Ohio Data Privacy Laws: Safe Harbor & Consumer Rights (2026)

Ohio takes a patchwork approach to data privacy. Rather than enacting a single comprehensive consumer privacy statute, the state relies on a combination of targeted laws covering data breach notification, cybersecurity incentives, government data practices, insurance data security, and consumer protection enforcement.
This approach leaves Ohio residents without the broad data rights available in states like California, Virginia, or Texas. However, Ohio made history in 2018 by becoming the first state to offer businesses a legal incentive for maintaining strong cybersecurity programs through its Data Protection Act.
This guide covers every major Ohio statute affecting data privacy, what protections exist for residents, what obligations businesses face, and where federal law fills gaps in state coverage.
Ohio Data Protection Act (SB 220, ORC Chapter 1354)
The Ohio Data Protection Act, codified as ORC Chapter 1354, was signed into law on August 3, 2018, through Senate Bill 220. It took effect on November 2, 2018.

This law was the first of its kind in the United States. Rather than imposing mandatory cybersecurity requirements, it creates a voluntary incentive system. Businesses that implement and maintain qualifying cybersecurity programs earn an affirmative defense against certain lawsuits.
How the Safe Harbor Works
Under ORC 1354.02, a covered entity that creates, maintains, and complies with a written cybersecurity program is entitled to an affirmative defense against any cause of action sounding in tort that is brought under Ohio law and alleges that the failure to implement reasonable information security controls resulted in a data breach.
This means a business that suffers a data breach can defeat tort claims under Ohio law alleging inadequate security controls if it had a qualifying cybersecurity program in place at the time of the breach. The defense applies to claims involving both personal information and restricted information.
The safe harbor is an affirmative defense only. It does not create a blanket immunity. The business must raise the defense in court and demonstrate that it met the statutory requirements. It also does not prevent regulatory enforcement actions or claims arising under other statutes.
Cybersecurity Program Requirements
To qualify for the safe harbor, a covered entity must create, maintain, and comply with a written cybersecurity program that includes administrative, technical, and physical safeguards. The program must be designed to accomplish three objectives.
First, it must protect the security and confidentiality of personal information or restricted information. Second, it must protect against any anticipated threats or hazards to the security or integrity of that information. Third, it must protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud.
The law requires the program to be scaled appropriately based on several factors. These include the size and complexity of the covered entity, the nature and scope of its activities, the sensitivity of the information to be protected, the cost and availability of tools to improve information security, and the resources available to the covered entity.
Recognized Cybersecurity Frameworks
The cybersecurity program must reasonably conform to an industry-recognized framework. ORC 1354.02 specifically lists the following frameworks as qualifying standards.
NIST Cybersecurity Framework. The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology.
FedRAMP. The Federal Risk and Authorization Management Program Security Assessment Framework.
CIS Controls. The Center for Internet Security Critical Security Controls for Effective Cyber Defense.
ISO/IEC 27000. The International Organization for Standardization/International Electrotechnical Commission 27000 family of Information Security Management Systems standards.
For entities regulated by specific industries, additional frameworks qualify.
HIPAA and HITECH. Entities subject to the Health Insurance Portability and Accountability Act must reasonably conform to the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health Act.
GLBA. Financial institutions subject to Title V of the Gramm-Leach-Bliley Act can rely on compliance with those requirements.
FISMA. Federal agencies and contractors subject to the Federal Information Security Modernization Act qualify through that compliance.
PCI DSS. Entities handling payment card data can comply with the Payment Card Industry Data Security Standard, but they must also conform to at least one other listed framework.
Reasonable Conformance Standard
Under ORC 1354.03, the law does not require perfect compliance. A covered entity must demonstrate "reasonable conformance" with its chosen framework. When a framework is amended, the entity has one year from the effective date of the amendment to conform to the updated version.
Ohio Data Breach Notification Law (ORC 1349.19)
Ohio's data breach notification law, codified as ORC 1349.19, establishes mandatory notification requirements for businesses and individuals that experience a data breach involving personal information of Ohio residents.
Definition of Personal Information
The statute defines "personal information" as an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements when the data elements are not encrypted, redacted, or altered to be unreadable.
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
The encryption safe harbor is significant. If the compromised data was encrypted, redacted, or otherwise rendered unreadable at the time of the breach, notification is not required.
Definition of a Breach
A "breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of Ohio.
Both access and acquisition must occur. Unauthorized access alone, without evidence that data was actually acquired, does not trigger notification obligations.
