Ohio Data Privacy Laws: Safe Harbor & Consumer Rights (2026)

Ohio has no comprehensive consumer data privacy law, leaving residents without the access, deletion, and opt-out rights available in more than 20 other states. The Ohio Data Protection Act (ORC Chapter 1354) is a voluntary cybersecurity safe harbor for businesses. The breach notification law (ORC 1349.19) requires notice within 45 days.
Ohio takes a patchwork approach to data privacy. Rather than enacting a single comprehensive consumer privacy statute, the state relies on a combination of targeted laws: a first-in-the-nation voluntary cybersecurity safe harbor, a data breach notification requirement, government data practices rules, insurance data security standards, and consumer protection enforcement through the Ohio Consumer Sales Practices Act.
This approach places Ohio behind the growing majority of states. As of May 2026, more than 20 states have enacted comprehensive consumer privacy laws granting residents rights to access, correct, delete, and opt out of the sale of their personal data. Ohio residents have none of those rights against private businesses under state law.
What Ohio does have is substantial. The 2018 Data Protection Act remains unique nationwide, and the state's enforcement agencies have secured meaningful data-breach settlements on behalf of residents. Understanding what the law covers, and where it does not reach, is essential for both businesses operating in Ohio and residents trying to protect their information.
This guide covers every major Ohio statute affecting data privacy, what protections currently exist, how enforcement works, what federal law adds, and where pending legislation stands as of May 2026.
Ohio Data Protection Act: A Voluntary Safe Harbor, Not Consumer Rights (ORC Chapter 1354)
The Ohio Data Protection Act, enacted through Senate Bill 220 and signed on August 3, 2018, is frequently mischaracterized as an Ohio privacy law. It is not a consumer-rights statute. It does not give Ohio residents the right to access, correct, or delete their data. It does not restrict what data businesses can collect.
The law creates a legal benefit for businesses. A covered entity that creates, maintains, and complies with a qualifying written cybersecurity program earns an affirmative defense against tort lawsuits alleging that the failure to implement reasonable information security controls resulted in a data breach. The law took effect on November 2, 2018, and was the first of its kind in the United States.
What the Safe Harbor Covers
Under ORC 1354.02, the affirmative defense is available against causes of action sounding in tort that are brought under Ohio law and allege that inadequate cybersecurity caused a data breach. The defense covers both personal information and restricted information.
The safe harbor is a defense raised in court, not an immunity. A business that suffers a breach cannot simply invoke it to avoid all consequences. It must demonstrate compliance with the statutory requirements. The defense does not block regulatory enforcement actions, breach notification obligations, or claims arising under other statutes.
What a Qualifying Cybersecurity Program Requires
To qualify for the safe harbor, a covered entity must maintain a written cybersecurity program with administrative, technical, and physical safeguards designed to accomplish three objectives. First, protect the security and confidentiality of personal information and restricted information. Second, protect against anticipated threats or hazards to the security or integrity of that information. Third, protect against unauthorized access and acquisition that is likely to result in a material risk of identity theft or other fraud.
The program must be scaled appropriately. Relevant factors include the size and complexity of the covered entity, the nature and scope of its activities, the sensitivity of the information protected, the cost and availability of security tools, and available resources.
Recognized Cybersecurity Frameworks
ORC 1354.02 lists specific frameworks a business may rely on to qualify for the safe harbor.
NIST Cybersecurity Framework. The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.
FedRAMP. The Federal Risk and Authorization Management Program Security Assessment Framework.
CIS Controls. The Center for Internet Security Critical Security Controls for Effective Cyber Defense.
ISO/IEC 27000. The international Information Security Management Systems standards family.
Industry-regulated entities may also use their sector-specific frameworks. HIPAA and HITECH-covered entities can rely on compliance with those rules. GLBA-regulated financial institutions can rely on Title V compliance. Federal agencies and contractors subject to FISMA qualify through that compliance. PCI DSS-compliant entities must also conform to at least one other listed framework.
The Reasonable Conformance Standard
Under ORC 1354.03, the statute requires reasonable conformance, not perfect compliance. When a recognized framework is amended or updated, a covered entity has one year from the effective date of the amendment to conform to the updated version.
