State Privacy Law Tracker: Ohio

Ohio Data Privacy Law

To date, Ohio does not have a comprehensive Ohio privacy law or an Ohio data protection act in effect. Thus far, no comprehensive privacy bill has been introduced in 2023.

Failed Ohio Personal Privacy Act of 2021

In July 2021, Ohio state lawmakers announced the introduction of landmark data privacy legislation, HB 376, or the Ohio Personal Privacy Act (OPPA).

OPPA would establish a list of “data rights” such as the ability to have personal data deleted and a request to businesses to not sell a person’s data. These rights would give Ohioans control over how businesses are using their data and give Ohioans the option to tell businesses to not sell their data.

Additionally, House Bill 376 includes a list of obligations for businesses to follow, such as posting privacy notices and disclosing where data is being sold. It also includes a list of exemptions for certain businesses, industries, and data that already have established data privacy standards, such as through Gramm-Leach-Bliley and HIPAA

Of note, OPPA would alter Ohio law to grant firms that adhere to NIST’s industry-recommended guidelines an affirmative defense against legal claims. Businesses must develop their own data privacy programs that adhere to the requirements outlined in the most recent edition of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management to qualify for the affirmative defense provision.

Ohio’s leveraging the use of the NIST-Privacy framework as the Safe Harbor standard of care, makes it an innovative state privacy proposal. The use of a national framework may be a useful model for other states to begin to build a state-based national and uniform privacy standard, without Congressional action.

The bill did not pass.

Scope 

Businesses would need to meet specific requirements, similar to other consumer privacy laws, to be covered by the OPPA.

The statute specifically applies to any company that conducts business in Ohio or creates products or services marketed to residents of Ohio and meets one or more of the following requirements:

  • Over $25 million in gross revenue is produced annually in Ohio.
  • controls or manages at least 100,000 customers’ data during a given year.
  • generates more than half of its total revenue from the selling of personal data and manages or processes the personal information of 25,000 or more customers annually.

Consumer rights

Consumers’ rights under OPPA include:

  • The right to know

The right to be informed of the personal information a company acquires about a specific customer.

  • The right to access

The ability to ask for access to and disclosure of any personal information that a company has about a customer.

  • The right to be forgotten

The ability to ask that a company erase any personal information that it has obtained from a customer and used for marketing.

  • The right to decline

 the right to request that a company that sells customer data to other parties refrain from doing so.

  • Non-discrimination right

The right not to face discrimination from a company for using any of the OPPA-administered consumer rights.

Centraleyes brings you the latest updates on state privacy laws across the USA.

Sign up for our Data Privacy Tracker with monthly updates on the latest news and developments

Skip to content