Ohio Introduces Consumer Data Privacy Bill
Privacy & Cybersecurity Update
Date: July 15, 2021
On July 12, Ohio legislators formally introduced the Ohio Personal Privacy Act (HB 376), and with it Ohio has joined the growing number of states that are actively seeking to implement a consumer data protection law. Although HB 376 affords Ohio consumers rights and privileges with respect to their personal data, the bill is more limited in scope than other state data protection laws that have recently been enacted (e.g., California, Colorado, Virginia). Notably, the bill does not contain a private right of action; however, it does furnish the Ohio Attorney General with broad authority to penalize non-compliant businesses, which may include civil penalties, attorneys’ fees, and investigatory costs.
HB 376 likely will be sent to legislative subcommittees with jurisdiction over consumer protection and technology where it will be debated and amended. The bill has been strongly endorsed by Ohio’s Lt. Governor Jon Husted and other senior Ohio politicians, which may increase the likelihood that it will be enacted into law.
Scope of the Law
As currently written, HB 376 applies only to certain types of organizations that conduct business in Ohio or produce goods or services that target Ohio consumers. For instance, the bill applies only to such businesses that also have generated $25 million in annual gross revenue in Ohio, collect and process large volumes of personal data, or generate a certain percentage of their revenue from the sale of personal data. The law creates many exceptions, including for businesses subject to federal privacy laws (e.g., healthcare organizations, financial institutions), for employee and “HR” data, and for data about individuals acting in a business capacity (i.e., “business-to-business” data).
Data Privacy Rights
HB 376 creates new data privacy rights and privileges for Ohio consumers:
• the right to request access to and the disclosure of their personal data that a business collects about them;
• the right to request that a business delete personal data that the business has collected from them and maintains in an electronic format; and
• the right to request that a business refrain from selling their personal data to third parties.
Notably, the Ohio bill does not specifically address targeted advertising in a manner comparable to other recently enacted state privacy laws (e.g., “do not share” requirements). HB 376 creates a framework for how businesses must receive, authenticate and respond to consumer privacy requests.
The bill expressly prohibits businesses from discriminating against a consumer for exercising their data privacy rights. However, none of the data subject privacy rights are absolute, and HB 376 creates exceptions and exemptions with respect to how consumers can exercise their rights and how businesses must respond to them. Further, HB 376 provides that businesses may charge different prices or rates for goods or services to individuals who exercise their privacy rights, provided they have “legitimate business reasons” to do so or are otherwise permitted or required by applicable law to do so. This will allow businesses to continue to engage in customer loyalty and similar marketing programs.
• the categories of personal data the business processes and the purposes of such processing;
• the categories of sources from which the personal data is collected;
• the categories of processors (e.g., service providers) to whom the business discloses personal data;
• whether the business sells personal data, and if so, the categories of third parties to whom the business sells personal data, and the purposes of the sale;
• a description of the business's data retention practices;
• how individuals can exercise their privacy rights; and
• a description of the business's data security measures.
Third Party Contracting
As currently written, HB 376 requires businesses to enter into written contracts or agreements with third party service providers that process personal data on their behalf (i.e., “processors”). More specifically, a business is required to “enter into a written contract with a processor that prohibits the processor from processing personal data except to provide services to the business.” Notwithstanding the generality of this prohibition, businesses may allow processors to (i) retain their own subcontractors (i.e., subprocessors), provided they comply with the same obligations as the processor, (ii) use personal data for internal purposes to improve the quality of their products or services, and (iii) use personal data provided by the business to detect or prevent data security incidents, fraud, or illegal activity. Under HB 376, a business is not liable in the event its processor uses personal data in violation of the law, provided that the business did not have actual knowledge, or reason to believe, that the processor would commit such a violation. On the other hand, a processor is not liable under HB 376 for violations of the obligations of a business for which the processor provides services.
Pursuant to HB 376, a business has an affirmative defense against allegations of non-compliance if that business creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0," including applicable controls selected by the business from NIST Special Publication 800-53 and 800-53a. In order to leverage this affirmative defense, an organization’s privacy program must be based on its size and complexity, the nature and scope of its business activities, the sensitivity of the personal data it processes, the cost and availability of tools to improve privacy protections and data governance, and compliance with any comparable state or federal law. Interestingly, HB 376 adheres to a framework similar to the one set forth in Ohio’s cybersecurity safe harbor law (S.B. 220), which grants Ohio businesses certain affirmative defenses from data breach-related claims to the extent they comply with certain cybersecurity standards and measures.
FOR MORE INFORMATION
For more information, please contact:
Steven G. Stransky
Certified Information Privacy Professional/Government (CIPP/G)
Certified Information Privacy Professional/United States (CIPP/US)
Thomas F. Zych
or any member of our Privacy & Cybersecurity group.
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.
© 2021 THOMPSON HINE LLP. ALL RIGHTS RESERVED.