LISTEN NOW: Evolution of Data Controls in the Era of Generative AI

View

An Overview of Ohio’s Personal Privacy Act (OPPA) – House Bill 345

Publicada agosto 15, 2024

I. Introduction

The Ohio Personal Privacy Act (OPPA), designated as House Bill 345, marks a significant legislative development aimed at enhancing the privacy rights of individuals within the state of Ohio. This landmark data privacy bill is designed to empower Ohio residents with greater control over their personal data.

The OPPA introduces strict regulations for businesses with respect to collecting, processing, and sharing data, thereby establishing a more secure environment for personal data.

The OPPA demonstrates Ohio's dedication to bringing state policy into line with the rapidly evolving digital privacy landscape and enabling individuals with the resources they need to safeguard their right to privacy in an increasingly data-driven world.

II. Who Needs to Comply with OPPA

A. Material Scope

The OPPA applies to businesses that operate in Ohio or provide goods or services intended for Ohioan consumers and meet one or more of the following requirements:

  • The business's gross yearly sales in Ohio surpass $25 million;
  • The business controls or processes the personal information of 100,000 or more customers during a calendar year;
  • The business processes or controls the personal data of at least 25,000 consumers, and over 50% of its gross income is derived from the selling of personal data during a calendar year.

The OPPA does not apply to any of the following:

  • Any governmental subdivision of Ohio or any body, authority, board, bureau, commission, district, or agency;
  • A financial institution subject to Title V of the federal Gramm-Leach-Bliley Act and its implementing regulations or data that is an affiliate of a financial institution;
  • A covered entity or business associate subject to the federal Health Information Technology for Economic and Clinical Health Act and the privacy, security, and breach notification regulations published by the US Department of Health and Human Services;
  • An institution of higher education;
  • Business-to-business transactions;
  • Any insurer or independent insurance agent;
  • Any nonprofit organization established to detect or prevent insurance-related crime or fraud;
  • Any advisory organization; and
  • Any rating organization.

B. Exemptions

The following information is exempted under OPPA:

  • Data and records created in accordance with the federal Health Care Quality Improvement Act;
  • Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
  • Data obtained from any healthcare-related data that has been deidentified in compliance with HIPAA's de-identification criteria;
  • Data related to the protection of human subjects under 21 C.F.R. 6, 50, and 56, or personal data used or shared in research that complies with applicable laws;
  • Information and documents created for purposes of the federal "Health Care Quality Improvement Act of 1986;
  • Patient safety work product for purposes of the federal "Patient Safety and Quality Improvement Act;
  • Information used solely for public health activities and purposes as authorized by HIPAA;
  • Information that originates from, is intermingled with, or is treated the same as exempt healthcare information when maintained by a HIPAA-covered entity or qualified service organization under 42 U.S.C. 290dd-2 (substance abuse treatment confidentiality);
  • Consumer credit information as regulated under the federal Fair Credit Reporting Act (FCRA);
  • Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act;
  • Personal data regulated by the federal Family Educational Rights and Privacy Act;
  • Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act;
  • Personal data regulated by the federal Children's Online Privacy Protection Act (COPPA); and
  • Data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of business subject to OPPA, processor, or a related third-party to the extent that the data is collected and used within the context of that role.

III. Definitions of Key Terms

A. Child

Any natural person under thirteen years of age.

A clear affirmative act signifying a freely given, specific, informed, and unambiguous indication of a consumer's agreement to the processing of personal data relating to the consumer, such as by a written statement, including by electronic means, or other course of action that would clearly indicate that consent has been provided.

C. Consumer

A natural person who is a resident of Ohio acting only in an individual or household context. The consumer does not include a natural person acting in a business capacity or employment context, including contractors, job applicants, officers, directors, or owners.

D. Personal Data

Any information that is linked or reasonably linkable to an identified or identifiable consumer and that is processed by a business. Personal data does not include data processed from publicly available sources and de-identified or aggregate data.

E. Deidentified Data

Personal data that has been deidentified using commercially reasonable methods such that a consumer or a device linked to a consumer cannot be reasonably identified.

