Last month, Ohio Lieutenant Governer Josh Husted announced the Ohio Personal Privacy Act (OPPA), making Ohio the latest in a growing number of US States to introduce privacy legislation.
Like California's CCPA (updated by the CPRA), Virginia's CDPA, and the Colorado Privacy Act, the OPPA is a comprehensive privacy framework that defines new digital privacy rights for Ohio citizens, as well as rules for enforcement and legal action. In this post, we'll break down the Ohio Personal Privacy Act and answer key questions such as who it applies to, and what businesses will need to do to stay compliant if the bill passes.
Who Would the OPPA Apply To?
The rules propsed in the OPPA would apply to any organizations that conduct business in Ohio, or offer goods and services targeted to consumers in Ohio and meet the following requirements
Annual gross revenues generated in Ohio exceed $25 million.
Controls or processes the personal data of 100,000 or more Ohio consumers per year.
Derives more than 50 percent of its gross revenue from the sale of personal data and processes or controls the personal data of 25,000 or more Ohio consumers per year.
How Does the OPPA Define Personal Data?
Similar to Colorado and Virginia, the OPPA defines “consumer” more narrowly than California by excluding individuals acting in a “business capacity or employment context.”
In comparison to broader privacy laws like California's CCPA or Europe's GDPR, the OPPA gives a more narrow definition of what constitutes a "consumer" and "personal data."
Under the OPPA, individuals acting in a "business capacity or employment context" are excluded from the protections proposed in the bill. "Personal data" is defined as any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose." So what is a commercial purpose? The OPPA defines "commercial purpose" as "the processing of information for the purpose of obtaining any form of consideration" from a the data subject, or any third party. That means tracking and targeting for marketing or sales purposes would be considered commercial purpose under the OPPA.
Are There Exemptions to Ohio's Proposed Privacy Law?
The OPPA does contains several exemptions, primarily for data subject to regulation by federal legislation like the Fair Credit Reporting Act, the Children's Online Privacy Protection Act, and the Gramm-Leach-Bliley Act. For the later, exemptions cover not only data governed by the GLBA, but also financial institutions that can prove compliance with the act. A similar exemption exists for health care institutions and business associates subject to HIPAA.
Most notably, under the OPPA businesses will be able to utilize an "affirmative defense" against enforcement action and consumer lawsuits filed by a consumer if the business can prove that it "creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology privacy framework."
What Consumer Rights Exist under OPPA?
The OPPA cpntains multiple consumer rights that will familiar to those following privacy laws, including:
- Right to Access
- Right to Deletion
- Right to opt-out of the sale of personal data
- The Right to know what data a business collects about them
Will the OPPA Require Consent Banners?
Is There a Private Right of Action? What Enforcement Actions Exist Under the OPPA?
Unlike the CCPA, The OPPA does not give consumers a private right of action to seek damages per consumer per incident for data breaches of personal information. Under the OPPA, only the Ohio Attorney General has jurisdiction to enforce the law if the OAG “has reasonable cause to believe that a business has engaged or is engaging in an act or practice that violates the OPPA.” In an enforcement action, the OAG could seek a declaratory judgment, injunctive relief, and civil penalties of up to $5,000 per violation of the law. However, the OPPA will provide a 30-day cure period, during which a business or organization in violation can avoid penalties by remediating issues.
How Ensighten Can Help
The OPPA is just the latest in a string of state laws that bring new rights to consumers while pressing new responsibilities—and penalties—on businesses and marketers. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the OPPA, as well as the CCPA, CPA. CDPA, and GDPR.
Request a demo to see how Ensighten can help your organization meet compliance with the Ohio Personal Privacy Act.
Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.