Which privacy laws apply to your business in Ohio?
There is no comprehensive Ohio consumer-privacy law — Ohio regulates data by sector. The one across-the-board state duty is breach notification: any person that owns or licenses computerized data including personal information of Ohio residents must disclose a qualifying breach. Around that sit the Consumer Sales Practices Act, which bans unfair or deceptive acts in consumer transactions and is how the Attorney General reaches privacy misrepresentations, and the Ohio Data Protection Act, which rewards — but does not require — a written cybersecurity program with an affirmative defense to data-breach tort claims.
Because Ohio has never enacted an omnibus privacy statute, its residents have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and no universal opt-out-signal mechanism; businesses face no state notice-at-collection, consent, or data-protection-assessment duties. The omnibus push has failed twice — HB 376 in the 134th General Assembly was reported by committee but died without a floor vote, and HB 345 in the 135th died after referral to committee — and no consumer-data omnibus is pending in the current General Assembly. One naming trap deserves a flag: the 2026 bill styled the Ohio Privacy Act (House Bill 801, introduced March 31, 2026 and referred to committee) is sometimes misread as a consumer omnibus, but as introduced it would restrict data collection and out-of-state data sharing by state government agencies only and would impose no duties on private businesses.
What fills the gap is layered. The breach statute sets the statewide incident-response duty and is enforced exclusively by the Attorney General, a point developed in the enforcement prong below. The Consumer Sales Practices Act supplies the general deception hook for privacy promises. Chapter 1354 — the feature that most distinguishes Ohio — offers a voluntary litigation safe harbor for businesses that build a conforming written cybersecurity program, covered in its own question below. Insurance licensees carry an extra sectoral layer: chapter 3965 requires each licensee to develop, implement, and maintain a comprehensive written information security program based on its risk assessment. Ohio also has a narrow payment-transaction rule that restricts recording credit-card account numbers when a check or draft is presented for payment, and telephone or Social Security account numbers when payment is made by card, check, bill of exchange, or draft; it is not a general privacy policy or data-use statute. And the federal overlay does the day-to-day work a state omnibus would otherwise do: FTC Act § 5 reaches deceptive or unfair data practices nationwide, GLBA governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13. A program built to that overlay plus the breach statute upgrades, rather than restarts, if Ohio later enacts a comprehensive law.
Sources for this answer
Primary law
A.1 Ohio Rev. Code § 1349.19
Ohio's breach-notification duty applies to any person that owns or licenses computerized data including personal information — with no revenue or volume threshold — and requires disclosure to affected Ohio residents when a breach creates a material risk of identity theft or other fraud.
Any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.
See Ohio Rev. Code § 1349.19(B)(1).
Primary law
A.2 Ohio Rev. Code § 1345.02
The Consumer Sales Practices Act bans unfair or deceptive acts or practices in connection with consumer transactions, before, during, or after the transaction — the general hook for privacy misrepresentations.
No supplier shall commit an unfair or deceptive act or practice in connection with a consumer transaction. Such an unfair or deceptive act or practice by a supplier violates this section whether it occurs before, during, or after the transaction.
See Ohio Rev. Code § 1345.02(A).
Primary law
A.3 Ohio Rev. Code § 1354.02
The Ohio Data Protection Act entitles a covered entity that maintains a conforming written cybersecurity program to an affirmative defense to tort claims alleging that inadequate security controls caused a data breach.
A covered entity that satisfies divisions (A)(1), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.
See Ohio Rev. Code § 1354.02(D)(1).
Primary law
A.4 Ohio Rev. Code § 3965.02
Ohio's insurance data security law requires every insurance licensee to develop, implement, and maintain a comprehensive written information security program based on its risk assessment.
Each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment.
See Ohio Rev. Code § 3965.02(A).
Primary law
A.5 Ohio Rev. Code § 1349.17
Ohio has a narrow payment-transaction rule restricting the recording of credit-card account numbers, telephone numbers, and Social Security account numbers in specified payment transactions, subject to limited exceptions.
(A) No person shall record or cause to be recorded either of the following ... (1) A credit card account number of the other party to a transaction, when a check, bill of exchange, or other draft is presented for payment ... (2) The telephone number or social security account number of the other party to a transaction, when payment is made by credit card charge agreement, check, bill of exchange, or other draft.
See Ohio Rev. Code § 1349.17(A).
What must your Ohio privacy policy contain?
No Ohio statute requires a general consumer privacy policy or fixes what it must say. The governing rule is that whatever you publish has to be true: FTC Act § 5 declares unfair or deceptive acts or practices unlawful, and the Consumer Sales Practices Act applies the same ban under state law, so a policy that misstates how you collect, use, share, retain, or secure data is a deceptive act a supplier may not commit. Where a federal sectoral regime applies, that regime supplies the contents — a HIPAA covered entity, for example, must give individuals adequate notice of the uses and disclosures of their protected health information and of their rights and the entity's duties.
The state and federal deception standards run together by design: Ohio courts construing the Consumer Sales Practices Act must give due consideration and great weight to FTC orders, rules, and federal-court interpretations of the FTC Act, so FTC privacy-enforcement materials are especially persuasive in Ohio CSPA analysis. In practice the drafting question in Ohio is less "what must be included" and more "does the policy match actual practice." Build the policy from the overlay that applies to you: the GLBA privacy-notice rules if you are a financial institution — which may not disclose nonpublic personal information to nonaffiliated third parties without first giving the consumer a compliant notice — the HIPAA Notice of Privacy Practices if you are a covered entity, and a COPPA notice if your service is directed to children under 13. For everyone else, follow best practice: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — then honor it, because in Ohio the enforceable obligation is consistency between the statement and the conduct, not any state-mandated checklist.
