The Ohio Personal Privacy Act, also known as House Bill 376, is being considered in the Buckeye State.
Here are a few takeaways:
- Enforcement by Attorney General only
- Affirmative defense for companies that maintain and comply with a written privacy program that reasonably conforms with the NIST Privacy Framework.
- “Business” includes non-profits
- Similar to Virginia and Colorado, “consent” uses the GDPR formulation of “freely given, specific, informed and unambiguous”
- Excludes data in the employment context
- Narrow definition of “publicly available” (only government records)
- “Sale” – monetary or other valuable consideration; transfer to affiliate is exempted
- GLBA financial institutions, HIPAA covered entities (CEs) and business associates (BAs), higher-ed institutions and B2B transactions – exempted
- Long list of data including health related – exempted
- Exemption for fraud and identity theft detection
- Right to know – via privacy notice which needs to include, in addition to what we saw in the other laws:
  - details regarding the business and any affiliate to which personal data is transferred
  - data retention practices
  - information security practices
  - notification of material changes to the policy (this requires affirmative consent or a notice + opt out 60 days in advance, as well as a need to provide direct notification where possible)
- Right of access (by at least one method out of a provided list) covering the preceding 12 months
- Right to delete (by at least one method), but exceptions include the written records retention schedule
- Right to opt out of sale (with verification required); compliance with COPPA required for the sale of children’s information; required to notify third parties of the request and request that they comply.
- No discrimination
- Agreement between business and processor is required (but no prescriptive provisions)