Ohio Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Ohio stands out as a state that has taken a unique approach to data security without directly addressing biometric privacy. While many states have moved toward comprehensive consumer privacy laws or dedicated biometric statutes, Ohio has instead focused on incentivizing good cybersecurity practices through its first-in-the-nation safe harbor law.
If you are looking for an overview of Ohio's broader data protection landscape, see the parent guide to [Ohio Data Privacy Laws](/us-laws/data-privacy-laws/ohio-data-privacy-laws).
Ohio Does Not Have a Dedicated Biometric Privacy Law
Ohio has not enacted a standalone biometric privacy statute. Unlike Illinois, which passed the Biometric Information Privacy Act (BIPA) in 2008, or Texas, which enacted its Capture or Use of Biometric Identifier Act, Ohio has no law that specifically regulates how private businesses collect, store, use, or destroy biometric identifiers like fingerprints, facial geometry, iris scans, or voiceprints.
This means that in Ohio, private companies can generally collect and use biometric data without obtaining specific written consent, without providing a biometric data retention schedule, and without offering individuals a private right of action if their biometric information is mishandled.
Ohio residents who interact with biometric systems at retail stores, gyms, banks, or through smartphone applications do not have state-level biometric privacy rights comparable to what residents of Illinois, Texas, or Washington enjoy.

Breach Notification Law: Biometric Data Is Not Covered
Ohio's breach notification statute, ORC Section 1349.19, requires businesses to notify Ohio residents when a security breach compromises their unencrypted, unredacted personal information and the breach causes, or is reasonably believed to cause, a material risk of identity theft or other fraud. Notice must be given in the most expedient time possible and no later than 45 days after the breach is discovered. The law has been in effect since March 30, 2007.
However, the statute defines "personal information" narrowly: an individual's name (first name or initial and last name) in combination with one or more of the following data elements, where neither the name nor the element is encrypted, redacted, or otherwise rendered unreadable:
- Social Security numbers
- Driver's license or state identification card numbers
- Account numbers, credit card numbers, or debit card numbers, in combination with any required security code, access code, or password that would permit access to the individual's financial account
Biometric identifiers are notably absent from this list. A breach that exposes fingerprint databases, facial recognition templates, or iris scan records does not trigger notification obligations under ORC 1349.19 unless the individual's name together with one of the listed data elements is also compromised. A business that stores biometric templates alongside account credentials or identity documents should treat the whole record set as in scope, because the listed elements, not the biometric data, decide whether notice is owed.
The Ohio Attorney General enforces the breach notification law and can bring civil actions against businesses that fail to notify affected individuals.
The Ohio Data Protection Act: A Safe Harbor, Not a Privacy Law
Ohio made national headlines in 2018 when Governor John Kasich signed Senate Bill 220, creating the Ohio Data Protection Act (ODPA), codified in ORC Chapter 1354 and effective November 2, 2018. Ohio was the first state in the nation to offer a legal safe harbor for businesses that implement recognized cybersecurity frameworks.
The ODPA does not create new consumer privacy rights. Instead, it provides an affirmative defense to tort claims, brought under Ohio law or in Ohio courts, that allege a failure to implement reasonable information security controls resulted in a data breach. A business that creates, maintains, and complies with a written cybersecurity program that reasonably conforms to a recognized industry framework can raise that compliance as a defense. Under ORC 1354.02 the program must be designed to protect the security and confidentiality of the information, protect against anticipated threats to its security or integrity, and protect against unauthorized access likely to result in a material risk of identity theft or other fraud, and its scale and scope must be appropriate to the size and complexity of the business, the nature of its activities, the sensitivity of the information, and the cost and availability of tools. The defense does not reach contract or statutory claims, and it does not limit what a business may collect.
Recognized Cybersecurity Frameworks
Under ORC Section 1354.03, the following frameworks qualify for safe harbor protection:
Industry frameworks:
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- NIST Special Publication 800-171
- NIST Special Publications 800-53 and 800-53a
- FedRAMP Security Assessment Framework
- Center for Internet Security (CIS) Critical Security Controls
- ISO/IEC 27000 family of standards
Regulatory compliance frameworks:
- HIPAA Security Rule (45 CFR Part 164 Subpart C)
- Gramm-Leach-Bliley Act Title V
- Federal Information Security Modernization Act (FISMA) of 2014
- HITECH Act
The PCI Data Security Standard also qualifies, but only when combined with one of the industry frameworks above. Conformance is measured against the current version of the chosen framework: when a final revision of a framework is published, the business has one year from the revision's publication date to bring its program into conformance with the revised version (ORC 1354.03).
How the Safe Harbor Applies to Biometric Data
The ODPA covers both "personal information" (as defined in ORC 1349.19) and "restricted information," which ORC 1354.01 defines as any other information about an individual that, alone or in combination with other information, can be used to distinguish or trace the individual's identity or is linked or linkable to the individual, provided the information is not encrypted or redacted and its breach is likely to result in a material risk of identity theft or other fraud.
Biometric data could potentially fall under the "restricted information" category. A business that collects biometric data and maintains a cybersecurity program conforming to NIST or ISO 27000 standards would be better positioned to defend against tort claims if that biometric data were breached.
However, this is a defense mechanism, not a rights-granting statute. The ODPA does not require consent for biometric data collection, does not mandate retention schedules, and does not give individuals the right to request deletion of their biometric information.

