https://portswigger.net/daily-swig/oppa-ohio-could-become-the-third-us-state-to-enact-a-new-consumer-privacy-law-in-2021

The Daily Swig

OPPA: Ohio could become the third US state to enact a new consumer privacy law in 2021

David Oberly, 06 October 2021 at 15:41 UTC. Updated: 06 October 2021 at 18:14 UTC

Ohio Personal Privacy Act will grant Ohioans an expansive set of new rights, writes US attorney David Oberly

State legislatures in the US have been busy this year, with both Virginia and Colorado passing new consumer privacy statutes mirroring the now well-known California Consumer Privacy Act (CCPA). And there may be further, similarly momentous changes to the privacy legal landscape before the year is over, after Buckeye State legislators recently introduced their own consumer privacy bill.

The Ohio Personal Privacy Act (OPPA) has strong support from Ohio's governor and lieutenant governor, increasing the likelihood that the Midwestern state may soon join the ranks of a growing number of states with consumer privacy statutes on the books.

If enacted, the OPPA would provide an expansive set of new rights to Ohio consumers, and impose a corresponding set of stringent obligations on businesses that collect and handle their data.

The OPPA: Scope and applicability

Similar to the CCPA and other consumer privacy statutes, businesses would have to meet certain thresholds to fall under the scope of the OPPA. Specifically, the law applies to any business that conducts operations in Ohio or produces goods/services targeted at Ohio consumers and satisfies one or more of the following criteria:

* Annual gross revenue generated in Ohio above $25 million.
* Controls or processes the personal data of 100,000 or more consumers during the calendar year.
* Derives more than 50% of its gross revenue from the sale of personal data and processes/controls the personal data of 25,000 or more consumers during a calendar year.

Consumer rights

Like other consumer privacy statutes, the OPPA grants consumers a broad range of rights, including:

* Right to know: The right to know the personal data that a business collects pertaining to a given consumer.
* Right to access: The right to request access to, and the disclosure of, the personal data that a business collects about the consumer.
* Right to deletion: The right to request that a business delete the personal data that the business has collected from the consumer for commercial purposes.
* Right to opt-out: The right to request that a business that sells personal data to third parties not sell the consumer's personal data.
* Non-discrimination right: The right not to be discriminated against by a business for exercising any of the rights provided to consumers under the OPPA.

Privacy notices

The OPPA also requires businesses to give notice to consumers regarding the personal data that they process. Unlike other privacy statutes, however, the OPPA provides that a failure to maintain a privacy notice that reflects the entity's data processing practices to a reasonable degree of accuracy constitutes an unfair or deceptive practice under Ohio law.

Affirmative defense

By far the most significant aspect of the proposed bill is an affirmative defense offered to businesses that maintain a written privacy program that reasonably conforms with the National Institute of Standards and Technology's (NIST) privacy framework.

Businesses that satisfy the requirements for the affirmative defense are afforded protection from any cause of action brought under Ohio laws, or in Ohio courts, alleging a violation of the OPPA or similar claims based on alleged violations of the Ohio Consumer Sales Practices Act's privacy-related provisions.

Liability and enforcement

The OPPA does not offer a private right of action for individuals to pursue litigation against entities for alleged violations of the law. Rather, enforcement authority rests exclusively with the Ohio attorney general, who may seek civil penalties of up to $5,000 per violation. However, before initiating an enforcement action, the AG must give at least 30 days' notice to cure any alleged violations.

Compliance tips

With the support of the state's governor and lieutenant governor, buttressed by the success of other states in swiftly moving consumer privacy bills through the legislative process this year, the Buckeye State may well become the third US state to pass a new consumer privacy statute in 2021.

From a broader perspective, the increasing momentum for consumer privacy laws across the globe should serve as a reminder for all companies to take proactive steps to build out a comprehensive privacy and data protection program. Specifically, companies should consider implementing the following measures if they have not already done so:

* Complete a data-mapping and inventory exercise.
* Properly inform consumers of the entity's data processing activities through the implementation of a publicly available privacy policy and just-in-time notices where required.
* Design and implement processes and procedures for responding to consumer requests.
* Ensure the maintenance of a robust data security program - ideally one designed in conformity with a universally recognized security framework, such as NIST's privacy framework or the ISO 27001 information security standard.
* Update service provider and vendor contracts to include language limiting the processing of personal data by the service provider to that which is required to perform services for the company.
* Consult with experienced privacy counsel to ensure compliance with today's constantly evolving privacy legal landscape.

David Oberly (@DavidJOberly)