Ohio lawmakers this week introduced a bill to protect consumer data-privacy that Lt. Gov. Jon Husted said represents a comfortable “middle ground” amid the field of existing state privacy laws.
Introduced by Republican state Reps. Rick Carfagna and Thomas Hall, the Ohio Personal Privacy Act contains many of the provisions found in the three states that have passed data-privacy laws — California, Colorado and Virginia. In Ohio, these would include the establishment of a set of consumer “data rights,” such as the right to ask companies what personal data they’ve collected, request corrections to that data, have that data deleted upon request, request companies stop selling personal data and complain to the attorney general’s office of infractions.
The bill is missing what’s known as a private right of action, a contentious provision allowing people to privately sue companies for complaints. Disputes over private-right-of-action clauses have repeatedly tripped up passage of data-privacy legislation in Washington and Florida. Ohio’s legislation also primarily applies to businesses clocking at least $25 million in gross revenue or 100,000 customers, with exemptions for certain institutions, like banks and doctor’s offices.
Husted told StateScoop the bill’s introduction represents two years of work and the largest stakeholder gathering he’s attended in his two decades of public service. And while the bill doesn’t contain a private right of action like California’s landmark privacy law does, Husted said this concession allows Ohio businesses to avoid “nuisance lawsuits that can run up costs.”
“We think it’s both consumer- and business-friendly,” Husted said. “For now, there’s nothing, so every bit you do for the consumer is a lot better than what they have at present. … Right now people have essentially zero privacy protection and this gives them some tools.”
Ohio’s legislation would encourage businesses to adopt the popular privacy framework outlined by the National Institute of Standards and Technology. Businesses that follow NIST’s framework would be granted so-called affirmative defense against legal claims in the event a cybersecurity incident compromises customers’ personal information. Husted said they settled on the NIST privacy framework because it’s widely respected, nonpartisan and adaptive.
“We have to treat this as something we have to constantly evolve to keep pace with the changes in technology, and typically government is not very good at that,” Husted said. “That’s why we encourage in our standard to adopt the NIST privacy framework, because that constantly evolves with the most thoughtful people in the privacy arena.”
With no national law on data privacy, 31 states have so far at least attempted to pass some form privacy legislation, according to the International Association of Privacy Professionals. (Other states with active legislation this year include Massachusetts, New York, North Carolina and Pennsylvania.)
Husted said he believes after enough states develop successful privacy laws, the federal government will eventually follow. He pointed to an incident during his eight years as Ohio’s secretary of state, discussing election-data security with U.S. Homeland Security officials, as a turning point in his thinking about state government’s role.
“We were like, well, you tell us what’s going on,” he said. “And they were like, you know more about what’s going on than we do, and it was then that the lightbulb went on that, yeah, there’s nobody really in charge of this. We have to be very much at state and local levels our own protectors.”