Ohio Lawmakers Seek Privacy Bill That's 'Just Right'
Ohio should be firm but fair with businesses on privacy, Republican sponsors of a comprehensive state bill said Tuesday. Ohio House Government Oversight Committee members questioned sponsors but didn’t vote at HB-376’s first hearing. In July, Lt. Gov. Jon Husted (R) unveiled the bill, which would apply to businesses with at least $25 million in revenue in the state (see 2107130049). Consumer Reports (CR) raised concerns that the bill won’t adequately protect users. Minnesota also weighed privacy legislation this week.
Ohio’s bill could be the fourth state privacy law after California, Virginia and Colorado. HB-376 would give no private right of action. It would set up a mechanism for consumers to make complaints to the attorney general's office, the law’s sole enforcer. It would allow businesses a 30-day right to cure possible violations and give enhanced legal protection for organizations that adopt the National Institute of Standards and Technology privacy framework.
“We intend to be firm, but we want to be fair,” said Rep. Rick Carfagna (R) at the meeting livestreamed from Columbus. “We’re here to be reasonable, and we want to ensure that not only are Ohioans in control of their data but that businesses and affected organizations are on a pathway to compliance before any enforcement action is taken.” California’s privacy law is more heavy-handed, while Virginia is at the other end of the spectrum, said Carfagna: Ohio wants to be “just right” and a model for other states and a federal approach. Co-sponsor Rep. Thomas Hall (R) echoed, “Let’s be firm but fair.”
State relief shouldn’t exceed what federal law provides, and Ohio should exempt entities subject to federal privacy laws, said Rep. Bill Seitz (R). “The last thing you want to do is create a patchwork of state laws that is inconsistent with federal laws and create regulatory obstacles for companies that have to navigate the law in 50 states.” Ohio’s bill defers to existing privacy frameworks including Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA), but Congress hasn’t made a comprehensive law, replied Carfagna: “In the absence of that, you really are going to have the Wild West with states doing what they deem appropriate.”
Ranking member Bride Rose Sweeney (D) asked why sponsors chose a $25 million threshold. Carfagna doesn’t want to target “mom-and-pop” shops but instead large businesses “warehousing very large volumes of personal data and potentially selling that to others.” He said “a lot of people ... may not avail themselves” of rights provided by the bill because they like the personalization that businesses provide by collecting data. Sweeney asked how consumers will understand what data is being collected and how it will be used. Carfagna said the bill would require companies to make information accessible, including through a toll-free number, email address and web form.
HB-376 “would provide Ohio residents with some rights regarding their personal data, but it is not as extensive as the California Privacy Rights Act, the Colorado Privacy Act and the Virginia Consumer Data Protection Act,” emailed Husch Blackwell attorney David Stauss. For example, he said, Ohio’s bill as introduced doesn’t “require a universal opt out mechanism, which is required by the Colorado Privacy Act and is currently being discussed in the Virginia working group meetings,” and it lacks “a right to opt out of targeted advertising.”
“The bill in its current form would do little to protect Ohioans’ personal data,” emailed CR Senior Policy Analyst Maureen Mahoney. “Unlike laws in California and Colorado, the bill would not require businesses to honor browser privacy signals as opt outs, so consumers would have to reach out to hundreds if not thousands of different companies to stop the sale of their data.” An exemption for pseudonymous data “means that consumers would not be able to stop the disclosure of much of the data used for ad tracking,” she said: The NIST framework might be “useful as an internal protocol for assessing privacy issues within a company” but doesn’t give “clear guidance as to what companies can or cannot do with personal data, and as such is inappropriate as a safe harbor from legislative protections.”
Minnesota
The Minnesota House Commerce Committee held an information session Monday on that state’s privacy bill (HF-1492), which would be enforced by the AG office. Companion SF-1408 is pending in the Senate Commerce Committee. “We’re doing our best to make sure businesses don’t end up with a 50-state hodgepodge of completely unrelated data privacy bills,” said Rep. Steve Elkins (Democratic-Farmer-Labor). “We are trying to create a common framework of as many states as possible.”
Minnesota lawmakers should know that “as more states look to enact their own privacy regimes and as the patchwork of laws nationwide continues to grow, compliance costs will continue to mount -- hitting smaller and medium-sized businesses the most,” warned TechNet in written testimony. The State Privacy and Security Coalition cautioned the state not to include a private right of action like in California. “The practical realities of enforcement created significant unintended consequences for businesses while also failing spectacularly to help actual consumers,” wrote the coalition’s attorney Anton van Seventer of DLA Piper.
It’s good that HF-1492 “would prohibit charging consumers more for exercising their rights under the law,” CR’s Mahoney told us. “More should be done to make sure it's easy for consumers to exercise their rights, and to close up potential loopholes in the opt out for targeted advertising.”
Work to implement the California Privacy Rights Act (CPRA) is getting underway about a year after California Consumer Privacy Act rules went into effect. The California Privacy Protection Agency (CPPA) seeks comment by Nov. 8 on a proposed rulemaking (see 2109230045). The CPRA takes effect Jan. 1, 2023.
“As the California privacy landscape continues to be a moving target, companies will need to pay close attention to the new rules from the CPPA,” Wiley attorneys blogged Friday. Kelley Drye privacy lawyers blogged Sunday: “The CPRA puts thornier issues into play for rulemaking: assessing risks to consumer privacy, standards for using automated decisionmaking, limiting uses of sensitive personal information, and further defining what it means to ‘combine’ consumer personal information.”