It’s increasingly difficult to do anything on your phone nowadays without sharing your geolocation information. Certain Snapchat filters, Facebook status updates, Instagrams, and even text messages are all potentially tied to geolocation data. It’s relatively simple for app developers to build in geolocation functionality—and many services require users to opt-in to sharing location data. But now the state of Illinois wants ensure that all companies extracting geolocation data from individuals must provide an opt-in, or else they’ll have to pay up.
Last week, both houses of the Illinois state legislature passed the Geolocation Privacy Protection Act (HB3449), a bill that would make it illegal for companies to siphon up geolocation data that can be used to determine the precise location of a device, without the express permission of users. Now, it’s on the desk of Governor Bruce Rauner, waiting to be signed into law
If signed, companies would be required to inform users of how they’re using the location data they collect, if the users decides to share it. Companies who don’t adhere would be in violation of the Consumer Fraud and Deceptive Business Practices Act and would face criminal penalties and damages of at least $1,000 (plus attorney fees and court costs).
There are a few exceptions to the law. For instance, private entities can collect geolocation data without consent if the information will help parents find missing children or aid firefighters, police, or medical professionals.
The new law might not have a huge real-world impact, given that most devices and apps already ask people for permission before they start using location data. But this might encourage more tech companies and app developers to give users the option to opt out of being tracked.
There have been plenty of times in the past when companies have faced repercussions for tracking users without their consent. For instance, Apple and Uber have been sued for allegedly tracking un-notified users.
Ari Scharg, director of the Digital Privacy Alliance (DPA), told Gizmodo that the organization has done reports on the apps Selfie.ai and Rate Selfie Pic Hot Or Not, which give developers precise GPS coordinates whenever a person uploads a photo.
“When a person is just browsing through the photos to rate them, if they were intercepting the backend traffic, they would be able to get the GPS coordinates of each person they viewed,” Scharg said. “Overall, a person could use this information to stalk someone or the owner of the picture could retaliate against a person that left a bad comment if they were capturing the traffic.”
The DPA urges app developers to be transparent with users by clarifying how location data is being used. The organization has been advocating for the bill, and even wrote an open letter to Governor Rauner, which was signed by more than 20 representatives of Chicago-area tech companies.
Illinois has a reputation of passing strict data privacy legislation. The state’s Biometric Information Privacy Act prohibits tech companies from using biometric identifiers—like face scans and fingerprints—without consent. Their Right To Know Act—which passed in May, but was put on hold—requires companies such as Facebook, Amazon, and Google to disclose what data has been collected from consumers and shared with third parties.