Ohio Introduces Data Privacy Legislation
On July 13, 2021, Ohio Lieutenant Governor John Husted announced the introduction of the Ohio Personal Privacy Act (OPPA), a comprehensive privacy framework following in the footsteps of recent legislative enactments in California (the CCPA as modified by the CPRA), Virginia (the CDPA), and Colorado (the Colorado Privacy Act).
The Ohio Personal Privacy Act generally resembles the privacy laws enacted in California, Virginia, and Colorado, but it most closely aligns with the Virginia CDPA in structure, approach, and language. The OPPA also contains a notable deviation from the privacy laws enacted in other states: a business can assert an affirmative defense against an enforcement action by the Ohio Attorney General or a lawsuit filed by a consumer if the business creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology privacy framework.
Scope and Applicability
The OPPA applies to organizations that conduct business in Ohio, or produce products or services targeted to consumers in Ohio, and that meet at least one of the following thresholds:
Have annual gross revenues generated in Ohio that exceed $25 million;
Control or process, during a calendar year, the personal data of 100,000 or more Ohio consumers; or
Derive, during a calendar year, over 50 percent of gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Ohio consumers.
Similar to Colorado and Virginia, the OPPA defines “consumer” more narrowly than California by excluding individuals acting in a “business capacity or employment context.”
Of specific importance for online advertising, the OPPA defines “personal data” as “any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose.” The OPPA then defines “commercial purpose” as “the processing of information for the purpose of obtaining any form of consideration” from either “the person that is the subject of such information” or “any third party.”
The OPPA contains several exemptions, including exemptions for business-to-business transactions, specified governmental agencies and institutions of higher education, activities regulated by the Fair Credit Reporting Act, and data subject to the Children’s Online Privacy Protection Act.
Like the Colorado and Virginia laws, the OPPA contains an exemption relating to the Gramm-Leach-Bliley Act that covers not only data governed by the act but also financial institutions subject to and in compliance with the act. For health care institutions, the OPPA, like the Virginia law, contains a similar “entity-level” exemption for covered entities and business associates subject to HIPAA. In addition, the OPPA contains separate exemptions relating to protected health information and medical information, as well as other information processed in certain research contexts.
The OPPA outlines multiple consumer rights, including rights of access and deletion, as well as a right to opt out of the sale of personal data. A business that sells personal data must provide a “clear and conspicuous notice” that enables the consumer to opt out of the sale of the consumer's personal data. While other states require such notice to be posted on the business’ website, the OPPA gives businesses discretion to decide what constitutes “clear and conspicuous notice.” In addition, businesses are prohibited from discriminating against consumers who exercise their rights under the OPPA.
No Private Right of Action/Affirmative Defense
The OPPA expressly does not contain or create a private right of action. The Ohio Attorney General (OAG) maintains exclusive jurisdiction to enforce the law and has the power to bring an action in a county court of common pleas if the OAG “has reasonable cause to believe that a business has engaged or is engaging in an act or practice that violates the OPPA.” In such an action, the OAG could seek a declaratory judgment, injunctive relief, civil penalties (including triple damages for any knowing or willful violations), or attorney’s fees and investigative costs.
Although such penalties could be severe, the OPPA provides a 30-day cure period before the OAG may initiate an action. The OPPA also contains a significant deviation from prior U.S. privacy laws: a business may assert an affirmative defense against an enforcement action by the OAG or a lawsuit filed by a consumer if the business creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” The OPPA then outlines a list of scalable factors for determining whether the business’ written privacy program complies with the NIST framework, such as the sensitivity of the personal information processed and whether the business complied with any applicable state or federal laws.