A detailed new privacy framework was launched in Ohio to better protect the privacy of Ohio residents. The Ohio Personal Privacy Act aligns closely with recently introduced laws in Virginia (CDPA) and gives Ohio residents a number of new rights relating to the personal information collected, stored, maintained, and sent by businesses.
Much like Virginia’s CDPA, the Ohio Personal Privacy Act has a limited definition of consumers and doesn’t include persons acting in a business capacity or employment context. Personal information protected by the Ohio Personal Privacy Act is defined as any data that pertains to an identified or identifiable consumer that a business processes for a commercial purpose.
The Ohio Personal Privacy Act applies only to companies that do business in Ohio and satisfy at least one of these criteria:
- Generates yearly gross income above $25 million
- Derives over 50% of gross income from the selling of personal information and processes or manages the personal information of at least 25,000 Ohio customers
- Manages or processes the personal information of 100,000 or more residents of Ohio in a calendar year
There is a lengthy list of exemptions, such as:
- Covered entities and business associates governed by and compliant with HIPAA
- PHI under HIPAA
- Activities controlled by the Fair Credit Reporting Act
- Financial organizations and data governed by the Gramm-Leach-Bliley Act, if compliant
- Data governed by the Children’s Online Privacy Protection Act
- Higher educational organizations
- Business-to-business transactions
- Insurance companies and independent insurance providers
Consumers should be advised regarding how their personal information will be gathered and used. Consumers have the right to access the personal data stored by a company and to have that data erased. Consumers should be advised regarding data collection and processing actions through a clear and obvious notice and are allowed to opt out of the selling of their personal information. Businesses aren’t allowed to discriminate against any person based on the exercise of their rights under the Ohio Personal Privacy Act.
The Ohio Attorney General has the authority to enforce compliance with the Ohio Personal Privacy Act and to take legal action against any covered entity when there is reasonable cause to believe a covered entity has violated the Act. The state Attorney General can obtain a declaratory judgment, civil penalties, and injunctive relief, with three times the damages for knowing violations.
Before any action is taken, a 30-day period will be given to allow all issues to be corrected. Businesses could additionally assert an affirmative defense against an enforcement action by the OAG or a legal action submitted by a consumer, when the business creates, maintains, and complies with a written privacy plan that conforms to the National Institute of Standards and Technology (NIST) privacy framework.
Consumers who believe that their rights under the Ohio Personal Privacy Act were violated aren’t allowed to file lawsuits against a business over any violation.