OHIO LEGISLATIVE SERVICE COMMISSION
Office of Research and Drafting
Legislative Budget Office
www.lsc.ohio.gov
H.B. 345 Bill Analysis
135th General Assembly
Version: As Introduced
Primary Sponsors: Reps. Hall and Seitz
Effective Date:
Austin C. Strohacker, Attorney
SUMMARY
• Provides consumers with the following rights:
  ◦ A right to know what personal data a covered business collects about that consumer;
  ◦ A right to access and receive personal data that a company has with regard to that consumer;
  ◦ A right to request that incorrect personal data be corrected;
  ◦ A right to request that personal data pertaining to that consumer be deleted;
  ◦ A right to request that personal data pertaining to that consumer not be sold.
• Requires covered businesses to establish, maintain, and make available a privacy policy that describes how the business collects, uses, and sells consumer personal data.
• Requires covered businesses to comply with verified requests made in relation to the consumer rights provided by the bill and specifies deadlines for compliance.
• Establishes the Attorney General as the sole entity authorized to enforce the requirements of the bill via investigations and lawsuits.
• Provides covered businesses a path for asserting an affirmative defense against such lawsuits.
• Authorizes the Attorney General to use $250,000 of the Operating Expenses line item, in FY 2025, for the purpose of enforcing the bill’s requirements.
February 15, 2024
TABLE OF CONTENTS
Overview
Application
Consumer rights
Consumer’s right to know what data is collected
Privacy policy
Material changes to privacy policy
Consumer rights in relation to the data collected
Methods for exercising rights
Right to access the personal data collected
Right to correct personal data
Right to delete the personal data collected
Right to request personal data not be sold
Miscellaneous provisions relating to selling personal data
Retaliation prohibited
Relationship between data processors and covered businesses
Enforcement
Investigations
Disclosures
Enforcement via lawsuit
Civil penalties
Data processor liability
Affirmative defense
Exemptions
Exempt data
Exempt with regard to compliance
Interpretation and application
Pseudonymous data
Trade secrets
Statewide, comprehensive enactment
Earmark
Effective date
Definitions
DETAILED ANALYSIS
Overview
The bill establishes requirements related to the collection, processing, and sale of digital
personal data. These requirements fall into two primary categories: (1) requirements imposed
on companies that collect or process personal data, and (2) rights provided to consumers
whose personal data is collected. As used in the bill, “personal data” is any information that
relates to an identified or identifiable consumer processed by a business. Personal data does
not include publicly available, deidentified, or aggregate information.1
Application
The bill applies to a business that conducts business in Ohio, or whose products or
services target consumers in Ohio, and that meets any of the following criteria:
• Gross annual revenue exceeds $25 million;
• Controls or processes personal data of 100,000 or more consumers during a calendar year;
• During a calendar year, derives more than 50% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers.2
Consumer rights
The bill provides five basic rights to consumers with regard to their personal data: (1) a
right to know what data is collected about them, (2) a right to request that data, (3) a right to
have their data deleted, (4) a right to have their data corrected, and (5) a right to prohibit the
sale of their personal data. The bill imposes requirements corresponding to each of those rights
on affected businesses.3
Consumer’s right to know what data is collected
The bill provides consumers with a right to know what personal data a company collects
about them.4 The primary way that this requirement is met is through the company’s privacy
policy.
1 R.C. 1357.01(J).
2 R.C. 1357.02(A).
3 R.C. 1357.03(A), 1357.05(A), 1357.06(A), 1357.07(A), and 1357.08(A).
4 R.C. 1357.03(A).
Privacy policy
A business subject to the bill is required to provide consumers with information on the
personal data it processes by providing a reasonably accessible, clear, and conspicuously posted
privacy policy. The privacy policy must include all of the following:
• The identity and the contact information of the business, including the business’s contact for privacy and data security inquiries, and the identity of any affiliate to which personal data may be transferred by the business;
• The categories of personal data the business processes;
• The purposes of processing each category of personal data;
• The categories of sources from which the personal data is collected;
• The categories of processors to whom the business discloses personal data;
• Whether or not the business sells personal data to third parties and, if the business makes such sales, the categories of third parties to whom the business sells personal data, and how a consumer may exercise the right to opt out of such processing;
• A description of the business’s data retention practices for personal data and the purposes for such retention;
• How individuals can exercise their personal data rights;
• The effective date of the privacy policy;
• A description of the mechanism or mechanisms a business can use to notify consumers when it makes a material change to its privacy policy or decides to process personal data for purposes incompatible with the privacy policy.
