The Ohio Personal Privacy Act (OPPA), House Bill 376, was introduced on July 13, 2021, in the Ohio House of Representatives. The crafting of the Bill was led by InnovateOhio, Governor Mike DeWine’s technology innovation office headed by Lt. Governor Jon Husted. OPPA follows in the footsteps of other states’ personal data privacy laws, including the California Consumer Privacy Act (CCPA) (as modified by the California Privacy Rights Act, or CPRA, effective in 2023), Virginia’s Consumer Data Privacy Act (CDPA), and the Colorado Privacy Act (CPA). The Bill’s primary sponsors are Representatives Rick Carfagna (R-Genoa Township) and Thomas Hall (R-Madison Township).
During the news conference unveiling the legislation, co-sponsor Representative Rick Carfagna commented on what drove the introduction of the Bill: "In the absence of a comprehensive federal policy on the collection and use of personal information, Ohio has an opportunity to position itself as a technology leader on multiple fronts. House Bill 376 will balance reasonable privacy standards to protect Ohioans with less bureaucracy and regulation on businesses."
OPPA would apply only to organizations that conduct business in Ohio or target Ohio consumers and:
- have gross annual revenue generated in Ohio that exceeds $25 million,
- process or control data of 100,000 or more Ohio consumers, or
- derive 50% or more of gross revenue from selling or processing data of 25,000 or more Ohio consumers.
Exempted from OPPA would be government agencies, institutions of higher education, financial institutions and affiliates, business-to-business transactions, insurers and private insurance agents, among others. OPPA also would not apply to information subject to certain other statutes governing personal data, such as GLBA[1], HIPAA[2], FERPA[3], and FCRA[4].
The Bill provides Ohio residents with rights regarding when their personal data is collected by businesses, including:
- Right to Access – right to request access to and disclosure of personal data collected during the preceding 12-month period, and to receive that data in an electronic, portable, readily usable format;
- Right to Delete – right to request that a business delete data it collected from the consumer for commercial purposes and maintains in an electronic format (notably, this provision has 12 exemptions);
- Right to Opt Out – right to opt out of a business’s sale of personal data to third parties (notably, there is no requirement for a "Do Not Sell My Personal Information" link as the CCPA/CPRA requires); and
- Right to Non-discrimination – right not to be discriminated against for exercising these rights, with the caveat that businesses could charge different prices or rates to individuals who exercise their rights under OPPA for legitimate business reasons or as otherwise permitted or required by applicable law.
Unlike some state privacy laws, the OPPA does not include a consumer’s right to correct inaccurate data, does not include any requirements regarding the collection or treatment of sensitive data (such as a requirement to encrypt all sensitive data), and does not require mandatory data protection risk assessments.
While "consumer" is defined more narrowly than in the CCPA, encompassing only Ohio residents acting in an individual or household context and not individuals acting in a business or employment capacity, "personal data" is comparably broad, encompassing "any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose" – e.g., cookies may
The Bill does not provide citizens a private cause of action, leaving enforcement to the Ohio Attorney General, with a required notice and 30-day cure period prior to action and penalties thereafter of up to $5,000 for each violation (by provision and consumer). Consistent with Ohio’s previously enacted Data Protection Act (see ORC §1354), OPPA also provides a "safe harbor" in the form of an affirmative defense for businesses that create, maintain, and comply with a privacy framework that conforms to the National Institute of Standards and Technology (NIST) privacy framework.[6]
House Bill 376 will likely be referred to a House committee in September to begin the committee review process. Legislation in Ohio must undergo the full committee process and receive a floor vote in both chambers prior to passage. As Ohio operates on a two-year legislative session, House Bill 376 must pass in both the House and Senate and be signed by the Governor by December 31, 2022, in order to become law. We will be closely monitoring this dynamic process and the evolution of the Bill.
Please contact us if you have any questions or concerns about this legislation or data rights and privacy law, generally.
[1] The Gramm-Leach-Bliley Act (GLBA) provides protections for how consumer data and customer information is handled by financial institutions.
[2] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects an individual’s health-related information when healthcare information is transmitted or maintained, to ensure security and privacy.
[3] The Family Educational Rights and Privacy Act (FERPA) provides students control over disclosure of and access to their educational records, including the right to notice, consent, access and correction, security and accountability.
[4] The Fair Credit Reporting Act (FCRA) regulates the consumer reporting industry and provides rights in consumer reports, such as to access and correct their information and to limit use and collection to defined, permissible purposes.
[5] “Cookie,” or “magic cookie,” as used in programming jargon, refers to a piece of information shared between cooperating software to link previous web actions on the same device. Cookies can enable authentication, personalization, delivery of targeted advertisements, and allow website browsers to preload much faster on a given device. However, once a website has identified a transaction with a user (such as a credit card transaction linking an account and user’s name), if that same information is again utilized, the cookies will link the two transactions.
[6] See NIST Special Publications 800-53 and 800-53A.