States Step Up to Protect Privacy In Wake of FCC Ruling
Written by Michelle De Mooy
In the wake of this week’s Congressional repeal of the FCC’s broadband privacy rules, states appear poised to enact legislation aimed at protecting their citizens’ privacy. The Illinois General Assembly debated yesterday morning the merits of two bills that would give state consumers more transparency and control over the collection and sharing of their personal information. Both bills were reported out of committee with the promise that they would be discussed and amended again next week.
HB 3449, the Geolocation Privacy Protection Act, seeks to prevent companies from using geolocation derived from location-based applications on a person’s device without first giving the person notice and receiving affirmative consent that they can use that data. Personal devices and the apps they pair with have become a vast reservoir of data about individuals, recording information such as purchases, behaviors, and habits. Location tracking technologies have become increasingly sophisticated; GPS and other tracking software are able to gather more and more granular information about a person’s location. As they have grown in sophistication, and opacity, these geolocation technologies are challenging consumers’ expectations of privacy.
The bill takes many positive steps toward protecting Illinois consumers’ geolocation information. Companies would be required to 1) inform individuals if their geolocation data will be collected; 2) inform them of the purposes for which the data would be collected; and 3) provide a link to access what was collected. Companies are also required to get affirmative consent from an individual before using their geolocation information.
The legislation is not without its faults, however. The proposed definition of “geolocation information” is overbroad. The definition includes information that “(i) is not the contents of a communication; (ii) is generated by or derived from, in whole or in part, the operation of a mobile device, including, but not limited to, a smartphone, tablet, or laptop computer; and (iii) is sufficient to determine or infer location of that device.” This definition could capture apps as innocuous as a smartphone’s clock, which provides users with timezone information. While consumers should be given enough information to feel confident consenting to data usage, flooding them with unnecessary notices risks “notice fatigue,” causing the person to ignore the notice or quit the app altogether. The bill’s language also seems to implicate location-based services that benefit consumers but that would not typically need to ask for consent, such as a chip manufacturer tracking location for distribution or functionality purposes.
By contrast, a recent proposal to amend the California Civil Code suggests a more limited definition of geolocation: “Location data generated by a consumer device capable of connecting to the Internet that directly identifies the precise physical location of the identified individual at particular times and that is compiled and retained.” This definition protects information that can most directly identify an individual and provides a limited, workable definition for companies.
CDT lauds Illinois for taking steps to return control over personal information to the consumer. With this fix, the bill would give consumers the ability to make an informed decision about a highly sensitive piece of information, and provide them with a measure of transparency and accountability. We believe the opt-in regime offers a workable solution for industry.
Also being considered in the Illinois General Assembly is HB 2774, the Right to Know Act, which would require commercial websites or online services to tell individuals what data they’ve collected about them and the categories of third parties with whom it is shared, such as data brokers. The bill also requires companies to provide an email address or toll-free number that consumers can use to request this information.
We believe this level of transparency may remove some of the opacity that currently surrounds the collection and sharing of personal information. Individuals will be able to educate themselves on the types of data collected about them and how it is used and shared by multiple parties, giving them a chance to make informed decisions about which companies they trust with their personal information.
The bill has provoked concern from tech companies who have protested that the bill is redundant, citing requirements from the Federal Trade Commission (FTC) to disclose material data practices and from other state laws, like CalOPPA, that require disclosure of all (even non-material) data practices.
But these disclosures typically end up in lengthy and confusing privacy policies, which consumers by and large do not read or comprehend. The Right to Know Act makes the disclosure more accessible for consumers, and the disclosure is generated by request. Though it will undoubtedly be challenging for companies to design systems that capture all disclosures of consumer information to third parties, this process will force them to audit their data practices through the lens of consumer scrutiny – from where we sit, that’s not a bad thing.
Both bills come at a critical time in consumer privacy. The United States’ scattered sectoral approach to privacy law has resulted in uneven privacy regulations and enforcement, leaving gaping holes in protection (a trend dramatically exacerbated by the repeal of the broadband privacy rules). States across the country appear poised to fill these gaps – Nevada has introduced a similar geolocation privacy bill and states like Michigan and Alabama are expected to file comparable bills soon. And Minnesota lawmakers directly addressed the repeal of the broadband privacy rules by adding an emergency amendment to their state’s economic development bill prohibiting ISPs from selling customer data without express written consent.
Bills like the ones being debated in Illinois are a welcome start. We cannot regain control over our personal information until customers and companies are on a level playing field when it comes to what they know about data collection and sharing.