Tuesday, July 20, 2021

Ohio Legislators Introduce the Latest Comprehensive State Data Privacy Bill

The data privacy legal landscape grows steadily more complicated as more states take steps to occupy the void created by the absence of a much-needed federal statute.

Just last week, I noted in a post to the Free State Foundation's blog that Colorado had become the third state, after California and Virginia, to adopt comprehensive data privacy legislation. (Please click here and here for Perspectives from FSF Scholars addressing the two laws passed in California and here for a blog post describing the Virginia Consumer Data Protection Act.)

And now it appears that Ohio could be next.

Introduced on July 12, the Ohio Personal Privacy Act (OPPA) is a product of Governor Mike DeWine's InnovateOhio technology initiative, which is led by Lieutenant Governor Jon Husted.

Considered in isolation, the OPPA includes a number of relatively palatable provisions. Indeed, commenters have characterized the OPPA as a bill "that would impose fewer restrictions on businesses" and "more limited in scope than other state data protection laws that recently have been enacted."

Most notably, the OPPA expressly rejects a private right of action: "Any violation of this chapter shall not serve as the basis for, or be subject to, a private right of action, including a class action lawsuit, under this chapter or under any other law." The Ohio Attorney General's Office would have "exclusive authority" to enforce the OPPA.

It also would (1) provide businesses with a 30-day opportunity to cure alleged violations, and (2) create an affirmative defense to liability for any business that "creates, maintains, and complies with a written privacy program that reasonably conforms to" the Privacy Framework promulgated by the National Institute of Standards and Technology (NIST).

With some exceptions, the OPPA generally would cover those businesses that (1) earn at least $25 million in gross annual revenues within Ohio, (2) control or process the personal information of at least 100,000 consumers, or (3) derive more than half of their gross revenues from the sale of data and process/control the data of at least 25,000 consumers.

Businesses would be required to make available "a reasonably accessible, clear, and conspicuously posted privacy policy" that, among other things, details (1) the categories of personal information processed, and (2) the reasons for collecting or selling that data.

Where a business seeks to make a material change to its privacy policy, it would have the option to (1) obtain prior affirmative consent from affected consumers or (2) provide them with notice and "a reasonable means to opt out."

The OPPA would empower consumers in a number of ways, such as by establishing a right to know what personal information is collected, a right to request a copy of that information once during a twelve-month period, a right to demand that the data be deleted, and a right to prohibit its sale.

As Carrie Kuroc, deputy director of InnovateOhio, recently explained, "[o]ur goal isn't to copy, we want to lead. We wanted to craft privacy legislation that other states and the federal government can use as a model."

The big-picture problem with that goal, of course, is that the passage of yet another unique state law, regardless of the particulars of its approach, would serve to further confuse consumers as to their rights and exacerbate the compliance challenge for businesses.

The only solution to this increasingly complicated legal scenario is a comprehensive federal data privacy statute. Specifically, one that requires adequate consumer disclosures, establishes reasonable individual rights, embraces an "opt out" approach for non-sensitive personal information, treats all businesses equally, preempts state laws, and rejects a private right of action in favor of exclusive FTC enforcement.

In a July 16 letter to President Biden, four Republican lawmakers – Senators Roger Wicker (MS) and Marsha Blackburn (TN) and Representatives Cathy McMorris Rodgers (WA) and Gus Bilirakis (FL) – "urge[d him] to prioritize comprehensive data privacy legislation as part of [his] Administration's agenda."