Why This Matters for Consumers
Consumers benefit indirectly from the Data Protection Act. Businesses have a financial incentive to invest in cybersecurity because strong programs reduce tort exposure. But the law creates no direct consumer rights. Ohio residents whose data is held by a business that participates in the safe harbor have no right to request access to that data, no right to deletion, and no right to opt out of data sales.
Ohio Data Breach Notification Law (ORC 1349.19)
Ohio's data breach notification law, ORC 1349.19, establishes mandatory notification obligations for businesses and individuals that experience a security breach affecting Ohio residents. The law was originally enacted in 2005 and has been updated since.

Definition of Personal Information
The statute defines personal information as an individual's name combined with any one or more of the following data elements when not encrypted, redacted, or otherwise rendered unreadable or unusable:
- Social Security number
- Driver's license number or state identification card number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password
The encryption safe harbor is significant. If compromised data was encrypted or rendered unreadable at the time of the breach, notification is not required.
Definition of a Breach
A breach of the security of the system means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of an Ohio resident.
Both access and acquisition must occur. Unauthorized system access alone, without evidence that data was actually acquired, does not trigger notification obligations.
45-Day Notification Timeline
Entities must notify affected Ohio residents in the most expedient time possible, but no later than 45 days after discovering the breach. The notification window permits time to determine the scope of the breach, identify affected residents, and restore reasonable system integrity.
Law enforcement agencies may request a delay if notification would impede a criminal investigation. Once law enforcement determines disclosure will no longer compromise the investigation, the 45-day window resumes.
Methods of Notification
The law permits written notice by letter, telephonic notice by phone call, or electronic notice when the entity's primary communication method with the individual is electronic. Substitute notice is available when direct notification costs exceed $250,000, the affected class exceeds 500,000 residents, or the entity lacks sufficient contact information. Substitute notice requires a combination of email notification, conspicuous website posting, and notification to major statewide media.
Small business substitute notice is available when the entity has 10 or fewer employees and notification costs exceed $10,000. This permits a combination of paid local newspaper notification, website posting, and local media notification.
Large Breach Reporting
When a breach affects more than 1,000 Ohio residents in a single occurrence, the entity must also notify all nationwide consumer reporting agencies without unreasonable delay. That notice must include the timing, distribution, and content of the disclosure sent to affected residents.
Penalties and Enforcement
The Ohio Attorney General has enforcement authority under ORC 1349.191. Civil penalties are graduated based on the duration of noncompliance: up to $1,000 per day for the first 60 days, up to $5,000 per day from 60 to 90 days, and up to $10,000 per day after 90 days of intentional or reckless noncompliance. These penalties require a court action brought by the Attorney General.
Exemptions
Financial institutions subject to federal data breach notification requirements and regulatory examination are exempt from ORC 1349.19 (their breach notification obligations fall under the Gramm-Leach-Bliley Act and federal banking regulations). Entities with preexisting contractual notification provisions consistent with the statute may rely on those arrangements.
State Agency Data Breach Notification (ORC 1347.12)
ORC 1347.12 imposes separate and parallel breach notification obligations on Ohio state agencies and political subdivisions. These government entities must disclose any breach to affected Ohio residents when the breach causes or is reasonably believed to cause a material risk of identity theft or other fraud.
When a government agency stores data on behalf of another agency, it must notify the data-owning agency expeditiously so that agency can fulfill its own notification obligations.
The civil penalty structure for government agency noncompliance mirrors the private sector structure: courts may impose up to $1,000 per day for each day of intentional or reckless noncompliance.
Government Data Practices (ORC Chapter 1347)
ORC Chapter 1347 governs how Ohio state agencies collect, maintain, use, and disclose personal information in their systems. This statute predates modern data privacy frameworks and focuses on government accountability.

Individual Rights Against State Agencies
ORC Chapter 1347 gives Ohio residents specific rights regarding personal information held by state agencies. These rights do not extend to private businesses.
Right to know. Any person may request that a state or local agency confirm whether it maintains personal information about that person in its systems.
Right to inspect. The person, their legal guardian, or an authorized attorney may inspect all personal information the agency holds about the individual.
