|
| | 104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB3712 Introduced 2/18/2025, by Rep. Ann M. Williams SYNOPSIS AS INTRODUCED:
| | | Creates the Privacy Protections for Location Information Derived from Electronic Devices Act. Makes it unlawful for a covered entity to collect or process an individual's location information except for a permissible purpose. Provides that before collecting or processing an individual's location information for one of those permissible purposes, a covered entity shall provide the individual with a copy of the location privacy policy and obtain consent from that individual Authorizes a civil action in which if the plaintiff prevails, the court may award (1) actual damages including damages for emotional distress, or $5,000 per violation, whichever is greater; (2) punitive damages; and (3) any other relief. Provides that in addition to any relief awarded, the court shall award reasonable attorney's fees and costs to any prevailing plaintiff. Defines terms. Makes other changes. |
| |
| | A BILL FOR |
|
|
| | HB3712 | | LRB104 12247 JRC 22354 b |
|
|
| 1 | | AN ACT concerning civil law.
|
| 2 | | Be it enacted by the People of the State of Illinois, |
| 3 | | represented in the General Assembly:
|
| 4 | | Section 1. Short title. This Act may be cited as the |
| 5 | | Privacy Protections for Location Information Derived from |
| 6 | | Electronic Devices Act.
|
| 7 | | Section 5. Legislative intent. The General Assembly |
| 8 | | intends to protect the reproductive health access, safety of |
| 9 | | LGBTQ lives, religious liberty, and freedom of movement by |
| 10 | | passage of this Act.
|
| 11 | | Section 10. Definitions. As used in this Act: |
| 12 | | "Application" means a software program that runs on the |
| 13 | | operating system of a device. |
| 14 | | "Collect" means to obtain, infer, generate, create, |
| 15 | | receive, or access an individual's location information. |
| 16 | | "Consent" means freely given, specific, informed, |
| 17 | | unambiguous, opt-in consent. "Consent" does not include (i) |
| 18 | | agreement secured without first providing to the individual a |
| 19 | | clear and conspicuous disclosure of all information material |
| 20 | | to the provision of consent, apart from any privacy policy, |
| 21 | | terms of service, terms of use, general release, user |
| 22 | | agreement, or other similar document; or (ii) agreement |
|
| | HB3712 | - 2 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | obtained through the use of a user interface designed or |
| 2 | | manipulated with the substantial effect of subverting or |
| 3 | | impairing user autonomy, decision making, or choice. |
| 4 | | "Covered entity" means any individual, partnership, |
| 5 | | corporation, limited liability company, association, or other |
| 6 | | group, however organized. "Covered entity" includes all agents |
| 7 | | of the entity. "Covered entity" does not include a State or |
| 8 | | local government agency, or a State court, a clerk of the |
| 9 | | court, or a judge or justice. "Covered entity" does not |
| 10 | | include an individual acting in a noncommercial context. |
| 11 | | "Device" means a mobile telephone or any other electronic |
| 12 | | device that is or may commonly be carried by or on an |
| 13 | | individual or that is a component part of a motor vehicle and |
| 14 | | is capable of connecting to a cellular, bluetooth, or other |
| 15 | | wireless network. |
| 16 | | "Disclose" means to make location information available to |
| 17 | | a third party, including, but not limited to, by sharing, |
| 18 | | publishing, releasing, transferring, disseminating, providing |
| 19 | | access to, or otherwise communicating such location |
| 20 | | information orally, in writing, electronically, or by any |
| 21 | | other means. |
| 22 | | "Individual" means a person located in the State. |
| 23 | | "Location information" means information derived from a |
| 24 | | device or from interactions between devices, with or without |
| 25 | | the knowledge of the user and regardless of the technological |
| 26 | | method used, that pertains to or directly or indirectly |
|
| | HB3712 | - 3 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | reveals the present or past geographical location of an |
| 2 | | individual or device within the State with sufficient |
| 3 | | precision to identify street-level location information within |
| 4 | | a range of 1,850 feet or less. "Location information" |
| 5 | | includes, but is not limited to, (i) an internet protocol |
| 6 | | address capable of revealing the physical or geographical |
| 7 | | location of an individual, (ii) Global Positioning System |
| 8 | | (GPS) coordinates; and (iii) cell-site location information. |
| 9 | | "Location information" does not include location information |
| 10 | | identifiable or derived solely from the visual content of a |
| 11 | | legally obtained image, including the location of the device |
| 12 | | that captured such image or publicly posted words. |
| 13 | | "Location privacy policy" means a description of the |
| 14 | | policies, practices, and procedures controlling a covered |
| 15 | | entity's collection, processing, management, storage, |
