Consumer Reports thanks the Ohio legislature for their work to advance consumer privacy. The draft Ohio Personal Privacy Act (OPPA) would extend to Ohio consumers the right to know the information companies have collected about them, the right to delete that information, and the right to stop the disclosure of certain information to third parties. However, in its current form it would do little to protect Ohioans’ personal information. The bill needs to be substantially improved before it is enacted; otherwise, it would risk locking in industry-friendly provisions that avoid actual reform.
Protections for personal information are long overdue: consumers are constantly tracked, and information about their online and offline activities is combined to provide detailed insights into consumers’ most personal characteristics, including health conditions, political affiliations, and sexual preferences. This information is sold as a matter of course, is used to deliver targeted advertising, facilitates differential pricing, and enables opaque algorithmic scoring — all of which can lead to disparate outcomes along racial and ethnic lines.
We offer several suggestions to strengthen the proposed bill to provide the level of protections that Ohio consumers deserve. At the very least, the bill should be modified to bring it up to the standard of the California Consumer Privacy Act (CCPA), which was recently strengthened by the passage of Proposition 24, the California Privacy Rights Act (CPRA). In particular, the CCPA as refined by CPRA takes important steps such as adding to the statute a requirement to honor browser privacy signals as an opt-out (currently it is required by regulation) and removing potential loopholes in the definition of sale that have been used to avoid the opt-out with respect to cross-context targeted advertising.
Ideally, privacy laws should set strong limits on the data that companies can collect and share so that consumers can use online services or apps safely without having to take any action, such as opting in or opting out. We recommend including a strong data minimization requirement that limits data collection and sharing to what is reasonably necessary to provide the service requested by the consumer, as outlined in our model bill. A strong default prohibition on data sharing is preferable to an opt-out-based regime, which relies on users to hunt down and navigate divergent opt-out processes for potentially thousands of different companies. Consumer Reports has documented that some California Consumer Privacy Act (CCPA) opt-out processes are so onerous that they have the effect of preventing consumers from stopping the sale of their information.
For the full letter, please see the attached PDF.