New state act would equip consumers with tools to protect privacy of their data

Ohio residents may be gaining new rights in regard to how large businesses use their data and the privacy they can expect.

Ohio Lieutenant Governor Jon Husted, director of Innovate Ohio, recently announced the introduction of the Ohio Personal Privacy Act.

“Federal and state laws do not adequately protect how companies use your personal data and what rights you have to that information,” he said. “Without action in this space on the federal level, it’s important that our state take the lead.”

House Bill 376 would establish data rights for Ohioans while requiring businesses to adhere to specified data standards.

It would primarily apply to businesses with $25 million or more in gross revenue in Ohio or businesses that control or process large amounts of data.

It also encourages Ohio businesses to adopt the National Institute of Standards and Technology (NIST) Privacy Framework as a standard for developing a privacy policy.

“The Ohio Personal Privacy Act implements the necessary tools to keep Ohioans’ data safe and gives them control over their digital presence,” Lt. Governor Husted said.

“The act would establish a list of ‘data rights’ for Ohioans that does not currently exist, such as the ability to have your personal data deleted and a request to businesses to not sell a person’s data. These rights would give Ohioans control over how businesses are using their data and give Ohioans the option to tell businesses to not sell their data.”

Additionally, House Bill 376 includes a list of obligations for businesses to follow, such as posting privacy notices and disclosing where data is being sold.

It includes a list of exemptions for certain businesses, industries and data that already have established data privacy standards, such as through Gramm-Leach-Bliley and HIPAA.

The lieutenant governor was joined by State Representatives Rick Carfagna and Thomas Hall; Carrie Kuruc, deputy director of Innovate Ohio; and Kirk Herath, chair of the CyberOhio advisory board, at a press conference July 13.

“As the youngest member of the Ohio General Assembly, I know that those in my generation have a larger online presence and are more subject to knowingly or unknowingly sharing their personal information to third parties,” Representative Hall said.

“I believe we should provide the tools necessary to empower and inform all Ohioans on understanding and controlling the collection of their data. I’m grateful for the opportunity to work with Lt. Governor Husted and Rep. Carfagna on this important issue.”

The Ohio attorney general would have exclusive authority to enforce the act and no private right of action would exist.

Ohioans who believe their rights are being violated could make a complaint to the attorney general’s office.

After being notified of a potential violation, businesses would have a 30-day right to cure, during which they can fix any potential violations without any further legal action being taken.

“Providing consumers with more control over their data is a good thing for Ohioans,” Ohio Attorney General Dave Yost said.

“I look forward to working with the lieutenant governor and the legislature to ensure this legislation gives my office the tools and resources it needs to accomplish this worthy goal.”

The act also would change Ohio laws so businesses that take reasonable precautions and meet NIST’s industry-recommended standards would be afforded an affirmative defense against legal claims.

To trigger the affirmative defense provision, businesses must create their own data privacy programs that meet the standards specified in the latest version of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.

This affirmative defense encourages businesses to adopt the NIST Privacy Framework that would require all rights and obligations outlined in the bill.

“While Ohio joins over 20 other states that have introduced or passed data privacy legislation, I believe that Ohio’s novel use of the NIST-Privacy framework as the Safe Harbor standard of care makes it the most innovative proposal to date,” Mr. Herath said. “It ushers in the use of a national framework that can be a useful model for other states to begin to build a state-based national and uniform privacy standard, without Congressional action.”

Ohio will join more than 20 other states that have introduced similar data privacy legislation, including Colorado, California and Virginia, which have enacted data privacy standards.