Chicago Introduces Data Protection Ordinance

Recently, the Personal Data Collection and Protection Ordinance (“the Ordinance”) was introduced to the Chicago City Council. The Ordinance would require businesses to (1) obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information, (2) notify affected Chicago residents and the City of Chicago in the event of a data breach, (3) register with the City of Chicago if they qualify as “data brokers,” (4) provide specific notification to mobile device users for location services and (5) obtain prior express consent to use geolocation data from mobile applications. 

Key provisions of the Ordinance include:

  • Opt-in Consent to Use and Share Personal Information. In order to use, disclose or sell the personal information of Chicago residents, website operators and online services providers must obtain prior opt-in consent from individuals. Upon request, businesses must disclose to the individual (or their designee) the personal information they maintain about the individual.
  • Security Breach Notification. The Ordinance also imposes breach notification obligations on businesses that process personal information of Chicago residents. Businesses are generally required to notify affected residents or, if they do not own the affected personal information, the data owners within 15 days of discovering the breach. Businesses must also notify the City of Chicago regarding the timing, content and distribution of the notices to individuals and the number of affected individuals.
  • Data Broker Registration. Data brokers, defined as commercial entities that collect, assemble and possess personal information about Chicago residents who are not their customers or employees to trade the information, must register with the City of Chicago. Data brokers must submit an annual report to the City, including, among other items, (1) the number of Chicago residents whose personal information the brokers collected in the previous year and (2) the name and nature of the businesses with which the brokers shared personal information.
  • Mobile Devices with Location Services Functionality. Retailers that sell or lease mobile devices with location services functionality must provide notice about the functionality in the form and substance prescribed by the Ordinance.
  • Location-enabled Mobile Applications. Affirmative express consent from the individual is generally required before geolocation information from a mobile application may be collected, used, stored or disclosed. This requirement is subject to various exceptions, such as in certain instances to allow a parent or guardian to locate their minor child.

Depending on the requirement, the Ordinance allows for a private right of action and specifies fines to address violations.

Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.



    Mike Semel:

    Note that this ordinance was introduced for debate and adoption, which has not yet happened.

    You can follow its path at

    This legislation is another opportunity for MSPs to justify their security services to businesses. All 50 states now have data breach laws that protect Social Security Numbers, among other types of data. This means that EVERY BUSINESS IN THE U.S. has to comply with a data breach regulation. Businesses in regulated industries like healthcare, education, and finance have additional requirements. MSPs should learn about these requirements because they are huge opportunities to close sales. I know because I have done it.

      Joe Panettieri:

      Mike: Thanks for your readership & the additional insights. I’ll be sure to track that link.
