A data protection ordinance was recently proposed in the City of Chicago. The “Data Collection and Protection Ordinance” (the Ordinance), sponsored by Aldermen Burke, Hopkins and Reilly, is a response to a string of high-profile data breaches that occurred during the past year. In its current form, the Chicago Data Protection Ordinance addresses data practices of private entities in the City of Chicago in five areas. The Ordinance will affect businesses operating in the City of Chicago, specifically targeting those businesses that collect personal information from their customers.
Five Key Provisions of the Chicago Data Protection Ordinance
1. Data Collection and Disclosure
The Ordinance prohibits operators from disclosing, selling or providing access to customer personal information unless the customer provides opt-in consent. Any request for consent must disclose certain information, including the types of personal information the operator is seeking to use, disclose, sell or permit access to, the purpose for which the personal information will be used, and the categories of entities to which the operator intends to disclose, sell or permit access to the personal information. An aggrieved customer may bring a private cause of action seeking damages or an injunction. Violations of this provision may also be punished by a fine between $250 and $1500.
2. Data Breaches
The Ordinance requires any data collector that conducts business in Chicago to disclose any security breach to Chicago residents whose private information was, or is reasonably believed to have been, acquired by a person without authorization. Similar to many state data breach notification laws, the disclosure must be made in the most expedient time possible and without unreasonable delay. A delay of more than 15 days creates a presumption of unreasonable delay. Individual residents must be privately notified, and a public notice must also be given in at least one newspaper of general circulation. The data collector must also notify the Commissioner of Business Affairs and Consumer Protection. A violation of this section shall receive a fine of between $2000 and $10,000.
3. Data Brokers
The Ordinance defines “Data Brokers” as “any commercial entity that collects, assembles, and possesses personal information concerning consumers who are not customers or employees of that entity in order to sell, trade or otherwise share the information.” The Ordinance requires that Data Brokers register annually with the Department of Business Affairs and Consumer Protection. The names of Data Brokers will then be published by the Department. A failure to register will be punished by a fine of $250 per day.
4. Mobile Phone Privacy Awareness
This section of the Ordinance requires that a cell phone or mobile phone device retailer provide notice to its customers that the device the customer is buying or leasing is equipped with location services, along with certain additional information detailing how location services operate on that device. Each device that is sold without the required notice is considered a violation of the Section and punishable by a fine of between $150 and $250.
5. Geolocation Information
The Ordinance prohibits a private entity from collecting, using or storing geolocation information from a location-enabled application on a mobile device unless a person has provided affirmative consent. There are certain exceptions, such as to comply with legal process or other laws, to assist with the provision of emergency services, and to allow a parent or legal guardian to locate his or her minor child. An aggrieved party may bring a private cause of action to collect damages for violation of this Section. A violation of this Section may be punished by a fine of between $50 and $200.
Chicago Data Protection Ordinance To Increase Compliance Burden on Local Businesses
It is not surprising that certain aldermen in the City of Chicago are proposing data privacy legislation, considering the public outcry in response to the high-profile data breaches that were discovered in 2017. While arguably beneficial to the public, a municipal ordinance such as the Chicago Data Protection Ordinance will add regulatory compliance hurdles for businesses that already must comply with state and federal data privacy laws and regulations. The attorneys at McKenna Storer will continue to monitor the Data Collection and Protection Ordinance as it is debated by the Chicago City Council.
If you have any questions regarding data privacy legislation, regulatory compliance, or data breach response, please contact Tim Hayes at McKenna Storer.