Today the sponsor of an Ohio privacy bill announced he was resigning to pursue a position with the Ohio Chamber of Commerce—an unexpected development. Recall that the Ohio Personal Privacy Act (the “OPPA”) was introduced in September 2021 by Republican state Reps. Carfagna and Hall, of Butler County, with the backing of Governor DeWine and Lt. Governor Husted. Four hearings on the bill were held in the fall, although the House Government Oversight Committee ultimately held the bill when they met on December 9, 2021.
The OPPA gives consumers certain rights pertaining to their data and creates new obligations for non-exempt businesses in Ohio. Under the OPPA, consumers would be allowed to access their personal data and obtain a copy of certain information in a portable format. Consumers would also have the right to request that a business delete personal data that the business has collected from the consumer for commercial purposes and that the business maintains in an electronic format. Under the OPPA consumers would have a right to request that a business that sells personal data to third parties not sell the consumer’s personal data. Unlike the California Consumer Privacy Act (“CCPA”), the OPPA would not provide consumers with a private right of action. Instead, enforcement is at the discretion of the Ohio Attorney General’s Office (“OAGO”) (although consumers may file complaints with OAGO for purported violations of the OPPA).
The OPPA would apply to entities: (1) with at least $25 million in gross annual revenues in Ohio, (2) those that control or processes the personal data of 100,000 or more consumers, or (3) that over the course of a calendar year derive over fifty per cent of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers. There are certain exceptions, including but not limited to institutions of higher education, business to business transactions, a covered entity or business associate under the Health Insurance Portability and Accountability Act, and a financial institution or an affiliate of a financial institution governed by the federal Gramm Leach-Bliley Act. Businesses would have an affirmative defense to liability under the OPPA if they create, maintain, and comply with a written privacy program that reasonably conforms to the national institute of standards and technology (“NIST”) privacy framework.
With Rep. Carfagna’s resignation, the future of the OPPA (which has support across party lines and within the Governor’s office) is uncertain. For more on this, stay tuned.