Right to correct. If personal information is inaccurate, the individual may request correction.
Right to challenge. If the agency refuses to correct the information, the individual may submit a statement of disagreement that becomes part of the record.
Confidential Personal Information Rules
Under ORC 1347.15, each state agency must adopt administrative rules under Chapter 119 regulating access to confidential personal information. These rules must cover both electronic and paper records. Agencies must maintain access logs and establish internal procedures preventing unauthorized disclosure.
Ohio Consumer Sales Practices Act: Primary Privacy Enforcement Tool (ORC Chapter 1345)
Without a comprehensive privacy statute, the Ohio Consumer Sales Practices Act (CSPA) is the primary mechanism through which the Ohio Attorney General pursues privacy violations involving consumer transactions.
The CSPA prohibits unfair or deceptive acts or practices in connection with consumer transactions. Companies that promise specific data security protections but fail to deliver can face CSPA enforcement actions for deceptive practices. Businesses that fail to adequately disclose data collection practices may engage in unfair conduct.
Marriott Settlement (October 2024)
In October 2024, the Ohio Attorney General filed suit in Franklin County Common Pleas Court alleging that Starwood and Marriott International violated the CSPA by misrepresenting their cybersecurity practices, which allowed a massive data breach affecting millions of consumers. The parties submitted a consent judgment approved and entered on October 11, 2024. Marriott agreed to strengthen its data-security practices, provide certain consumer protections, and pay $52 million to 49 participating states, with more than $1.5 million going to Ohio.
CSPA Penalty Structure
Courts may impose civil penalties of up to $25,000 per CSPA violation. Violations of court orders (temporary restraining orders, preliminary injunctions, or permanent injunctions) can result in penalties of $5,000 per day. Seventy-five percent of civil penalties go to the state's Consumer Protection Enforcement Fund, with twenty-five percent going to the treasury of the county where the action was brought.
Consumers who suffer harm from CSPA violations may bring private lawsuits and recover rescission of the transaction, treble damages (three times actual economic damages) or $200, whichever is greater, plus noneconomic damages up to $5,000.
Ohio Department of Commerce: Bayview Settlement (January 2025)
The Ohio Department of Commerce, through its Division of Financial Institutions, joined a $20 million multistate enforcement action against Bayview Asset Management LLC and three affiliates (Lakeview Loan Servicing, Community Loan Servicing, and Pingora Holdings) announced January 8, 2025.
State financial regulators in California, Maryland, North Carolina, and Washington State led the coalition of 52 state financial regulatory agencies. Investigators found that Bayview Companies' cybersecurity practices did not meet federal or state requirements, and the companies delayed examination compliance by failing to respond to state requests in a timely manner.
The breach affected approximately 5.8 million customers across the country, including 138,906 Ohio residents. This settlement represents the first collective multistate enforcement action by state financial regulators specifically targeting a mortgage company data breach.
In addition to the $20 million penalty, Bayview agreed to improve its cybersecurity programs, undergo independent assessments, and provide three years of additional reporting to participating states.

Insurance Data Security Act (ORC Chapter 3965)
Ohio enacted the Insurance Data Security Act through Senate Bill 273, effective March 20, 2019. This law, based on the NAIC Insurance Data Security Model Law, imposes specific cybersecurity requirements on insurance licensees operating in Ohio.
Program Requirements
Licensees must develop, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards protecting nonpublic information. The program must be based on a risk assessment that identifies foreseeable internal and external threats, assesses the likelihood and potential damage of those threats, evaluates existing safeguard sufficiency, and implements appropriate controls.
Breach Notification for Insurance Companies
Insurance licensees must notify the Ohio Superintendent of Insurance as promptly as possible, but no later than three business days after determining that a cybersecurity event has occurred, when either Ohio is the licensee's state of domicile or the event has a reasonable likelihood of materially harming a consumer or a material part of the licensee's operations.
HIPAA Compliance Equivalency
A licensee in compliance with HIPAA's privacy and security rules (45 C.F.R. Parts 160 and 164) is deemed to meet the requirements of ORC Chapter 3965, except for the notification provisions. HIPAA-compliant entities still must follow Ohio's insurance-specific breach notification rules.
