Recently, the Personal Data Collection and Protection Ordinance (“the Ordinance”) was introduced to the Chicago City Council. The Ordinance would require businesses to (1) obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information, (2) notify affected Chicago residents and the City of Chicago in the event of a data breach, (3) register with the City of Chicago if they qualify as “data brokers,” (4) provide specific notification to mobile device users for location services and (5) obtain prior express consent to use geolocation data from mobile applications. 

Key provisions of the Ordinance include:

  • Opt-in Consent to Use and Share Personal Information. In order to use, disclose or sell the personal information of Chicago residents, website operators and online services providers must obtain prior opt-in consent from individuals. Upon request, businesses must disclose to the individual (or their designee) the personal information they maintain about the individual.
  • Security Breach Notification. The Ordinance also imposes breach notification obligations on businesses that process personal information of Chicago residents. Businesses are generally required to notify affected residents or, if they do not own the affected personal information, the data owners within 15 days of discovering the breach. Businesses must also notify the City of Chicago regarding the timing, content and distribution of the notices to individuals and the number of affected individuals.
  • Data Broker Registration. Data brokers, defined as commercial entities that collect, assemble and possess personal information about Chicago residents who are not their customers or employees to trade the information, must register with the City of Chicago. Data brokers must submit an annual report to the City, including, among other items, (1) the number of Chicago residents whose personal information the brokers collected in the previous year and (2) the name and nature of the businesses with which the brokers shared personal information.
  • Mobile Devices with Location Services Functionality. Retailers that sell or lease mobile devices with location services functionality must provide notice about the functionality in the form and substance prescribed by the Ordinance.
  • Location-enabled Mobile Applications. Geolocation information from a mobile application may generally be collected, used, stored or disclosed only with the individual's affirmative express consent. This requirement is subject to various exceptions, such as in certain instances to allow a parent or guardian to locate their minor child.

Depending on the requirement, the Ordinance allows for a private right of action and specifies fines to address violations.