ILN Data Privacy Paper

USA - Ohio

program that is maintained must contain administrative, technical, and physical safeguards for the protection of personal information.[1]

3.2. Definition of Personal Data (OPPA)

If enacted in its current version, OPPA would mirror existing and proposed comprehensive consumer data privacy legislation elsewhere throughout the U.S. in defining “personal data” broadly as “any information that is linked or reasonably linkable to an identified or identifiable consumer and that is processed by a business for a commercial purpose.”[2] Personal data would not include “data processed from publicly available sources” or “Pseudonymized, deidentified, or aggregate data.”[3]

Statutory Exemptions

If enacted in its current version, OPPA would exempt certain personal data regulated by the Children’s Online Privacy Protection Act (COPPA), and protected health information under the Health Insurance Portability and Accountability Act (HIPAA).[4] Additionally, OPPA would not apply to Ohio state agencies, financial institutions governed by the Gramm-Leach-Bliley Act (GLBA), and institutions of higher education. Business-to-business transactions would also be exempt under OPPA.[5]

[1] Ohio Rev. Code, 1354.02(A)(1)
[2] Ohio Personal Privacy Act, Sub. H. B. No. 376, 134th General Assembly

3.3. Covered Entities – Ohio’s DPA

Under the DPA, Ohio extends the benefit of an affirmative defense to “covered entities,” which are defined broadly as “a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state (Ohio).”[5]

3.4. Covered Entities – OPPA

If enacted in its current version, OPPA would apply much more narrowly than the DPA: only to businesses that either conduct business in Ohio or “produce products or services targeted to consumers in” Ohio, and that satisfy one or more of the following:

· The business's annual gross revenues generated in Ohio exceed twenty-five million dollars;
· During a calendar year, the business controls or processes personal data of one hundred thousand or more consumers; or
· During a calendar year, the business derives over fifty per cent of its gross revenue from the sale of personal data and processes or controls personal data of twenty-five thousand or more consumers.[6]

[5] Ohio Rev. Code, 1354.01(B)
[6] Ohio Personal Privacy Act, Sub. H. B. No. 376, 134th General Assembly

[3] Id.
[4] Id.
[5] Id.

https://www.mcdonaldhopkins.com/
