave of your hand will soon be possible at one Wisconsin company.
April 4: President Donald Trump signed a law Monday night allowing internet providers to sell your browser history. How worried should you be?
March 29: How Hardik Bhatt wants to protect state agencies from hackers.