How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
(E) "Personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E)" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a systemSystem"System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio history connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.Ohio Rev. Code § 1347.01(F) by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E)" includes sensitive dataSensitive data"Sensitive data" includes any information regarding an individual's name, date of birth, social security number, telephone number, character, general reputation, personal characteristics, immigration status, facial recognition data, or mode of living.Ohio Rev. Code § 1347.01(I).
(I) "Sensitive dataSensitive data"Sensitive data" includes any information regarding an individual's name, date of birth, social security number, telephone number, character, general reputation, personal characteristics, immigration status, facial recognition data, or mode of living.Ohio Rev. Code § 1347.01(I)" includes any information regarding an individual's name, date of birth, social security number, telephone number, character, general reputation, personal characteristics, immigration status, facial recognition data, or mode of living.
(J) "Permitted usePermitted use"Permitted use" includes the evaluation of credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; in the valuation of a potential investor or servicer; a local child support enforcement agency establishing an individual's capacity to make child support payments or determining the appropriate level of such payment; by the federal deposit insurance corporation or national credit union administration as part of its appointment process or exercise of its conservator, receiver, or liquidating agent powers; in response to a court order, subpoena, or judicial warrant; in accordance with the written instructions of the consumer to whom it relates; or the investigation of a criminal offense.Ohio Rev. Code § 1347.01(J)" includes the evaluation of credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; in the valuation of a potential investor or servicer; a local child support enforcement agency establishing an individual's capacity to make child support payments or determining the appropriate level of such payment; by the federal deposit insurance corporation or national credit union administration as part of its appointment process or exercise of its conservator, receiver, or liquidating agent powers; in response to a court order, subpoena, or judicial warrant; in accordance with the written instructions of the consumer to whom it relates; or the investigation of a criminal offense.
Section 1347.01 is the definitions section for Ohio Revised Code Chapter 1347. HB 807 amends this section to add two new defined terms: sensitive data and permitted use. Sensitive data is broadly defined to include name, date of birth, social security number, telephone number, character, general reputation, personal characteristics, immigration status, facial recognition data, and mode of living. The definition of personal information is amended to explicitly include sensitive data. Permitted use enumerates the circumstances under which sensitive data may lawfully be sold or communicated, tracking categories familiar from the Fair Credit Reporting Act (credit, insurance, employment) plus government enforcement, court orders, consumer consent, and criminal investigations.
(A) 1 No state agencyState agency"State agency" means the office of any elected state officer and any agency, board, commission, department, division, or educational institution of the state.Ohio Rev. Code § 1347.01(A), state official, data broker, or private entity shall sell, communicate, or otherwise furnish sensitive dataSensitive data"Sensitive data" includes any information regarding an individual's name, date of birth, social security number, telephone number, character, general reputation, personal characteristics, immigration status, facial recognition data, or mode of living.Ohio Rev. Code § 1347.01(I) to any data broker or private entity with the intent of generating profit from that data, unless one of the following applies: (1) That data will be used for a permitted usePermitted use"Permitted use" includes the evaluation of credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; in the valuation of a potential investor or servicer; a local child support enforcement agency establishing an individual's capacity to make child support payments or determining the appropriate level of such payment; by the federal deposit insurance corporation or national credit union administration as part of its appointment process or exercise of its conservator, receiver, or liquidating agent powers; in response to a court order, subpoena, or judicial warrant; in accordance with the written instructions of the consumer to whom it relates; or the investigation of a criminal offense.Ohio Rev. Code § 1347.01(J). (2) The sharing of that data is done with the informed consent of the individual, or is required by a warrant, court order, or subpoena. (3) The sharing of that data is otherwise required by state or federal law.
(B) 2 When sensitive dataSensitive data"Sensitive data" includes any information regarding an individual's name, date of birth, social security number, telephone number, character, general reputation, personal characteristics, immigration status, facial recognition data, or mode of living.Ohio Rev. Code § 1347.01(I) is sold or communicated for a permitted usePermitted use"Permitted use" includes the evaluation of credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; in the valuation of a potential investor or servicer; a local child support enforcement agency establishing an individual's capacity to make child support payments or determining the appropriate level of such payment; by the federal deposit insurance corporation or national credit union administration as part of its appointment process or exercise of its conservator, receiver, or liquidating agent powers; in response to a court order, subpoena, or judicial warrant; in accordance with the written instructions of the consumer to whom it relates; or the investigation of a criminal offense.Ohio Rev. Code § 1347.01(J) under the exception provided in division (A)(1) of this section, it may not subsequently be used or communicated further by the receiving party for any reason other than a permitted usePermitted use"Permitted use" includes the evaluation of credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; in the valuation of a potential investor or servicer; a local child support enforcement agency establishing an individual's capacity to make child support payments or determining the appropriate level of such payment; by the federal deposit insurance corporation or national credit union administration as part of its appointment process or exercise of its conservator, receiver, or liquidating agent powers; in response to a court order, subpoena, or judicial warrant; in accordance with the written instructions of the consumer to whom it relates; or the investigation of a criminal offense.Ohio Rev. Code § 1347.01(J).
Section 1347.072 is the bill's core operative provision. It prohibits state agencies, state officials, data brokers, and private entities from selling, communicating, or otherwise furnishing sensitive data to any data broker or private entity with the intent of generating profit from that data. Three exceptions apply: the data will be used for a permitted use, the sharing is done with the individual's informed consent or under legal process, or the sharing is otherwise required by state or federal law.