Record Retention
Licensees must maintain all records, schedules, and data supporting their certificate of compliance for five years. Documentation of material improvement areas must be available for inspection by the Ohio Department of Insurance.
Student Data Privacy (ORC 3319.321 and FERPA)
ORC 3319.321 governs the administrative use of public school records. Student records containing personally identifiable information, other than designated directory information, require written consent from a parent, guardian, or custodian before release. This aligns with and supplements federal Family Educational Rights and Privacy Act (FERPA) requirements.
Directory information may be released consistent with FERPA guidelines, but parents retain the right to opt out of directory information disclosure. When a residential parent presents a court order limiting a non-residential parent's access to student records, the record keeper must comply with those limitations.

Identity Theft and Fraud Protections
Identity Fraud Criminal Statute (ORC 2913.49)
ORC 2913.49 establishes identity fraud as a felony in Ohio. The severity of the offense depends on the financial harm caused.
- Baseline offense: felony of the fifth degree
- $1,000 to $7,500 in losses: felony of the fourth degree
- $7,500 to $150,000 in losses: felony of the third degree
- $150,000 or more in losses when the victim is in a protected class: felony of the first degree
Social Security Number Restrictions (ORC 1349.17)
ORC 1349.17 restricts the recording of Social Security numbers, credit card numbers, and telephone numbers during consumer transactions. Businesses involved in credit card transactions may not record a consumer's Social Security number as part of that transaction process.
Ohio Privacy Act (HB 801, 136th General Assembly): Narrow Pending Legislation
House Bill 801, introduced by Representative Russo on March 27, 2026, and referred to the House Committee on Technology and Innovation on May 13, 2026, would enact section 149.61 of the Ohio Revised Code and is named the Ohio Privacy Act.
The scope of HB 801 is narrow. The bill targets state government entities, barring them from collecting, recording, or sharing an individual's identifying information or personal data with out-of-state entities except where otherwise required by law or permitted for government operations. It is not a comprehensive consumer privacy statute granting individual rights against private businesses.
HB 801 should not be confused with the broader consumer privacy frameworks enacted in California, Virginia, Colorado, or Texas. It addresses a specific concern about state government sharing resident data across state lines, not the full spectrum of consumer data rights.
As of May 2026, the bill remains pending before the House Committee on Technology and Innovation with no scheduled hearings announced.
Ohio's Failed Attempts at Comprehensive Privacy Legislation
Ohio has made multiple attempts to pass comprehensive consumer privacy legislation. None have succeeded.
HB 376 (134th General Assembly, 2021)
House Bill 376 was introduced during the 134th General Assembly and would have established the Ohio Personal Privacy Act with data rights for Ohio consumers. The bill was re-referred to the Rules and Reference Committee in February 2022 and died without advancing to a floor vote.
HB 345 (135th General Assembly, 2023)
House Bill 345 was introduced during the 135th General Assembly on November 29, 2023, and would have enacted the Ohio Personal Privacy Act establishing consumer rights similar to those in California, Virginia, and Colorado. The bill was referred to the Government Oversight Committee in December 2023 and died in committee.
Both bills would have applied to businesses conducting business in Ohio that either had annual gross revenues exceeding $25 million, processed data of 100,000 or more consumers, or derived more than 50% of gross revenue from data sales while processing data of 25,000 or more consumers. Both would have granted the Attorney General exclusive enforcement authority.
As of May 2026, no comprehensive consumer privacy bill has advanced in the 136th General Assembly.
How Ohio Compares to Other States
Ohio's patchwork approach puts it behind states with comprehensive privacy laws. As of May 2026, more than 20 states have enacted comprehensive consumer data privacy statutes.
California residents have the broadest rights in the nation under CCPA and CPRA, enforced by the dedicated California Privacy Protection Agency. Virginia, Colorado, Connecticut, Texas, and more than 15 other states grant consumers explicit rights to access, delete, correct, and opt out of the sale and sharing of personal data.
Ohio residents have none of those rights against private businesses under state law. The rights available under ORC Chapter 1347 apply only to personal information held by state government agencies.
