Keypoint: As introduced, the Ohio Personal Privacy Act would provide Ohio residents with some rights regarding their personal data, but it is not as extensive as the CPRA, CPA, and VCDPA.
As first reported by the IAPP’s Joe Duball, on July 13, 2021, Ohio lawmakers introduced the Ohio Personal Privacy Act (House Bill 376).
The bill’s primary sponsors are Republicans Rick Carfagna and Thomas Hall. The bill also has eight Republican co-sponsors in the House. For reference, Republicans have overwhelming majorities in Ohio’s House and Senate, and Ohio has a Republican Governor. In announcing the introduction of the bill, Kirk Herath, Chairman of CyberOhio, emphasized the large group of individuals involved in crafting the bill, including Ohio Lt. Governor Jon Husted. Ohio’s legislature closes in December.
Below is an analysis of the bill (as introduced).
The Act would apply to “businesses” that conduct business in Ohio, produce products or services targeted to Ohio consumers, and that satisfy one of the following conditions: (1) have annual gross revenues generated in Ohio in excess of $25,000,000; (2) during a calendar year, control or process the personal data of 100,000 or more consumers; or (3) during a calendar year, derive over 50% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers.
“Consumer” is defined as an Ohio resident acting only in an individual or household context. It does not include an individual acting in a business capacity or employment context.
“Personal data” is defined as “any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose.” It excludes publicly available data and pseudonymized, deidentified or aggregated data.
Among other carveouts, the Act would not apply to GLBA financial institutions or data, HIPAA covered entities or business associates, higher education institutions, and business-to-business transactions. The Act also would not apply to certain types of data sets, including but not limited to HIPAA PHI, certain types of FCRA data, personal data regulated by FERPA, and employment-related data.
Right to Know
Right to Access
Consumers would have the right to request access to and the disclosure of personal data that a business collected about that consumer for the preceding 12-month period. Upon a consumer’s request, the business would need to provide the personal data in an electronic, portable, and readily usable format. The exercise of this right would be subject to verification of the consumer’s identity.
Right to Delete
Subject to twelve exemptions, consumers would have the right to request that a business delete their personal data “that the business has collected from the consumer for commercial purposes and that the business maintains in an electronic format.” The exercise of this right would be subject to verification of the consumer’s identity.
Right to Opt Out of Sales
Consumers would have the right to opt out of a business’s sale of personal data to third parties. Notably, businesses would be required to verify the identity of the individual making the request. Businesses would not be required to provide a “Do Not Sell My Personal Information” or similar link and there is no discussion of a universal opt-out mechanism.
“Sale” is defined as the “exchange of personal data for monetary or other valuable consideration by a business to a third party.” Sales do not include disclosures of personal data to (1) processors, (2) third parties for the purposes of providing a product or service, (3) another business without monetary or other valuable consideration, (4) affiliates of the business, and (5) third parties as an asset in a merger, acquisition, bankruptcy or similar transaction. It also does not include the disclosure of “information that a consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.”
Right to Nondiscrimination
Businesses would be prohibited from discriminating against consumers for exercising their rights; however, businesses could charge different prices or rates for goods or services for individuals who exercise their rights “for legitimate business reasons or as otherwise permitted or required by applicable law.”
The Act does not (1) provide for a right to correct inaccurate data, (2) allow consumers to opt out of targeted advertising or profiling, (3) include any provisions relating to the collection and treatment of sensitive data, and (4) require data protection assessments.
Data Processing Agreements
Businesses would be required to enter into written contracts with processors that prohibit the processor from processing personal data “except to provide services to the business.” However, processors would be able to “use data as otherwise permitted by this chapter.”
The Attorney General would have exclusive authority to enforce the law. Prior to initiating an action, the Attorney General would be required to provide a 30-day right to cure. The Act specifically states that it does not create a private right of action.
The Attorney General’s office would be permitted to use $250,000 of an existing appropriation item in fiscal years 2022 and 2023 for enforcement.
A business would have an affirmative defense against allegations of violations of the law if it “creates, maintains, and complies with a written privacy program that reasonably conforms to the national institute of standards and technology privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.’”
The bill does not set forth an effective date.