Rauner Vetoes Bill Requiring User Opt-In for Selling Geolocation Data

Posted on September 24, 2017

The Chicago Tribune reports that Illinois Governor Bruce Rauner has vetoed a bill which would have required tech companies and other businesses whose products or services handle geolocation data to receive explicit consent from users or customers before that data can be collected, stored, or transferred to other entities. If signed, the bill, known as the Geolocation Privacy Protection Act (HB 3449) and which CCDBR covered in a previous piece, would have been the first in the nation to regulate the collection of user geolocation data by ensuring that users exercise a real and informed choice as to how their data is used. The language of the bill required that private entities collecting user geolocation data inform users of the purposes for the data collection, and any third-parties who will gain access to the data, before users consent to geolocation data processing.

While tech companies and other private entities currently disclose the general fact of their handling of user geolocation data, users are often kept in the dark regarding what is done with that data. Both the iOS and Android mobile operating systems notify users when an application or program attempts to access geolocation data and prompt users to approve or deny this access, but users are afforded no further or more granular means of limiting geolocation data processing. Once users approve application permission for geolocation data, the application is free to collect, store, and transmit that data at any and all times and for any reasons. In other words, geolocation data collection is currently an all-or-nothing choice for users. 

Rauner defended his veto by arguing that the modest restrictions imposed by the legislation would stifle innovation and economic growth in the state’s burgeoning tech sector. One vociferous lobbying force against the bill was CompTIA, an immensely powerful information technology (IT) trade group based in Illinois which, among other things, issues some of the most highly prized certifications in the industry.  CompTIA’s resistance to the bill likely had considerable impact on Rauner’s decision.

The Illinois House and Senate have yet to announce whether or not they will pursue a veto override, but considering the support it received in its initial passage by both chambers, the prospects for such a measure are very much in doubt–the initial House vote of 69-42 with one abstention and Senate vote of 33-22 leaves each body just short of the two-thirds threshold for a successful override. Compounding this challenge is the legislature’s evidently tepid reception of other pieces of digital privacy legislation, whose legislative progress CCDBR has also covered. Both the Right to Know Act (HB 2774) and the Microphone-Enable Devices Act (HB3819) have sputtered and remain inactive. Even so, similar restrictive measures targeting geolocation data are currently under consideration in other states, and the fact that the first major push toward effective regulation reached the governor’s desk is an encouraging sign for legislators in other states, and certainly for those in Illinois who may yet mount another challenge to Rauner’s veto pen. 

You can read the full story from the Chicago Tribune here

Jonathan Terrasi has been a Research Assistant with the Chicago Committee to Defend the Bill of Rights since January 2017. His interests include computer security, encryption, history, and philosophy. In his writing, he regularly covers topics on current affairs and political developments, as well as technical analyses and guides on security issues, published on his blog, Cymatic Scanning, and Linux Insider.