Ohio Personal Privacy Act Introduced-Privacy



Key Point: As introduced, Ohio’s Personal Privacy Act gives Ohio residents certain rights in their personal data, but not as broad a set of rights as the CPRA, CPA, and VCDPA.

As originally reported by the IAPP’s Joe Duball, on July 13, 2021 the Ohio General Assembly introduced the Ohio Personal Privacy Act (House Bill 376).

The bill’s primary sponsors are Republicans Rick Carfagna and Thomas Hall, and it has eight additional Republican co-sponsors in the House of Representatives. For reference, Republicans hold overwhelming majorities in both the Ohio House and the Ohio Senate, and Ohio has a Republican governor. In announcing the bill’s introduction, Kirk Hellas, chair of CyberOhio, highlighted a number of individuals and groups involved in drafting it, including Ohio Lieutenant Governor Jon Husted. The current session of the Ohio General Assembly ends in December.

Below is an analysis of the bill as introduced.

Applicability

The bill applies to a “business” that conducts business in Ohio or produces products or services targeted to Ohio consumers and that meets any of the following thresholds: (1) annual gross revenue generated in Ohio exceeding $25,000,000; (2) controls or processes the personal data of more than 100,000 consumers during a calendar year; or (3) during a calendar year, derives more than 50% of its gross revenue from the sale of personal data and controls or processes the personal data of more than 25,000 consumers.

A “consumer” is defined as an Ohio resident acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.

“Personal data” is defined as “information related to an identified or identifiable consumer processed by a business for commercial purposes.” Publicly available data and data that is pseudonymized, anonymized, or aggregated are excluded.

Among other carve-outs, the bill does not apply to financial institutions and data subject to the GLBA, HIPAA covered entities and business associates, institutions of higher education, or business-to-business transactions. It also does not apply to certain categories of data, including but not limited to HIPAA-regulated protected health information, certain FCRA-regulated data, personal data regulated by FERPA, and employment-related data.


Right to know

The bill gives Ohio residents the right to know what personal data businesses collect about them. A business must provide consumers with a “reasonably accessible, clear and prominently posted privacy policy.” If a business makes a material change to its privacy policy, or decides to process personal data for a purpose incompatible with that policy, it must either obtain the consumer’s affirmative consent or notify affected consumers with a summary of the change and provide them “a reasonable means to opt out of processing or distribution of data.”

Right to access

Consumers have the right to request access to, and disclosure of, the personal data a business has collected about them in the preceding 12 months. On request, the business must provide the consumer’s personal data in an electronic, portable, and readily usable format. Exercise of this right is subject to verification of the consumer’s identity.

Right to delete

Subject to 12 exemptions, consumers have the right to require a business to delete personal data that the business collected from the consumer for a commercial purpose and maintains in electronic form. Exercise of this right is subject to verification of the consumer’s identity.

Right to opt out of sales

Consumers have the right to opt out of a business’s sale of their personal data to third parties. Notably, businesses must verify the identity of the individual making the request. Businesses are not required to provide a “Do Not Sell My Personal Information” link or similar, and the bill says nothing about a universal opt-out mechanism.

“Sale” is defined as “the exchange of personal data by a business for monetary or other valuable consideration to a third party.” The definition excludes disclosures (1) to a processor, (2) to a third party for the purpose of providing products or services, (3) to another business where no monetary or other valuable consideration is exchanged, (4) to an affiliate of the business, and (5) to a third party as an asset in a merger, acquisition, bankruptcy, or similar transaction. It also excludes disclosure of “information that consumers have deliberately made publicly available through mass media channels and not limited to a particular audience.”

Right to non-discrimination

A business may not discriminate against a consumer for exercising their rights. However, a business may charge a different price or rate for goods or services to an individual exercising their rights “for legitimate business reasons or when permitted or required by applicable law.”

The bill does not (1) provide a right to correct inaccurate data, (2) allow consumers to opt out of targeted advertising or profiling, (3) include any provisions on the collection or processing of sensitive data, or (4) require data protection assessments.

Data processing contracts

A business must enter into a written contract with each processor that prohibits the processor from processing personal data “except when providing services to the business.” The processor may, however, “use the data as permitted in this chapter.”

Enforcement

The Attorney General has exclusive authority to enforce the bill. Before bringing an action, the Attorney General must provide a 30-day right to cure. The bill expressly states that it does not create a private right of action.

The Attorney General’s office would be permitted to use $250,000 from existing appropriations for enforcement in fiscal years 2022 and 2023.

Safe harbor

A business has an affirmative defense to an alleged violation if it creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology’s “Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0.”

Effective date

The bill as introduced does not specify an effective date.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
