
The Buckeye Institute: Policies in House Bill 376 Offer a Smarter Way to Protect Consumer Data

Dec 08, 2021

Columbus, OH – On Wednesday, The Buckeye Institute testified (see full text below or download a PDF) before the Ohio House Government Oversight Committee on the policies in House Bill 376, which would protect consumer data and is “among the best state data privacy laws already implemented or being considered.”

In his testimony, Logan Kolas, an economic policy analyst with the Economic Research Center at The Buckeye Institute, noted that House Bill 376 “takes a consumer-oriented approach to data privacy” and would help businesses provide better services by harnessing the free market to determine what privacy services customers prefer. Kolas points out that “forcing businesses to charge one-size-fits-all rates…will inevitably disrupt market signals and degrade the consumer’s desired service and privacy protection.”

Kolas went on to highlight two other provisions in the legislation that make it “the standard for state and federal law.” First, the legislation assigns enforcement oversight to the Ohio Attorney General’s office, and limits enforcement authority by “clearly defining the enforcement rules and placing meaningful constraints on the executive power.” Second, the bill includes a number of provisions to “limit the law’s burden on emerging and smaller firms.” 

As with any legislation, House Bill 376 can be improved, and Kolas urged policymakers to consider four changes to strengthen the proposal: 

  • Extend the 30-day cure period for businesses to fix statutory violations to 60 days as other states have done, and clearly outline compliance violations so that businesses understand the issue and how to address it;
  • Allow technology companies to communicate with and provide data to their consumers electronically;
  • Harmonize House Bill 376 with other states’ rules and explore forming a multi-state compact to make data privacy rules as uniform as possible across state lines; and 
  • Include a “local preemption” provision to clarify that the state-level data privacy law preempts the need for and authority to pass local data privacy regulations, which will “reduce the risk of city or county rules making data privacy compliance more expensive or confusing in Ohio.”

Kolas closed by noting that these changes would “make an already well-crafted bill an exemplar of data privacy legislation worth emulating.”

# # #

A Smarter Way to Protect Consumer Data

Interested Party Testimony
Ohio House Government Oversight Committee
House Bill 376

Logan Kolas, Economic Policy Analyst
The Buckeye Institute
December 8, 2021

As Prepared for Delivery

Chair Wilkin, Vice Chair White, Ranking Member Brown, and members of the Committee, thank you for the opportunity to testify today regarding House Bill 376 and Ohio’s need for data privacy. 

My name is Logan Kolas. I am the economic policy analyst at The Buckeye Institute, an independent research and educational institution—a think tank—whose mission is to advance free-market public policy in the states.

Despite a persistent bipartisan appetite for data privacy protection, federal lawmakers have been unable to pass federal data privacy legislation, leaving states to fill the void. House Bill 376 does so admirably and, if enacted, would be among the best state data privacy laws already implemented or being considered. Indeed, many of its policies should set the standard for state and federal law on the subject.

House Bill 376 takes a consumer-oriented approach to data privacy by allowing businesses to charge consumers different prices and rates based in part on whether the consumer agrees to share their data. Such an allowance preserves key market signals for the industry, helping businesses provide better services that meet the actual wants and needs of their customers. California and the European Union took an opposite approach and prohibited businesses from charging different fees for different privacy services directed by consumer preferences. And forcing businesses to charge one-size-fits-all rates, as the California Consumer Privacy Act did, will inevitably disrupt market signals and degrade the consumer’s desired service and privacy protection. House Bill 376 averts that market distortion. 

Enforcement mechanisms are key to any data privacy legislation. House Bill 376 wisely places that key in the hand of the state attorney general and thereby avoids creating messy, expensive, and often frivolous private rights of action that can deter technology firms from offering their services in Ohio. And in vesting enforcement authority with the attorney general, the bill rightly limits that authority by clearly defining the enforcement rules and placing meaningful constraints on the executive power. Data privacy laws should be narrowly tailored to securing privacy, and they then should be narrowly enforced. California erred by granting its attorney general broad discretion to significantly expand the scope of the California Consumer Privacy Act. House Bill 376 does not repeat that mistake.

House Bill 376 recognizes that complying with new data privacy rules can be difficult. Accordingly, the bill creates minimum-revenue and -customer triggers to limit the law’s burden on emerging and smaller firms. It carves out exemptions for businesses that make good faith compliance and data protection efforts, including a first-of-its-kind “affirmative defense” for businesses that follow the National Institute of Standards and Technology data protection rules. And, like many states, House Bill 376 provides a 30-day “cure period” during which businesses may remedy violations before facing legal enforcement action. These protections will help stay the heavy hand of bureaucratic regulation.

House Bill 376 offers much to be commended, but some room remains for improvement.

First, the 30-day cure period for businesses to fix potential statutory violations should be extended to 60 days as in other states. And any compliance violation notice should describe the alleged violation in adequate detail so that notified businesses understand the issue and how to address it.

Second, the bill’s requirement compelling technology companies to provide consumers with their data through paper mail adds unnecessary expense. A single access data request can cost a company nearly $1,400, and California estimated that its initial round of data privacy legislation would cost $55 billion—nearly 1.8 percent of its gross state product. House Bill 376 should make every effort to reduce compliance costs and should therefore clarify that communicating with and providing data to consumers electronically is sufficient. 

Third, to further limit compliance expenses, Ohio should find ways to harmonize House Bill 376 with other states’ rules and explore forming a multi-state compact to make data privacy rules as uniform as possible across state lines. The inherent universality and decentralization of data transcend city limits and state lines, making data protection laws a potentially nightmarish regulatory web for businesses and consumers. As recommended in The Buckeye Institute’s Policy Solution for More Innovation: A Policy Primer for Emerging Technology in Ohio, state officials should prioritize working with other states to avoid imposing conflicting standards and thresholds across multiple legal frameworks. Not doing so may cause many businesses simply to comply with the strictest data privacy laws where possible—thus negating many of this bill’s best qualities—or leave these businesses trying to comply with many, more onerous state laws.

Finally, House Bill 376 should include a “local preemption” provision to clarify for local Ohio jurisdictions that the state-level data privacy law preempts the need for and authority to pass local data privacy regulations. Such an approach would enhance market certainty for businesses and consumers, and reduce the risk of city or county rules making data privacy compliance more expensive or confusing in Ohio.

These modest improvements to House Bill 376 would make an already well-crafted bill an exemplar of data privacy legislation worth emulating.

Thank you for your time and attention. I would be happy to answer any questions that the Committee may have.

# # #