As Introduced

136th General Assembly

Regular Session H. B. No. 801

2025-2026

Representative Russo

Cosponsors: Representatives Jarrells, Humphrey, Mohamed, Piccolantonio, Lawson-Rowe, Cockley, Somani, Abdullahi, Sigrist, Lett, Rader, Brennan, Glassburn, Brent, Robinson, Upchurch, Synenberg, Brewer, Troy, Isaacsohn, Thomas, C., Bryant Bailey, Baker, Brownlee, Sims, Hall, D., Tims, White, E., Rogers, Grim, Miller, J., McNally, Sweeney


To enact section 149.61 of the Revised Code regarding the provision of personal data to out-of-state entities and to name this act the Ohio Privacy Act.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

Section 1. That section 149.61 of the Revised Code be enacted to read as follows:

Sec. 149.61. (A) As used in this section:

(1) "Deidentified data" means personal information or data that cannot reasonably be used to infer information about, or otherwise linked to, a particular individual or household.

(2) "Private information" means data about an individual that is not a public record, as that term is defined in section 149.43 of the Revised Code.

(3) "State agency" has the same meaning as in section 1.60 of the Revised Code and includes any employees or agents thereof.

(B)(1) A state agency shall not collect private information pertaining to individuals beyond what is necessary to perform its functions and duties, including meeting any reporting requirements.

(2) A state agency shall not collect private information related to an individual's citizenship or immigration status, unless required by state or federal law.

(C)(1) Except as permitted by this section or when required by federal law, no state agency shall disclose private information for any purpose not directly connected with the administration of the state agency's programs.

(2) An entity that receives private information for a purpose directly connected with the administration of a state agency's programs shall agree to all of the following:

(a) To not share the private information further;

(b) To only use the private information for a purpose directly connected with the administration of a state agency's programs;

(c) That misuse of private information terminates the information sharing agreement and that the entity may be liable to the state agency for any penalties the state agency faces pursuant to division (F) of this section if the entity improperly shares or uses the private information.

(3) A state agency shall post any active information sharing agreements on the state agency's web site and list what type of information will be shared, the entity with which it will be shared, and the stated purpose of the information sharing agreement.

(D)(1) A state agency may share private information as deidentified data that is aggregated to the greatest extent allowable while still in compliance with federal law, if sharing the data would benefit the administration or execution of a public service.

(2) A state agency may share private information in any of the following circumstances:

(a) The consent of the individual whose private information would be disclosed is obtained.

(b) A warrant is signed by a judge of this state or a federal judge.

(c) A lawful court order is administered by a court within this state or by a federal court.

(d) A subpoena is administered within this state, or a federal subpoena is administered.

(E) If a state agency receives a request that may be in furtherance of an activity prohibited by this section, the state agency shall refer the request to the attorney general. Upon receipt of the referral, the attorney general shall assess the lawfulness of the request and direct the state agency to deny or grant the request as appropriate.

(F)(1) An individual harmed as a result of a violation of this section has a cause of action and is entitled to relief as follows:

(a) For a violation of division (C)(3) of this section, three hundred dollars per violation;

(b) For a violation of division (B) of this section, one hundred dollars per violation;

(c) For a violation of division (C)(1), (C)(2), or (D) of this section, seven hundred fifty dollars per violation.

(2) In addition to the amounts provided in division (F)(1) of this section, a court may award to the plaintiff an additional one thousand dollars per violation if the court finds by a preponderance of evidence that the violation occurred as a result of the intentional, willful, or wanton disregard of this section.

(3) Nothing in this section shall be construed to preclude an individual from recovering actual damages that stem from a violation of this section.

(G) It is the intent of the general assembly in enacting this section to recognize this state's compelling interest in protecting the privacy and personal information of its residents from government overreach.

Section 2. This act shall be known as the Ohio Privacy Act.