ILN Data Privacy Paper

USA - Ohio

1349.19), which defines “personal information” as: [A]n individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable: Social security number; Driver's license number or state identification card number; or Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.[1] Under the Ohio DPA, "Personal information" does not include “publicly available information that is lawfully made available to the general public from federal, state, or local government records and certain widely-distributed media.”[2] The Ohio DPA also defines “restricted information” as “any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is linked or linkable to [1] Ohio Rev. Code, 1347.12(A)(7)(a) [2] Id.

to maintain safeguards and offer consumers a specified level of transparency with respect to their procedures pertaining to the collection and use of personal data through the conspicuous posting of a privacy policy. Scope of Application The Ohio DPA and proposed OPPA both specify the nature of the information that is being protected by the respective legal framework. Only specific information, such as “personal information” as defined under Ohio’s DPA or “personal data” as defined under OPPA, rise to the level of triggering certain rights and obligations as applicable. Additionally, if enacted, OPPA would mirror existing and proposed comprehensive consumer data privacy legislation in limiting its application to certain businesses based on factors such as (1) the connection that the business has to Ohio through physical presence and/or targeting of Ohio consumers, (2) the annual gross revenue of the business, (3) the volume of personal data processed by the business, and (4) amount of revenue the business derives from the sale of personal data. 3.1. Definition of Personal Information and Restricted Information (Ohio DPA) The incentive-based Ohio DPA incorporates the definition of “personal information” from Ohio’s previously-enacted data breach notification statue (Ohio Rev. Code,

https://www.mcdonaldhopkins.com/

Made with FlippingBook - PDF hosting