A new data protection and privacy bill (HB 376) was recently introduced in Ohio. The Ohio Personal Privacy Act (OPPA) is similar to recent legislative enactments in California, Virginia, and Colorado, but of the three, this bill most closely resembles Virginia's Consumer Data Protection Act. If enacted, the OPPA would establish data rights for citizens of the state and impose multiple obligations on businesses both inside and outside the state that collect the personal data of Ohio consumers.

To whom would it apply?

The OPPA would apply to businesses that conduct business in Ohio or target consumers in the state, and either:

• Has annual gross revenues generated in the state that exceed $25 million;
• Controls or processes personal data of 100,000 or more consumers during a calendar year; or
• Derives over 50% of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more Ohio consumers during a calendar year.

The OPPA would not apply to:

• Any public entity or political subdivision of the state;
• Financial institutions or affiliates of financial institutions governed by Title V of Gramm-Leach-Bliley Act;
• Institutions of higher education;
• Business-to-business transactions;
• Any insurer or independent insurance agent, as defined in section 3905.49 of the Revised Code;
• Nonprofit organizations established to detect or prevent insurance-related crime or fraud; and
• Advisory or rating organizations as described in sections 3937.09 and 3937.05 of the Revised Code.

What types of information would it cover?

The OPPA would protect the "personal data" of consumers who reside in Ohio in an individual or household context. Employees, contractors, job applicants, officers, directors, and business owners are not considered consumers when acting in a business or employment capacity.

Personal data is defined as "information that relates to an identified or identifiable consumer processed by a business for a commercial purpose." This definition excludes data processed from publicly available sources and "[p]seudonymized, deidentified, or aggregate data."

What rights would it create?

The OPPA would create various consumer rights, including the right to: 

• Know what personal data is being collected about the consumer;
• Access to the consumer's personal data that has been collected;
• Request to delete personal data; and
• Decline or opt-out of the sale of the consumer's personal data.

What obligations would it impose?

The OPPA would require a covered business to post in a reasonably accessible, clear, and conspicuously manner a privacy policy that includes the following:

• The identity and the contact information of the business, including the business's contact for privacy and data security inquiries, and the identity of any affiliate to which personal data may be transferred by the business;
• Categories of personal data the business processes;
• The purposes of processing for each category of personal data;
• The purposes for collecting or selling personal data;
• The categories of sources from which the personal data is collected;
• The categories of processors with whom the business discloses personal data;
• Whether the business sells personal data, the categories of third parties to whom the business sells personal data, and the purposes of the sale;
• A description of the business's data retention practices for personal data and the purposes for such retention;
• How individuals can exercise their rights under this chapter;
• A general description of the business's data security practices;
• The effective date of the privacy policy;
• A description of how the business will notify consumers when it makes a material change to its privacy policy or decides to process personal data for purposes incompatible with the privacy policy.

Failure to maintain a privacy policy that reflects the business's data privacy practices will be considered an unfair and deceptive practice but will not entitle consumers to a private cause of action. Consumers must be directly notified, where possible, of any material changes to the business's privacy policy 60 days prior to implementation.

How would it be enforced?

The OPPA would grant the Attorney General's Office (AG) investigative powers and exclusive enforcement authority. To the extent the AG has reasonable cause to believe that a business has engaged or is engaging in an act or practice that violates the OPPA, it may bring an action in a county court of common pleas and seek a declaratory judgment, injunctive relief, civil penalties (including triple damages), and attorneys' fees. However, before doing so, the AG must provide a 30-day cure period prior to the commencement of an action.

Unlike similar enactments, the OPPA creates a safe harbor for companies complying with the U.S. National Institute of Standards and Technology's Privacy Framework.

Where does it stand?

The OPPA was introduced on July 12, 2021—with the support of Ohio Governor Mike Devine—and does not contain an effective date.