Ohio Introduces the Ohio Personal Privacy Act

Benesch

Legislation was introduced this week that, if passed, would create the Ohio Personal Privacy Act.

HB 376, initiated by Lt. Governor Jon Husted, was introduced this week by Representative Rick Carfagna (R-Westerville) and Representative Thomas Hall (R-Middletown) and targets businesses in Ohio that satisfy one or more of the following criteria:

  1. The business's annual gross revenue generated in Ohio exceeds $25 million;
  2. The business controls or processes personal data of 100,000 or more consumers during a calendar year; and/or
  3. The business derives over 50% of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers during a calendar year.

The bill excludes:

  1. Political subdivisions;
  2. Financial institutions;
  3. Any entity covered under HIPAA;
  4. An institution of higher education;
  5. Business to business transactions;
  6. Insurers or independent insurance agents;
  7. Nonprofits established to detect or prevent insurance fraud; and
  8. Insurance rating or advisory organizations.

The bill requires businesses to give consumers notice of the personal data they process about the consumer by providing a reasonably accessible, clear, and conspicuously posted privacy policy. Failure on the part of a business to maintain a privacy policy that reflects the business's data privacy practices to a reasonable degree of accuracy shall be considered an unfair and deceptive practice under Chapter 1345, or Ohio’s Consumer Sales Practices Act, with one primary exception: the bill does not provide a consumer with a private right of action, including participation in a class action lawsuit.

Enforcement authority rests solely with the Ohio Attorney General. Where the Attorney General has reasonable cause to believe that a business has engaged or is engaging in an act or practice prohibited under the bill, the Attorney General may investigate, whether through complaints made by consumers or its own inquiries, and bring an action against the business. Before initiating action against the business, the Attorney General must give the business 30 days' written notice to cure the violations. If the violation(s) continue, an action may be initiated and a business may be charged civil penalties of $5,000 per violation per consumer.

The bill also provides an affirmative defense for businesses that create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0", given the size and scope of their operations. Businesses would be given one year to conform with future published revisions made to the framework in order to assert the defense.

The bill would also provide a consumer with the right to know and request disclosure of the personal data that a business collects about the consumer, and would allow the consumer to request that a business delete personal data that the business has collected from the consumer for commercial purposes and that the business maintains in an electronic format. Finally, a consumer would have a right to request that a business not sell the consumer’s personal data, and the business would have to provide notice to that effect and allow consumers to opt out. A business shall not discriminate, but may charge different prices or rates for goods or services to consumers who exercise their rights under the bill.

California, Colorado, and Virginia have passed comprehensive consumer data privacy laws, but many other states have similar legislation pending. The Ohio Legislature is on a recess during the month of July and is expected to return in mid to late August.

Written by:

Benesch