Carfagna, Hall Introduce the Ohio Personal Privacy Act
COLUMBUS – State Reps. Rick Carfagna (R-Genoa Township) and Thomas Hall (R-Madison Twp.) today hosted a press conference with Lt. Gov. Jon Husted to announce the introduction of House Bill 376, landmark data privacy legislation.
The measure, known as the Ohio Personal Privacy Act (OPPA), would establish data rights for Ohioans while requiring businesses to adhere to specified data standards. It would primarily apply to businesses with $25 million or more in gross revenue in Ohio or businesses that control or process large amounts of data. It also encourages Ohio businesses to adopt the National Institute of Standards and Technology (NIST) Privacy Framework as a standard for developing a privacy policy.
“In the absence of a comprehensive federal policy on the collection and use of personal information, Ohio has an opportunity to position itself as a technology leader on multiple fronts,” commented Rep. Carfagna. “House Bill 376 (the Ohio Personal Privacy Act) will balance reasonable privacy standards to protect Ohioans with less bureaucracy and regulation on businesses. I’m thrilled to work with my joint-sponsor State Rep. Thomas Hall, Lt. Governor Husted and Attorney General Yost to create what we believe will serve as a national model for data privacy.”
OPPA would establish a list of “data rights” for Ohioans that do not currently exist, such as the ability to have their personal data deleted and to request that businesses not sell their data. These rights would give Ohioans control over how businesses are using their data and give Ohioans the option to tell businesses to not sell their data.
“As the youngest member of the Ohio General Assembly, I know that those in my generation have a larger online presence and are more subject to knowingly or unknowingly sharing their personal information to third parties,” said Hall. “I believe we should provide the tools necessary to empower and inform all Ohioans on understanding and controlling the collection of their data. I’m grateful for the opportunity to work with Lt. Gov. Husted and Rep. Carfagna on this important issue.”
Additionally, the bill includes a list of obligations for businesses to follow, such as posting privacy notices and disclosing where data is being sold. It also includes a list of exemptions for certain businesses, industries, and data that already have established data privacy standards, such as through Gramm-Leach-Bliley and HIPAA.
The Ohio Attorney General would have exclusive authority to enforce OPPA and no private right of action would exist. Ohioans who believe that their rights are being violated under OPPA could make a complaint to the Ohio Attorney General’s Office. After being notified of a potential violation, businesses would have a 30-day right to cure where they can fix any potential violations without any further legal action being taken.
OPPA would also change Ohio laws so that businesses that take reasonable precautions and meet NIST’s industry-recommended standards would be afforded an affirmative defense against legal claims. To trigger the affirmative defense provision, businesses must create their own data privacy programs that meet the standards specified in the latest version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. This affirmative defense encourages businesses to adopt the NIST Privacy Framework that would require all rights and obligations outlined in the bill.
With today’s announcement, Ohio will join over 20 other states that have introduced similar data privacy legislation, including California (CCPA) and Virginia (CDPA), which have enacted data privacy standards.