Chicago City Council Considers Data Collection and Protection Legislation

Unique and detailed data protection legislation is currently under consideration by the Chicago City Council. If passed in its current form, the Data Collection and Protection Ordinance (the “Ordinance”) would impose consent, notification, and registration obligations on regulated companies, as well as require a prescribed notice to users of location services on mobile devices and express consent for use of geolocation data by mobile applications.

Consent requirements

The consent provisions would apply to “operators,” defined to include any entity that (1) “owns a website on the internet, or an online service” operated for commercial purposes; and (2) collects and maintains customer personal information from a customer residing in Chicago who uses or visits the website or online service.

“Customer” is defined broadly and covers Chicago residents who provide personal information in the course of (among other things) obtaining a product or service from a private entity, including “advertising or other content.” The Ordinance defines “customer personal information” broadly to include a wide range of data, from government-issued identifiers to “device identifiers, such as [a] media access control (MAC) address.”

The Ordinance would require operators to obtain prior, opt-in consent for the processing of customer personal information, and to provide a clear and conspicuous mechanism for requesting and revoking consent. The consent would need to include specified information regarding the type of information to be processed, the purpose of processing, and the categories of entities to which the information will be disclosed or sold, or who will be permitted access. Notably, operators would not be permitted to refuse or limit services to a customer who refuses to provide consent.

Notification requirements

The Ordinance would include breach notification provisions that in many ways resemble those found in the existing Illinois state breach notification law, though the Ordinance would apply only to breaches involving Chicago residents. Key differences include:

  • A rebuttable “presumption of unreasonable delay” where notice is delayed by 15 days or more from the date of discovery of the breach;
  • A requirement to notify the Commissioner of the Department of Business Affairs and Consumer Protection, in the event that any Chicago residents are to be notified;
  • A generally applicable requirement to provide public notice in one or more newspapers of general circulation; and
  • An obligation to “update affected persons as information about the breach is received, as any corrective actions are taken, and as remedies become available, until the consumer opts out of those updates or agrees that the matter has been resolved.”

Registration requirements

The registration requirements would apply to a “data broker,” a commercial entity that “collects, assembles, and possesses” personal information on “Consumers who are not customers or employees” in order to “sell, trade, or otherwise share” the information. “Personal information” is broadly defined to include any information that “can be used to distinguish or trace an individual’s identity,” and “is linked or linkable” to a Chicago resident. The Ordinance would require data brokers to register with Chicago’s Department of Business Affairs and Consumer Protection, and to annually provide certain information to the Department.

Notice for location services

The Ordinance would require cellular or mobile device retailers to provide a “notice and awareness posting” that includes information on location services capabilities to each customer who buys or leases a cell phone or wireless communication device with location services. Retailers would also be required to prominently display the notice at the point of sale.

Geolocation data

The Ordinance would require companies to obtain “affirmative express consent” from individuals prior to collection, use, storage, or disclosure of geolocation information from an individual’s device. The Ordinance specifies that the consent would need to follow a notice that contains specified information.