On June 27, 2017, the governor of Illinois signed the Geolocation Privacy Protection Act. If your app collects geolocation data along with any other personal information, you are likely required to comply with it.
Fortunately, the adjustments you need to make to your sign-in process and Privacy Policy are minor.
Here is what you need to know about the Geolocation Privacy Protection Act and how to comply with it.
Requirements of the act
The act defines "geolocation information" as data generated by a mobile device that sufficiently indicates location of the device--and its user.
It does not include communication methods, like email or text, or Internet protocol addresses.
If your app collects this type of information you owe specific duties to your users.
The act requires developers using geolocation information to:
- Inform users that geolocation information is collected, used or disclosed (depending on what your app does),
- Inform users in writing of your purposes in collecting the data, and
- Provide a hyperlink or other accessible means to access this information
Once you obtain consent to collect geolocation information from users, you do not have to secure it again, as long as you meet the requirements listed above.
Violations fall under the Consumer Fraud and Deceptive Business Practices Act. There is no private cause of action and only the attorney general can enforce penalties. If your practices do not comply with the act, you will receive a notice from the attorney general's office and granted 15 days to fix the violation.
Does it apply to you?
The act applies to all private entities, much like the California Online Privacy Protection Act. That is defined as any individual, partnership, corporation, limited liability company or other group or association. It does not include government agencies.
While that appears to be a wide definition, there are organizations that do not have to comply with this act. They include health care providers, financial institutions and their affiliates, telecommunications companies, public utilities, video service providers, and licensed private detectives.
If your organization does not fall under any exceptions for private entities, the next step is to determine whether your app is location-based.
This definition includes any app that uses location information. Examples include trip-planning apps that use GPS to determine whether you are near interesting sites or apps that inform customers that their service provider is on their way.
Some location-based apps are not required to comply. They usually involve apps designed for safety or emergency reasons. This includes apps used to track children and incapacitated adults, so they are less likely to get lost. The same is true for any app that guides emergency services to people who need them or uses this information only for storage, security, and authentication services.
If you do not fall under the exceptions and your app will be available for use in the United States, it is in your best interest to comply with this act.
Best compliance practices
Since Illinois enacted this law very recently (June 2017), there are not many examples of notices connected with geolocation data. There are several geolocation apps and they normally discuss geolocation data in their Privacy Policies or through pop-up warnings.
Here are examples of how this is handled now and recommendations for doing better to assure compliance.
Examples of current notices
Geolocation data provisions are usually in a Privacy Policy. This meets the second requirement of this act; that geolocation data practices are written down and accessible to the user. Since you likely already supply a link to the Privacy Policy, you likely already meet this requirement.
When the user visits your Privacy Policy, the geolocation data should be mentioned directly.
Booking.com presents this in its Privacy Policy this way. It offers users a heads-up that the app collects mobile device data including location:
App platforms may also include a notice. If you post a geolocation app on Google Play, users will see this before downloading your app. Notice it informs users that Glympse (an app used by service providers) needs access to location:
While these practices are likely in compliance with the new law, it is difficult to say for certain this soon after its enactment. It is prudent to take extra steps to assure compliance and avoid that 15-day warning from the attorney general.
Doing better
Take these steps to assure you provide proper notice to your users regarding geolocation data.
Add your own notice
Even if you use Google Play and enjoy the benefits of its notice, do not rely on that alone. Post a notice that pops up before users open an account on your app. Indicate that you are using geolocation data and provide a link to your Privacy Policy so users can find more details.
Check your Privacy Policy
This is a good time to audit your Privacy Policy to assure it is in compliance with this new law. In addition to describing how you use personal data, also mention geolocation data specifically and indicate how it is collected, used, and disclosed and why.
Even if you already mention "location data" change that term to "geolocation information" just so you are consistent with the act.
If your use of geolocation is extensive, consider placing a description of that use in its own agreement or a separate webpage. You can link to it from your Privacy Policy or offer a link at sign-up so users understand how the app will affect them.
Add click-wrap
You should have a clear means of assuring users accept the terms of your Privacy Policy. If not, now is a good time to modify that.
The most reliable way of securing acceptance is through clickwrap. Sometimes this is passive, like with Memebox. Users merely signing up for its services constitutes agreement to the Terms and Conditions and Privacy Policy:
With this new law, it is best to use an active approach since it demands "affirmative express consent." The best approach is to include a checkbox to assure users accept the Privacy Policy and link to it in that dialog window.
The New Statesman Tech offers an excellent example of this approach:
Take the same approach when you modify your Privacy Policy. Rather than just announcing changes, Meetup provides links and an "accept" button indicating that users will go along with the new Privacy Policy:
The point of taking all these steps is to strengthen your approach to giving notice regarding geolocation data usage. This leaves little doubt that users have access to your geolocation information policies and that enhances your compliance with the act.
Consider the Geolocation Privacy Protection Act as an opportunity to review your privacy practices. As more apps use geolocation data to assist users, it is important to keep them fully informed of your information practices. This not only supports legal compliance but also goodwill in your marketplace.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.