Carfagna, Hall Introduce Data Privacy Legislation in Ohio

July 26, 2021

Two Ohio state representatives have introduced legislation aimed at protecting data privacy by creating standards for the handling of data by businesses.

Rick Carfagna (R-Genoa Township) and Thomas Hall (R-Madison Township) introduced House Bill 376, known as the Ohio Personal Privacy Act (OPPA). It would establish data rights for Ohioans while requiring businesses to adhere to specified data standards, according to a statement released by Carfagna.

It would primarily apply to businesses with $25 million or more in gross revenue in Ohio or businesses that control or process large amounts of data.

It also encourages Ohio businesses to adopt the National Institute of Standards and Technology (NIST) Privacy Framework as a standard for developing a privacy policy.

OPPA would establish a list of “data rights” for Ohioans that does not currently exist, such as the ability to have their personal data deleted and to request that businesses not sell their data. These rights would give Ohioans control over how businesses are using their data and give Ohioans the option to tell businesses to not sell their data.

Additionally, the bill includes a list of obligations for businesses to follow, such as posting privacy notices and disclosing where data is being sold. It also includes a list of exemptions for certain businesses, industries, and data that already have established data privacy standards, such as through Gramm-Leach-Bliley and HIPAA.

The Ohio Attorney General would have exclusive authority to enforce OPPA and no private right of action would exist.

Ohioans who believe that their rights are being violated under OPPA could make a complaint to the Ohio Attorney General’s Office. After being notified of a potential violation, businesses would have a 30-day right to cure, during which they can fix any potential violations without any further legal action being taken.

OPPA would also change Ohio laws so that businesses that take reasonable precautions and meet NIST’s industry-recommended standards would be afforded an affirmative defense against legal claims. To trigger the affirmative defense provision, businesses must create their own data privacy programs that meet the standards specified in the latest version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. This affirmative defense encourages businesses to adopt the NIST Privacy Framework, which would require all rights and obligations outlined in the bill.

Ohio joins over 20 other states that have introduced similar data privacy legislation, including California (CCPA) and Virginia (CDPA), which have enacted data privacy standards.