Ohio's Data Protection Act safe harbor remains unique nationwide. No other state offers the same voluntary cybersecurity incentive structure for businesses. The approach reflects a business-friendly philosophy that uses legal incentives rather than punitive mandates.
Federal Framework: What Applies to Ohio Residents
Because Ohio lacks a comprehensive consumer privacy law, federal statutes play a critical role in data protection for Ohio residents in specific sectors.

HIPAA
The Health Insurance Portability and Accountability Act protects health information held by covered entities including hospitals, health insurers, and healthcare providers operating in Ohio. HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule establish baseline protections for protected health information nationwide.
GLBA
The Gramm-Leach-Bliley Act requires financial institutions doing business in Ohio to provide privacy notices explaining their information-sharing practices and to implement safeguards protecting consumer financial information. GLBA-regulated entities are exempt from Ohio's breach notification law because they operate under equivalent federal requirements.
FERPA
The Family Educational Rights and Privacy Act protects student education records at institutions receiving federal funding. Combined with ORC 3319.321, this creates a two-layer protection system for Ohio students' educational records.
COPPA
The Children's Online Privacy Protection Act protects the personal information of children under 13 collected by websites and online services. The Federal Trade Commission enforces COPPA nationally, including for services accessed by Ohio children. The FTC updated COPPA rules in 2024 with stronger protections for child data in ed-tech and online platforms.
FCRA
The Fair Credit Reporting Act regulates how consumer reporting agencies collect, use, and share consumer credit information. Ohio residents can access free credit reports, dispute inaccurate information, and place fraud alerts through the FCRA framework, regardless of state law.
FTC Act Section 5
The Federal Trade Commission enforces Section 5 of the FTC Act against unfair or deceptive acts or practices affecting commerce. The FTC has used this authority to bring enforcement actions against companies that misrepresent their data security practices or fail to implement reasonable security, providing a federal backstop for Ohio residents.
TAKE IT DOWN Act (Pub. L. 119-12)
The TAKE IT DOWN Act, signed into law on May 19, 2025, criminalizes the publication of nonconsensual intimate visual depictions, including AI-generated deepfakes. The Act requires covered online platforms to establish processes for users to request removal of nonconsensual intimate images and to remove those images (and known identical copies) within 48 hours of a valid notice.
The FTC is the enforcement agency. The platform takedown obligations took effect on May 19, 2026, and platforms that fail to comply face civil penalties of up to $53,088 per violation. Ohio residents who are victims of nonconsensual intimate image sharing can submit removal requests directly to covered platforms under this federal law.
American Privacy Rights Act (APRA): Did Not Pass
The American Privacy Rights Act, a bipartisan bicameral draft released in April 2024, would have established a federal comprehensive privacy framework. The bill did not advance to a floor vote in the 118th Congress and expired when that Congress ended in January 2025. As of May 2026, APRA has not been reintroduced in the 119th Congress. Ohio residents should not anticipate any federal comprehensive privacy legislation in the near term.
Practical Guidance: Businesses Operating in Ohio
Businesses that handle personal information of Ohio residents face several concrete obligations even without a comprehensive privacy law.
Step 1: Implement a written cybersecurity program. Adopt and document a program that reasonably conforms to one of the recognized frameworks in ORC 1354.02. This is the condition for the Data Protection Act safe harbor.
Step 2: Establish a breach response plan. Document your procedure for identifying, assessing, and responding to data breaches. Build in the 45-day notification clock required by ORC 1349.19 and plan for the 1,000-resident threshold triggering consumer reporting agency notification.
Step 3: Audit your privacy disclosures. Under the CSPA, misrepresentations about data security practices are actionable. Ensure your privacy policy and consumer communications accurately reflect your actual data handling and security practices.
Step 4: Assess federal overlay obligations. If you handle health data, financial data, education records, or children's data, identify your specific obligations under HIPAA, GLBA, FERPA, or COPPA. These operate independently of state law.
Step 5: Monitor Ohio legislative developments. HB 801 is pending and concerns state government data sharing, not private businesses. However, the 136th General Assembly could introduce broader consumer privacy legislation. Ohio's failure to pass HB 376 and HB 345 does not preclude future attempts.
