WeVote

Bill

Bill

HB 801

Enact the Ohio Privacy Act

136th Legislature (2025-2026) Introduced by Munira Abdullahi and 33 co-sponsors

Ohio Privacy Act gives residents broad data rights (access, deletion, correction, portability, opt-out) and imposes security and governance duties on data handlers.

Referred to committee
0
WeVote Research Nonpartisan
Bill Summary · HB 801

Ohio HB 801 (Session 136): Enact the Ohio Privacy Act

Purpose and intent

  • Establishes a comprehensive framework for data privacy and protection governing the collection, use, storage, and sharing of personal data by entities operating in Ohio.
  • Aims to give Ohio residents greater control over their personal information and to set clear obligations for businesses and other organizations handling that data.

Key provisions and changes (highlights)

  • Applicability and scope

    • Applies to entities that process personal data of Ohio residents. The act defines what constitutes personal data, consumer, and data processing activities.
    • Likely covers both covered entities and service providers, as well as certain data processors with obligations to protect data and respect consumer rights.
  • Rights for individuals (data subjects)

    • Right to access personal data held by a controller.
    • Right to delete or have personal data erased in certain circumstances.
    • Right to correct inaccurate data and to obtain information about how data is used.
    • Right to data portability, allowing data to be transferred to another entity upon request.
    • Right to opt out of certain processing (e.g., sale or targeted advertising) where applicable.
    • Right to be informed about data collection practices and purpose limitations.
  • Controllers and processors duties

    • Controllers must implement reasonable data minimization and security measures; processors must adhere to documented instructions from controllers.
    • Requirement to conduct and document data protection impact assessments for high-risk processing activities.
    • Obligations to implement risk-based security standards and incident response plans.
  • Data security and breach notification

    • Standards for safeguarding personal data and patching vulnerabilities.
    • Clear breach notification timelines to affected individuals and relevant state authorities, with specified notification windows.
  • Compliance and governance

    • Establishes a state regulatory framework to enforce the act, including enforcement mechanisms and penalties for non-compliance.
    • Possible provision for a private right of action in some circumstances (e.g., data breaches or repeated violations), or specific AG/enforcement remedies.
    • Requirements for data inventories, processing records, and privacy-by-design documentation.
  • Sector-specific or exemption provisions

    • May include exemptions for certain activities (e.g., data processed for journalistic, academic, or literary purposes; information governed by other privacy laws; small businesses under a certain revenue or data threshold).
    • Potential alignment with existing federal or state laws and coordination with other privacy or consumer protection statutes.
  • Enforcement and penalties

    • Establishes penalties for violations, potentially scaled by severity and number of violations.
    • Specifies enforcement authorities (state attorney general or designated agency) and procedures for investigations.
  • Effective date and transition

    • Provides effective date and any phased implementation timeline.
    • May include transition provisions for existing contracts and data processing arrangements.

Who would be affected

  • Individuals: Ohio residents gain enhanced rights over their personal data and clearer explanations of data practices.
  • Businesses and organizations: Entities collecting or processing Ohio resident data would need to adapt operations to meet new privacy governance, security, and disclosure requirements.
  • Data processors and service providers: Obligations to comply with vendor-specific requirements and to assist controllers in meeting obligations.
  • Public sector/regulated entities: Potential alignment with state oversight and reporting requirements.

Procedural and timeline aspects

  • Introduced: March 31, 2026.
  • Referred to committee: May 13, 2026.
  • The bill will undergo committee review, including possible hearings, amendments, and potential votes before advancing to the full chamber for consideration.
  • If enacted, the act would become part of Ohio’s statutory privacy framework, with implementation timelines likely tied to the act’s effective date.

Notes

  • The summary reflects the bill’s general structure typical of comprehensive privacy acts. Specifics such as threshold amounts, exact rights (e.g., precise opt-out categories), and enforcement details would be defined in the final bill text as amended during the legislative process.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.