Insurance Data Security Act: The Exception for Biometric Records
The one Ohio statute that explicitly mentions biometric data is the Insurance Data Security Act, ORC Chapter 3965.
Under ORC Section 3965.01, the definition of "nonpublic information" includes an individual's data when combined with "biometric records." Insurance licensees must implement cybersecurity programs that protect this nonpublic information, including biometric records.
The law also recognizes biometric characteristics as a valid authentication factor. ORC 3965.01 defines multifactor authentication as verification of at least two of three factor types: knowledge factors such as a password, possession factors such as a token or a text message to a mobile phone, and "inherence factors, such as a biometric characteristic." Under ORC 3965.02, licensees must use effective access controls, which may include multifactor authentication, for any individual accessing nonpublic information.
Insurance licensees must notify the Ohio Superintendent of Insurance within three business days of determining that a cybersecurity event has occurred that involves nonpublic information, including biometric records.
This law only applies to entities licensed under Ohio insurance regulations. It does not extend biometric protections to the general public or to industries outside the insurance sector.
Employer Use of Biometric Data in Ohio
Ohio does not regulate employer collection or use of biometric data in the workplace. There is no state law requiring employers to:
- Provide written notice before collecting fingerprints, facial scans, or other biometric identifiers
- Obtain employee consent before enrolling them in biometric timekeeping or access control systems
- Publish a biometric data retention and destruction schedule
- Limit the sharing or sale of employee biometric data to third parties
Ohio employers commonly use fingerprint scanners for time and attendance tracking, facial recognition for building access, and palm vein readers for secure facility entry. None of these practices are specifically regulated by Ohio state law.
Employees who believe their biometric data has been misused may explore claims under general Ohio tort law, such as invasion of privacy or negligence, but these claims require meeting traditional tort elements and do not carry the statutory damages available under laws like Illinois BIPA.
Federal laws like HIPAA (for healthcare settings) or the Americans with Disabilities Act (which restricts certain medical examinations) may apply in specific workplace contexts, but these are not Ohio-specific biometric privacy protections.
Age Verification and Biometric Facial Estimation
Ohio House Bill 96, signed into law on June 30, 2025 and effective September 30, 2025, requires websites that publish material harmful to minors to verify that visitors are at least 18 years old.
The law permits "visual age verification software" as one approved method of age verification. This refers to biometric facial age estimation technology that analyzes facial features to approximate a person's age.
HB 96 includes a notable data minimization requirement: any data collected during age verification must be deleted immediately after verification is complete, unless the data is needed for account subscription or billing purposes. This represents one of the few instances where Ohio law directly addresses the handling of biometric-adjacent data.

Failed Attempts at Comprehensive Privacy Legislation
Ohio has considered comprehensive consumer privacy legislation multiple times, and each attempt has stalled:
HB 376 (134th General Assembly, 2021-2022). The first version of the Ohio Personal Privacy Act was introduced in July 2021. It did not advance out of committee.
HB 345 (135th General Assembly, 2023-2024). A revised version of the Ohio Personal Privacy Act was introduced in November 2023. This bill would have applied to businesses with $25 million or more in Ohio revenue, or those processing personal data of 100,000 or more Ohio consumers. The bill was referred to the Government Oversight Committee, where it died without a vote.
136th General Assembly (2025-2026). As of March 2026, no comprehensive consumer data privacy bill has been introduced in the current legislative session. The HB 345 number in the 136th General Assembly was assigned to an unrelated bill concerning voyeurism penalties.
Had any of these bills passed, they would likely have classified biometric data as sensitive personal data requiring opt-in consent, similar to the approach taken by Virginia, Colorado, and Connecticut.
How Ohio Compares to Other States
Ohio's lack of biometric privacy protections places it in the minority among states that have significant technology sectors and large populations.
States with dedicated biometric privacy statutes. Illinois, Texas, and Washington all have standalone biometric privacy laws with specific consent, notice, and data handling requirements.
States with comprehensive privacy laws covering biometrics. More than 20 states now have comprehensive consumer privacy laws that classify biometric data as sensitive data. These include California, Virginia, Colorado, Connecticut, and Kentucky, among others.
States in a similar position to Ohio. A shrinking number of states still lack both a dedicated biometric privacy statute and a comprehensive consumer privacy law. Ohio is unusual because it has an innovative cybersecurity safe harbor law but has not translated that into direct consumer privacy protections for biometric data.
Ohio's Data Protection Act safe harbor remains a distinctive feature. Ohio was the first state to offer this kind of affirmative defense, and a handful of states, including Utah, Connecticut, and Iowa, have since enacted safe harbors modeled on it. The approach encourages data security investment but does not grant individuals control over their biometric information.
More Ohio Laws
- Ohio Recording Laws
- Ohio Data Privacy Laws
- Ohio Dog Bite Laws
Sources and References
This article references Ohio statutes and official state government publications. For the full text of Ohio's breach notification law, visit ORC Section 1349.19 on the Ohio Legislature's website. For the Ohio Data Protection Act, see ORC Chapter 1354. For the Insurance Data Security Act, see ORC Chapter 3965. For information about Ohio's cybersecurity safe harbor, review the Senate Bill 220 summary from the Ohio Legislature.
This article provides general legal information about Ohio biometric privacy laws and data protection. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Ohio government sources.
- Ohio breach notification statute, ORC 1349.19 (codes.ohio.gov)
- Ohio Data Protection Act, ORC Chapter 1354 (codes.ohio.gov)
- Ohio Data Protection Act safe harbor requirements (codes.ohio.gov)
- Ohio Data Protection Act recognized frameworks (codes.ohio.gov)
- Ohio Data Protection Act definitions (codes.ohio.gov)
- Ohio Insurance Data Security Act, ORC Chapter 3965 (codes.ohio.gov)
- Senate Bill 220, Ohio Data Protection Act (legislature.ohio.gov)
- Ohio HB 96 age verification law (legislature.ohio.gov)
- Ohio HB 345, Ohio Personal Privacy Act, 135th General Assembly (legislature.ohio.gov)
- Ohio Attorney General (ohioattorneygeneral.gov)