ILN Data Privacy Paper

USA - Ohio

shall reflect the nature and scope of the activities of the processor and its role in possessing the personal data. [1] Unlike other privacy legal frameworks such as HIPAA that require covered entities to implement administrative, technical, and physical safeguards, OPPA does not narrowly specify the applicable safeguards, which presumably may entail actions such as monitoring of information systems, employee training on cybersecurity, or requirements with respect to implementation of policies/procedures beyond the core privacy policy. 5.5. Data Processing of Minors’ Data Under OPPA, businesses would be prohibited from selling the personal data collected online of a known child without complying with the requirements or exceptions of the Children’s Online Privacy Protection Act of 1998 (COPPA).[2] This requirement mirrors comprehensive data privacy legislation in other jurisdiction, such as Connecticut and other jurisdictions that afford special protections to the personal data of minors.

penalties of up to five thousand dollars for each violation.[3] If the attorney general has reasonable cause to believe that a business or processor has engaged or is engaging in an act or practice that violates OPPA, the attorney general would be able to bring an action in an Ohio court of common pleas to seek relief in the form of declaratory judgements that the business/processor has engaged in an act or practice that violates OPPA as well as injunctive relief (both preliminary and permanent) to prevent further violations and compel compliance.[4]

[3] Id. [4] Id.

Conclusion Ohio is advancing toward a data protection landscape in which it simultaneously promotes and requires the safeguarding of personal data of its residents through collective legislation based in both incentives and requirements. At the aggregate level, Ohio’s data protection legislation is focused on rewarding businesses for taking steps to enhancing their cybersecurity posture while also affording consumers newfound control over their personal information and imposing requirements of companies with respect to data processing.

[1] Id. [2] Id.

OPPA Enforcement Unlike similar legislation in other jurisdictions, OPPA does not establish a new privacy regulator. If enacted in its current form, the Ohio Attorney General would maintain exclusive authority to enforce OPPA through investigation of businesses and processors for compliance and civil

https://www.mcdonaldhopkins.com/

Made with FlippingBook - PDF hosting