F. Aggregated Data

Personal data that has been aggregated using commercially reasonable methods such that a consumer cannot be reasonably identified.

IV. Obligations for Organizations Under OPPA

Non-Discrimination Requirements

Businesses must refrain from discriminating against consumers who exercise their consumer rights. However, a business may charge different prices or rates for products or services for valid commercial reasons or as otherwise allowed by the OPPA.

A. Privacy Notice Requirements

A business must provide customers notice about the personal data it processes about them by posting a privacy policy that is easily reasonably accessible, clear, and conspicuously displayed. The privacy policy must include:

  • The name and address of the business, including the individual to contact in regard to privacy and data security concerns, as well as the name of any affiliate to whom the business may transfer personal data;
  • The categories of personal data the business processes;
  • The purposes of processing for each category of personal data;
  • The categories of sources from which the personal data is collected;
  • The purposes of processing for each category of personal data;
  • The categories of sources from which the personal data is collected;
  • The categories of processors with whom the business discloses personal data;
  • If the business sells personal data to third parties, it must publish this information in a clear and noticeable manner, together with the types of third parties to which it sells personal data and the methods by which a consumer may exercise their right to refuse such processing;
  • An overview of the business's data retention practices for personal data and the reasons for such retention;
  • How individuals can exercise their rights;
  • The effective date of the privacy policy;
  • An overview of the method (or methods) by which a business may notify consumers when it chooses to handle personal data for purposes that are inconsistent with its privacy policy or makes significant updates to the privacy policy; and
  • The business’s privacy policy must also include all the reasons why it collects and processes personal data.

When a business decides to process personal data for reasons that are not in line with its privacy policy or makes significant updates to its privacy policy, it must take one of the following actions before processing any further personally identifiable information (PII) that has already been collected:

  • Obtain the impacted consumer’s affirmative consent;
  • Send a notification to the impacted customers explaining the changes to the businesses’ privacy policy and giving them a practical way to opt-out of having their data processed or shared.
  • Considering the nature of the connection between the business and the consumer and the state of technology, notice must be given at least 60 days before the change takes effect.

B. Security Requirements

Businesses must develop, implement, and maintain reasonable administrative, technical, and physical safeguards to ensure the security and privacy of personal data. Additionally, a business may redact some data from its responses to consumers, including social security numbers, bank account numbers, and driver's license numbers, to secure personal data.

V. Data Processor Obligations

When it comes to processing done on behalf of the business, the processor's data processing practices are governed by the terms of their contract with the business. A processor is responsible for the following tasks:

  • Consider the nature of processing and, to the degree practicable, support the business in carrying out its duty to respond to consumer requests by using the appropriate organizational and technological measures.
  • Appropriate administrative, technological, and physical protections should be developed, implemented, and maintained to ensure the security and privacy of the personal data processed by the processor. The protections must be appropriate for the kind, extent, and purpose of the processor's operations and its involvement in processing personal data.
  • Upon request, delete or return all personal data to the business at the conclusion of the contract time unless legally mandated otherwise.
  • If the processor engages a subprocessor to assist the business, the processor should impose requirements on the subprocessor regarding any personal data.

VI. Data Subject Rights

A. Right to Know

A consumer has a right to know the personal data that a business collects about them.

B. Right to Opt-Out

By submitting a verified request, a consumer, or the parent or guardian of a known kid acting on the child's behalf, may at any moment request to opt-out of processing.

C. Right to Portability

A consumer may request a copy of the personal data they previously submitted electronically to the business in a portable and, to the extent that is technically possible, easily readable format.

D. Right to Correct Inaccuracies

A consumer has the right to request that the business correct inaccuracies in the personal data previously provided to it.

E. Right to Delete

A consumer has the right to request the business to delete any personal data that has been obtained from them and is stored with the business in an electronic format.

F. Right Not to Sell

A consumer has the right to request that a business not sell their personal data.

G. Right Not to be Subject to Targeted Advertising

A consumer has the right to request that a business not sell or process their personal data for the purpose of targeted advertising.