45-Day Notification Timeline
Entities must notify affected Ohio residents in the most expedient time possible, but not later than 45 days after discovering the breach. The 45-day window allows time to determine the scope of the breach, identify which residents' personal information was affected, and restore the reasonable integrity of the data system.
Law enforcement may request a delay in notification if it would impede a criminal investigation. The notification timeline resumes once law enforcement determines that disclosure will no longer compromise the investigation.
Methods of Notification
The law permits several methods of notification to affected residents.
Written notice. A physical letter sent to the affected individual's last known address.
Telephonic notice. A phone call to the affected individual.
Electronic notice. Permitted if the entity's primary method of communication with the individual is electronic.
Substitute notice. Available when the cost of direct notification exceeds $250,000, the affected class exceeds 500,000 residents, or the entity lacks sufficient contact information. Substitute notice requires a combination of email notification, conspicuous posting on the entity's website, and notification to major statewide media.
Small business substitute notice. Entities with 10 or fewer employees may use an alternative substitute notice when costs exceed $10,000. This allows a combination of paid notification in a local newspaper, website posting, and notification to major local media.
Large Breach Reporting
When a breach affects more than 1,000 Ohio residents in a single occurrence, the entity must also notify all nationwide consumer reporting agencies without unreasonable delay. This notification must include the timing, distribution, and content of the disclosure given to affected residents.
Penalties and Enforcement
The Ohio Attorney General has enforcement authority under ORC 1349.191. The Attorney General may investigate complaints of noncompliance and bring civil actions.
Civil penalties are graduated: up to $1,000 per day for the first 60 days, up to $5,000 per day for days 61 through 90, and up to $10,000 per day after day 90 of intentional or reckless noncompliance with the notification requirements. These penalties are imposed by a court following an Attorney General enforcement action.
Exemptions
Financial institutions that are subject to federal data breach notification requirements and regulatory examination are exempt from ORC 1349.19. Entities with preexisting contractual notification provisions that are consistent with the statute's requirements may also rely on those arrangements.
State Agency Data Breach Notification (ORC 1347.12)
Ohio imposes separate breach notification requirements on state and local government agencies through ORC 1347.12. This statute mirrors many of the requirements in ORC 1349.19 but applies specifically to government entities.
State agencies and political subdivisions that own or license computerized data containing personal information must disclose any breach to affected Ohio residents when the breach causes or is reasonably believed to cause a material risk of identity theft or other fraud.
If a government agency stores data on behalf of another agency, it must notify the data-owning agency in an expeditious manner so that agency can fulfill its own notification obligations.
Civil penalties for government agency noncompliance follow the same structure as private sector penalties. Courts may impose up to $1,000 per day for each day of intentional or reckless noncompliance.
Government Data Practices (ORC Chapter 1347)
ORC Chapter 1347 governs how state agencies manage personal information systems. This statute predates modern data privacy laws and focuses on government accountability for the personal data it collects and maintains.
Individual Rights Under ORC 1347
Ohio residents have specific rights regarding personal information held by state agencies.
Right to know. Any person may request that a state or local agency confirm whether it maintains personal information about that person in its systems.
Right to inspect. The person, their legal guardian, or an authorized attorney may inspect all personal information the agency holds about the individual.
Right to correct. If personal information is inaccurate, the individual may request correction.
Right to challenge. If the agency refuses to correct the information, the individual may submit a statement of disagreement that becomes part of the record.
Confidential Personal Information Rules
Under ORC 1347.15, each state agency must adopt administrative rules under Chapter 119 of the Revised Code regulating access to confidential personal information. These rules must cover both electronic and paper records.
Agencies must maintain logs of access to confidential personal information and establish internal procedures to prevent unauthorized disclosure.
Ohio Consumer Sales Practices Act (ORC Chapter 1345)
Without a comprehensive privacy law, the Ohio Consumer Sales Practices Act (CSPA) serves as the primary enforcement mechanism for privacy violations involving consumer transactions.
The CSPA prohibits unfair or deceptive acts or practices in connection with consumer transactions. The Ohio Attorney General has used this authority to pursue companies that misrepresent their data security practices or fail to protect consumer information.
Privacy Enforcement Under the CSPA
The Attorney General's Office applies the CSPA to data privacy matters in several ways. Companies that promise specific data security protections but fail to deliver can face enforcement actions for deceptive practices. Businesses that collect personal data without adequate disclosures may be found to engage in unfair practices.
