OHIO LEGISLATIVE SERVICE COMMISSION
Office of Research and Drafting
Legislative Budget Office
www.lsc.ohio.gov
H.B. 376* Bill Analysis
134th General Assembly
Version: As Reported by House Government Oversight
Primary Sponsors: Reps. Carfagna and Hall
Effective Date:
Nick Thomas, Research Analyst
SUMMARY
• Provides consumers with the following rights:
  ◦ A right to know what personal data a covered business collects about that consumer;
  ◦ A right to access and receive personal data that a company has with regard to that consumer;
  ◦ A right to request that incorrect personal data be corrected;
  ◦ A right to request that personal data pertaining to that consumer be deleted;
  ◦ A right to request that personal data pertaining to that consumer not be sold.
• Requires covered businesses to establish, maintain, and make available a privacy policy that describes how the business collects, uses, and sells consumer personal data.
• Requires covered businesses to comply with verified requests made in relation to the consumer rights provided by the bill and specifies deadlines for compliance.
• Establishes the Attorney General as the sole entity authorized to enforce the requirements of the bill via investigations and lawsuits, provides covered businesses a path for asserting an affirmative defense against such lawsuits, and specifies that the bill does not authorize consumers to bring lawsuits against covered businesses.
• Authorizes the Attorney General to use $250,000 of the Operating Expenses line item, in FY 2023, for the purpose of enforcing the bill’s requirements.
*This analysis was prepared before the report of the House Government Oversight appeared in the
House Journal. Note that the legislative history may be incomplete.
February 9, 2022
TABLE OF CONTENTS
Overview
Application
Consumer rights
Consumer’s right to know what data is collected
Privacy policy
Material changes to privacy policy
Consumer rights in relation to the data collected
Methods for exercising rights
Right to access the personal data collected
Right to correct personal data
Right to delete the personal data collected
Right to request personal data not be sold
Miscellaneous provisions relating to selling personal data
Retaliation prohibited
Relationship between data processors and covered businesses
Enforcement
Investigations
Disclosures
Enforcement via lawsuit
Civil penalties
Data processor liability
Affirmative defense
Exemptions
Exempt data
Exempt with regard to compliance
Interpretation and application
Pseudonymous data
Trade secrets
Statewide, comprehensive enactment
Earmark
Definitions
DETAILED ANALYSIS
Overview
The bill establishes requirements related to the collection, processing, and sale of digital
personal data that will take effect one year after the bill’s effective date. These requirements
fall into two primary categories: requirements imposed on companies that collect or process
personal data and rights provided to consumers whose personal data is collected. As used in
the bill, “personal data” is any information that relates to an identified or identifiable consumer
processed by a business for a commercial purpose. Personal data does not include publicly
available, deidentified, or aggregate information.1
Application
The bill applies to a business that conducts business in Ohio, or whose products or
services target consumers in Ohio, and that meets any of the following criteria:
• Gross annual revenue exceeds $25 million;
• Controls or processes personal data of 100,000 or more consumers during a calendar year;
• During a calendar year, (1) derives more than 50% of gross revenue from the sale of personal data and (2) processes or controls personal data of 25,000 or more consumers.2
Consumer rights
The bill provides five basic rights to consumers with regard to their personal data: a
right to know what data is collected about them, a right to request that data, a right to have
their data deleted, a right to have their data corrected, and a right to prohibit the sale of their
personal data. The bill imposes corresponding requirements on affected businesses.
Consumer’s right to know what data is collected
The bill provides consumers with a right to know what personal data a company collects
about them.3 The primary way that this requirement is met is through the company’s privacy
policy.
1 R.C. 1355.01(J) and Section 4.
2 R.C. 1355.02(A).
3 R.C. 1355.03(A).
Privacy policy
A business is required to provide consumers with information on the personal data it
processes by providing a reasonably accessible, clear, and conspicuously posted privacy policy.
The privacy policy must include all of the following:
• The identity and the contact information of the business, including the business’s contact for privacy and data security inquiries, and the identity of any affiliate to which personal data may be transferred by the business;
• The categories of personal data the business processes;
• The purposes of processing each category of personal data;
• The categories of sources from which the personal data is collected;
• The categories of processors to whom the business discloses personal data;
• Whether or not the business sells personal data to third parties and, if the business makes such sales, the categories of third parties to whom the business sells personal data, and how a consumer may exercise the right to opt out of such processing;
• A description of the business’s data retention practices for personal data and the purposes for such retention;
• How individuals can exercise their personal data rights;
• The effective date of the privacy policy;
• A description of the mechanism or mechanisms a business can use to notify consumers when it makes a material change to its privacy policy or decides to process personal data for purposes incompatible with the privacy policy.