| 16 | | retention, and deletion of location information. |
| 17 | | "Monetize" means to collect, process, or disclose an |
| 18 | | individual's location information for profit or in exchange |
| 19 | | for monetary or other consideration. "Monetize" includes, but |
| 20 | | is not limited to, selling, renting, trading, or leasing |
| 21 | | location information. |
| 22 | | "Person" means any natural person. |
| 23 | | "Permissible purpose" means one of the following purposes: |
| 24 | | (i) provision of a product, service, or service feature to the |
| 25 | | individual to whom the location information pertains when that |
| 26 | | individual requested the provision of such product, service, |
|
| | HB3712 | - 4 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | or service feature by subscribing to, creating an account, or |
| 2 | | otherwise contracting with a covered entity; (ii) initiation, |
| 3 | | management, execution, or completion of a financial or |
| 4 | | commercial transaction or fulfill an order for specific |
| 5 | | products or services requested by an individual, including any |
| 6 | | associated routine administrative, operational, and |
| 7 | | account-servicing activity such as billing, shipping, |
| 8 | | delivery, storage, and accounting; (iii) compliance with an |
| 9 | | obligation under federal or State law; or (iv) response to an |
| 10 | | emergency service agency, an emergency alert, a 911 |
| 11 | | communication, or any other communication reporting an |
| 12 | | imminent threat to human life. |
| 13 | | "Process" means to perform any action or set of actions on |
| 14 | | or with location information, including, but not limited to, |
| 15 | | collecting, accessing, using, storing, retaining, analyzing, |
| 16 | | creating, generating, aggregating, altering, correlating, |
| 17 | | operating on, recording, modifying, organizing, structuring, |
| 18 | | disposing of, destroying, deidentifying, or otherwise |
| 19 | | manipulating location information. "Process" does not include |
| 20 | | disclosing location information. |
| 21 | | "Reasonably understandable" means of length and complexity |
| 22 | | such that an individual with an 8th-grade reading level, as |
| 23 | | established by the State Board of Education, can read and |
| 24 | | comprehend. |
| 25 | | "Service feature" means a discrete aspect of a service |
| 26 | | provided by a covered entity, including, but not limited to, |
|
| | HB3712 | - 5 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | real-time directions, real-time weather, and identity |
| 2 | | authentication. |
| 3 | | "Service provider" means an individual, partnership, |
| 4 | | corporation, limited liability company, association, or other |
| 5 | | group, however organized, that collects, processes, or |
| 6 | | transfers location information for the sole purpose of, and |
| 7 | | only to the extent that such service provider is, conducting |
| 8 | | business activities on behalf of, for the benefit of, at the |
| 9 | | direction of, and under contractual agreement with a covered |
| 10 | | entity. |
| 11 | | "Third party" means any covered entity or person other |
| 12 | | than (i) a covered entity that collected or processed location |
| 13 | | information in accordance with this Act or its service |
| 14 | | providers or (ii) the individual to whom the location |
| 15 | | information pertains.
|
| 16 | | Section 15. Protection of location information. |
| 17 | | (a) It is unlawful for a covered entity to collect or |
| 18 | | process an individual's location information except for a |
| 19 | | permissible purpose. Before collecting or processing an |
| 20 | | individual's location information for one of those permissible |
| 21 | | purposes, a covered entity shall provide the individual with a |
| 22 | | copy of the location privacy policy and obtain consent from |
| 23 | | that individual; however, this shall not be required when the |
| 24 | | collection and processing is done in (i) compliance with an |
| 25 | | obligation under federal or State law or (ii) in response to an |
|
| | HB3712 | - 6 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | emergency service agency, an emergency alert, a 911 |
| 2 | | communication, or any other communication reporting an |
| 3 | | imminent threat to human life. For purposes of this |
| 4 | | subsection, a consumer accessing, procuring, or searching for |
| 5 | | services regarding contraception, pregnancy care, including, |
| 6 | | but not limited to, abortion services, does not constitute an |
| 7 | | imminent threat to human life. |
| 8 | | (b) If a covered entity collects location information for |
| 9 | | the provision of multiple permissible purposes, it should be |
| 10 | | mentioned in the location privacy policy and individuals shall |
| 11 | | provide discrete consent for each purpose; however, this shall |
| 12 | | not be required for the purpose of collecting and processing |
| 13 | | location information to comply with an obligation under |
| 14 | | federal or State law or to respond to an emergency service |
| 15 | | agency, an emergency alert, a 911 communication, or any other |
| 16 | | communication reporting an imminent threat to human life. |
