Read the full stored bill text
As Introduced
136th
General Assembly
Regular
Session
H. B. No. 801
2025-2026
Representative Russo
Cosponsors: Representatives Jarrells,
Humphrey, Mohamed, Piccolantonio, Lawson-Rowe, Cockley, Somani,
Abdullahi, Sigrist, Lett, Rader, Brennan, Glassburn, Brent, Robinson,
Upchurch, Synenberg, Brewer, Troy, Isaacsohn, Thomas, C., Bryant
Bailey, Baker, Brownlee, Sims, Hall, D., Tims, White, E., Rogers,
Grim, Miller, J., McNally, Sweeney
To
enact section 149.61 of the Revised Code
regarding
the provision of personal data to out-of-state entities and to name
this act the Ohio Privacy Act.
BE
IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section
1.
That
section 149.61 of the Revised Code be enacted to read as follows:
Sec.
149.61.
(A)
As used in this section:
(1)
"Deidentified data" means personal information or data that
cannot reasonably be used to infer information about, or otherwise
linked to, a particular individual or household.
(2)
"Private information" means data about an individual that
is not a public record, as that term is defined in section 149.43 of
the Revised Code.
(3)
"State agency" has the same meaning as in section 1.60 of
the Revised Code and includes any employees or agents thereof.
(B)(1)
A state agency shall not collect private information pertaining to
individuals beyond what is necessary to perform its functions and
duties, including meeting any reporting requirements.
(2)
A state agency shall not collect private information related to an
individual's citizenship or immigration status, unless required by
state or federal law.
(C)(1)
Except as permitted by this section or when required by federal law,
no state agency shall disclose private information for any purpose
not directly connected with the administration of the state agency's
programs.
(2)
An entity that receives private information for a purpose directly
connected with the administration of a state agency's programs shall
agree to all of the following:
(a)
To not share the private information further;
(b)
To only use the private information for a purpose directly connected
with the administration of a state agency's programs;
(c)
That misuse of private information terminates the information sharing
agreement and that the entity may be liable to the state agency for
any penalties the state agency faces pursuant to division (F) of this
section if the entity improperly shares or uses the private
information.
(3)
A state agency shall post any active information sharing agreements
on the state agency's web site and list what type of information will
be shared, the entity with which it will be shared, and the stated
purpose of the information sharing agreement.
(D)(1)
A state agency may share private information as deidentified data
that is aggregated to the greatest extent allowable while still in
compliance with federal law, if sharing the data would benefit the
administration or execution of a public service.
(2)
A state agency may share private information in any of the following
circumstances:
(a)
The consent of the individual whose private information would be
disclosed is obtained.
(b)
A warrant is signed by a judge of this state or a federal judge.
(c)
A lawful court order is administered by a court within this state or
by a federal court.
(d)
A subpoena is administered within this state, or a federal subpoena
is administered.
(E)
If a state agency receives a request that may be in furtherance of an
activity prohibited by this section, the state agency shall refer the
request to the attorney general. Upon receipt of the referral, the
attorney general shall assess the lawfulness of the request and
direct the state agency to deny or grant the request as appropriate.
(F)(1)
An individual harmed as a result of a violation of this section has a
cause of action and is entitled to relief as follows:
(a)
For a violation of division (C)(3) of this section, three hundred
dollars per violation;
(b)
For a violation of division (B) of this section, one hundred dollars
per violation;
(c)
For a violation of division (C)(1), (C)(2), or (D) of this section,
seven hundred fifty dollars per violation.
(2)
In addition to the amounts provided in division (F)(1) of this
section, a court may award to the plaintiff an additional one
thousand dollars per violation if the court finds by a preponderance
of evidence that the violation occurred as a result of the
intentional, willful, or wanton disregard of this section.
(3)
Nothing in this section shall be construed to preclude an individual
from recovering actual damages that stem from a violation of this
section.
(G)
It is the intent of the general assembly in enacting this section to
recognize this state's compelling interest in protecting the privacy
and personal information of its residents from government overreach.
Section
2.
This
act shall be known as the Ohio Privacy Act.