The privacy policy must also disclose any and all commercial purposes for which the company
collects or processes personal data. However, the bill specifies that it is not to be construed as
authorizing a consumer to sue for a failure to comply with the privacy policy requirement. Failure
on the part of a business to maintain a privacy policy that reflects the business’s data privacy
practices to a reasonable degree of accuracy is to be considered an unfair and deceptive
practice under the Consumer Sales Practices Act. And finally, a business, a co-business, or a
processor may provide the privacy policy to the consumer on behalf of a primary business.4
Material changes to privacy policy
If a business makes a material change to its privacy policy or decides to process personal
data for purposes incompatible with the privacy policy, it must do either of the following prior
to further processing previously collected personal data:
• Obtain affirmative consent from the consumers affected;
• Provide notice outlining the changes to the business’s privacy policy and providing affected consumers a reasonable means to opt out of having their data processed or disseminated.
4 R.C. 1355.03(A), (B), (C), and (D).
A business is required to provide direct notification, where possible, regarding a
material change to the privacy policy to affected consumers, taking into account available
technology and the nature of the relationship. If a company complies with this requirement via
notice, the notice must be provided not less than 60 days prior to implementing the change,
taking into account available technology and the nature of the relationship between the
business and the consumer.5
Consumer rights in relation to the data collected
The bill prescribes several rights for consumers with regard to their personal data. It also
prescribes a uniform method of exercising those rights.
Methods for exercising rights
The bill allows a consumer, or the parent or guardian of a known child (a person under
13) on the child’s behalf, to exercise the rights provided under the bill by making a verifiable
request. A business is required to provide at least one of the following methods for making such
a request:
• A toll-free telephone number;
• An email address;
• A web form;
• A clear and conspicuous link on the business’s main internet homepage to an internet webpage.
For consumers that maintain an account with the business in question, the business may
require the consumer to submit the request through that account. However, if the consumer
does not maintain an account with the business in question, the business is prohibited from
requiring an account be made.
Prior to granting requests made in relation to personal data, businesses must first verify
the requester’s identity. If the business is not able to verify the consumer’s identity, then the
business is not required to comply with the request.
For verified requests, the business must comply with the request within 45 calendar
days. For reasonable cause, and upon notice to the consumer, the business may take an
additional 45 days to respond to the request. But such a delay may not be used more than
once. Upon receipt of a verified request, a business must comply with all requirements
associated with the rights provided by the bill, as described below, including notifying
processors.6
5 R.C. 1355.03(E) and (F).
6 R.C. 1355.04 and 1355.01(D).
Right to access the personal data collected
Under the bill, a consumer has a right to request a copy of the consumer’s
personal data that the consumer previously provided to the business electronically in a
portable and, to the extent technically feasible, readily usable format.7 After receiving a verified
request, covered businesses must disclose both of the following for the preceding 12-month
period:
• The categories of third parties to whom the business sells personal data, or if it does not sell personal data, that fact;
• The personal data the business has collected about the consumer.8
A business is not obligated to provide access to a consumer’s personal data more than
once in a 12-month period, beginning from the prior date on which the consumer made a
request. Finally, a business may redact personal data in its responses to consumers to protect
the security of personal data, including redacting Social Security numbers, financial account
numbers, or driver’s license numbers.9
Right to correct personal data
Under the bill, a consumer has a right to correct inaccuracies in the consumer’s personal
data that the consumer previously provided to the business, taking into account the nature of
the personal data and the purposes of the processing of the consumer’s personal data, by
making a verifiable request to have the consumer’s data be corrected. Upon receiving a verified
request, a business is required to correct inaccurate information as requested by the consumer,
taking into account the nature of the personal data and the purposes of the processing of the
consumer’s personal data.10
Right to delete the personal data collected
The bill provides consumers with the right to request that a business delete personal
data that the business has collected from the consumer for commercial purposes and that the
business maintains in an electronic format. As with the right to access, this is done by a
verifiable request. Such a request must reasonably describe the personal data the consumer is
requesting deleted.11
7 R.C. 1355.05(A).
8 R.C. 1355.05(B) and (C).
9 R.C. 1355.05(C) and (D).
10 R.C. 1355.06.
11 R.C. 1355.07(A) and (B).
If the consumer’s personal data is stored on archived or backup systems, a covered
business may delay compliance with a consumer’s request to delete until the archived or
backup system relating to that data is restored to an active system, next accessed, or used for a
sale, disclosure, or commercial purpose. If the consumer’s personal data is stored on archive