Additional protections far beyond HB 376 are needed from the General Assembly. As currently written, we believe exploitable loopholes and exceptions in HB 376 can and will give businesses and corporations the ability to circumvent privacy concerns

Below is our Chief Lobbyist Gary Daniels' opponent testimony on Substitute House Bill 376. This was delivered to the House Government Oversight Committee on December 8, 2021.


To Chairman Wilkin, Vice Chair White, Ranking Member Sweeney, and members of the House Government Committee, thank you for this opportunity to provide the following opponent testimony for Substitute House Bill 376.

The ACLU of Ohio hoped to appear today as a proponent of HB 376 or at least as interested party because we strongly believe in data and digital privacy for Ohioans. However, a careful review of this bill raises fundamental questions of whether HB 376 makes any notable improvements in this area of law and policy.

To properly and adequately protect the data of Ohioans and others affected, additional protections far beyond HB 376 are needed from the General Assembly. As currently written, we believe exploitable loopholes and exceptions in HB 376 can and will give businesses and corporations the ability to circumvent privacy concerns. The ACLU of Ohio's most notable (but not only) concerns are as follows:

Enforcement

Currently, the requirements and regulations created by HB 376 have the potential to never be enforced by anyone. This is because HB 376 expressly forbids civil lawsuits by your constituents when their rights are violated under this bill. Instead, HB 376 gives this authority exclusively to the Office of the Attorney General (Lines #395-397, 599-600, 700-703 ). However, even then it is questionable how much an attorney general can accomplish in this regard.

In order for the Office of the Attorney General to bring a legal action against violators of HB 376, the attorney general must first receive and review consumer complaints (or concerns the AG's office otherwise becomes aware of or discovers itself.) (Lines #601-607).

If the AG wishes to further pursue the matter, it then must send a notice to the company or business in question at least 30 days prior to any further enforcement actions in order to give the company or business an opportunity to correct any alleged violations. (Lines #650-654 ).

The AG is then prohibited from any enforcement actions so long as the company or business provides to the attorney general "an express written statement that the alleged violations have been cured and that no further violations will occur." (Lines #655-661).

A mere written statement from a company or business saying they have not been and/or are not violating HB 376 will inherently result in lack of enforcement. In this bill, there is no requirement or procedure for the AG or anyone else to actually confirm the company or business has not violated or is not violating the law. Apparently, the AG must take the written statement at face value. This is a significant enforcement loophole.

In addition, because this gives exclusive authority to the Office of the Attorney General, Ohioans will continue to have their privacy compromised if whomever is AG at the time has little or zero interest in enforcing HB 376.

Opt in vs. opt out

HB 376 currently has no language requiring a company or business that collects, sells, aggregates, etc. personal data to adopt adequate opt-in policies regarding consumers and their personal information.

Clear and concise opt-in requirements and policies give people meaningful control over their personal information, how it will be collected, and how it will be used. Such a requirement also minimizes opt-out scenarios where people must research, contact, and navigate the processes of each and every company and business they encounter, if that is even possible (it is not).

A welcome addition to HB 376 would be adding explicit and comprehensive opt-in requirements for relevant entities to protect the privacy of Ohioans.

Consumer Sales Practices laws

Under HB 376, violations are investigated under Ohio's Consumer Sales Practices laws (ORC Chapter 1345). (Lines #601-607). But HB 376 also weakens existing law for the purposes of this bill, and perhaps only for this bill.

More specifically, under current law in ORC Chapter 1345, investigations and actions by the AG may include a request by the AG to a court to order compliance with a subpoena issued under this chapter (ORC Sec. 1345.06(E)). HB 376 explicitly prohibits the AG from doing this. (Lines #617-619).

It is another example of how HB 376 prevents, rather than facilitates or encourages, enforcement of the law.

Ohio's public records laws

HB 376 explicitly forbids public disclosure of the "identity of a business investigated under this section" or the "facts developed in investigations" unless the matter has otherwise become a public record via enforcement proceedings or unless the business in question consents in writing. (Lines #623-632).

This provision further shields violators and alleged violators from scrutiny. Even an investigation that does not result in an enforcement action can provide helpful and necessary information regarding the conduct of a business, company, or corporation.

In addition, it could shed valuable light on why an AG may or may not take further action against a violator or alleged violator. Should an AG routinely gather or discover facts about violations or alleged violations but never pursue any enforcement action, current public records law may be helpful in revealing that and Ohioans should benefit from such transparency.

Exceptions/loopholes

HB 376 contains numerous other exceptions including privacy rights protected by federal law, government entities, credit reporting, and others. (Lines# I 71-268). HB 376 also contains other broadly-written exemptions such as when a business must comply with federal or state law, with civil, criminal & regulatory enforcement and actions, to defend against legal claims, preventing and detecting fraud, and others. (Lines #269-283). Another section makes exceptions for such things as conducting internal research to improve products, services & technology, to identify and repair technical errors that impair existing functionality, or to effectuate a product recall
(Lines #314-325).

Under these exceptions, could a business or company claim the best way to provide as best a service, or product, or technology as possible is to use as much information, in this case consumer data, as possible? With the idea being the larger and more diverse the pool of data, the more helpful the testing results will be for whatever is being developed.

A similar concern arises with the law enforcement, regulatory, and related provisions. What if a company or business claims they retain as much data as possible because they can never be sure about prospective lawsuits? That is, they never know why they may get sued and so they better hold on to as much data as possible and/or they feel necessary, to comply with lawsuits, as well as investigations, audits, and related actions.

As previously mentioned, we believe there are various areas where language can and should be amended and tightened to minimize privacy concerns. Otherwise, the risk is that every example of broad or imprecise language will be fully maximized by those who collect, sell, etc. our personal data for their benefit against consumers.

In summary, what you have before you is a bill largely establishing a consumer's right to know what data is being collected about them and the purposes and uses of that collection. However, what you do not have is a bill that actually protects the rights of your constituents in this regard. Significant changes are needed to accomplish that.

While we sincerely hope for a much improved bill, as of now the ACLU of Ohio encourages a "no" vote on Substitute House Bill 376.