Ohio Personal Privacy Act Introduced to Improve Privacy Protections for Ohioans
A comprehensive new privacy framework has been introduced in Ohio to better protect the privacy of Ohioans. The Ohio Personal Privacy Act aligns closely with recently introduced legislation in Virginia (CDPA) and gives Ohio residents a host of new rights over the personal data collected, stored, maintained, and transmitted by businesses.
Similar to Virginia’s CDPA, the Ohio Personal Privacy Act has a narrow definition of consumers and does not cover individuals acting in a business capacity or employment context. Personal data covered by the Ohio Personal Privacy Act is classed as “any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose.”
The Ohio Personal Privacy Act only applies to organizations that conduct business in the state of Ohio that meet one or more of the following criteria:
- Generates annual gross revenues in excess of $25 million;
- Controls or processes the personal data of 100,000 or more Ohio residents in a calendar year;
- Derives more than 50% of gross revenue from the sale of personal data and processes or controls the personal data of 25,000 or more Ohio consumers.
There is a long list of exemptions, which include:
- Covered entities and business associates subject to and compliant with HIPAA
- Protected health information under HIPAA
- Activities regulated by the Fair Credit Reporting Act
- Data subject to the Children’s Online Privacy Protection Act,
- Financial institutions and data subject to the Gramm-Leach-Bliley Act if compliant
- Higher educational institutions
- Business-to-business transactions
- Insurers and independent insurance agents
Consumers must be informed about how their personal data will be collected and used. Consumers have the right to access the personal data held by an organization and have that information deleted. Consumers must be informed about data collection and processing activities via a clear and conspicuous notice and are permitted to opt out of the sale of their personal data. Businesses are not permitted to discriminate against any individual based on them exercising their rights under the Ohio Personal Privacy Act.
The Ohio Attorney General has the authority to enforce compliance with the Ohio Personal Privacy Act and bring legal actions against any covered entity if there is reasonable cause to believe a covered entity has violated the Act. The state Attorney General can seek a declaratory judgment, injunctive relief, and civil penalties, with triple damages applying to knowing violations.
Prior to any action being taken, a 30-day period will be provided to allow all issues are corrected. Businesses may also utilize an affirmative defense from an enforcement action by the OAG or a lawsuit filed by a consumer, if the business creates, maintains, and complies with a written privacy program that confirms to the National Institute of Standards and Technology (NIST) privacy framework.
Consumers who feel the rights given to them by the Ohio Personal Privacy Act have been violated are not permitted to take legal action against a business over any violation.