| 17 | | (c) A covered entity that directly delivers targeted |
| 18 | | advertisements as part of its product or services shall |
| 19 | | provide individuals with a clear, conspicuous, and simple |
| 20 | | means to opt out of the processing of their location |
| 21 | | information for purposes of selecting and delivering targeted |
| 22 | | advertisements. |
| 23 | | (d) Consent provided under this Section expires (i) after |
| 24 | | one year, (ii) when the initial purpose for processing the |
| 25 | | information has been satisfied, or (iii) when the individual |
| 26 | | revokes consent, whichever occurs first, as long as the |
|
| | HB3712 | - 7 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | consent may be renewed pursuant to the same procedures. Upon |
| 2 | | expiration of consent, any location information possessed by a |
| 3 | | covered entity must be permanently destroyed. |
| 4 | | (e) It shall be unlawful for a covered entity or service |
| 5 | | provider that lawfully collects and processes location |
| 6 | | information to: |
| 7 | | (1) collect more precise location information than |
| 8 | | necessary to carry out the permissible purpose; |
| 9 | | (2) retain location information longer than necessary |
| 10 | | to carry out the permissible purpose; |
| 11 | | (3) sell, rent, trade, or lease location information |
| 12 | | to third parties; |
| 13 | | (4) derive or infer from location information any data |
| 14 | | that is not necessary to carry out a permissible purpose; |
| 15 | | or |
| 16 | | (5) disclose, cause to disclose, or assist with or |
| 17 | | facilitate the disclosure of an individual's location |
| 18 | | information to third parties, unless such disclosure is |
| 19 | | (i) necessary to carry out the permissible purpose for |
| 20 | | which the information was collected or (ii) requested by |
| 21 | | the individual to whom the location data pertains. |
| 22 | | (f) It is unlawful for a covered entity or service |
| 23 | | providers to disclose location information to any federal, |
| 24 | | State, or local government agency or official unless: |
| 25 | | (1) the agency or official serves the covered entity |
| 26 | | or service provider with a valid warrant; |
|
| | HB3712 | - 8 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | (2) disclosure is mandated under federal or State law; |
| 2 | | (3) the data subject requests such disclosure; or |
| 3 | | (4) a natural person is at risk or danger of death or |
| 4 | | serious physical injury, as long as: |
| 5 | | (A) the request is approved by a high-ranking |
| 6 | | agency officer for emergency access to a consumer's |
| 7 | | personal information; |
| 8 | | (B) the request is based on the agency's good |
| 9 | | faith determination that it has a lawful basis to |
| 10 | | access the information on a nonemergency basis; and |
| 11 | | (C) the agency agrees to petition a court for an |
| 12 | | appropriate order within 3 days and to destroy the |
| 13 | | information if that order is not granted. |
| 14 | | For purposes of this subsection, a consumer accessing, |
| 15 | | procuring, or searching for services regarding |
| 16 | | contraception, pregnancy care, and perinatal care, |
| 17 | | including, but not limited to, abortion services, does not |
| 18 | | constitute a natural person being at risk or danger of |
| 19 | | death or serious physical injury. |
| 20 | | (g) A covered entity shall maintain and make available to |
| 21 | | the data subject a location privacy policy, which shall |
| 22 | | include, at a minimum, the following: |
| 23 | | (1) the permissible purpose for which the covered |
| 24 | | entity is collecting, processing, or disclosing any |
| 25 | | location information; |
| 26 | | (2) the type of location information collected, |
|
| | HB3712 | - 9 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | including the precision of the data; |
| 2 | | (3) the identities of service providers with which the |
| 3 | | covered entity contracts with respect to location data; |
| 4 | | (4) any disclosures of location data necessary to |
| 5 | | carry out a permissible purpose and the identities of the |
| 6 | | third parties to whom the location information could be |
| 7 | | disclosed; |
| 8 | | (5) whether the covered entity's practices include the |
| 9 | | internal use of location information for purposes of |
| 10 | | targeted advertisement; |
| 11 | | (6) the data management and data security policies |
| 12 | | governing location information; and |
| 13 | | (7) the retention schedule and guidelines for |
| 14 | | permanently deleting location information. |
| 15 | | (h) A covered entity in lawful possession of location |
| 16 | | information shall provide notice to individuals to whom that |
| 17 | | information pertains of any change to its location privacy |
| 18 | | policy at least 20 business days before the change goes into |
| 19 | | effect and shall request and obtain consent before collecting |
| 20 | | or processing location information in accordance with the new |
| 21 | | location privacy policy. |
| 22 | | (i) It shall be unlawful for a governmental entity to |
| 23 | | monetize location information.
