Ohio Introduces CCPA-like Consumer Privacy Bill

Jackson Lewis P.C.

Consumer privacy issues are as a hot as ever, and on the radar of the state and federal legislature alike.  Following in the footsteps of California, and most recently Virginia and Colorado, Ohio  introduced a comprehensive consumer privacy bill, the Ohio Personal Privacy Act (the “Act”). By introducing the Act, Ohio follows the growing nation-wide trend towards stronger state privacy laws related to consumer rights.


The Act primarily applies to businesses in Ohio or business that collect data about consumers in Ohio which fall into one of the following categories:

  • at least $25 million in gross revenue;
  • with 100,000 customers;
  • derives more than 50% of its gross revenue from the sale of personal data and processes; or
  • controls personal data of 25,000 or more consumers.

The Act provides exceptions for certain business and institutions. Exceptions include institutions of higher education, business to business transactions, a covered entity or business associate under the Health Insurance Portability and Accountability Act, and a financial institution or an affiliate of a financial institution governed by the federal Gramm Leach-Bliley Act.

Consumer Data Rights

Businesses are expected to provide a “reasonably accessible, clear, and conspicuously posted privacy policy” to inform consumers about the data collected.

The Act specifies the following rights for consumers:

  • to ask companies what personal data they’ve collected;
  • to request corrections to the personal data collected;
  • to request that data be deleted subject to exceptions; and to request that companies stop selling personal data.

It is also important to note, that as with its counterparts in certain other states, the Ohio bills defines “consumer” as a natural person who is a resident of the Ohio acting only in an individual or household context. The Act states that the definition of consumer does not include a “natural person acting in a business capacity or employment context.”

Anti-Discrimination Provision          

The Act prohibits businesses from engaging in discriminatory conduct related to the price of its products against consumers who exercise any of the above rights. Businesses must have legitimate business reasons for any differences in prices or ranges.


Unlike many other states that have implemented consumer privacy protections, the Act does not provide for a private right of action. However, consumers may make a complaint to the Attorney General’s Office who has the sole authority to enforce the provisions of the Act. The Attorney General may seek civil penalties of up to $5,000 for each violation.

For more information on common features in the consumer privacy law landscape that should be considered when examining the effects of such laws on an organization, review our post on that topic. State consumer privacy legislative activity is only ramping up, and organizations across all jurisdictions need to be prepared.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Lewis P.C. | Attorney Advertising

Written by:

Jackson Lewis P.C.

Jackson Lewis P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide