Ohio Personal Privacy Act: What Marketers and Advertisers Need to Know

Much has been made about 2023 being the year of reckoning for privacy regulations in the United States, with five states having new regulations go into effect. Beyond these five states (California, Virginia, Colorado, Utah, and Connecticut), several more have active bills making their way through state legislatures. Today we’ll take a look at Ohio’s proposed privacy bill, the Ohio Personal Privacy Act, to compare with the requirements already in place from regulations in effect and evaluate what businesses operating in Ohio should begin considering for their data privacy strategy. 

What businesses are in scope for the Ohio Personal Privacy Act?

Like other State U.S. privacy legislation, the Ohio Personal Privacy Act (OPPA) has minimum thresholds a business must surpass before being in scope to legally comply with the regulation. 

The bill applies to a business that conducts business in Ohio, or whose products or services target consumers in Ohio, and that meet any of the following criteria:

• Gross annual revenues generated in this state (Ohio) exceeds $25 million;
• Controls or processes personal data of 100,000 or more consumers during a calendar year;
• During a calendar year, derives more than 50% of gross revenue from:
  • The sale of personal data and
  • Processes or controls personal data of 25,000 or more consumers

Consumers in the context of the OPPA are people who are Ohio residents operating in an individual or household context. 

What data is addressed by the regulation?

Rights and protections are afforded to consumers with respect to their “Personal Data” as defined by the OPPA. Personal data in the context of the regulation is “any information that is linked or is reasonably linkable to an identified or identifiable consumer and that is processed by a business for a commercial purpose. Personal data does not include data processed from publicly available sources or pseudonymized, deidentified, or aggregate data”.

What rights do consumers have with respect to their personal data?

The OPPA affords consumers five specific rights with respect to their personal data. Those five rights are:

1. Consumers’ right to know what personal data is collected about them
2. Consumers’ right to request personal data collected about them
3. Consumers’ right to have their personal data deleted
4. Consumers’ right to have their personal data corrected
5. Consumers’ right to prohibit the sale of their personal data 
   • This right includes both the right to request:
     • That the business not sell the consumer’s personal data;
     • That the business not process the consumer’s personal data for the purpose of targeted advertising

What does this mean for my business?

For starters, you’ll need to know all of the personal data that is being collected, where it is flowing, with whom it is being shared/sent, and for what purposes it is being used. This data auditing and mapping activity will bring to light all of the data processing and both form the foundation of your compliance program, as well as provide key inputs with which to design your data strategy moving forward. 

Need help getting started? Reach out to us to discuss a Compliance Audit today!

Once all personal data processing has been mapped out, you can then begin putting practices in place to ensure each of the rights afforded to consumers is being properly addressed. 

Let’s go through each of those rights, the requirements, and how you can use your data inventory and map to address each.

Consumers’ right to know what personal data is collected about them

For this, you will need to disclose to users what personal data is being processed in an accessible and easy-to-understand way via a conspicuously posted privacy policy. Specific requirements to include as outlined in the OPPA are as follows:

• The identity and the contact information of the business, including the business’s contact for privacy and data security inquiries, and the identity of any affiliate to which personal data may be transferred by the business;
• The categories of personal data the business processes;  
• The purposes of processing each category of personal data;  
• The categories of sources from which the personal data is collected;  
• The categories of processors with whom the business discloses personal data;  
• Whether or not the business sells personal data to third parties and, if the business makes such sales, the categories of third parties to whom the business sells personal data, and how a consumer may exercise the right to opt out of such processing;  
• A description of the business’s data retention practices for personal data and the purposes for such retention;  
• How individuals can exercise their personal data rights;  
• The effective date of the privacy policy;  
• A description of the mechanism or mechanisms a business can use to notify consumers when it makes a material change to its privacy policy or decides to process personal data for purposes incompatible with the privacy policy.

Consumers’ right to request personal data collected about them

Upon receiving a verifiable request from a consumer, you must provide them with the personal data that they previously provided to the business electronically in a portable and, to the extent technically feasible, readily usable format. The provided information should cover the most recent 12-month period of personal data collected. 