|
| 24 | | Section 20. Prohibition against retaliation. A covered |
| 25 | | entity may not take adverse action against an individual |
|
| | HB3712 | - 10 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | because the individual exercised or refused to waive any of |
| 2 | | such individual's rights under this Act, unless location data |
| 3 | | is essential to the provision of the good, service, or service |
| 4 | | feature that the individual requests, and then only to the |
| 5 | | extent that this data is essential. This prohibition includes, |
| 6 | | but is not limited to: |
| 7 | | (1) refusing to provide a good or service to the |
| 8 | | individual; |
| 9 | | (2) charging different prices or rates for goods or |
| 10 | | services, including through the use of discounts or other |
| 11 | | benefits or imposing penalties; or |
| 12 | | (3) providing a different level or quality of goods or |
| 13 | | services to the individual.
|
| 14 | | Section 25. Enforcement. |
| 15 | | (a) A violation of this Act or a rule adopted by the |
| 16 | | Department of Innovation and Technology regarding an |
| 17 | | individual's location information constitutes an injury to |
| 18 | | that individual. |
| 19 | | (b) Any individual alleging a violation of this Act by a |
| 20 | | covered entity or service provider may bring a civil action in |
| 21 | | State court. |
| 22 | | (c) An individual protected by this Act may not be |
| 23 | | required, as a condition of service or otherwise, to accept |
| 24 | | mandatory arbitration of a claim arising under this Act. |
| 25 | | (d) In a civil action in which the plaintiff prevails, the |
|
| | HB3712 | - 11 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | court may award: |
| 2 | | (1) actual damages, including damages for emotional |
| 3 | | distress, or $5,000 per violation, whichever is greater; |
| 4 | | (2) punitive damages; and |
| 5 | | (3) any other relief, including, but not limited to, |
| 6 | | an injunction or declaratory judgment that the court deems |
| 7 | | to be appropriate. |
| 8 | | (e) For purposes of subsection (e) of Section 15, a |
| 9 | | covered entity that, in more than one instance, violates |
| 10 | | (1) through (4) of Section 15, from the same person using |
| 11 | | the same method of collection or sale in violation of |
| 12 | | subsection (e) of Section 15 has committed a single |
| 13 | | violation of subsection (e) of Section 15 for which the |
| 14 | | aggrieved person is entitled to, at most, one recovery |
| 15 | | under this Section. |
| 16 | | (f) For purposes of subsection (f) of Section 15, the |
| 17 | | court shall consider each instance in which a covered |
| 18 | | entity or service provider collects, processes, or |
| 19 | | discloses location information in a manner prohibited by |
| 20 | | subsection (f) of Section 15 as constituting a separate |
| 21 | | violation of this Act or rule adopted under this Act. |
| 22 | | (g) Upon motion, a court shall award reasonable |
| 23 | | attorney's fees and costs, including expert witness fees |
| 24 | | and other litigation expenses, to a plaintiff who is a |
| 25 | | prevailing party in any action brought under this Act. In |
| 26 | | awarding reasonable attorney's fees, the court shall |
|
| | HB3712 | - 12 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | consider the degree to which the relief obtained relates |
| 2 | | to the relief sought. |
| 3 | | (h) For the purpose of this Act, "prevailing party" |
| 4 | | includes any party: |
| 5 | | (1) who obtains some of the requested relief |
| 6 | | through a favorable judicial judgment; |
| 7 | | (2) who obtains some of the requested relief |
| 8 | | through any settlement agreement approved by the |
| 9 | | court; or |
| 10 | | (3) whose pursuit of a nonfrivolous claim was a |
| 11 | | catalyst for a unilateral change in position by the |
| 12 | | opposing party relative to the relief sought. |
| 13 | | (i) Any provision of a contract or agreement of any kind, |
| 14 | | including a covered entity's terms of service or policies, |
| 15 | | including, but not limited to, the location privacy policy, |
| 16 | | that purports to waive or limit in any way an individual's |
| 17 | | rights under this Act, including, but not limited to, any |
| 18 | | right to a remedy or means of enforcement, is deemed contrary |
| 19 | | to State law and is void and unenforceable. |
| 20 | | (j) No private or government action brought under this Act |
| 21 | | precludes any other action under this Act.
|
| 22 | | Section 30. Nonapplicability. This Act does not apply to |
| 23 | | location information collected from a patient by a health care |
| 24 | | provider or health care facility, or collected, processed, |
| 25 | | used, or stored exclusively for medical education or research, |
|
| | HB3712 | - 13 - | LRB104 12247 JRC 22354 b |
|
|
| 1 | | public health or epidemiological purposes, health care |
| 2 | | treatment, health insurance, payment, or operations, if the |
| 3 | | information is protected from disclosure under the federal |
| 4 | | Health Insurance Portability and Accountability Act of 1996 or |
| 5 | | other applicable federal and State laws, rules, and |
| 6 | | regulations. |
Translate