Read the full stored bill text
As Introduced
136th
General Assembly
Regular
Session
H. B. No. 807
2025-2026
Representatives Cockley, Rader
Cosponsors: Representatives Brennan,
Piccolantonio, Bryant Bailey, Miller, J., Abdullahi, Somani,
Brownlee, Brent, Sims, Jarrells, Brewer, Russo, Lett, Synenberg,
Grim, Upchurch
To
amend sections 1347.01, 1347.10, and 1347.99 and to enact section
1347.072 of the Revised Code
to
prohibit various government and private entities from selling
sensitive personal data to a data broker or private entity with the
intent of generating profit, unless used for a permitted purpose.
BE
IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section
1.
That
sections 1347.01, 1347.10, and 1347.99 be amended and section
1347.072 of the Revised Code be enacted to read as follows:
Sec.
1347.01.
As
used in this chapter, except as otherwise provided:
(A)
"State agency" means the office of any elected state
officer and any agency, board, commission, department, division, or
educational institution of the state.
(B)
"Local agency" means any municipal corporation, school
district, special purpose district, or township of the state or any
elected officer or board, bureau, commission, department, division,
institution, or instrumentality of a county.
(C)
"Special purpose district" means any geographic or
political jurisdiction that is created by statute to perform a
limited and specific function, and includes, but is not limited to,
library districts, conservancy districts, metropolitan housing
authorities, park districts, port authorities, regional airport
authorities, regional transit authorities, regional water and sewer
districts, sanitary districts, soil and water conservation districts,
and regional planning agencies.
(D)
"Maintains" means state or local agency ownership of,
control over, responsibility for, or accountability for systems and
includes, but is not limited to, state or local agency depositing of
information with a data processing center for storage, processing, or
dissemination. An agency "maintains" all systems of records
that are required by law to be kept by the agency.
(E)
"Personal information" means any information that describes
anything about a person, or that indicates actions done by or to a
person, or that indicates that a person possesses certain personal
characteristics, and that contains, and can be retrieved from a
system by, a name, identifying number, symbol, or other identifier
assigned to a person.
"Personal information" includes sensitive data.
(F)
"System" means any collection or group of related records
that are kept in an organized manner and that are maintained by a
state or local agency, and from which personal information is
retrieved by the name of the person or by some identifying number,
symbol, or other identifier assigned to the person. "System"
includes both records that are manually stored and records that are
stored using electronic data processing equipment. "System"
does not include collected archival records in the custody of or
administered under the authority of the Ohio history connection,
published directories, reference materials or newsletters, or routine
information that is maintained for the purpose of internal office
administration, the use of which would not adversely affect a person.
(G)
"Interconnection of systems" means a linking of systems
that belong to more than one agency, or to an agency and other
organizations, which linking of systems results in a system that
permits each agency or organization involved in the linking to have
unrestricted access to the systems of the other agencies and
organizations.
(H)
"Combination of systems" means a unification of systems
that belong to more than one agency, or to an agency and another
organization, into a single system in which the records that belong
to each agency or organization may or may not be obtainable by the
others.
(I)
"Sensitive data" includes any information regarding an
individual's name, date of birth, social security number, telephone
number, character, general reputation, personal characteristics,
immigration status, facial recognition data, or mode of living.
(J)
"Permitted use" includes the evaluation of credit or
insurance to be used primarily for personal, family, or household
purposes; employment purposes; in the valuation of a potential
investor or servicer; a local child support enforcement agency
establishing an individual's capacity to make child support payments
or determining the appropriate level of such payment; by the federal
deposit insurance corporation or national credit union administration
as part of its appointment process or exercise of its conservator,
receiver, or liquidating agent powers; in response to a court order,
subpoena, or judicial warrant; in accordance with the written
instructions of the consumer to whom it relates; or the investigation
of a criminal offense.
Sec.
1347.072.
(A)
No state agency, state official, data broker, or private entity shall
sell, communicate, or otherwise furnish sensitive data to any data
broker or private entity with the intent of generating profit from
that data, unless one of the following applies:
(1)
That data will be used for a permitted use.
(2)
The sharing of that data is done with the informed consent of the
individual, or is required by a warrant, court order, or subpoena.
(3)
The sharing of that data is otherwise required by state or federal
law.
(B)
When sensitive data is sold or communicated for a permitted use under
the exception provided in division (A)(1) of this section, it may not
subsequently be used or communicated further by the receiving party
for any reason other than a permitted use.
Sec.
1347.10.
(A)
A person who is harmed by the use of personal information that
relates to
him
the
person harmed
and that is maintained in a personal information system may recover
damages in a civil action from any person who directly and
proximately caused the harm by doing any of the following:
(1)
Intentionally maintaining personal information that
he
the
person
knows, or has reason to know, is inaccurate, irrelevant, no longer
timely, or incomplete and may result in such harm;
(2)
Intentionally using or disclosing the personal information in a
manner prohibited by law;
(3)
Intentionally supplying personal information for storage in, or using
or disclosing personal information maintained in, a personal
information system, that
he
the
person
knows, or has reason to know, is false;
(4)
Intentionally denying to the person
harmed
the right to inspect and dispute the personal information at a time
when inspection or correction might have prevented the harm.
An
action under this division shall be brought within two years after
the cause of action accrued or within six months after the wrongdoing
is discovered, whichever is later; provided that no action shall be
brought later than six years after the cause of action accrued. The
cause of action accrues at the time that the wrongdoing occurs.
(B)
(B)(1)
Any person who is harmed by a person or entity that violates section
1347.072 of the Revised Code may recover, in a civil action,
statutory damages in the amount of five hundred dollars, actual
damages as determined by the court, and reasonable attorney's fees.
(2)
Any person who is harmed by a person or entity that obtains sensitive
data under false pretenses or knowingly without a permitted use may
recover, in a civil action, statutory damages in the amount of two
thousand five hundred dollars, actual damages or punitive damages as
determined by the court, and reasonable attorney's fees.
(C)
Any person who, or any state or local agency that, violates or
proposes to violate any provision of this chapter may be enjoined by
any court of competent jurisdiction. The court may issue an order or
enter a judgment that is necessary to ensure compliance with the
applicable provisions of this chapter or to prevent the use of any
practice that violates this chapter. An action for an injunction may
be prosecuted by the person who is the subject of the violation, by
the attorney general, or by any prosecuting attorney.
Sec.
1347.99.
(A)
No public official, public employee, or other person who maintains,
or is employed by a person who maintains, a personal information
system for a state or local agency shall purposely refuse to comply
with division (E), (F), (G), or (H) of section 1347.05, section
1347.071, division (A), (B), or (C) of section 1347.08, or division
(A) or (C) of section 1347.09 of the Revised Code. Whoever violates
this section is guilty of a minor misdemeanor.
(B)
Whoever violates division (H)(1) or (2) of section 1347.15 of the
Revised Code is guilty of a misdemeanor of the first degree.
(C)
Whoever violates section 1347.072 of the Revised Code is guilty of a
felony of the fourth degree if the person is determined by a court of
competent jurisdiction to be a repeat offender, with prior knowing
repeated violations or violations involving false pretenses under
division (B) of section 1347.10 of the Revised Code. An offender
under this division shall be prosecuted by the attorney general in
any court of competent jurisdiction in the state.
Section
2.
That
existing sections 1347.01, 1347.10, and 1347.99 of the Revised Code
are hereby repealed.