What is The Ohio Personal Privacy Act (OPPA)? Ohio's Proposed Privacy Regulation

Last month, Ohio  Lieutenant Governer Josh Husted announced the Ohio Personal Privacy Act (OPPA), making Ohio the latest in a growing number of US States to introduce privacy legislation.

Like California's CCPA (updated by the CPRA), Virginia's CDPA, and the Colorado Privacy Act,  the OPPA is a comprehensive privacy framework that defines new digital privacy rights for Ohio citizens,  as well as rules for enforcement and legal action. In this post, we'll break down the Ohio Personal Privacy Act and answer key questions such as who it applies to, and what businesses will need to do to stay compliant if the bill passes. 

Who Would the OPPA Apply To?

The rules propsed in the OPPA would apply to any organizations that conduct business in Ohio, or offer goods and services targeted to consumers in Ohio and meet the following requirements

• Annual gross revenues generated in Ohio exceed $25 million.

• Controls or processes the personal data of 100,000 or more Ohio consumers per year.

• Derives more than 50 percent of its gross revenue from the sale of personal data and processes or controls the personal data of 25,000 or more Ohio consumers per year.

How Does the OPPA Define Personal Data?

Similar to Colorado and Virginia, the OPPA defines “consumer” more narrowly than California by excluding individuals acting in a “business capacity or employment context.”

In comparison to broader privacy laws like California's CCPA or Europe's GDPR, the OPPA gives a more narrow definition of what constitutes a "consumer" and "personal data." 

Under the OPPA, individuals acting in a "business capacity or employment context" are excluded from the protections proposed in the bill. "Personal data" is defined as any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose." So what is a commercial purpose? The OPPA defines "commercial purpose" as "the processing of information for the purpose of obtaining any form of consideration" from a the data subject, or any third party. That means tracking and targeting for marketing or sales purposes would be considered commercial purpose under the OPPA. 

Are There Exemptions to Ohio's Proposed Privacy Law?

The OPPA does contains several exemptions, primarily for data subject to regulation by federal legislation like the Fair Credit Reporting Act, the Children's Online Privacy Protection Act, and the Gramm-Leach-Bliley Act. For the later, exemptions cover not only data governed by the GLBA, but also financial institutions that can prove compliance with the act. A similar exemption exists for health care institutions and business associates subject to HIPAA.

Most notably, under the  OPPA businesses will be able to utilize an "affirmative defense" against enforcement action and consumer lawsuits filed by a consumer if the business can prove that it  "creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology privacy framework." 

What Consumer Rights Exist under OPPA? 

The OPPA cpntains multiple consumer rights that will familiar to those following privacy laws, including: 

• Right to Access
• Right to Deletion
• Right to opt-out of the sale of personal data
• The Right to know what data a business collects about them

Will the OPPA Require Consent Banners?

Most privacy frameworks, like the GDPR and CCPA, require a consent banner to be posted on  a website, either informing a consumer of the information collected, or giving them the option to opt-out of tracking altogether.  The OPPA, however, gives businesses a wider berth. According to the OPPA, businesses must "provide consumers notice about the personal data that it processes about the consumer by providing a reasonably accessible, clear, and conspicuously posted privacy policy." Whether that means a privacy notice must be unavoidable, such as a consent notice banner, or if a link present on a websites header or footer would suffice is yet to be seen. 

Is There a Private Right of Action? What Enforcement Actions Exist Under the OPPA?

Unlike the CCPA, The OPPA does not give consumers a private right of action to seek damages per consumer per incident for data breaches of personal information. Under the OPPA, only the Ohio Attorney General has  jurisdiction to enforce the law if the OAG “has reasonable cause to believe that a business has engaged or is engaging in an act or practice that violates the OPPA.” In an enforcement action, the OAG could seek a declaratory judgment, injunctive relief,  and civil penalties of up to $5,000 per violation of the law. However, the OPPA will provide a 30-day cure period, during which a business or organization in violation can avoid penalties by remediating issues. 

How Ensighten Can Help

The OPPA is just the latest in a string of state laws that bring new rights to consumers while pressing new responsibilities—and penalties—on businesses and marketers. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with the OPPA, as well as the CCPA, CPA. CDPA, and GDPR.

With Ensighten Consent Management Plus (CMP+), you can set up geo-targeted opt-out of sale links for Ohio consumers and give your customers a clear-cut choice on how their data is used, or whether it is collected. A simple line of JavaScript added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or 3^rd party tags.

Request a demo to see how Ensighten can help your organization meet compliance with the Ohio Personal Privacy Act.