Ohio recently became the latest state to consider enacting comprehensive privacy legislation. On July 13, 2021, the Ohio Personal Privacy Act (House Bill 376) was introduced into the Ohio House of Representatives with the backing of Ohio Governor Mike DeWine and Lt. Governor Jon Husted. If passed, OPPA would establish consumer data rights for natural persons who are residents of Ohio acting only in individual or household contexts, not residents acting in a business capacity or employment context, such as contractors, job applicants, officers, directors or owners. The bill would also require certain businesses to comply with a framework of data standards, similar to other states such as California, Virginia and Colorado.
As introduced, OPPA generally applies to businesses that conduct business in Ohio, or produce products or services targeted to Ohio residents, and either:
- Have an annual gross revenue generated in Ohio that exceeds $25 million;
- Control or process personal data of 100,000 or more residents during a calendar year; or
- Derive over 50% of their gross revenue from the sale of personal data and process or control personal data of 25,000 or more residents during a calendar year.
However, OPPA does not apply to government bodies, financial institutions governed by the federal Graham-Leach-Bliley Act, a covered entity or business associate governed by HIPAA, institutions of higher education, business-to-business transactions, and other exemptions. OPPA also outlines numerous types of information and data that are exempt from the act and necessary business purposes to which the act does not apply, such as protected health information under HIPAA and data collected to comply with state or federal law.
Similar to the California, Virginia and Colorado laws, OPPA affirmatively grants rights to residents, as follows:
- The right to request access to and disclosure of the personal data the business collects about that resident, including the categories of third parties to whom the business sells personal data.
- The right to request deletion by a business of personal data that the business has collected from the resident for commercial purposes and that the business maintains in electronic format, although the business may not be obligated to delete the data if it is necessary to maintain the data for various reasons specified in the act.
- The right to opt out of the sale of the resident’s personal data by a business that sells personal data.
- The right to non-discrimination for residents that exercise their rights under the act.
OPPA does not grant a private right of action, including class action lawsuits brought under the act. Instead, the Ohio attorney general has the exclusive authority to investigate and enforce OPPA’s provisions. Prior to initiating any action under OPPA, the attorney general shall provide the business with a 30-day right to cure via a written notice, during which the business has 30 days to fix the alleged violation before it is held liable. If the violation is not cured, the attorney general may seek civil penalties of up to $5,000 per violation, with each provision that was violated and each affected resident counting as a separate violation. Each affected resident may also be awarded between $100 and $750 per violation, regardless of actual damages. If a court finds that the violation was committed willfully or knowingly, the court may triple that award.
OPPA encourages businesses to adopt a written privacy program that reasonably conforms to the National Institute of Standards and Technology Privacy Framework by providing businesses with a safe harbor from liability, specifically an affirmative defense against allegations of OPPA violations, if the business creates, maintains and complies with NIST’s Privacy Framework.
As Lt. Governor Husted explained on the Aug. 13, 2021 episode of “The Privacy Advisor Podcast” to host Jedidiah Bracy, pegging the safe harbor to NIST’s Privacy Framework allows OPPA’s privacy standards to evolve as the NIST standards evolve, which the bill’s drafters believe are the national standards that are “the living, breathing goal that everybody should aspire to live up to.” Lt. Governor Husted also spoke to the possibility that utilizing NIST’s standards, if other states follow, could limit the number of different privacy standards and frameworks with which businesses must comply.
We will continue to monitor and provide updates on OPPA developments as the Ohio General Assembly’s legislative process unfolds.