Ohio Personal Privacy Act (HB 345): What you need to know
Posted: October 12, 2024
The Ohio Personal Privacy Act (HB 345) is one of the many privacy bills currently active across US states. If passed by Ohio’s legislature, the bill will make Ohio one of more than 20 states to have passed comprehensive privacy legislation.
This article explores how HB 345 applies, who’s exempt, what consumer rights the bill provides, and the obligations it would place on businesses operating in Ohio.
Application
HB 345 applies to any business operating in Ohio or targeting products or services to Ohio residents that meets one or more of the following thresholds:
- Annual gross revenues generated in Ohio exceed $25 million.
- During a calendar year, the business controls or processes personal data of 100,000 or more consumers.
- The business derives over 50% of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers.
HB 345 is somewhat unusual in imposing a revenue threshold above which any business must comply with the law. However, unlike a similar provision in California, HB 345 would only take account of revenues generated in Ohio.
Exemptions include:
- State and local government entities.
- Financial institutions and data regulated under the Gramm-Leach-Bliley Act (GLBA).
- Covered entities and business associates governed by HIPAA.
- Institutions of higher education.
- Business-to-business transactions.
- Insurance-related entities and organizations involved in fraud prevention.
The law also exempts personal data processed in compliance with certain laws, including:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Children’s Online Privacy Protection Act (COPPA)
- The Fair Credit Reporting Act (FCRA)
- The Family Educational Rights and Privacy Act (FERPA)
Definitions
Key terms defined under HB 345 include:
- Personal data: Information that is linked or reasonably linkable to an identified or identifiable consumer, excluding publicly available information and deidentified or aggregate data.
- Processing: Any operation or set of operations performed on personal data, including collection, storage, use, disclosure, and deletion.
- Controller: A business that determines the purposes and means of processing personal data.
- Processor: A legal or natural person who processes personal data on behalf of a controller.
- Consent: A clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to the processing of personal data.
The bill also defines “pseudonymous data,” which refers to data that can no longer identify an individual without additional information that is kept separately under strict controls.
Unusually, HB 345 does not define “sensitive data,” although controllers must account for the sensitivity of personal data in certain contexts.
Selling Personal Data and Targeted Advertising
The sale of personal data is defined as the exchange of personal data for monetary or other valuable consideration to a third party. Exceptions to this definition include:
- Disclosures to processors acting on behalf of the controller.
- Transfers to an affiliate of the business.
- Transfers as part of a merger, acquisition, or bankruptcy.
Targeted advertising, which the bill also regulates, is defined as displaying an advertisement to a consumer based on personal data collected over time across nonaffiliated websites or apps. The definition excludes first-party ads based on data from the business’s own website and contextual ads.
Consumer Rights
Ohio consumers under HB 345 are granted the following rights:
- Access: Consumers have the right to know what personal data a business collects about them and to obtain a copy of that data.
- Correction: Consumers can request corrections to inaccuracies in their personal data.
- Deletion: Consumers can request the deletion of their personal data held by a business.
- Opt-out: Consumers can opt out of the sale of their personal data and from having their data used for targeted advertising.
Businesses must comply with these requests within 45 days, with a possible extension of an additional 45 days if necessary. Businesses must also provide clear and accessible methods for consumers to exercise these rights.
Obligations on Controllers
HB 345 imposes several obligations on businesses, including:
- Limiting data collection to what is necessary for specified purposes.
- Implementing reasonable security measures to protect personal data.
- Providing clear and accessible privacy notices that disclose data practices and consumer rights.
- Ensuring that any material changes to data practices are communicated to consumers, who must be given the option to opt out of new practices.
Data Protection Assessments
Businesses must conduct and document Data Protection Assessments (DPAs) for processing activities that pose a heightened risk to consumer privacy, such as targeted advertising or the sale of personal data. The Ohio Attorney General can request access to these assessments during investigations, although the assessments remain confidential.
Obligations on Processors
Processors are required to:
- Assist controllers in complying with the law, including responding to consumer rights requests.
- Implement security safeguards to protect personal data.
- Adhere to binding contracts with controllers that outline the nature and purpose of data processing.
Processors must also ensure that any subprocessors they engage adhere to the same obligations.
Enforcement
The Ohio Attorney General has exclusive authority to enforce the provisions of HB 345.
Before initiating an action, the Attorney General must provide a business with 30 days’ notice to cure any alleged violations. If the violation is not cured, the Attorney General may seek civil penalties of up to $5,000 per violation, along with other remedies.
HB 345 does not create a private right of action, meaning consumers cannot sue businesses directly for violations. Any penalties collected will be used to fund consumer protection efforts within the state.
The law is set to take effect one year after its enactment.