The Ohio Personal Privacy Act (OPPA) is a proposed law introduced in July 2021 and aimed at giving consumers more control over the way businesses use their personal information (PI). Not every business must comply, but even if the OPPA does not apply to your nonprofit, it is important to implement a risk-based privacy program. Nonprofits can hold PI that is valuable to bad actors—PI about their employees, donors, clients, and volunteers.
Additionally, Ohio has had a breach notification law in effect since 2007. A business that suffers a breach of PI must notify the affected individuals of the breach. Nonprofit organizations are not excluded even in cases where the OPPA does not apply. Data breaches can be costly and cause reputational damage. To lessen the chances of a data breach, it is important to build an effective privacy program and use reasonable security measures.