WeVote

Bill

WeVote Research Nonpartisan
Bill Summary · HB 807

Overview

HB 807 (Ohio, 136th General Assembly) proposes to prohibit state and local government agencies, as well as private entities, from selling or sharing sensitive personal data with data brokers or private entities for profit, except when used for a permitted purpose. The bill establishes definitions, conditions for permissible sharing, civil remedies, and enforcement provisions. It also creates a new section (1347.072) and repeals existing provisions (1347.01, 1347.10, 1347.99) as part of consolidating the regime governing personal information in state/local systems.

Main purpose and intent

  • Prevent the sale or communication of sensitive data to data brokers or private entities for profit, unless the data sharing meets listed permitted uses or is otherwise authorized (consent, legal process, or required by law).
  • Limit subsequent use of sold data by recipients to only permitted uses.
  • Create civil remedies and enforcement mechanisms to deter violations and provide relief to harmed individuals.
  • Clarify definitions and scope of personal information, systems, and data interconnections within state and local agencies.

Key provisions and changes

  • Sec. 1347.072 (new): Prohibits sale or communication of sensitive data to data brokers/private entities for profit unless:
    • Used for a permitted use;
    • Informed consent from the individual or required by a warrant, court order, or subpoena; or
    • Required by state or federal law.
  • When data is shared for a permitted use, the receiving entity may not further use or disclose the data beyond the permitted purpose.
  • Sec. 1347.01 (definitions): Establishes key terms including “state agency,” “local agency,” “personal information,” “system,” “interconnection of systems,” “combination of systems,” “sensitive data,” and “permitted use.” It also expands on what counts as a “system” and sets boundaries for interconnections and combined systems.
  • Sec. 1347.10 (civil remedies and damages):
    • Subsection (A): Allows individuals harmed by improper handling of personal information to sue for damages if the harm resulted from intentional misconduct related to maintaining, using, or denying access to personal data.
    • Subsection (B): For violations of 1347.072, civil actions may seek statutory damages ($500) or actual/punitive damages, plus attorney’s fees; additional damages ($2,500 statutory) for obtaining data under false pretenses or without a permitted use, plus other damages.
    • Subsection (C): Courts may issue injunctions to enforce compliance.
  • Sec. 1347.99 (enforcement penalties):
    • Violations of certain provisions are misdemeanors; repeat offenses or violations involving false pretenses under 1347.10 or 1347.072 can trigger higher-level penalties (felony of the fourth degree for repeat violations of 1347.072).
  • Repeal: The bill repeals existing sections 1347.01, 1347.10, and 1347.99 and replaces them with updated provisions, consolidating the framework for sensitive data protections.

Who would be affected

  • State agencies, state officials, and local agencies (including municipalities, school districts, special districts, and counties) that maintain personal information systems.
  • Private entities and data brokers that acquire sensitive data from state/local systems (directly or indirectly as recipients of shared data).
  • Individuals whose sensitive data is stored in or processed by state/local information systems.
  • Public officials and employees who manage or maintain personal information systems, given potential penalties for noncompliance.

Procedural and timeline aspects

  • Status: Introduced (March 31, 2026) and referred to committee (May 13, 2026 in the action history).
  • The bill would enact a new data-sharing prohibition effective upon enactment, with civil and criminal penalties calibrated to the severity and repeat offenses.
  • Enforcement mechanisms include private civil actions for individuals harmed and potential actions by the Attorney General or prosecuting attorneys for injunctions.
  • The bill reorganizes and clarifies the statutory framework by repealing and replacing prior provisions related to personal information protection.

Potential impact and considerations

  • Strengthens privacy protections for residents by restricting profit-driven dissemination of sensitive data and limiting data recipients’ uses.
  • Introduces measurable penalties (statutory damages, actual/punitive damages, injunctions) to deter improper data handling.
  • Could affect data-sharing practices of government entities, requiring more explicit consent, warrants, or legal mandates for sharing sensitive information with third parties.
  • May influence data broker operations and private sector entities that rely on Ohio-sourced data, requiring heightened compliance for permitted uses and consent mechanisms.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.