As Introduced

136th General Assembly

Regular Session H. B. No. 807

2025-2026

To amend sections 1347.01, 1347.10, and 1347.99 and to enact section 1347.072 of the Revised Code to prohibit various government and private entities from selling sensitive personal data to a data broker or private entity with the intent of generating profit, unless used for a permitted purpose.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

Section 1. That sections 1347.01, 1347.10, and 1347.99 be amended and section 1347.072 of the Revised Code be enacted to read as follows:

Sec. 1347.01. As used in this chapter, except as otherwise provided:

(A) "State agency" means the office of any elected state officer and any agency, board, commission, department, division, or educational institution of the state.

(B) "Local agency" means any municipal corporation, school district, special purpose district, or township of the state or any elected officer or board, bureau, commission, department, division, institution, or instrumentality of a county.

(C) "Special purpose district" means any geographic or political jurisdiction that is created by statute to perform a limited and specific function, and includes, but is not limited to, library districts, conservancy districts, metropolitan housing authorities, park districts, port authorities, regional airport authorities, regional transit authorities, regional water and sewer districts, sanitary districts, soil and water conservation districts, and regional planning agencies.

(D) "Maintains" means state or local agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state or local agency depositing of information with a data processing center for storage, processing, or dissemination. An agency "maintains" all systems of records that are required by law to be kept by the agency.

(E) "Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. "Personal information" includes sensitive data.

(F) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include collected archival records in the custody of or administered under the authority of the Ohio history connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.

(G) "Interconnection of systems" means a linking of systems that belong to more than one agency, or to an agency and other organizations, which linking of systems results in a system that permits each agency or organization involved in the linking to have unrestricted access to the systems of the other agencies and organizations.

(H) "Combination of systems" means a unification of systems that belong to more than one agency, or to an agency and another organization, into a single system in which the records that belong to each agency or organization may or may not be obtainable by the others.

(I) "Sensitive data" includes any information regarding an individual's name, date of birth, social security number, telephone number, character, general reputation, personal characteristics, immigration status, facial recognition data, or mode of living.

(J) "Permitted use" includes the evaluation of credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; in the valuation of a potential investor or servicer; a local child support enforcement agency establishing an individual's capacity to make child support payments or determining the appropriate level of such payment; by the federal deposit insurance corporation or national credit union administration as part of its appointment process or exercise of its conservator, receiver, or liquidating agent powers; in response to a court order, subpoena, or judicial warrant; in accordance with the written instructions of the consumer to whom it relates; or the investigation of a criminal offense.

Sec. 1347.072. (A) No state agency, state official, data broker, or private entity shall sell, communicate, or otherwise furnish sensitive data to any data broker or private entity with the intent of generating profit from that data, unless one of the following applies:

(1) That data will be used for a permitted use.

(2) The sharing of that data is done with the informed consent of the individual, or is required by a warrant, court order, or subpoena.

(3) The sharing of that data is otherwise required by state or federal law.

(B) When sensitive data is sold or communicated for a permitted use under the exception provided in division (A)(1) of this section, it may not subsequently be used or communicated further by the receiving party for any reason other than a permitted use.

Sec. 1347.10. (A) A person who is harmed by the use of personal information that relates to ~~him~~the person harmed and that is maintained in a personal information system may recover damages in a civil action from any person who directly and proximately caused the harm by doing any of the following:

(1) Intentionally maintaining personal information that hethe person knows, or has reason to know, is inaccurate, irrelevant, no longer timely, or incomplete and may result in such harm;

(2) Intentionally using or disclosing the personal information in a manner prohibited by law;

(3) Intentionally supplying personal information for storage in, or using or disclosing personal information maintained in, a personal information system, that hethe person knows, or has reason to know, is false;

(4) Intentionally denying to the person harmed the right to inspect and dispute the personal information at a time when inspection or correction might have prevented the harm.

An action under this division shall be brought within two years after the cause of action accrued or within six months after the wrongdoing is discovered, whichever is later; provided that no action shall be brought later than six years after the cause of action accrued. The cause of action accrues at the time that the wrongdoing occurs.

~~(B)~~(B)(1) Any person who is harmed by a person or entity that violates section 1347.072 of the Revised Code may recover, in a civil action, statutory damages in the amount of five hundred dollars, actual damages as determined by the court, and reasonable attorney's fees.

(2) Any person who is harmed by a person or entity that obtains sensitive data under false pretenses or knowingly without a permitted use may recover, in a civil action, statutory damages in the amount of two thousand five hundred dollars, actual damages or punitive damages as determined by the court, and reasonable attorney's fees.

(C) Any person who, or any state or local agency that, violates or proposes to violate any provision of this chapter may be enjoined by any court of competent jurisdiction. The court may issue an order or enter a judgment that is necessary to ensure compliance with the applicable provisions of this chapter or to prevent the use of any practice that violates this chapter. An action for an injunction may be prosecuted by the person who is the subject of the violation, by the attorney general, or by any prosecuting attorney.

Sec. 1347.99. (A) No public official, public employee, or other person who maintains, or is employed by a person who maintains, a personal information system for a state or local agency shall purposely refuse to comply with division (E), (F), (G), or (H) of section 1347.05, section 1347.071, division (A), (B), or (C) of section 1347.08, or division (A) or (C) of section 1347.09 of the Revised Code. Whoever violates this section is guilty of a minor misdemeanor.

(B) Whoever violates division (H)(1) or (2) of section 1347.15 of the Revised Code is guilty of a misdemeanor of the first degree.

(C) Whoever violates section 1347.072 of the Revised Code is guilty of a felony of the fourth degree if the person is determined by a court of competent jurisdiction to be a repeat offender, with prior knowing repeated violations or violations involving false pretenses under division (B) of section 1347.10 of the Revised Code. An offender under this division shall be prosecuted by the attorney general in any court of competent jurisdiction in the state.

Section 2. That existing sections 1347.01, 1347.10, and 1347.99 of the Revised Code are hereby repealed.