To be able to address this right, it is important to design any locations where customer personal data is stored in such a way as to easily identify and provide the data in these formats.

Consumers’ right to have their personal data deleted

Upon a verifiable consumer request, a business must be able to delete the personal data collected from the requesting consumer. Again, this makes the design of systems housing personal data extremely important for your privacy program. 

Important to note: The business is not required to delete personal data that is maintained or used as aggregated, deidentified, or pseudonymous data so long as that data is not linked to a specific consumer. This highlights the need for a design of customer data storage that can allow this aggregated data to be maintained in the absence of linked personal data. 

Consumers’ right to have their personal data corrected

Upon a verifiable consumer request, you must correct inaccurate consumer data with accurately provided information from the consumer. 

Consumers’ right to prohibit the sale of their personal data 

1. • This right includes both the right to request:
     • That the business not sell the consumer’s personal data;
     • That the business not process the consumer’s personal data for the purpose of targeted advertising

The ability to support compliance with this right is probably the most consequential in the context of marketing and advertising. This right allows users to opt-out of the processing of their personal data for many advertising use cases. Central to this is the ability to opt out of “targeted advertising”. As defined by the OPPA, “targeted advertising” means:

• Displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests. “Targeted advertising” does not include any of the following: 
  • Advertising to a consumer in response to the consumer’s request for information or feedback;  
  • Advertisements based on activities within a business’s or processor’s own websites or online applications;  
  • Advertisements based on the context of a consumer’s current search query, visit to a website, or online application;  
  • Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

This means that any targeting being done without first-party data would need to cease upon the opt-out of the user. 

A notable difference between the OPPA and other state legislation like the California Privacy Protection Act (CCPA) is the obligation for where the user’s ability to opt-out is located. In Ohio’s bill, the opt-out mechanism needs to be made available within the website’s privacy notice. Contrast this with the CCPA requirement for the disclosure of the sale or sharing of personal information and the ability to opt-out to be provided on every page of the website. This will likely result in a very small proportion of consumers actually exercising their opt-out rights in Ohio. 

What are the penalties for non-compliance?

The OPPA grants the Attorney General of Ohio the exclusive authority to enforce the provisions outlined. Initially $250,000 will be appropriated to a consumer protection enforcement fund which will provide the funding for investigations of businesses thought to be in violation. For each violation identified, a civil penalty of up to $5,000 can be levied by the Attorney General. In addition, the court can additionally award between $100 and $750 to each identified consumer affected by a violation. These individual awards can as much as triple if the business is found to have willfully or knowingly committed the violation. Importantly, no privacy right of action is provided by the bill. 

Also notable with respect to penalties is that there is a 30-day cure period where businesses will have the ability to address and remediate any cited violations before a final enforcement action would be brought. There are also limitations to the information which can be publicly released by the Attorney General about businesses that are being investigated and/or found to be in violation. 

So where should our business start?

As mentioned at the start, the Ohio Personal Privacy Act is still an active bill in the Ohio State Legislature and not yet been passed nor is it in effect. That said, it is important to understand these requirements as you begin to design your United States privacy program and data strategy. For general privacy program development and data strategy, start with the aforementioned data inventory and compliance audit to surface all personal data collection and how it flows through your organization. From there you can begin ensuring all activities are properly disclosed and access/correction/deletion rights are able to be addressed. Finally for opt-out rights, make sure that the architecture is in place to both accept verifiable requests from consumers and adhere to them with a consent management architecture. 

The rise of privacy regulations in the United States should be looked at as an opportunity. Both for the privacy expectations of users to finally be codified, as well as for your business to take a step back and reevaluate data practices through the lens of privacy. As you inventory data, it is very likely that you will identify areas that make sense to cut and efficiencies that can be gained. By making your approach to data strategy privacy-centric, you’re able to set yourself up for success in the new environment. Taking all U.S. state regulations into account, including those still in active discussions, will help to provide some guardrails and guidance for the actions to take and provisions to put in place.