Already facing a surge of lawsuits under a state technology privacy law, business groups have expressed relief at Illinois Gov. Bruce Rauner’s decision to veto a new state technology privacy law regulating how and when smartphone apps and the businesses that develop and deploy them must notify users their physical locations are being logged – a law the business groups say will only offer the same trial lawyers another avenue to sue them.
In late September, Rauner, a Republican, vetoed the Illinois Geolocation Privacy Protection Act, legislation passed by the Democrat-controlled General Assembly.
Supporters of the bill have said the legislation would grant new protections to consumers to prevent businesses from using the geolocation information logged by their smartphones to more directly and efficiently market goods and services to them, or from selling that information to other would-be marketers.
The legislation passed the state House of Representatives 63-38, and the state Senate 33-22.
In vetoing the legislation, however, Rauner said in a prepared statement that he believed the legislation “would result in job loss across the state without materially improving privacy protections for Illinoisans or making devices and their apps safer for children.” Particularly, he said he believed the legislation would “hurt Illinois’ growing reputation as a destination for innovation-based job creation.”
The veto was blasted by supporters of the legislation, such as the Digital Privacy Alliance, a Chicago-based organization that lobbies legislators for enhanced “consumer privacy online,” according to its website.
The DPA said the legislation is needed to address “corporate disregard for consumers’ privacy.” In a release, it pointed to a report accusing AccuWeather of “continuing to collect and share location information even though a user previously denied the app’s request for access.” And it pointed to other reports indicating domestic violence victims had been tracked through “a stalking app” on their smartphones, and that “half” of children’s apps failed tests to determine if they were protecting location data.
“The governor’s veto is a betrayal of consumer trust and total failure to people who value their personal privacy,” the DPA said in a statement issued after the veto. “The governor’s action is a clear message that he values his Silicon Valley friends more than the people and small businesses in Illinois.”
Jason Schwent, an attorney with the firm of Thompson Coburn in St. Louis, whose practice centers on technology and cybersecurity issues, said he believes the bill was intended by supporters to further bolster Illinois’ reputation as a pacesetter for legislation ostensibly designed to protect the privacy rights of technology users.
“Illinois is a recognized leader across the country on these issues of protection of privacy rights,” said Schwent. “It’s very possible the legislature could see themselves as a carrier of that banner, if you will, which may have really helped this bill along.”
However, at the same time, business groups said they also worry over how trial lawyers may use the proposed law to further another of Illinois’ reputations, as a hotbed for class action lawsuits.
“Consumer privacy is important,” said Michael Reever, acting president and CEO of the Chicagoland Chamber of Commerce, in a statement supplied in response to questions from The Cook County Record. “But this law is only designed for one thing – to open up businesses of all sizes to litigation. Period.”
In recent months, for instance, a growing number of businesses have been taken to court to face class action lawsuits, as lawyers, led by such Chicago firms as Edelson P.C. and Stephan Zouras LLP, who specialize in such technology-related class actions, have asserted those businesses have violated a 2008 Illinois law designed to make it illegal to misuse Illinois residents’ so-called biometric identifying information, such as fingerprints and retinal scans. As part of that law, businesses were required to provide certain notices when they acquired such biometric identifiers from people, whether customers or employees.
Now, those notice provisions stand at the center of a rising number of lawsuits alleging technical violations of the Illinois Biometric Information Protection Act (BIPA), particularly from ex-employees of businesses who scanned employee fingerprints to allow the employees to use their fingerprints to punch in and out of their daily work shifts.
Potential damages for such violations could run as high as $5,000 per violation. For some large employers, the total number of alleged violations could number in the thousands, generating potentially large returns for the legal teams bringing the cases, who typically claim fees of as much as one-third of any settlement or judgment.
In the geolocation bill, Schwent said the real risk to businesses fearing a repeat of the rising BIPA litigation tide could be significantly less than under the biometric bill.
The key question, as he sees it, comes down to how courts may interpret whether consumers could demonstrate they have been harmed by businesses merely noting where they may have traveled.
“Litigation may be filed from people attempting to capitalize on the new protections,” said Schwent. “But right now, I think it would be really difficult to demonstrate any real monetary harm suffered by people should this law be violated.”
Further, he noted the law leaves enforcement of any violations to the Illinois Attorney General or state’s attorneys in Illinois counties.
“At this point, people can sue, but it’s difficult to take geolocation information and turn it into a particular harm,” Schwent said.
Still, business groups like the Chicagoland Chamber are hoping Rauner’s veto can hold up to eliminate any chance class action lawyers could capitalize on the new law as they appear to have under the Illinois BIPA and other state and federal consumer protection laws.
Reever pointed to language in the bill which would essentially create “a backdoor to individual or class action litigation by voiding the terms of service, which under contract law potentially opens up businesses of all sizes to unnecessary litigation.”
Opponents of the bill have pointed to the proposed new law’s popularity with lawyers, like the Edelson firm. Two Edelson attorneys, for instance, Ari Scharg and Jacob Wright, serve in roles at the Digital Privacy Alliance. Scharg serves as a DPA board member, while Wright serves as legislative director, according to the DPA’s website.
As for the bill’s future, Schwent said he expects Rauner’s veto “probably” will be overturned.
“It will take very little momentum to defeat the veto,” he said.
And should that happen, he said businesses should move quickly to review and revise their privacy policies, if they have not already begun that process.
“When I talk to my clients about this, I would really emphasize the importance of taking steps to comply with this law,” Schwent said.