Step 6: Check TAKE IT DOWN Act compliance. If you operate an online platform where users share content, assess whether you are a covered platform under the Act and whether your notice-and-removal process meets the 48-hour requirement.
How Ohio Residents Can Exercise Existing Rights
Ohio residents have fewer self-help tools than residents of comprehensive-privacy-law states. However, several avenues are available.
Data held by state agencies. Under ORC Chapter 1347, request confirmation, inspection, and correction of personal information held by any Ohio state agency or political subdivision. Contact the relevant agency's records office directly.
Credit and financial data. Under the FCRA, request your free annual credit reports from AnnualCreditReport.com, dispute inaccurate information with consumer reporting agencies, and place fraud alerts or credit freezes if you suspect identity theft.
Health data. Under HIPAA, request access to and copies of your medical records from covered healthcare providers. You can also request accounting of disclosures and restrict certain uses of your information.
Data breach notification. If a company you do business with suffers a breach, Ohio law requires notification within 45 days. If you believe notification was unreasonably delayed, you can file a complaint with the Ohio Attorney General's Consumer Protection Section.
Federal privacy complaints. File complaints with the FTC at ReportFraud.ftc.gov for deceptive data practices, with the CFPB for financial data issues, and with the FTC for COPPA violations involving children's data.
Nonconsensual intimate imagery. Under the TAKE IT DOWN Act, submit a removal request directly to the platform. If the platform fails to act within 48 hours, you can report violations to the FTC.
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Ohio for advice about your specific situation. Last reviewed: May 2026.
Frequently Asked Questions
Does Ohio have a comprehensive consumer data privacy law?
No. As of May 2026, Ohio does not have a comprehensive consumer data privacy law. Ohio residents lack the broad access, deletion, correction, and opt-out rights available in California, Virginia, Colorado, Texas, and more than 20 other states. Ohio has attempted to pass the Ohio Personal Privacy Act through HB 376 (2021) and HB 345 (2023), both of which died in committee. A new bill, HB 801 (136th GA), is pending but is narrowly focused on state government data sharing, not consumer rights.
What is the Ohio Data Protection Act and does it protect consumers?
The Ohio Data Protection Act (ORC Chapter 1354, effective November 2, 2018) is a voluntary safe-harbor law for businesses. It provides an affirmative defense to tort lawsuits when a business maintains a qualifying written cybersecurity program conforming to a recognized framework like NIST, ISO/IEC 27000, or CIS Controls. It does NOT grant consumers any rights to access, correct, delete, or opt out of the use of their personal data. Ohio residents receive no direct benefit from the law other than the indirect effect of encouraging better business cybersecurity.
How quickly must Ohio businesses notify residents after a data breach?
Under ORC 1349.19, businesses must notify affected Ohio residents as quickly as possible but no later than 45 days after discovering the breach. Notification may be by written letter, telephone, or electronic means. When a breach affects more than 1,000 Ohio residents, the entity must also notify all nationwide consumer reporting agencies. Law enforcement may request a delay if notification would compromise a criminal investigation.
What is Ohio HB 801 and is it a consumer privacy law?
Ohio HB 801, introduced March 27, 2026, and referred to the House Committee on Technology and Innovation on May 13, 2026, would enact ORC section 149.61 as the Ohio Privacy Act. It is not a comprehensive consumer privacy statute. The bill would restrict Ohio state government entities from collecting, recording, or sharing personal data with out-of-state entities except as required by law or for government operations. It addresses government data practices, not the rights of consumers against private businesses.
What penalties apply to Ohio data privacy violations?
Penalties depend on the statute. Under the breach notification law (ORC 1349.19), civil penalties for intentional or reckless noncompliance reach up to $1,000 per day for the first 60 days, $5,000 per day from 60 to 90 days, and $10,000 per day after 90 days. Under the Consumer Sales Practices Act (ORC Chapter 1345), courts can impose civil penalties of up to $25,000 per violation and $5,000 per day for violations of court orders. Insurance licensees under ORC Chapter 3965 have their own penalty structure enforced by the Ohio Department of Insurance.
What federal laws protect Ohio residents' data privacy?
