Privacy Bill Essentials: Ohio Personal Privacy Act

July 16, 2021
Hinshaw Privacy & Cyber Bytes

A new data protection and privacy bill (HB 376) was recently introduced in Ohio. The Ohio Personal Privacy Act (OPPA) is similar to recent legislative enactments in California, Virginia, and Colorado, but of the three, this bill most closely resembles Virginia's Consumer Data Protection Act. If enacted, the OPPA would establish data rights for citizens of the state and impose multiple obligations on businesses both inside and outside the state that collect the personal data of Ohio consumers.

To whom would it apply?

The OPPA would apply to businesses that conduct business in Ohio or target consumers in the state, and either:

The OPPA would not apply to:

What types of information would it cover?

The OPPA would protect the "personal data" of consumers who reside in Ohio in an individual or household context. Employees, contractors, job applicants, officers, directors, and business owners are not considered consumers when acting in a business or employment capacity.

Personal data is defined as "information that relates to an identified or identifiable consumer processed by a business for a commercial purpose." This definition excludes data processed from publicly available sources and "[p]seudonymized, deidentified, or aggregate data."

What rights would it create?

The OPPA would create various consumer rights, including the right to: 

What obligations would it impose?

The OPPA would require a covered business to post in a reasonably accessible, clear, and conspicuously manner a privacy policy that includes the following:

Failure to maintain a privacy policy that reflects the business's data privacy practices will be considered an unfair and deceptive practice but will not entitle consumers to a private cause of action. Consumers must be directly notified, where possible, of any material changes to the business's privacy policy 60 days prior to implementation.

How would it be enforced?

The OPPA would grant the Attorney General's Office (AG) investigative powers and exclusive enforcement authority. To the extent the AG has reasonable cause to believe that a business has engaged or is engaging in an act or practice that violates the OPPA, it may bring an action in a county court of common pleas and seek a declaratory judgment, injunctive relief, civil penalties (including triple damages), and attorneys' fees. However, before doing so, the AG must provide a 30-day cure period prior to the commencement of an action.

Unlike similar enactments, the OPPA creates a safe harbor for companies complying with the U.S. National Institute of Standards and Technology's Privacy Framework.

Where does it stand?

The OPPA was introduced on July 12, 2021—with the support of Ohio Governor Mike Devine—and does not contain an effective date.