Ohio Personal Privacy Act Introduced | Husch Blackwell LLP

Key point: As introduced, the Ohio Privacy Act would grant Ohio residents certain rights regarding their personal data, but it is not as broad as the CPRA, the CPA and VCDPA.

As first reported by the Joe Duball of IAPP, on July 13, 2021, Ohio lawmakers introduced the Ohio Personal Privacy Act (Bill 376).

The main sponsors of the bill are Republicans Rick Carfagna and Thomas Hall. The bill also has eight Republican co-sponsors in the House. For reference, Republicans have an overwhelming majority in the Ohio House and Senate, and Ohio has a Republican governor. By announcing the tabling of the bill, Kirk herath, president of CyberOhio, pointed out the large group of people involved in shaping the bill, including Ohio Lt. Gov. Jon Husted. The Ohio legislature ends in December.

Below is an analysis of the invoice (as introduced).


The law would apply to “businesses” that operate in Ohio, manufacture products or services for consumers in Ohio, and that meet any of the following conditions: (1) have annual gross revenues generated in ohio more than $ 25,000,000; (2) during a calendar year, monitor or process the personal data of 100,000 or more consumers; or (3) in a calendar year, derive more than 50% of their gross income from sales or personal data and process or control the personal data of 25,000 or more consumers.

“Consumer” is defined as a resident of Ohio acting only in an individual or family context. This does not include a person acting in the course of a business or employment.

“Personal data” is defined as “any information relating to an identified or identifiable consumer processed by a company for commercial purposes”. It excludes publicly available data and pseudonymized, anonymized or aggregated data.

Among other exceptions, the law would not apply to GLBA financial institutions or data, HIPAA-covered entities or business partners, higher education institutions, and business-to-business transactions. The law would also not apply to certain types of data sets, including but not limited to HIPAA PHI data, certain types of FCRA data, personal data regulated by FERPA and linked data. to work.


The right to know

The law would give Ohio residents the right to know what personal data a business collects about them. Businesses would be required to provide consumers with a “reasonably accessible, clear and prominent privacy policy”. If a business makes a material change to its privacy policy or decides to process personal data for purposes inconsistent with its privacy policy, it would be required to obtain affirmative consent from consumers or provide a notice outlining the changes to privacy policy and to provide affected consumers with a “reasonable way to opt out of their data being processed or disclosed”.

Permission to access

Consumers would have the right to request access and disclosure of personal data that a business has collected about that consumer during the previous 12 month period. At the request of a consumer, the business will have to provide personal data in an electronic, portable and easily usable format. The exercise of this right would be subordinated to the verification of the identity of the consumer.

Right of deletion

Subject to twelve exceptions, consumers would have the right to ask a business to delete their personal data “that the business has collected. of the consumer for commercial purposes and which the company keeps in electronic form. The exercise of this right would be subordinated to the verification of the identity of the consumer.

Right to withdraw from sales

Consumers would have the right to refuse the sale of personal data by a business to third parties. In particular, companies would be required to verify the identity of the person making the request. Businesses would not be required to provide a “Do not sell my personal information” or similar link and there is no discussion of a universal opt-out mechanism.

“Sale” is defined as “the exchange of personal data for monetary or other consideration by a company to a third party”. Sales do not include disclosures of personal data to (1) processors, (2) third parties for the purpose of providing a product or service, (3) another business without monetary or other consideration, (4) companies affiliated with the company, and (5) third parties as an asset in a merger, acquisition, bankruptcy or similar transaction. It also does not include disclosure “of information that a consumer has intentionally made available to the general public through a mass media channel and is not limited to a specific audience”.

Right to non-discrimination

Companies would be prohibited from discriminating against consumers for the exercise of their rights; however, companies could charge different prices or rates for goods or services to persons who exercise their rights “for legitimate business reasons or as otherwise permitted or required by applicable law”.

The law does not provide (1) a right to rectify inaccurate data, (2) allows consumers to opt out of targeted advertising or profiling, (3) includes provisions for the collection and processing of sensitive data, and ( 4) require data protection assessments.

Data processing agreements

Companies would be required to enter into written contracts with subcontractors prohibiting the subcontractor from processing personal data “except to provide services to the company”. However, processors could “use the data as otherwise permitted by this chapter”.


The Attorney General would have the exclusive power to enforce the law. Before bringing an action, the Attorney General would be required to grant a 30-day right of redress. The Act expressly states that it does not create a private right of action.

The Attorney General’s office would be authorized to use $ 250,000 of an existing credit item in fiscal years 2022 and 2023 for enforcement.

Safe harbor

A company would have a positive defense against allegations of violations of the law if it “creates, maintains and complies with a written privacy program that is reasonably consistent with the National Institute of Standards and Technology’s privacy framework” A tool to improve corporate confidentiality Risk management Version 1.0. ‘”

Effective date

The bill does not specify a date of entry into force.

[View source.]

Comments are closed.