Historic Data Privacy Bill Reaches Governor's Desk

Illinois has become the first state where a groundbreaking internet privacy bill has reached the governor’s desk, according to data privacy experts, and advocates are urging Gov. Bruce Rauner to sign it into law.

House Bill 3449 – the Geolocation Privacy Protection Act – would require internet companies and entities to tell consumers what geolocation data they are collecting, why they are gathering that information and with whom they are sharing it.

Privacy experts contend that popular mobile apps used by consumers, including children, are frequently collecting geolocation data without a consumer’s knowledge and sending that data to third-party companies to turn a profit.

“Geolocation data is in some ways the holy grail of personal data,” said Peter Hanna, co-founder of the Digital Privacy Alliance and a data privacy attorney. “Where we are, where we go – it’s among the most intimately private information about our day-to-day lives.”

The bill’s advocates said the measure would not bar companies from gathering geolocation data but would empower consumers by giving them the right to know that this collection is happening.

Opponents said the language in the bill does not provide additional protections to consumers.

“Location controls are already very strong,” said Downers Grove-based internet trade association CompTIA, which is urging Rauner to veto the bill. “The Federal Trade Commission oversees all regulation in regard to geolocation technology and has put forth guidance regarding the collection of device location information that includes clear and concise notification that the app collects user location.”

The debate is unfolding at a time when some companies are facing potential consequences.

A California parent has sued The Walt Disney Company, alleging the company collected personally identifying information about children who were playing online games via smart phone apps. The lawsuit states the games have trackers that gather data, including geolocation information, and in turn selling it to third party companies for “future commercial exploitation.”

The complaint accuses The Walt Disney Company of violating the federal Children’s Online Privacy Protect Act, which prohibits developers of child-focused apps from obtaining personal information of children under 13 years of age without first obtaining verifiable consent from their parents.

A Disney spokesperson said the complaint is based on a “fundamental misunderstanding of COPPA principles.”

“Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families,” a spokesperson said. “We look forward to defending this action in Court.”

The lawsuit states that Disney subsidiary Playdom paid a $3 million civil penalty in 2011 for violating COPPA when it allegedly collected and disclosed personal information from hundreds of thousands of children without getting parental consent.

The popular AccuWeather app has also come under fire for reportedly collecting geolocation information and sending it to a third party, even though a user said he disabled location services. The issue was first reported by tech security researcher Will Strafach.

AccuWeather in a statement said no GPS coordinates are collected without opt-in permission from the consumer. But the company said it will be removing third party trackers from the app until it is fully compliant with appropriate requirements.

Parents said the transparency that would come from the Geolocation Privacy Protection Act is not a big ask.

“It’s just a basic right to know issue,” said Andre Delattre. “If someone is going to collect and store information about me or my daughter or both of us, then the very least I ought to be afforded is to know that that’s the case.”

Contact Us