Tech & Sourcing @ Morgan Lewis


In April, US President Donald Trump signed a bill rejecting Obama-era regulations on the consent needed for a broadband internet access service (BIAS) provider to use and disclose a consumer’s sensitive information—including geolocation data. In the wake of such regulations being blocked, some state legislatures introduced geolocation privacy bills to address the use and disclosure of consumers’ geolocation information. The Illinois House and Senate recently passed one of those efforts to regulate such use of geolocation information.

As we previously discussed, the invalidated federal regulations would have required, among other things, a BIAS provider to obtain opt-in consent from a consumer before using or sharing information related to the consumer’s precise geolocation.

On June 27, 2017, the Illinois House and Senate passed the Geolocation Privacy Protection Act (the Act). Under the Act, an “entity may not collect, use, store, or disclose geolocation information from a location-based application on a person’s device,” unless the entity receives prior affirmative, express consent after adequate notice. Such notice must include

  • a statement that the person’s geolocation information will be collected, used, or disclosed;
  • the specific purpose of such collection, use, or disclosure; and
  • accessible means, such as a hyperlink, for the person to access such information.

After the initial consent, the private entity must re-obtain the person’s consent if such information in the notice materially changes. The Act provides certain exceptions to this notice requirement; for example, in order to allow a parent to locate an unemancipated minor child, for public safety, or for authentication. Under the Act, the definition of “geolocation information” means information that is

  • in whole or in part “generated by or derived from” the use of a mobile device such as a smart phone, tablet, or laptop, and
  • “sufficient to determine or infer the precise location of that device.”

“Geolocation information” expressly excludes the content of communications and internet protocol addresses. The Act’s notice requirements apply to geolocation information received from a “location-based application,” or “a software application that is downloaded or installed onto a mobile device and collects, uses, or stores geolocation information.”

After passing the Illinois House and Senate, the Act must next be signed by Governor Bruce Rauner to become law. If signed into law, the Act gives any Illinois state’s attorney or the Illinois attorney general the power to enforce these requirements. As such, if the Act is signed into law and applies to your business practices, it is important to determine whether your business practices comply with its requirements.