Legislation was introduced this week that, if passed, would create the Ohio Personal Privacy Act.
HB 376, initiated by Lt. Governor Jon Husted, was introduced this week by Representative Rick Carfagna (R-Westerville) and Representative Thomas Hall (R-Middletown) and targets businesses in Ohio that satisfy one or more of the following criteria:
- Annual gross revenue generated in Ohio exceeds $25 million;
- A business that controls or processes personal data of 100,000 or more consumers (Ohio residents only) during a calendar year; and/or
- A business that derives over 50% of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers (Ohio residents only) during a calendar year.
The bill excludes:
- Pseudonymized, de-identified, or aggregate data;
- Personal data pertaining to a person when acting in a business capacity (for example, a person’s business contact information);
- Employee and job applicant personal data;
- Political subdivisions;
- Financial institutions (with respect to activities that are subject to the GLBA);
- Any entity when acting as a covered entity or business associate under HIPAA;
- An institution of higher education;
- Business to business transactions;
- Insurers or independent insurance agents;
- Nonprofits established to detect or prevent insurance fraud; and
- Insurance rating or advisory organizations.
The bill requires businesses to provide consumers with a notice about the personal data that it processes about the consumer by providing a reasonably accessible, clear, and conspicuously posted privacy policy. Failure on the part of a business to maintain a privacy policy that reflects the business's data privacy practices to a reasonable degree of accuracy or otherwise comply with the bill shall be considered an unfair and deceptive practice under Chapter 1345 or Ohio’s Consumer Sales Practices Act, with one primary exception: The bill does not provide a consumer with a private right of action including participation in a class action lawsuit.
Enforcement authority rests solely with the Ohio Attorney General. Where the Attorney General has reasonable cause to believe that a business has engaged or is engaging in an act or practice prohibited under the bill, the Attorney General may investigate, whether through complaints made by consumers or its own inquiries, and bring an action against the business. Before initiating action against the business, the Attorney General must give the business 30 days' written notice to cure the violations. If the violation(s) continue or if a business violates a commitment made to the Attorney General during the enforcement process, an action may be initiated and a business may be charged civil penalties of $5,000 per violation (with each consumer affected and each provision of the bill that was violated counting as a separate violation). Commitments by a business made to the Attorney General to cure violations of the bill may be released by the Attorney General as a matter of public record.
The bill also provides an affirmative defense for businesses that create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0", given the size and scope of their operations. Businesses would be given one year to conform with future published revisions made to the framework in order to assert the defense.
The bill would also provide a consumer with the right to know and request disclosure of the personal data that a business collects about the consumer and allows the consumer to request that a business delete personal data that the business has collected from the consumer for commercial purposes and that the business maintains in an electronic format. Finally, a consumer would have a right to request that a business not sell the consumer’s personal data, provide a notice as such, and allow an opt-out provision. A business shall not discriminate with respect to consumers who exercise their rights under the bill; however, it may charge different prices or rates for goods or services to consumers who exercise their rights under the bill.
California, Colorado, and Virginia have passed comprehensive consumer data privacy laws, and many other states have similar legislation pending. The Ohio Legislature is on a recess during the month of July and is expected to return in mid to late August.
Benesch would be happy to provide you with our insight and guidance on this and other data privacy and protection best practices—including litigation avoidance strategies. We look forward to working with you to keep your data safe and secure.
If you have an interest in House Bill 376 and how Consumer Data Privacy Laws impact your business, or wish to participate in the legislative process on this bill and others, please reach out to a member of the firm's Government Relations or Data Protection Group.
Michael D. Stovsky at mstovsky@beneschlaw.com or 216.363.4626.
Rachel Winder at rwinder@beneschlaw.com or 614.223.9316.
Ryan T. Sulkin at rsulkin@beneschlaw.com or 312.624.6398.
Rob Zimmerman at rzimmerman@beneschlaw.com or 216.363.4437.
Holly Gross at hgross@beneschlaw.com or 614.223.9392.