
Chicago Considering Personal Data Collection and Protection Ordinance

We have learned that three members of the Chicago City Council introduced the Data Collection and Protection Ordinance in April to increase the privacy protections of its city residents. The Ordinance was referred to the Committee on Finance at the Chicago City Council for consideration. The proposed ordinance would regulate businesses collecting and sharing sensitive personal information through the Internet about consumers in the City of Chicago.

There are five core components of the Chicago data privacy law:

1. Website operators may not use, disclose, sell or permit access to customer personal information without prior opt-in consent.

2. Data collectors conducting business in Chicago must disclose data breaches involving the private information of Chicago residents within 14 days of discovery.

3. Data brokers maintaining personal information of Chicago consumers must register with the city’s Department of Business Affairs and Consumer Protection.

4. Providers selling cell phones or wireless communication devices must provide customers with notice that their phone is equipped with location services and display prominently such notice at the point of sale.

5. Private entities may not collect, use, store or disclose geographic location from a location-enabled application on a device unless the person gives express, affirmative consent after a clear, prominent and accurate notice about the data collected and shared.

The proposed law authorizes penalties for each offense; the general fine that applies where no other fine is set is between $100 and $250 per offense. The penalties will add up fast, however, if each failure with respect to a consumer counts as a separate violation and the fine accrues daily. Some sections specify their own fine, so the ultimate extent of the applicable fines will vary with the language of each section. The law would also create a private right of action allowing customers to sue for failure to obtain their consent before collecting, using or sharing sensitive personal information or location data.

Customer Personal Information

The consent requirement of the proposed law mandates website operators that receive information from Chicago customers not use, sell, or disclose this personal information without prior opt-in consent. The consent of the Chicago customer may be revoked at any time.

The personal information covered involves information collected during account signup or product/service purchase. It includes name, billing information, social security number and other government-issued identifiers, phone number, IP address, demographic information such as date of birth, financial information, health information, information pertaining to minors, geolocation information, information from the use of the service including web browsing history, device identifiers such as MAC address, or information concerning a subscription or account that is collected and maintained in personally identifiable form.

The request for consent must disclose the types of personal information for which the operator is seeking approval to use, disclose, sell or permit access; the purposes for which the information will be used; and the categories of entities with which the operator intends to share the information.

The primary exceptions to the consent requirement involve using the information to provide the services requested by the customer, as well as to bill the customer for that service. The operator may not refuse to serve or limit services if the customer does not provide consent, or penalize the customer including charging a penalty or not giving a discount.

There must be a mechanism perpetually available on the website or mobile application to revoke consent. It must be clear and conspicuous, in the language primarily used to conduct business with the customer, and available at no additional cost to the customer.

Data Breach Notifications

As defined by the law, data collectors conducting business in Chicago that discover or receive notice of a breach of the security of a system involving the acquisition of the private information of Chicago residents without authorization must disclose without unreasonable delay to the affected Chicago residents. The organization must also notify the Commissioner of the Department of Business Affairs and Consumer Protection. If the impacted organization does not own the personal information, they also must notify the owner or licensee of the information.

The private information of an individual includes either: (1) a user name or email address in combination with the password or security question answers to permit access to an account, unless they are encrypted and the keys to unencrypt were not obtained through the security breach; or (2) a first initial or first name in combination with the last name and either a social security number, state identification card number (driver’s license), credit or debit card number in combination with the information needed to access it, medical information, health insurance information, and unique biometric data.

Although there is no precise definition for the timing of the disclosure to Chicago residents, there is a rebuttable presumption that a delay of fifteen (15) or more days from the discovery is unreasonable. This presumption may be refuted by factors including the essential requirements of measures needed to determine the scope of the breach and restore reasonable system integrity, in addition to the investigative requirements of law enforcement.

Data Broker Registration

Vermont became the first state to require data brokers to register, and Chicago does not appear too far behind in taking a first step to impose regulation on this industry. The Chicago law would require registration of a name and address, disclosure of the number of Chicago consumers who had personal information collected about them in the previous year, and the names of the businesses (and their nature) to which personal information was sold, traded or shared in the previous year.

The interesting part of the law is that it requires disclosure of the names of the companies (or individuals) that are receiving the information from the data broker. Given consumer sentiment about data collection and sharing at the moment, the companies on the list are probably not going to be popular.

Mobile Phone Privacy

The law provides a two-step process to ensure consumers are aware of potential privacy issues involving geolocation data. The process involves (1) notice at the point of sale; and (2) express, affirmative consent for data collection, usage and sharing.

Point of Sale Notice

The proposed Chicago law specifies a Location Services Notice to be provided at the point of sale of devices with location services capabilities. The specific notice is specified in the law and must be both provided to consumers as well as posted prominently at the point of sale. It informs consumers that they are purchasing a phone equipped with location services and tells consumers that they have a choice to enable or disable it on their phone. If a company does not provide this notice, the amount of fines for each violation (each phone or device sold or leased) is between $150 and $250.

Consent

Individuals and organizations (other than the government) may not collect, use, store or disclose geographic information from a location-enabled device unless they have received the person’s affirmative express consent. Notice must be provided in a clear, prominent and accurate manner informing the individual that (1) his or her geolocation information will be collected, used or disclosed; (2) the specific persons for which the data will be collected, used or shared; and (3) a hyperlink or other easily accessible means is available to stop collection, use and sharing of their geolocation data. If the terms to which the person agreed have materially changed, the private entity needs to obtain the person’s consent again. There are a few exemptions to these requirements specified in the law, but it would otherwise be broadly applicable.

Origins of the Law

The bill has an extensive introductory section of recitals discussing the justifications for the ordinance. The recitals discuss the widespread collection of data, the prevalence of data breaches, and the threat of the commodification of this data to our traditional notions of privacy. The ordinance was introduced a month after the Cambridge Analytica scandal and less than a year after the 2017 Equifax cybersecurity breach, both of which are mentioned in the recitals.

It will be interesting to see how many other pieces of legislation come out of this topic at the state and local levels this year. If momentum builds for a bill in Congress, state and local governments may hold off on proposing their own solutions. If Congress doesn’t move quickly, we may see a patchwork of local data privacy laws similar to what has developed in the world of data breach notifications.

Discover the Benefits of Privacy Management Software with Clarip

The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.

If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.

Other Blog Posts on Privacy Laws:

Vermont Passes Data Broker Law – First in US!
New Mexico Privacy Bill Copies CCPA
New York Considering Privacy Law – Right to Know Act
New PIPEDA Rules for Data Breach Reporting in Canada