Ohio Personal Privacy Act Introduced
Key Point: As introduced, Ohio’s Personal Privacy Act gives Ohio residents certain rights over their personal data, but those rights are narrower than the ones granted by the CPRA, CPA, and VCDPA.
The bill’s primary sponsors are Republicans Rick Carfagna and Thomas Hall, and it has eight additional Republican cosponsors in the House of Representatives. For context, both the Ohio House and the Ohio Senate are overwhelmingly Republican, and Ohio has a Republican Governor. In announcing the bill’s introduction, Kirk Hellas, Chairman of Cyber Ohio, highlighted a number of individuals and groups involved in drafting it, including Ohio Lieutenant Governor Jon Husted. The current session of the Ohio General Assembly ends in December.
Below is an analysis of the bill as introduced.
The law applies to “businesses” that conduct business in Ohio or produce products or services directed at Ohio consumers and that meet any of the following thresholds: (1) annual gross revenue generated in Ohio exceeding $25,000,000; (2) controlling or processing the personal data of more than 100,000 consumers during a calendar year; or (3) during a calendar year, deriving more than 50% of gross revenue from the sale of personal data while controlling or processing the personal data of more than 25,000 consumers.
A “consumer” is defined as an Ohio resident acting only in an individual or household context. The definition excludes individuals acting in a commercial or employment context.
“Personal data” is defined as “information related to an identified or identifiable consumer that is processed by a business for a commercial purpose.” Publicly available data and pseudonymized, anonymized, or aggregated data are excluded.
Among other carve-outs, the law does not apply to financial institutions and data subject to the GLBA, HIPAA-covered entities and business associates, institutions of higher education, or business-to-business transactions. It also does not apply to certain categories of data, including but not limited to HIPAA protected health information, certain FCRA-regulated data, personal data regulated by FERPA, and employment-related data.
Right to know
Consumers have the right to request access to, and disclosure of, the personal data a business has collected about them during the preceding 12 months. On request, the business must provide the personal data in an electronic, portable, and readily usable format. Exercise of this right is subject to verification of the consumer’s identity.
Right to delete
Subject to 12 exemptions, consumers have the right to require a business to delete personal data that the business collected from the consumer, uses for a commercial purpose, and maintains in electronic form. Exercise of this right is subject to verification of the consumer’s identity.
Right to opt out of sales
Consumers have the right to opt out of a business’s sale of their personal data to third parties. Businesses must verify the identity of the individual making the request. Businesses are not required to provide a “do not sell my personal information” link or any similar link, and the bill does not address a universal opt-out mechanism.
“Sale” is defined as “the exchange of personal data by a business to a third party for monetary or other valuable consideration.” The definition excludes disclosures (1) to a processor, (2) to a third party for the purpose of providing a product or service to the consumer, (3) to another business without monetary or other valuable consideration, (4) to an affiliate of the business, and (5) to a third party as an asset in a merger, acquisition, bankruptcy, or similar transaction. It also excludes disclosure of “information that the consumer intentionally made available to the public through mass media channels and did not restrict to a specific audience.”
Businesses are prohibited from discriminating against consumers for exercising their rights. However, a business may charge a different price or rate for goods or services to individuals who exercise their rights “for a legitimate business reason or when permitted or required by applicable law.”
The bill does not provide (1) a right to correct inaccurate data or (2) a right to opt out of targeted advertising or profiling, (3) contains no provisions governing the collection or processing of sensitive data, and (4) does not require data protection assessments.
Data processing contract
A business must enter into a written contract with each processor that prohibits the processor from processing personal data “except when servicing the business.” The processor may, however, “use the data as allowed in this chapter.”
The Attorney General has exclusive authority to enforce the law. Before bringing an action, the Attorney General must provide a 30-day right to cure. The law expressly states that it does not create a private right of action.
The Attorney General’s Office will be permitted to use $250,000 from existing budget line items for enforcement in fiscal years 2022 and 2023.
A business has an affirmative defense to an alleged violation if it creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology privacy framework, “A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0.”
The bill does not set an effective date.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.