Key Takeaways: The Ohio Personal Privacy Act

Fox Rothschild LLP

The Ohio Personal Privacy Act, also known as House Bill 376, is being considered in the Buckeye State.

Here are a few takeaways:

  • Enforcement by Attorney General only
  • Affirmative defense for companies that maintain and comply with a written privacy program that reasonably conforms with the NIST Privacy Framework.
  • “Business” includes non-profits
  • Similar to Virginia and Colorado, “consent” uses the GDPR formulation of “freely given, specific, informed and unambiguous”
  • Excludes data in the employment context
  • Narrow definition of “publicly available” (only government records)
  • “Sale” – monetary or other valuable consideration; transfer to affiliate is exempted
  • GLBA financial institutions, HIPAA CEs and BAs, higher ed institutions and B2B transactions – exempted
  • Long list of data including health related – exempted
  • Exemption for fraud and identity theft detection

Consumer rights:

  • Right to know – via privacy notice which needs to include, in addition to what we saw in the other laws:
    1. details regarding the business and any affiliate to which personal data is transferred
    2. data retention practices
    3. information security practices
    4. notification of material changes to the policy (this requires affirmative consent or a notice + opt out 60 days in advance, as well as a need to provide direct notification where possible)
  • Right of access (by at least one method out of a provided list) covering the preceding 12 months
  • Right to delete (by at least one method), but exceptions include the written records retention schedule
  • Right to opt out of sale (with verification required); compliance with COPPA required for the sale of children’s information; required to notify third parties of the request and request that they comply.
  • No discrimination
  • Agreement between business and processor is required (but no prescriptive provisions)

Failure to maintain a privacy policy that reflects the business's data privacy practices to a reasonable degree of accuracy is an unfair and deceptive practice (but there is no private right of action).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
