Ohio House Bill 345, also known as The Ohio Personal Privacy Act, was introduced at the end of 2023 and is currently being considered in committee. The bill establishes requirements related to the collection, processing, and sale of digital personal data.
Categories of Requirements
These requirements fall into two primary categories:
- Requirements for Companies: Imposed on businesses that collect or process personal data.
- Consumer Rights: Provided to consumers whose personal data is collected.
Consumer Rights Under the Bill
The proposed law would grant Ohio consumers numerous significant rights and protections regarding their personal data. Specifically, the law would provide consumers with the following rights:
- Right to Know: The right to know what personal data a covered business collects about that consumer.
- Right to Access: The right to access and receive personal data that a company has regarding that consumer.
- Right to Correction: The right to request that incorrect personal data be corrected.
- Right to Deletion: The right to request that personal data pertaining to that consumer be deleted.
- Right to Opt-Out: The right to request that personal data pertaining to that consumer not be sold.
Criteria for Covered Businesses
Businesses covered by the new law include those that conduct business in Ohio, or whose products or services target consumers in Ohio, and that meet any of the following criteria:
- Revenue Threshold: Gross annual revenue exceeds $25 million.
- Data Volume: Controls or processes personal data of 100,000 or more consumers during a calendar year.
- Revenue from Data Sales: During a calendar year, derives more than 50% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers.
Requirements for Businesses
Under the proposed law, businesses must establish, maintain, and make available a privacy policy that describes how the business collects, uses, and sells consumer personal data. Businesses must also comply with verified requests related to the consumer rights mentioned above.
Enforcement and Legal Protections
Importantly, the Attorney General would be the sole entity authorized to enforce the requirements of the bill via investigations and lawsuits. This means consumers would not have the right to bring a private action against a business for a violation of the new law. The bill also provides covered businesses with a path for asserting an affirmative defense against such lawsuits.
By providing consumers with numerous rights while simultaneously shielding businesses from personal lawsuits, the new bill seeks to balance consumer rights and business protections. Several other states have already adopted similar laws, and we will see in the next several months if Ohio joins by enacting The Ohio Personal Privacy Act.
To discuss, please contact KJK Cyber Security & Data Breach attorney Michael Hoenig (MDH@kjk.com).