As we anticipated in 2018, "So Goes California, So Goes the Country," when it comes to U.S. privacy law. California broke new ground when it passed the California Consumer Privacy Act of 2018 (CCPA), now, the rest of the nation is following suit. Since 2018, Virginia (the VCDPA) and Colorado (the CPA) have passed similar statues. Now, Ohio is ready to join the party.
Introduced earlier this month, House Bill 376 "The Ohio Personal Privacy Act," seeks to bring similar protections to Ohio consumers by giving them control over their personal data. The draft legislation does not have an effective date, but we expect that in the next few years, businesses subject to proposed law will need to meet its specifications. For now, businesses should start to consider the bill's requirements and how they may implement the necessary processes to be compliant with its requirements.
Who must comply?
Of course, the first question is which businesses are subject to the bill's requirements? In a nutshell, the bill applies to businesses that meet one of the following criteria:
(1) have an annual gross revenue generated in Ohio that is greater than $25 million; or
(2) in one calendar year process personal data of at least 100,000 consumers; or
(3) in one calendar year generate over 50 percent of its gross revenue from the sale of personal data.
The proposed legislation does not apply to:
- state bodies, authorities, or other agencies;
- financial institutions governed by Title V of the Gramm-Leach-Bliley Act (GLBA);
- covered entities or business associates covered by the HIPAA Privacy Rule;
- higher education institutions;
- business-to-business transactions; or
- specified insurance companies and affiliate organizations as outlined in § 1355.02 (B) (6).
Additionally, the proposed legislation exempts various types of information and data. A few examples of exempt data include, but are not limited to:
- protected health information (PHI) as defined by HIPAA;
- health records;
- patient-identifying information;
- personal information under the Fair Credit Reporting Act (FCRA);
- personal data collected under the Family Education Rights and Privacy Act (FERPA); and
- personal data collected by the Farm Credit Act (FCA).
What rights are provided to consumers?
The Ohio bill provides similar consumer rights as the CCPA, VCDPA, and CPA. If enacted, Ohio consumers will have the following rights:
- Right to Know: An Ohio consumer has the right to know the personal data that is collected by a business about the consumer. Businesses must provide notice to consumers about what type of personal data is being collected. This notice must be reasonably accessible, clear, and conspicuously posted in the privacy policy.
- Right to Access: Ohio consumers will be able to request access and disclosure of the personal data that businesses collect about them. This disclosure includes the personal data that the business has collected and the types of third parties to whom data is being sold. Consumers can also request their own data, and businesses are responsible for providing it in an electronic and portable format.
- Right to Deletion: Ohio consumers may request businesses to delete their personal data that was collected for commercial purposes and stored electronically.
- Right to opt-out of sale: Ohio consumers can ask businesses not to sell their personal data to third parties. Any business that chooses to sell consumer personal data must provide clear and conspicuous notice about this sale. If a consumer opts-out, businesses must then inform processors and third parties of the consumer's choice. Businesses are also prohibited from selling children's personal data without complying with the Children's Online Privacy Protection Act of 1998 (COPPA).
- Right to Nondiscrimination: Businesses cannot discriminate against consumers who choose to protect their personal data under this statute or assert any rights thereunder.
Additionally, businesses must provide at least one method for consumers to make requests and exercise these rights. These methods include: a toll free number, electronic mail address, a web form, or a clear and conspicuous link on the business's main page.
How will this proposed law be enforced?
Under the proposed law, the Ohio Attorney General has exclusive enforcement power, which means that there is no private right of action. Businesses that violate this law are provided notice and given a 30-day "cure period" to resolve the defect.
What next?
While none of us at Taft have a crystal ball, we are confident this legislation will not be the last you hear about consumer privacy protection laws. Ohio's Personal Privacy Act is far from finalized. The bill is waiting for committee negotiations, Senate approval, and the governor's signature. What is clear is that more is to come in Ohio and across the country.
The questions being raised by state and federal leaders around big tech and the fight to control personal data are far from resolved. For businesses trying to comply with Ohio's draft legislation, California Consumer Privacy Act, Virginia's Consumer Data Protection Act, or Colorado's Privacy Act, the most important points for our readers to take away are:
(1) While new statutes across the country are similar, they are not the same. Businesses working to comply with state requirements need to understand how each statute impacts the business operations in each state.
(2) All businesses, regardless of state, would be well-served to invest the time and resources to properly understand what personal information it processes and for what purposes.
(3) Furthermore, each business should evaluate its compliance requirements and ensure it has the administrative, technical, and physical controls to meet each law's requirements to include facilitating any consumer rights.
As always, Taft will continue to monitor how states seek to balance consumer rights and business needs, and will keep you updated on such developments right here on Taft's Privacy and Data Security Insights blog. For more information on the Ohio Personal Privacy Act and other data privacy questions, please contact Taft's Privacy and Data Security Team.
Authors
The content of this update was made possible by significant
effort and contributions by two of our exceptional Taft summer
associates: Salha El-Shwehdi (Dayton) and
Noelle Suarez-Murias (Columbus).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.