Ohio Personal Privacy Act Introduced: A Possible First Step In Privacy Protections

July 15, 2021

Currently, twenty states have enacted legislation to protect the collection and distribution of consumer data by third parties. However, at the moment, there are no privacy protections in place for consumers in Ohio. On July 12, 2021, Rick Carfagna and Thomas Hall introduced House Bill 376, also known as the Ohio Personal Privacy Act. The proposed legislation aims to create a set of rights for consumers in relation to data collection by allowing consumers to control how their data is collected and processed by businesses.

The Ohio Personal Privacy Act stipulates that consumers have a right to request access to their personal data, as well as control the disclosure of the information collected. Under the proposed legislation, consumers have the right to ask for corrections when data is inaccurate, request for data to be deleted and demand that their data not be sold to others. The goal of the Personal Privacy Act is to create privacy standards that businesses can follow in order to protect the confidentiality of consumers in Ohio.

Who Would the Personal Privacy Act Affect?

The proposed legislation will not be applicable to all businesses in Ohio. In order to be held accountable under the Personal Privacy Act, businesses must fall within one of three categories. These categories include:

  1. A business whose annual gross revenues generated in Ohio exceed $25 million
  2. A business that controls or processes the personal data of 100,000 or more consumers in a year
  3. A business which derives more than 50% of its gross revenue from the sale of personal data and controls the personal data of 25,000 or more consumers

Furthermore, certain businesses will be excluded from the proposed legislation, including (but not limited to) banks, credit unions, government agencies, doctor’s offices and higher education institutions.

What Must Be Included in Public Privacy Notices?

Businesses that fall within the above guidelines will be required to create public notices that inform consumers of their rights. Specifically, privacy policies must include the type of personal data processed, where the data is processed from, who the data is shared with, how consumers can exercise their rights to control their personal data and more.

Material Changes to Use of Collected Data

If there are material changes in how a company uses data collected, or if the company shares consumer data in a way not previously disclosed, the company will have to inform consumers of the change and either get their affirmative consent to use the data in the new way (opt-in), or provide notice and give consumers a reasonable means of opting out of the new practice.

A Way for Consumers To Discuss Their Data Collection With You

The proposed legislation requires businesses to establish convenient means for communication to allow consumers to learn about what data is being collected and how it is being used. This includes establishing a toll-free number, a webform, an email address or a privacy portal or link on a website. Any requests for disclosure of data will cover the 12-month period preceding the business’s receipt of the request, and must generally be made free of charge, within 45 calendar days of the request. Overall, the proposed legislation will require privacy policies to be readily accessible, clear and straightforward.

Penalties for Non-Compliance With the Personal Privacy Act

If the Act is violated, there will be no private right of action. Instead, consumers will have to bring their complaints to the Attorney General’s office, which will be responsible for enforcing the legislation. Before legal action can be taken, a business will be given 30 days to rectify its violations. Upon violation, the Attorney General can seek penalties of up to $5,000, as well as compensatory damages ranging between $100 and $750 per violation.

What Steps Should Businesses Take To Prepare for the Personal Privacy Act?

If the Personal Privacy Act is signed into law, businesses that fall under its provisions should be prepared to examine their data collection, storage and use practices. Many Ohio businesses that will be covered by the law lack a Written Information Security Program (WISP), which is designed to protect the confidentiality, integrity and availability of consumer information. Because the proposed law will require disclosure of how a covered company protects its consumer data, a data security program would be required. At a minimum, businesses should be prepared to establish a privacy policy, document their data policies surrounding storage, use, classification and deletion, and draft a security program to ensure the safety of the personal information of consumers. Furthermore, businesses should review contracts and agreements that involve the sharing of consumer data to ensure compliance.

KJK will continue to follow the progression of House Bill 376. If you have questions or would like to discuss further, please reach out to Mark Rasch at mdr@kjk.com or 301.547.6925. For more information about minimizing cybersecurity liability for businesses, visit our Cybersecurity and Data Breach practice page.