Ohio Personal Privacy Act would grant Ohioans an expansive set of new rights, writes US attorney David Oberly
And there may be further, similarly momentous changes to the privacy legal landscape before the year is over, after Buckeye State legislators recently introduced their own consumer privacy bill.
The Ohio Personal Privacy Act (OPPA) has strong support from Ohio’s governor and lieutenant governor, increasing the likelihood that the Midwestern state may soon join the ranks of a growing number of states with consumer privacy statutes on the books.
If enacted, the OPPA would provide an expansive set of new rights to Ohio consumers, and impose a corresponding set of stringent obligations on businesses that collect and handle their data.
The OPPA: Scope and applicability
Similar to the California Consumer Privacy Act (CCPA) and other consumer privacy statutes, businesses would have to meet certain thresholds to fall under the scope of the OPPA.
Specifically, the law applies to any business that conducts operations in Ohio or produces goods/services targeted at Ohio consumers and satisfies one or more of the following criteria:
- Annual gross revenue generated in Ohio above $25 million.
- Controls or processes the personal data of 100,000 or more consumers during the calendar year.
- Derives more than 50% of its gross revenue from the sale of personal data and processes/controls the personal data of 25,000 or more consumers during a calendar year.
Like other consumer privacy statutes, the OPPA grants consumers a broad range of rights, including:
- Right to know: The right to know the personal data that a business collects pertaining to a given consumer.
- Right to access: The right to request access to, and the disclosure of, the personal data that a business collects about the consumer.
- Right to deletion: The right to request that a business delete the personal data that the business has collected from the consumer for commercial purposes.
- Right to opt-out: The right to direct a business that sells personal data to third parties not to sell the consumer’s personal data.
- Non-discrimination right: The right to not be discriminated against by a business for exercising any of the rights provided to consumers under the OPPA.
The OPPA also requires businesses to give notice to consumers regarding the personal data that they process. Unlike other privacy statutes, however, the OPPA provides that a failure to maintain a privacy notice that reflects the entity’s data processing practices to a reasonable degree of accuracy constitutes an unfair or deceptive practice under Ohio law.
By far the most significant aspect of the proposed bill is an affirmative defense offered to businesses which maintain a written privacy program that reasonably conforms with the National Institute of Standards and Technology’s (NIST) privacy framework.
Businesses that satisfy requirements for the affirmative defense are afforded protection from any cause of action brought under Ohio laws, or in Ohio courts, alleging a violation of the OPPA or similar claims based on alleged violations of the Ohio Consumer Sales Practices Act’s privacy-related provisions.
Liability and enforcement
The OPPA does not offer a private right of action for individuals to pursue litigation against entities for alleged violations of the law. Rather, enforcement authority rests exclusively with the Ohio attorney general, who may seek civil penalties of up to $5,000 per violation.
However, before initiating an enforcement action, the AG must give at least 30 days’ notice to cure any alleged violations.
With the support of the state’s governor and lieutenant governor, buttressed by the success of other states in swiftly moving consumer privacy bills through the legislative process this year, the Buckeye State may well become the third US state to pass a new consumer privacy statute in 2021.
From a broader perspective, the increasing momentum for consumer privacy laws across the globe should serve as a reminder for all companies to take proactive steps to build out a comprehensive privacy and data protection program.
Specifically, companies should consider implementing the following measures if they have not already done so:
- Complete a data-mapping and inventory exercise.
- Design and implement processes and procedures for responding to consumer requests.
- Ensure the maintenance of a robust data security program, ideally one designed in conformity with a widely recognized framework, such as the NIST Privacy Framework (the framework the OPPA’s affirmative defense references) or the ISO/IEC 27001 information security standard.
- Update service provider and vendor contracts to include language limiting the processing of personal data by the service provider to that which is required to perform services for the company.
- And consult with experienced privacy counsel to ensure compliance with today’s constantly-evolving privacy legal landscape.