Ohio lawmakers are giving big tech companies a gift in the form of the Ohio Personal Privacy Act. This law purports to strike a balance between consumer protection and company demands. Instead, it stacks the deck even further against individuals who want to protect their privacy.
The OPPA would enshrine privacy violating practices from Big Tech and other companies, and place the responsibility for managing privacy entirely on individuals—without actually improving protections for the people of Ohio or offering them a way to stand up for their own privacy. If it is not substantially improved before it is enacted, it risks locking in industry-friendly provisions that would directly benefit tech giants such as Facebook, Google, and Amazon. In many ways, passing this bill would be worse for the everyday consumer than passing nothing at all.
Ohio: Tell Your Lawmakers to Stop the OPPA
For example, the bill purports to provide consumers with the option to opt-out of targeted advertising, one of the Big Tech practices that, unchecked, causes the most harm to privacy today. However, the language in the bill is ambiguous enough that large firms such as Facebook and Google might be able to continue business as usual—and maybe even entrench their hold on the advertising market.
It also offers any company a safe harbor from the law—meaning they are not subject to its requirements—if it can prove it complies with the National Institute of Standards and Technology (NIST) framework for privacy. NIST’s Privacy Framework advises companies on ways to categorize and maintain information, but is insufficient as a stand-in for a privacy law. In other words, this is yet another way that the OPPA sets up very limited protections and then gives companies a huge backdoor to route around them.
For these reasons, we believe that while the bill includes some language affording Ohioans new privacy rights, its loopholes and sweetheart deals would actually hurt privacy in Ohio more than it would help.
We have broader issues with the OPPA as written, and urge the legislature to strengthen it. In many respects, the Ohio law is similar to a state privacy law EFF opposed last year in Virginia. As with that privacy bill, the language in the Ohio bill falls far short of all the metrics that EFF would consider a strong consumer data privacy law in many other ways.
For one, it expressly allows for discrimination against those who exercise their privacy rights, saying that companies can charge them more (or offer them less) if they act to protect their privacy. It also sets down an “opt-out” framework that puts the onus on consumers to maintain their privacy, rather than using an “opt-in” framework that would requires businesses to ask first before collecting, selling, or sharing information. And it fails to give people any mechanism to protect their own privacy rights through lawsuits—as is a common and best practice in many existing privacy laws.
Ohio’s lawmakers are right to recognize the need to address privacy, and for wanting to hold big technology firms to account for their actions. Ohio has a chance to become a leader in state privacy, if it passes a strong bill that provides this accountability.
But the Ohio Personal Privacy Act, as written, will not set a new high standard. Instead, it will allow companies to continue as usual and possibly lower the bar on privacy protections. In truth, the people of Ohio would be better off with nothing than with this so-called privacy protection act. We urge all Ohioans to write to their legislators and ask them not to advance the OPPA.