Ohio is one of the most populous states in the country without a comprehensive consumer privacy law. While states like California, Colorado, and Virginia have enacted broad data privacy protections, Ohio residents still rely on a patchwork of narrower statutes and federal regulations. Here is where things stand in 2026 and what Ohio residents can do right now to protect their personal information.
Ohio's Current Privacy Landscape
Unlike states with comprehensive privacy frameworks, Ohio does not have a single law that gives residents the right to access, delete, or control how businesses collect and use their personal data. Instead, Ohio relies on several separate statutes that each address a specific slice of the privacy picture.
Ohio Data Protection Act of 2018 (Senate Bill 220)
The Data Protection Act, which took effect in November 2018, is often cited as Ohio's most significant data-related law. However, it is not a consumer privacy law in the traditional sense. Instead, it creates a voluntary safe harbor for businesses that implement recognized cybersecurity frameworks. If a company adopts and reasonably conforms to one of the following standards, it gains an affirmative defense against tort claims arising from a data breach:
- NIST Cybersecurity Framework
- ISO 27000 family of standards
- FedRAMP Security Assessment Framework
- CIS Critical Security Controls
- PCI DSS (for companies handling payment card data)
- HIPAA security requirements (for covered entities)
This law incentivizes better security practices, but it does not grant consumers any direct rights over their personal data. Participation is entirely optional.
Ohio Consumer Sales Practices Act
Ohio's Consumer Sales Practices Act (CSPA) prohibits unfair, deceptive, and unconscionable business practices. While it is not a privacy law, the Ohio Attorney General has used it to take action against companies that misrepresent how they handle consumer data or engage in deceptive data practices. If a business promises to protect your data and then fails to do so, the CSPA can provide a basis for enforcement.
Ohio Data Breach Notification Law
Ohio requires businesses to notify affected individuals when a security breach compromises personal information, including Social Security numbers, driver's license numbers, and financial account information. Notification must be made in a reasonable timeframe, though the law does not specify an exact deadline. The Attorney General must also be notified if the breach affects a large number of residents.
What This Means for You
Ohio residents currently have no state-level right to request access to, deletion of, or control over the personal data that businesses collect about them. Your main state-level protections are breach notification and consumer protection against deceptive practices.
Proposed Privacy Legislation in Ohio
Several bills have been introduced in the Ohio legislature to close the gap between Ohio and states with comprehensive privacy laws. None have been enacted, but they indicate the direction of the policy debate.
Ohio Personal Privacy Act (HB 376)
The Ohio Personal Privacy Act was introduced as House Bill 376 and aimed to create a comprehensive consumer data privacy framework. The bill would have granted Ohio residents rights similar to those in Virginia and Colorado, including the right to access, delete, and opt out of the sale of personal data. However, the bill stalled in committee and had not advanced to a floor vote as of mid-2025.
Ohio Privacy Act (Introduced March 2026)
On March 27, 2026, State Representative Allison Russo introduced a new bill called the Ohio Privacy Act. This legislation takes a different approach from previous proposals by focusing on state entities rather than private businesses. The bill would bar state government agencies from collecting or sharing personally identifying information unless required by law. Key features include:
- Restrictions on state data collection: State entities would be prohibited from gathering identifying information about Ohio residents beyond what is legally mandated.
- Limits on data sharing: Government agencies would be restricted from sharing personal information with other entities unless specifically authorized by statute.
- Scope: The bill targets government data practices rather than private-sector data collection, which means it would not directly regulate data brokers or tech companies.
While this bill addresses an important dimension of privacy — the government's own data practices — it would not give Ohio residents the kind of comprehensive rights over commercial data processing that laws like the CCPA or VCDPA provide.
No Comprehensive Law Yet
As of May 2026, none of the proposed Ohio privacy bills have become law. Ohio residents do not have a state-level right to opt out of data sales, request data deletion from businesses, or obtain copies of their personal data from commercial entities.
