Ohio Privacy Law Introduction – Privacy
Key point: As introduced, the Ohio Privacy Act would grant Ohio residents certain rights regarding their personal data, but it is not as broad as the CPRA, the CPA or the VCDPA.
The main sponsors of the bill are Republicans Rick Carfagna and Thomas Hall. The bill also has eight Republican co-sponsors in the House. For reference, Republicans hold an overwhelming majority in both the Ohio House and Senate, and Ohio has a Republican governor. In announcing the introduction of the bill, Kirk Herath, president of CyberOhio, pointed to the large group of people involved in shaping it, including Ohio Lt. Gov. Jon Husted. The Ohio legislative session ends in December.
Below is an analysis of the bill (as introduced).
The law would apply to "businesses" that operate in Ohio or produce products or services targeted to consumers in Ohio, and that meet any of the following thresholds: (1) annual gross revenue generated in Ohio of more than $25,000,000; (2) during a calendar year, control or process the personal data of 100,000 or more consumers; or (3) during a calendar year, derive more than 50% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
"Consumer" is defined as a resident of Ohio acting only in an individual or household context. It does not include a person acting in a commercial or employment context.
"Personal data" is defined as "any information relating to an identified or identifiable consumer that is processed by a business for a commercial purpose." It excludes publicly available data and pseudonymized, de-identified or aggregated data.
Among other exemptions, the law would not apply to GLBA financial institutions or data, HIPAA covered entities or business associates, institutions of higher education, or business-to-business transactions. The law would also not apply to certain categories of data, including but not limited to HIPAA PHI, certain FCRA-regulated data, personal data regulated by FERPA, and work-related data.
The right to know
Right of access
Consumers would have the right to request access to, and disclosure of, the personal data a business has collected about them during the preceding 12-month period. On a consumer's request, the business would have to provide the personal data in an electronic, portable and readily usable format. Exercise of this right would be subject to verification of the consumer's identity.
Right of deletion
Subject to twelve exceptions, consumers would have the right to ask a business to delete their personal data "that the business has collected from the consumer for a commercial purpose and that the business maintains in electronic form." Exercise of this right would be subject to verification of the consumer's identity.
Right to opt out of sales
Consumers would have the right to opt out of the sale of their personal data by a business to third parties. Notably, businesses would be required to verify the identity of the person making the request. Businesses would not be required to provide a "Do Not Sell My Personal Information" or similar link, and there is no mention of a universal opt-out mechanism.
"Sale" is defined as "the exchange of personal data for monetary or other valuable consideration by a business to a third party." A sale does not include disclosures of personal data to (1) processors, (2) third parties for the purpose of providing a product or service, (3) another business without monetary or other valuable consideration, (4) affiliates of the business, or (5) third parties as an asset in a merger, acquisition, bankruptcy or similar transaction. It also does not include disclosure "of information that a consumer has intentionally made available to the general public through a mass media channel and has not restricted to a specific audience."
Right to non-discrimination
Businesses would be prohibited from discriminating against consumers for exercising their rights; however, businesses could charge different prices or rates for goods or services to persons who exercise their rights "for legitimate business reasons or as otherwise permitted or required by applicable law."
The bill does not (1) provide a right to correct inaccurate data, (2) allow consumers to opt out of targeted advertising or profiling, (3) include provisions on the collection and processing of sensitive data, or (4) require data protection assessments.
Data processing agreements
Businesses would be required to enter into written contracts with processors prohibiting the processor from processing personal data "except to provide services to the business." Processors would, however, be permitted to "use the data in any manner permitted by this chapter."
The Attorney General would have exclusive authority to enforce the law. Before bringing an action, the Attorney General would be required to provide a 30-day right to cure. The bill expressly states that it does not create a private right of action.
The Attorney General's office would be authorized to use $250,000 from an existing appropriation line item in fiscal years 2022 and 2023 for enforcement.
A business would have an affirmative defense against allegations that it violated the law if it "creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology privacy framework entitled 'A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0.'"
The bill does not specify an effective date.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.