On June 27, 2017, the governor of Illinois signed the Geolocation Privacy Protection Act. If your app collects geolocation data along with any other personal information, you are likely required to comply with it.
Here is what you need to know about the Geolocation Privacy Protection Act and how to comply with it.
Requirements of the act
The act defines "geolocation information" as data generated by a mobile device that sufficiently indicates the location of the device and its user.
It does not include communication methods, like email or text, or Internet protocol addresses.
If your app collects this type of information you owe specific duties to your users.
The act requires developers using geolocation information to:
- Inform users that geolocation information is collected, used or disclosed (depending on what your app does),
- Inform users in writing of your purposes in collecting the data, and
- Provide a hyperlink or other accessible means to access this information
Once you obtain consent to collect geolocation information from users, you do not have to secure it again, as long as you meet the requirements listed above.
Violations fall under the Consumer Fraud and Deceptive Business Practices Act. There is no private cause of action and only the attorney general can enforce penalties. If your practices do not comply with the act, you will receive a notice from the attorney general's office and be granted 15 days to fix the violation.
Does it apply to you?
The act applies to all private entities, much like the California Online Privacy Protection Act. A private entity is defined as any individual, partnership, corporation, limited liability company or other group or association. It does not include government agencies.
While that appears to be a wide definition, there are organizations that do not have to comply with this act. They include health care providers, financial institutions and their affiliates, telecommunications companies, public utilities, video service providers, and licensed private detectives.
If your organization does not fall under any exceptions for private entities, the next step is to determine whether your app is location-based.
This definition includes any app that uses location information. Examples include trip-planning apps that use GPS to determine whether you are near interesting sites or apps that inform customers that their service provider is on their way.
Some location-based apps are not required to comply. They usually involve apps designed for safety or emergency reasons. This includes apps used to track children and incapacitated adults, so they are less likely to get lost. The same is true for any app that guides emergency services to people who need them or uses this information only for storage, security, and authentication services.
If you do not fall under the exceptions and your app will be available for use in the United States, it is in your best interest to comply with this act.
Best compliance practices
Since Illinois enacted this law very recently (June 2017), there are not many examples of notices connected with geolocation data. There are several geolocation apps and they normally discuss geolocation data in their Privacy Policies or through pop-up warnings.
Here are examples of how this is handled now and recommendations for doing better to assure compliance.
Examples of current notices
App platforms may also include a notice. If you post a geolocation app on Google Play, users will see this before downloading your app. Notice it informs users that Glympse (an app used by service providers) needs access to location:
While these practices are likely in compliance with the new law, it is difficult to say for certain this soon after its enactment. It is prudent to take extra steps to assure compliance and avoid that 15-day warning from the attorney general.
Take these steps to assure you provide proper notice to your users regarding geolocation data.
Add your own notice
Even if you already mention "location data", change that term to "geolocation information" so that you are consistent with the act.
The New Statesman Tech offers an excellent example of this approach:
The point of taking all these steps is to strengthen your approach to giving notice regarding geolocation data usage. This leaves little doubt that users have access to your geolocation information policies and that enhances your compliance with the act.
Consider the Geolocation Privacy Protection Act as an opportunity to review your privacy practices. As more apps use geolocation data to assist users, it is important to keep them fully informed of your information practices. This not only supports legal compliance but also goodwill in your marketplace.