Consumer privacy issues are as a hot as ever, and on the radar of the state and federal legislature alike. Following in the footsteps of California, and most recently Virginia and Colorado, Ohio introduced a comprehensive consumer privacy bill, the Ohio Personal Privacy Act (the “Act”). By introducing the Act, Ohio follows the growing nation-wide trend towards stronger state privacy laws related to consumer rights.
The Act primarily applies to businesses in Ohio or business that collect data about consumers in Ohio which fall into one of the following categories:
- at least $25 million in gross revenue;
- with 100,000 customers;
- derives more than 50% of its gross revenue from the sale of personal data and processes; or
- controls personal data of 25,000 or more consumers.
The Act provides exceptions for certain business and institutions. Exceptions include institutions of higher education, business to business transactions, a covered entity or business associate under the Health Insurance Portability and Accountability Act, and a financial institution or an affiliate of a financial institution governed by the federal Gramm Leach-Bliley Act.
Consumer Data Rights
The Act specifies the following rights for consumers:
- to ask companies what personal data they’ve collected;
- to request corrections to the personal data collected;
- to request that data be deleted subject to exceptions; and to request that companies stop selling personal data.
It is also important to note, that as with its counterparts in certain other states, the Ohio bills defines “consumer” as a natural person who is a resident of the Ohio acting only in an individual or household context. The Act states that the definition of consumer does not include a “natural person acting in a business capacity or employment context.”
The Act prohibits businesses from engaging in discriminatory conduct related to the price of its products against consumers who exercise any of the above rights. Businesses must have legitimate business reasons for any differences in prices or ranges.
Unlike many other states that have implemented consumer privacy protections, the Act does not provide for a private right of action. However, consumers may make a complaint to the Attorney General’s Office who has the sole authority to enforce the provisions of the Act. The Attorney General may seek civil penalties of up to $5,000 for each violation.
For more information on common features in the consumer privacy law landscape that should be considered when examining the effects of such laws on an organization, review our post on that topic. State consumer privacy legislative activity is only ramping up, and organizations across all jurisdictions need to be prepared.