Additional Considerations for Businesses

  • A consumer has the right to request that businesses not use their personal data for targeted advertising.
  • Businesses are not allowed to sell the personal data of a known child that they have obtained online unless they abide by the requirements or exceptions outlined in the Children's Online Privacy Protection Act (COPPA).
  • A business must provide consumers with at least one of the following ways to submit requests:
    • A toll-free telephone number;
    • An electronic mail address;
    • A web form;
    • A clear and conspicuous link on the businesses’ main internet homepage to an internet webpage that enables a consumer to exercise rights.
  • Businesses must comply with a verified consumer request within 45 calendar days of the request.
  • A business may extend the time to respond to a request by 45 calendar days if there is reasonable cause and the consumer is notified of the reason for the delay. However, such a delay must not be utilized more than once per request.
  • When a consumer requests to opt-out, the business must reasonably notify its processors or other third parties and ask them to abide by the request.

It is important to note that consumer rights do not apply to pseudonymous data if identifiable information is kept separate and secure.

VII. Exemptions and Limitations

This law does not apply to the extent necessary for a business or processor to do any of the following:

  • Comply with other applicable laws, asserting or defending legal claims, or cooperating with government authorities or investigations.
  • Prevent, detect, or respond to security incidents, fraud, or illegal activities and preserving system security.
  • Conduct public interest research, provided it adheres to ethics and privacy laws.
  • Assist other businesses or processors in fulfilling obligations.
  • Provide products or services requested by consumers or fulfilling contracts.
  • To defend an interest that is vital to the consumer's or another natural person's life or physical safety, and if another legal basis cannot justify the processing.
  • Conduct internal research to identify, improve, or repair products, services, or technology, including technical errors that impair existing or intended functionality, or undertake internal operations reasonably aligned with the consumer’s expectations for the performance of a service or provision of a product.

VIII. Regulatory Authority

The Attorney General has exclusive authority to enforce the OPPA. If the Attorney General has reasonable cause to believe that a business or processor has engaged in or is currently engaging in an act or practice that violates the OPPA, either through their own inquiries or because of complaints, they may file a lawsuit in this state's court of common pleas, requesting any or all of the following relief:

  • A declaratory judgment that the act or practice violates OPPA’s requirements;
  • Injunctive relief, including preliminary and permanent injunctions, to prevent further violations of and compel compliance with OPPA’s requirements;
  • Civil penalties;
  • Attorneys' fees and investigative costs;
  • Any other relief the court determines appropriate.

The Attorney General must provide a business or processor thirty days' written notice before filing any action, describing the particular requirements that the Attorney General claims have been or are being violated.

However, the Attorney General shall not bring any legal action against the business or processor if, within the thirty-day period, the business or processor corrects the violation and submits to the Attorney General a clear written statement stating that the alleged violations have been resolved and that no more of the same kind of violations will happen.

IX. Penalties for Non-Compliance

Upon the expiration of the cure period, if a business or processor persists in violating a representation made in the written statement or violates an express written statement that was provided to the Attorney General, the Attorney General may file a lawsuit and pursue civil penalties equal to $5,000 for each infraction.

Regardless of whether any real damages were incurred, the court may provide relief to each identified impacted consumer in an amount not to exceed $750 per violation, with a minimum award of $100. In the event that the court determines that the processor or business intentionally or knowingly violated the OPPA requirements, the judgment might be doubled at its discretion.

X. How an Organization Can Operationalize OPPA

Organizations can operationalize Ohio’s Personal Privacy Act (OPPA) by:

  • Establishing clearly defined policies and procedures for processing data in compliance with OPPA’s provisions;
  • Developing clear and accessible understandable privacy notices that comply with OPPA’s requirements;
  • Obtaining explicit consent from users before processing their personal data;
  • Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
  • Train employees who handle the consumers’ data on the organization's policies and procedures and the OPPA's requirements.

XI. How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with Ohio’s Personal Privacy Act (OPPA) by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.

Compartir

Suscríbase a nuestro boletín

Obtenga toda la información más reciente, actualizaciones de leyes y más en su bandeja de entrada

What's
New