How Ohio Compares to States With Comprehensive Privacy Laws
The gap between Ohio and states with enacted privacy legislation is significant. Here is how Ohio's current protections compare:
Ohio vs. California (CCPA/CPRA)
- California residents can request access to, deletion of, and correction of personal data held by businesses. Ohio residents cannot.
- California residents can opt out of the sale and sharing of personal data. Ohio has no equivalent right.
- California has a dedicated enforcement agency, the California Privacy Protection Agency. Ohio enforcement relies on the AG's general consumer protection authority.
- California provides a limited private right of action for data breaches. Ohio does not.
Ohio vs. Virginia (VCDPA)
- Virginia residents have rights to access, correct, delete, and port their data. Ohio residents do not.
- Virginia requires opt-in consent for processing sensitive data. Ohio has no such requirement.
- Virginia requires businesses to conduct data protection assessments. Ohio's Data Protection Act encourages cybersecurity frameworks but does not mandate assessments.
- Both states rely on AG enforcement with no private right of action, but Virginia's AG enforces a comprehensive law while Ohio's AG works within narrower consumer protection statutes.
Ohio vs. Neighboring States
Indiana enacted the Indiana Consumer Data Protection Act, effective January 1, 2026, giving Hoosiers rights to access, delete, and opt out of data sales. Michigan's Personal Data Privacy Act (SB 359) has passed the state Senate. Ohio lags behind both neighboring states in the legislative process.
What Ohio Residents Can Do Right Now
You do not need to wait for the Ohio legislature to act. There are concrete steps you can take today to reduce your data exposure and protect your privacy.
- Opt out of data brokers individually. Sites like Spokeo, BeenVerified, Whitepages, PeopleFinder, and dozens of others publish your name, address, phone number, and personal details. Each one has an opt-out process you can follow, though it is time-consuming and must be repeated as your data reappears.
- Use PrivacyOn to automate data broker removals. PrivacyOn submits removal requests to more than 100 data broker sites on your behalf and continuously monitors for your information reappearing. For Ohio residents who lack comprehensive state-level rights, this is one of the most practical ways to regain control over personal data that is already being bought and sold.
- Freeze your credit. Place a free security freeze with Equifax, Experian, and TransUnion. A credit freeze prevents anyone from opening new credit accounts in your name, which is one of the most effective defenses against identity theft.
- Enable Global Privacy Control (GPC). Browsers like Firefox, Brave, and DuckDuckGo support the GPC signal, which tells websites not to sell or share your data. While Ohio does not require businesses to honor GPC, companies subject to California's and Colorado's laws already must, and many apply those settings to all users regardless of location.
- Review and limit app permissions. Go through your smartphone settings and revoke access to location, camera, microphone, and contacts for apps that do not genuinely need them.
- Use a password manager. Credential reuse is one of the most common causes of data exposure. A password manager generates and stores unique, strong passwords for every account.
- Monitor for data breaches. Use services that alert you when your email address or personal information appears in known data breaches, so you can change passwords and take action quickly.
Federal Protections Still Apply
Ohio residents benefit from federal privacy laws regardless of state legislation. HIPAA protects health data, FERPA covers education records, COPPA safeguards children under 13, the Fair Credit Reporting Act governs credit data, and the Gramm-Leach-Bliley Act protects financial information. These provide baseline protections even in the absence of a comprehensive state law.
Looking Ahead
Ohio's lack of a comprehensive consumer privacy law puts its residents at a disadvantage compared to those in a growing number of states. While the Ohio Privacy Act introduced in March 2026 is a step forward, it focuses on government entities rather than the commercial data ecosystem that affects most consumers daily. Whether Ohio enacts a broader law in 2026, 2027, or beyond will depend on legislative priorities and the momentum building across the country.
In the meantime, the most effective strategy for Ohio residents is to take direct action. Opt out of data brokers, lock down your digital accounts, and consider using a service like PrivacyOn to handle the ongoing work of keeping your personal information off the open internet. Your privacy should not have to wait for the legislature to act.