(COLUMBUS, Ohio)—Ohio Lt. Governor Jon Husted, Director of InnovateOhio, today was joined by State Representative Rick Carfagna (R-Genoa Twp.); State Representative Thomas Hall (R-Madison Twp.); Deputy Director of InnovateOhio Carrie Kuruc; and Chair of the CyberOhio Advisory Board Kirk Herath for a press conference to announce the introduction of landmark data privacy legislation.
House Bill 376, also known as the Ohio Personal Privacy Act, would establish data rights for Ohioans while requiring businesses to adhere to specified data standards. It would primarily apply to businesses with $25 million or more gross revenue in Ohio or businesses that control or process large amounts of data. It also encourages Ohio businesses to adopt the National Institute of Standards and Technology (NIST) Privacy Framework as a standard for developing a privacy policy.
“Federal and state laws do not adequately protect how companies use your personal data and what rights you have to that information,” Lt. Governor Husted said. “Without action in this space on the federal level, it’s important that our state take the lead. The Ohio Personal Privacy Act implements the necessary tools to keep Ohioans’ data safe and gives them control over their digital presence.”
OPPA would establish a list of “data rights” for Ohioans that does not currently exist, such as the ability to have your personal data deleted and a request to businesses to not sell a person’s data. These rights would give Ohioans control over how businesses are using their data and give Ohioans the option to tell businesses to not sell their data.
“In the absence of a comprehensive federal policy on the collection and use of personal information, Ohio has an opportunity to position itself as a technology leader on multiple fronts,” said Rep. Carfagna. “House Bill 376 (the Ohio Personal Privacy Act) will balance reasonable privacy standards to protect Ohioans with less bureaucracy and regulation on businesses. I’m thrilled to work with my joint-sponsor State Rep. Thomas Hall, Lt. Governor Husted and Attorney General Yost to create what we believe will serve as a national model for data privacy.”
Additionally, House Bill 376 includes a list of obligations for businesses to follow, such as posting privacy notices and disclosing where data is being sold. It also includes a list of exemptions for certain businesses, industries, and data that already have established data privacy standards, such as through Gramm-Leach-Bliley and HIPAA.
“As the youngest member of the Ohio General Assembly, I know that those in my generation have a larger online presence and are more subject to knowingly or unknowingly sharing their personal information to third parties,” said. Rep. Hall. “I believe we should provide the tools necessary to empower and inform all Ohioans on understanding and controlling the collection of their data. I’m grateful for the opportunity to work with Lt. Gov. Husted and Rep. Carfagna on this important issue.”
The Ohio Attorney General would have exclusive authority to enforce OPPA and no private right of action would exist. Ohioans who believe that their rights are being violated under OPPA could make a complaint to the Ohio Attorney General’s Office. After being notified of a potential violation, businesses would have a 30-day right to cure where they can fix any potential violations without any further legal action being taken.
“Providing consumers with more control over their data is a good thing for Ohioans,” said Ohio Attorney General Dave Yost. “I look forward to working with the Lieutenant Governor and the Legislature to ensure this legislation gives my office the tools and resources it needs to accomplish this worthy goal.”
OPPA would also change Ohio laws so that businesses that take reasonable precautions and meet NIST’s industry-recommended standards would be afforded an affirmative defense against legal claims. To trigger the affirmative defense provision, businesses must create their own data privacy programs that meet the standards specified in the latest version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. This affirmative defense encourages businesses to adopt the NIST Privacy Framework that would require all rights and obligations outlined in the bill.
“While Ohio joins over 20 other states that have introduced or passed data privacy legislation, I believe that Ohio’s novel use of the NIST-Privacy framework as the Safe Harbor standard of care makes it the most innovative proposal to date,” said Kirk Herath. “It ushers in the use of a national framework that can be a useful model for other states to begin to build a state-based national and uniform privacy standard, without Congressional action.”
With today’s announcement, Ohio will join over 20 other states that have introduced similar data privacy legislation, including Colorado, California (CCPA) and Virginia (CDPA) who have enacted data privacy standards.
