In the wake of Virginia and Colorado passing comprehensive privacy legislation this year, the Ohio legislature is similarly considering a privacy bill, albeit one that would impose fewer restrictions on businesses and would not include a private right of action. The Ohio Personal Privacy Act (“OPPA”) was introduced yesterday by Republican state Reps. Carfagna, of Delaware County, and Hall, of Butler County, with the backing of Governor DeWine and Lt. Governor Husted. Co-sponsors include Representatives Click, Plummer, Schmidt, Lanese, White, Stewart, Carruthers, and Ginter. The OPPA would give consumers certain rights over their personal data and create new obligations for non-exempt businesses in Ohio. Read on for the details, as well as exclusive comments from those involved in drafting the bill.
Under the OPPA, consumers would have the right to access their personal data and to obtain a copy of certain information in a portable format. Consumers would also have the right to request that a business delete personal data that the business collected from the consumer for commercial purposes and maintains in an electronic format. Additionally, consumers would have the right to request that a business that sells personal data to third parties not sell the consumer’s personal data. Unlike the California Consumer Privacy Act (“CCPA”), the OPPA would not provide consumers with a private right of action. Instead, enforcement would rest with the Ohio Attorney General’s Office (“OAGO”) at its discretion, although consumers could file complaints with the OAGO for purported violations of the OPPA.
The OPPA would apply to entities that: (1) have at least $25 million in gross annual revenues in Ohio; (2) control or process the personal data of 100,000 or more consumers; or (3) over the course of a calendar year derive over fifty percent of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers. There are certain exceptions, including but not limited to institutions of higher education, business-to-business transactions, covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”), and financial institutions and their affiliates governed by the federal Gramm-Leach-Bliley Act (“GLBA”).
Businesses would have an affirmative defense to liability under the OPPA if they create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (“NIST”) Privacy Framework.
CyberOhio, an advisory committee launched by then-Ohio Attorney General Mike DeWine, was involved in drafting the OPPA. CyberOhio is now a branch of InnovateOhio, headed by Lt. Governor Jon Husted. CyberOhio’s Advisory Committee is made up of cybersecurity industry experts and business leaders and is led by Kirk M. Herath, with whom CPW’s Kristin Bryan connected in advance of the OPPA’s introduction.
As Mr. Herath explained, “CyberOhio considered other states’ privacy laws when drafting the OPPA, and attempted to come up with an alternative to the California/CCPA/CPRA model.” In a break from other states, the OPPA explicitly adopts the NIST Privacy Framework as its standard. This was intended, Mr. Herath commented, “to provide a flexible approach that would evolve as technology continues to advance.” Brian Ray, Director of the Center for Cybersecurity and Privacy Protection at Cleveland Marshall Law School, also commented in advance of the OPPA’s introduction that “the OPPA expressly precludes derivative claims, in a deliberate effort to prevent plaintiff’s counsel from attempting an end-run around the statute’s lack of a private right of action.”
For more on this development, stay tuned. CPW will be there to keep you in the loop.