To date, Ohio does not have a comprehensive Ohio privacy law or an Ohio data protection act in effect. Thus far, no comprehensive privacy bill has been introduced in 2023.
Failed Ohio Personal Privacy Act of 2021
In July 2021, Ohio state lawmakers announced the introduction of landmark data privacy legislation, HB 376, or the Ohio Personal Privacy Act (OPPA).
OPPA would establish a list of “data rights” such as the ability to have personal data deleted and a request to businesses to not sell a person’s data. These rights would give Ohioans control over how businesses are using their data and give Ohioans the option to tell businesses to not sell their data.
Additionally, House Bill 376 includes a list of obligations for businesses to follow, such as posting privacy notices and disclosing where data is being sold. It also includes a list of exemptions for certain businesses, industries, and data that already have established data privacy standards, such as through Gramm-Leach-Bliley and HIPAA
Of note, OPPA would alter Ohio law to grant firms that adhere to NIST’s industry-recommended guidelines an affirmative defense against legal claims. Businesses must develop their own data privacy programs that adhere to the requirements outlined in the most recent edition of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to qualify for the affirmative defense provision.
Ohio’s leveraging the use of the NIST-Privacy framework as the Safe Harbor standard of care, makes it an innovative state privacy proposal. The use of a national framework may be a useful model for other states to begin to build a state-based national and uniform privacy standard, without Congressional action.
The bill did not pass.
Businesses would need to meet specific requirements, similar to other consumer privacy laws, to be covered by the OPPA.
The statute specifically applies to any company that conducts business in Ohio or creates products or services marketed to residents of Ohio and meets one or more of the following requirements:
- Over $25 million in gross revenue is produced annually in Ohio.
- controls or manages at least 100,000 customers’ data during a given year.
- generates more than half of its total revenue from the selling of personal data and manages or processes the personal information of 25,000 or more customers annually.
Consumers’ rights under OPPA include:
- The right to know
The right to be informed of the personal information a company acquires about a specific customer.
- The right to access
The ability to ask for access to and disclosure of any personal information that a company has about a customer.
- The right to be forgotten
The ability to ask that a company erase any personal information that it has obtained from a customer and used for marketing.
- The right to decline
the right to request that a company that sells customer data to other parties refrain from doing so.
- Non-discrimination right
The right not to face discrimination from a company for using any of the OPPA-administered consumer rights.
Centraleyes brings you the latest updates on state privacy laws across the USA.