Division (B) imposes a downstream use restriction: when sensitive data is sold for a permitted use, the receiving party may not subsequently use or communicate the data for any purpose other than a permitted use. This anti-circumvention provision is designed to prevent data laundering through intermediaries.
(A) A person who is harmed by the use of personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) that relates to the person harmed and that is maintained in a personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) systemSystem"System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio history connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.Ohio Rev. Code § 1347.01(F) may recover damages in a civil action from any person who directly and proximately caused the harm by doing any of the following: (1) Intentionally maintaining personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) that the person knows, or has reason to know, is inaccurate, irrelevant, no longer timely, or incomplete and may result in such harm; (2) Intentionally using or disclosing the personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) in a manner prohibited by law; (3) Intentionally supplying personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) for storage in, or using or disclosing personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) maintained in, a personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) systemSystem"System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio history connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.Ohio Rev. Code § 1347.01(F), that the person knows, or has reason to know, is false; (4) Intentionally denying to the person harmed the right to inspect and dispute the personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) at a time when inspection or correction might have prevented the harm. An action under this division shall be brought within two years after the cause of action accrued or within six months after the wrongdoing is discovered, whichever is later; provided that no action shall be brought later than six years after the cause of action accrued. The cause of action accrues at the time that the wrongdoing occurs.
(B)(1) Any person who is harmed by a person or entity that violates section 1347.072 of the Revised Code may recover, in a civil action, statutory damages in the amount of five hundred dollars, actual damages as determined by the court, and reasonable attorney's fees.
(B)(2) Any person who is harmed by a person or entity that obtains sensitive dataSensitive data"Sensitive data" includes any information regarding an individual's name, date of birth, social security number, telephone number, character, general reputation, personal characteristics, immigration status, facial recognition data, or mode of living.Ohio Rev. Code § 1347.01(I) under false pretenses or knowingly without a permitted usePermitted use"Permitted use" includes the evaluation of credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; in the valuation of a potential investor or servicer; a local child support enforcement agency establishing an individual's capacity to make child support payments or determining the appropriate level of such payment; by the federal deposit insurance corporation or national credit union administration as part of its appointment process or exercise of its conservator, receiver, or liquidating agent powers; in response to a court order, subpoena, or judicial warrant; in accordance with the written instructions of the consumer to whom it relates; or the investigation of a criminal offense.Ohio Rev. Code § 1347.01(J) may recover, in a civil action, statutory damages in the amount of two thousand five hundred dollars, actual damages or punitive damages as determined by the court, and reasonable attorney's fees.
(C) Any person who, or any state or local agencyLocal agency"Local agency" means any municipal corporation, school district, special purpose district, or township of the state or any elected officer or board, bureau, commission, department, division, institution, or instrumentality of a county.Ohio Rev. Code § 1347.01(B) that, violates or proposes to violate any provision of this chapter may be enjoined by any court of competent jurisdiction. The court may issue an order or enter a judgment that is necessary to ensure compliance with the applicable provisions of this chapter or to prevent the use of any practice that violates this chapter. An action for an injunction may be prosecuted by the person who is the subject of the violation, by the attorney general, or by any prosecuting attorney.
Section 1347.10 provides the private right of action and civil remedies for violations of Chapter 1347. HB 807 amends this section to add new subdivision (B)(1)–(2) creating tiered statutory damages for violations of the new § 1347.072 sensitive data sale prohibition. Standard violations yield $500 in statutory damages, actual damages, and attorney's fees. Violations involving false pretenses or knowing lack of permitted use yield $2,500 in statutory damages, actual or punitive damages, and attorney's fees. The existing division (A) private right of action for personal information system harms is retained with minor pronoun updates. The existing division (C) injunctive relief provision — allowing the affected individual, the attorney general, or any prosecuting attorney to seek an injunction — is unchanged.
(A) No public official, public employee, or other person who maintains, or is employed by a person who maintains, a personal informationPersonal information"Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.Ohio Rev. Code § 1347.01(E) systemSystem"System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio history connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.Ohio Rev. Code § 1347.01(F) for a state or local agencyLocal agency"Local agency" means any municipal corporation, school district, special purpose district, or township of the state or any elected officer or board, bureau, commission, department, division, institution, or instrumentality of a county.Ohio Rev. Code § 1347.01(B) shall purposely refuse to comply with division (E), (F), (G), or (H) of section 1347.05, section 1347.071, division (A), (B), or (C) of section 1347.08, or division (A) or (C) of section 1347.09 of the Revised Code. Whoever violates this section is guilty of a minor misdemeanor.
(B) Whoever violates division (H)(1) or (2) of section 1347.15 of the Revised Code is guilty of a misdemeanor of the first degree.
(C) Whoever violates section 1347.072 of the Revised Code is guilty of a felony of the fourth degree if the person is determined by a court of competent jurisdiction to be a repeat offender, with prior knowing repeated violations or violations involving false pretenses under division (B) of section 1347.10 of the Revised Code. An offender under this division shall be prosecuted by the attorney general in any court of competent jurisdiction in the state.
Section 1347.99 establishes criminal penalties for violations of Chapter 1347. HB 807 adds new division (C), which makes violations of § 1347.072 a fourth-degree felony when the offender is determined by a court to be a repeat offender with prior knowing repeated violations or violations involving false pretenses. Prosecution is by the attorney general. Existing criminal penalties for other Chapter 1347 violations (minor misdemeanor for public employee noncompliance, first-degree misdemeanor for identity fraud database violations) are unchanged.