The Ohio Personal Privacy Act, also known as House Bill 376, is being considered in the Buckeye State.

Here are a few takeaways:

  • Enforcement by Attorney General only
  • Affirmative defense for companies that maintain and comply with a written privacy program that reasonably conforms with the NIST Privacy Framework.
  • “Business” includes non-profits
  • Similar to Virginia and Colorado, “consent” uses the GDPR formulation of “freely given, specific, informed and unambiguous”
  • Excludes data in the employment context
  • Narrow definition of “publicly available” (only government records)
  • “Sale” – monetary or other valuable consideration; transfer to affiliate is exempted
  • GLBA financial institutions and HIPAA CE and BAs, higher ed institutions and B2B transactions – exempted
  • Long list of data including health related – exempted
  • Exemption for fraud and identity theft detection

Consumer rights:

  • Right to know – via privacy notice which needs to include, in addition to what we saw in the other laws:
    1. details regarding the business and any affiliate to which personal data is transferred
    2. data retention practices
    3. information security practices
    4. notification of material changes to the policy (this requires affirmative consent or a notice + opt out 60 days in advance, as well as a need to provide direct notification where possible)
  • Right of access (by at least one method out of a provided list) covering the preceding 12 months
  • Right to delete (by at least one method), but exceptions include the written records retention schedule
  • Right to opt out of sale (with verification required); compliance with COPPA required for the sale of children’s information; required to notify third parties of the request and request that they comply.
  • No discrimination
  • Agreement between business and processor is required (but no prescriptive provisions)

Failure to maintain a privacy policy that reflects the data privacy practices to a reasonable degree of accuracy is an unfair and deceptive practice (but there is no private right of action).