In a notable 2024 enforcement action, the Ohio Attorney General participated in a multi-state settlement with Marriott International over data breaches that affected millions of consumers. Marriott paid over $52 million to 49 states, with Ohio receiving more than $1.5 million. The action was based on violations of consumer protection law, including misrepresentations about cybersecurity practices.
Penalties Under the CSPA
The CSPA authorizes significant penalties. Courts may impose civil penalties of up to $25,000 per violation. For violations of court orders (temporary restraining orders, preliminary injunctions, or permanent injunctions), penalties can reach $5,000 per day.
Civil penalties are distributed with 75% going to the state's Consumer Protection Enforcement Fund and 25% to the treasury of the county where the Attorney General's action was brought.
Consumers who suffer harm from CSPA violations may also bring private lawsuits. Remedies include rescission of the transaction, treble damages (three times actual economic damages) or $200 (whichever is greater), plus noneconomic damages up to $5,000.
Insurance Data Security Act (ORC Chapter 3965)
Ohio enacted the Insurance Data Security Act through Senate Bill 273, effective March 20, 2019. This law imposes specific cybersecurity requirements on insurance licensees operating in Ohio.
Key Requirements for Insurance Companies
Licensees must develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards for the protection of nonpublic information.
The program must be based on a risk assessment that identifies reasonably foreseeable internal and external threats, assesses the likelihood and potential damage of those threats, evaluates the sufficiency of existing safeguards, and implements appropriate safeguards to manage identified risks.
Breach Notification for Insurance Companies
Insurance licensees must notify the Superintendent of Insurance as promptly as possible, but no later than three business days after determining that a cybersecurity event has occurred, when either Ohio is the licensee's state of domicile or the event has a reasonable likelihood of materially harming a consumer or a material part of the licensee's normal operations.
HIPAA Compliance Equivalency
A licensee that is subject to and in compliance with the privacy and security rules under 45 C.F.R. Parts 160 and 164 (HIPAA) is deemed to meet the requirements of ORC Chapter 3965, except for the notification provisions. This means HIPAA-compliant entities still must follow Ohio's insurance-specific breach notification rules.
Record Retention
Licensees must maintain all records, schedules, and data supporting their certificate of compliance for a period of five years. Where material improvement areas have been identified, documentation must be made available for inspection by the Ohio Department of Insurance.
Student Data Privacy Protections
Ohio protects student data primarily through ORC 3319.321, which governs the administrative use of public school records.
Confidentiality of Student Records
School records containing personally identifiable information about students, other than designated directory information, require written consent from a parent, guardian, or custodian before they can be released. This aligns with federal Family Educational Rights and Privacy Act (FERPA) requirements and adds state-level enforcement.
Directory information may be released in accordance with FERPA guidelines, but parents retain the right to opt out of directory information disclosure.
Parental Access Rights
The law addresses parental access to student records in custody situations. When a residential parent presents a court order limiting the non-residential parent's access to student records, the record keeper must comply with those limitations.
Identity Theft and Fraud Protections
Ohio addresses identity theft through criminal law under ORC 2913.49, which establishes identity fraud as a criminal offense with graduated penalties.
Penalty Structure
Identity fraud is a felony in Ohio, with the severity depending on the amount of financial harm.
- Baseline offense. Identity fraud is a felony of the fifth degree.
- $1,000 to $7,500 in losses. The offense becomes a felony of the fourth degree.
- $7,500 to $150,000 in losses. The offense becomes a felony of the third degree.
- $150,000 or more in losses. The offense becomes a felony of the first degree when the victim is in a protected class.
Social Security Number Protections
ORC 1349.17 restricts the recording of credit card numbers, telephone numbers, and Social Security numbers during consumer transactions. Businesses involved in credit card transactions may not record a consumer's Social Security number as part of the transaction process.
Federal Framework Coverage
Because Ohio lacks a comprehensive consumer privacy law, federal statutes play a critical role in protecting Ohio residents' data in specific sectors.
HIPAA
The Health Insurance Portability and Accountability Act protects health information held by covered entities, including hospitals, health insurers, and healthcare providers operating in Ohio. HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule establish baseline protections for protected health information.
GLBA
The Gramm-Leach-Bliley Act requires financial institutions doing business in Ohio to provide privacy notices explaining their information-sharing practices and to implement safeguards protecting consumer financial information.
FERPA
The Family Educational Rights and Privacy Act protects student education records at institutions receiving federal funding. Combined with ORC 3319.321, this creates a two-layer protection system for Ohio students' educational records.
COPPA
The Children's Online Privacy Protection Act protects the personal information of children under 13 collected by websites and online services. The Federal Trade Commission enforces COPPA nationally, including for services accessed by Ohio children.