The privacy policy must also disclose any and all purposes for which the business
collects or processes personal data. However, the bill specifies that it is not to be construed as
authorizing a consumer to sue for a failure to comply with the privacy policy requirement. Failure
on the part of a business to maintain a privacy policy that reflects the business’s data privacy
practices to a reasonable degree of accuracy is to be considered an unfair and deceptive
practice under the Consumer Sales Practices Act (CSPA). And finally, a business, a co-business,
or a processor may provide the privacy policy to the consumer on behalf of a primary business.5
5 R.C. 1357.03(A), (B), (C), and (D).
Material changes to privacy policy
If a business makes a material change to its privacy policy or decides to process personal
data for purposes incompatible with the privacy policy, it must do either of the following prior
to further processing previously collected personal data:
• Obtain affirmative consent from the consumers affected;
• Provide notice outlining the changes to the business’s privacy policy and providing affected consumers a reasonable means to opt out of having their data processed or disseminated.
A business is required to provide direct notification, where possible, regarding a
material change to the privacy policy to affected consumers. If a company complies with this
requirement via notice, the notice must be provided not less than 60 days prior to
implementing the change, taking into account available technology and the nature of the
relationship between the business and the consumer.6
Consumer rights in relation to the data collected
The bill prescribes several rights for consumers with regard to their personal data. It also
prescribes a uniform method of exercising those rights.
Methods for exercising rights
The bill allows a consumer, or the parent or guardian of a known child (a person under
13) on the child’s behalf, to exercise the rights provided under the bill by making a verifiable
request. A business is required to provide at least one of the following methods for making such
a request:
• A toll-free telephone number;
• An email address;
• A web form;
• A clear and conspicuous link on the business’s main internet homepage to an internet webpage.
For consumers that maintain an account with the business in question, the business may
require the consumer to submit the request through that account. However, if the consumer
does not maintain an account with the business in question, the business is prohibited from
requiring an account be made.
Prior to granting requests made in relation to personal data, businesses must verify the
requester’s identity. If the business is not able to verify the consumer’s identity, then the
business is not required to comply with the request.
For verified requests, the business must comply with the request within 45 days. For
reasonable cause, and upon notice to the consumer, the business may take an additional
45 days to respond to the request. But such a delay may not be used more than once. Upon
receipt of a verified request, a business must comply with all requirements associated with the
rights provided by the bill, as described below, including notifying processors.7
6 R.C. 1357.03(E) and (F).
7 R.C. 1357.04 and 1357.01(D).
Right to access the personal data collected
Under the bill, a consumer may request a copy of the consumer’s personal data that the
consumer previously provided to the business electronically in a portable and, to the extent
technically feasible, readily usable format.8 After receiving a verified request, covered
businesses must disclose both of the following for the preceding 12-month period:
• The categories of third parties to whom the business sells personal data, or that it does not sell personal data;
• The personal data the business has collected about the consumer.9
A business is not obligated to provide access to a consumer’s personal data more than
once in a 12-month period, beginning from the prior date on which the consumer made a
request. Finally, a business may redact personal data in its responses to consumers to protect
the security of personal data, including redacting Social Security numbers, financial account
numbers, or driver’s license numbers.10
Right to correct personal data
Under the bill, a consumer has a right to correct inaccuracies in the consumer’s personal
data that the consumer previously provided to the business. Upon receiving a verified request,
a business is required to correct inaccurate information as requested by the consumer, taking
into account the nature of the personal data and the purposes for which it is processed by the
business.11
Right to delete the personal data collected
The bill provides consumers with the right to request that a business delete personal
data that the business has collected from the consumer and that the business maintains in an
electronic format. A verifiable request to delete personal data must reasonably describe the
personal data the consumer is requesting be deleted.12
8 R.C. 1357.05(A).
9 R.C. 1357.05(B) and (C).
10 R.C. 1357.05(C) and (D).
11 R.C. 1357.06.
12 R.C. 1357.07(A) and (B).
If the consumer’s personal data is stored on archived or backup systems, a covered
business may delay compliance with a consumer’s request to delete until the archived or
backup system relating to that data is restored to an active system, next accessed, or used for a
sale, disclosure, or other purpose. If the consumer’s personal data is stored on archived or
backup systems, the business may comply with the consumer’s request by deleting or
overwriting the data in accordance with a scheduled backup or creation of a new archive, so
long as the business employs encryption standards to protect that data both when the data is in
transit and when it is at rest.13
A business is not required to delete personal data that it maintains or uses as
aggregated, deidentified, or pseudonymous data, provided that such data in the possession of
the business is not linked to a specific consumer. Also, a business, or an associated processor, is
not to be required to com