Several federal laws fill significant gaps in Ohio state coverage. HIPAA protects health information held by covered entities. The Gramm-Leach-Bliley Act covers financial institutions. FERPA protects student education records. COPPA covers children's online data collection. The FTC Act Section 5 applies to deceptive or unfair data practices. The TAKE IT DOWN Act (platform obligations effective May 19, 2026) requires removal of nonconsensual intimate imagery within 48 hours. The American Privacy Rights Act did not pass and has not been reintroduced.
What did the Bayview settlement mean for Ohio residents?
The Ohio Department of Commerce joined a $20 million multistate settlement with Bayview Asset Management LLC and affiliates, announced January 8, 2025. A data breach at those mortgage companies affected 138,906 Ohio residents. The settlement required Bayview to improve its cybersecurity practices, undergo independent assessments, and provide affected consumers with credit monitoring services. The action was led by state financial regulators in California, Maryland, North Carolina, and Washington State as a multistate coalition.
Can Ohio residents opt out of data sales to third parties?
Not under Ohio state law. There is no Ohio statute that grants residents the right to opt out of the sale or sharing of their personal data by private businesses. Ohio residents can limit data sharing in federally regulated sectors: they can opt out of certain information-sharing by financial institutions under GLBA, and they can direct healthcare providers not to share information for marketing under HIPAA. Comprehensive opt-out rights require either a federal law (which does not currently exist) or the enactment of a comprehensive Ohio consumer privacy statute.
Sources and References
- Ohio Revised Code Chapter 1354 -- Ohio Data Protection Act (codes.ohio.gov)
- Ohio Revised Code Section 1354.02 -- Safe Harbor Requirements (codes.ohio.gov)
- Ohio Revised Code Section 1354.03 -- Reasonable Conformance (codes.ohio.gov)
- Ohio Revised Code Section 1349.19 -- Data Breach Notification (codes.ohio.gov)
- Ohio Revised Code Section 1349.191 -- Investigation of Noncompliance (codes.ohio.gov)
- Ohio Revised Code Section 1349.192 -- Penalties (codes.ohio.gov)
- Ohio Revised Code Chapter 1347 -- Government Data Practices (codes.ohio.gov)
- Ohio Revised Code Section 1347.12 -- State Agency Breach Notification (codes.ohio.gov)
- Ohio Revised Code Section 1347.15 -- Confidential Personal Information Rules (codes.ohio.gov)
- Ohio Revised Code Chapter 1345 -- Consumer Sales Practices Act (codes.ohio.gov)
- Ohio Attorney General -- Consumer Protection Annual Report 2024 (ohioattorneygeneral.gov)
- Ohio Attorney General -- Laws Protecting Consumers (ohioattorneygeneral.gov)
- Senate Bill 220 -- 132nd General Assembly (legislature.ohio.gov)
- Ohio Revised Code Chapter 3965 -- Insurance Data Security Act (codes.ohio.gov)
- Ohio Revised Code Section 3965.04 -- Insurance Breach Notification (codes.ohio.gov)
- Ohio Revised Code Section 3319.321 -- Student Records Protection (codes.ohio.gov)
- Ohio Revised Code Section 2913.49 -- Identity Fraud (codes.ohio.gov)
- Ohio Revised Code Section 1349.17 -- SSN and Credit Card Restrictions (codes.ohio.gov)
- House Bill 376 -- Ohio Personal Privacy Act (134th General Assembly) (legislature.ohio.gov)
- House Bill 345 -- Ohio Personal Privacy Act (135th General Assembly) (legislature.ohio.gov)
- NIST Cybersecurity Framework (nist.gov)
- FedRAMP (fedramp.gov)
- FTC -- COPPA Rule (ftc.gov)
- House Bill 801 -- Ohio Privacy Act (136th General Assembly) (legislature.ohio.gov)
- Ohio Department of Commerce -- Bayview $20M Multistate Settlement (January 2025) (com.ohio.gov)
- Ohio Attorney General -- Consumer Protection Laws (ohioattorneygeneral.gov)
- FTC -- TAKE IT DOWN Act Enforcement (May 2026) (ftc.gov)
- FTC -- TAKE IT DOWN Act Statute Page (ftc.gov)
- IAPP -- Analysis: Ohio's Data Protection Act (iapp.org)