FCRA
The Fair Credit Reporting Act regulates how consumer reporting agencies collect, use, and share consumer credit information. Ohio residents can access free credit reports, dispute inaccurate information, and place fraud alerts through the FCRA framework.
The Path Toward Comprehensive Privacy Legislation
Ohio has made multiple attempts to pass comprehensive consumer privacy legislation, but none have succeeded.
HB 376 (2021) -- Ohio Personal Privacy Act
House Bill 376 was introduced during the 134th General Assembly. It would have established data rights for Ohio consumers and required businesses meeting certain thresholds to adhere to data protection standards. The bill was re-referred to the Rules and Reference committee in February 2022 and died without advancing.
HB 345 (2023) -- Ohio Personal Privacy Act
House Bill 345 was introduced during the 135th General Assembly on November 29, 2023. Like its predecessor, it would have enacted the Ohio Personal Privacy Act, establishing consumer rights similar to those in California, Virginia, and Colorado. The bill was referred to the Government Oversight Committee in December 2023 and died in committee.
Both bills would have applied to businesses conducting business in Ohio with annual gross revenues exceeding $25 million, businesses processing data of 100,000 or more consumers, or businesses deriving over 50% of gross revenue from data sales while processing data of 25,000 or more consumers. They would have granted the Attorney General exclusive enforcement authority with civil penalties including treble damages.
As of March 2026, no comprehensive privacy bill has been reintroduced in the 136th General Assembly.
How Ohio Compares to Other States
Ohio's patchwork approach puts it behind the growing number of states with comprehensive privacy laws. As of 2026, more than 20 states have enacted comprehensive consumer data privacy statutes.
States like California, Virginia, Colorado, Connecticut, and Texas grant consumers explicit rights to access, delete, correct, and opt out of the sale of their personal data.
Ohio residents do not have these broad statutory rights. The rights that exist under ORC Chapter 1347 apply only to personal information held by state government agencies, not to data held by private businesses.
However, Ohio's Data Protection Act safe harbor remains unique. No other state offers the same type of voluntary incentive for businesses to maintain strong cybersecurity programs. This approach reflects a business-friendly philosophy that encourages good cybersecurity practices through legal incentives rather than punitive mandates.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Ohio for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- Ohio Revised Code Chapter 1354 -- Ohio Data Protection Act (codes.ohio.gov)
- Ohio Revised Code Section 1354.02 -- Safe Harbor Requirements (codes.ohio.gov)
- Ohio Revised Code Section 1354.03 -- Reasonable Conformance (codes.ohio.gov)
- Ohio Revised Code Section 1349.19 -- Data Breach Notification (codes.ohio.gov)
- Ohio Revised Code Section 1349.191 -- Investigation of Noncompliance (codes.ohio.gov)
- Ohio Revised Code Section 1349.192 -- Penalties (codes.ohio.gov)
- Ohio Revised Code Chapter 1347 -- Government Data Practices (codes.ohio.gov)
- Ohio Revised Code Section 1347.12 -- State Agency Breach Notification (codes.ohio.gov)
- Ohio Revised Code Section 1347.15 -- Confidential Personal Information Rules (codes.ohio.gov)
- Ohio Revised Code Chapter 1345 -- Consumer Sales Practices Act (codes.ohio.gov)
- Ohio Attorney General -- Consumer Protection Annual Report 2024 (ohioattorneygeneral.gov)
- Ohio Attorney General -- Laws Protecting Consumers (ohioattorneygeneral.gov)
- Senate Bill 220 -- 132nd General Assembly (legislature.ohio.gov)
- Ohio Revised Code Chapter 3965 -- Insurance Data Security Act (codes.ohio.gov)
- Ohio Revised Code Section 3965.04 -- Insurance Breach Notification (codes.ohio.gov)
- Ohio Revised Code Section 3319.321 -- Student Records Protection (codes.ohio.gov)
- Ohio Revised Code Section 2913.49 -- Identity Fraud (codes.ohio.gov)
- Ohio Revised Code Section 1349.17 -- SSN and Credit Card Restrictions (codes.ohio.gov)
- House Bill 376 -- Ohio Personal Privacy Act (134th General Assembly) (legislature.ohio.gov)
- House Bill 345 -- Ohio Personal Privacy Act (135th General Assembly) (legislature.ohio.gov)
- NIST Cybersecurity Framework (nist.gov)
- FedRAMP (fedramp.gov)
- FTC -- COPPA Rule (ftc.gov)