Sources for this answer
Primary law
B.1 FTC Act § 5
Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.
Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
See 15 U.S.C. § 45(a)(1).
Primary law
B.2 Ohio Rev. Code § 1345.02
A privacy policy that misdescribes actual data practices is a deceptive act or practice a supplier may not commit in connection with a consumer transaction.
No supplier shall commit an unfair or deceptive act or practice in connection with a consumer transaction.
See Ohio Rev. Code § 1345.02(A).
Primary law
B.4 Ohio Rev. Code § 1345.02(C)
Ohio courts construing the Consumer Sales Practices Act must give due consideration and great weight to FTC orders, rules, and federal-court interpretations of the FTC Act, making FTC privacy-enforcement materials especially persuasive in Ohio deception analysis.
In construing division (A) of this section, the court shall give due consideration and great weight to federal trade commission orders, trade regulation rules and guides, and the federal courts' interpretations of subsection 45 (a)(1) of the "Federal Trade Commission Act," 38 Stat. 717 (1914), 15 U.S.C.A. 41, as amended.
See Ohio Rev. Code § 1345.02(C).
Primary law
B.3 HIPAA Notice of Privacy Practices
A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.
an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information
See 45 C.F.R. § 164.520(a)(1).
Primary law
B.5 GLBA privacy notice
The GLBA bars a financial institution from disclosing nonpublic personal information to nonaffiliated third parties unless it has first provided the consumer a compliant privacy notice.
Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.
See 15 U.S.C. § 6802(a).
What must your contracts with vendors say?
Ohio has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The breach statute touches vendors at one point: a custodian that stores computerized personal information on another person's behalf must notify that other person of a breach in an expeditious manner. Beyond that, vendor data terms come from the sectoral regimes that apply to your business.
Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers by requiring them by contract to implement and maintain appropriate safeguards, and HIPAA requires a written business-associate contract with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information is shared. Insurance licensees have a state-law analogue: chapter 3965 requires a licensee to make its third-party service providers implement appropriate administrative, technical, and physical measures to protect nonpublic information. Outside those verticals, the prudent move is to carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, prompt breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Ohio statute compels them. Two Ohio-specific reasons to insist on the security and notification clauses anyway: the 45-day breach clock in the next prong starts running on your discovery or notification, so a slow vendor consumes your compliance window; and a vendor whose weak controls cause a breach can expose you to the tort claims that the chapter 1354 safe harbor — covered below — is designed to answer.
Sources for this answer
Primary law
C.1 Ohio Rev. Code § 1349.19(C)
A vendor or custodian that stores computerized personal information on behalf of another person must notify that person of a qualifying breach in an expeditious manner.
Any person that, on behalf of or at the direction of another person or on behalf of or at the direction of any governmental entity, is the custodian of or stores computerized data that includes personal information shall notify that other person or governmental entity of any breach of the security of the system in an expeditious manner, if the personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person and if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to a resident of this state.
See Ohio Rev. Code § 1349.19(C).
Primary law
C.2 GLBA Safeguards Rule
The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.
Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
See 16 C.F.R. § 314.4(f)(2).
Primary law
C.3 HIPAA Business Associate Contracts
HIPAA requires a written business-associate contract that establishes permitted uses and disclosures, requires appropriate safeguards, requires breach reporting, and flows restrictions down to subcontractors.
A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;
See 45 C.F.R. § 164.504(e)(2).
Primary law
C.4 Ohio Rev. Code § 3965.02(F)
An Ohio insurance licensee must require its third-party service providers to implement appropriate administrative, technical, and physical measures to protect the information systems and nonpublic information they hold or access.
A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider.
See Ohio Rev. Code § 3965.02(F)(2).
When must you notify people of a data breach in Ohio?
Within forty-five days of discovering the breach. A reportable breach is unauthorized access to and acquisition of computerized data that compromises personal information and causes — or is reasonably believed to cause — a material risk of identity theft or other fraud to an Ohio resident. Once the duty triggers, disclosure must be made in the most expedient time possible and no later than forty-five days after discovery or notification of the breach, subject to law-enforcement delay and to measures needed to determine the breach's scope and restore the system.
Ohio's personal information definition is narrow by post-2019 standards: a resident's name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, or financial-account or card number with its access code. Biometric data, health data, and standalone login credentials are not on the list, and encryption or redaction takes data out of the definition entirely — so a properly encrypted breach generally triggers no Ohio notice duty. The risk-of-harm qualifier matters too: access without a material risk of identity theft or other fraud is not a reportable breach.
Notice may be written, electronic (if that is your primary way of communicating with the resident), or by telephone. Substitute notice is available where contact information is insufficient, notice costs would exceed $250,000, or the affected class exceeds 500,000 people, and a separate lower-cost substitute track exists for businesses with ten or fewer employees. Two omissions stand out against most states' statutes: the section prescribes no mandatory content elements for the notice and imposes no duty to notify the Attorney General. It does require notifying the nationwide consumer reporting agencies when more than one thousand Ohio residents must be told of a single breach, and any waiver of the section is void as against public policy.
The exemptions are unusually broad. Federally regulated financial institutions that are subject to federal breach-notice obligations and examination are exempt from the section, and the statute does not apply at all to HIPAA covered entities — those organizations answer to their federal regulators instead. Insurance licensees carry an additional, much faster state clock: a cybersecurity event meeting chapter 3965's criteria must be reported to the superintendent of insurance as promptly as possible and no later than three business days after the determination; when that superintendent notice is required, the licensee must also comply with § 1349.19 as applicable and give the superintendent a copy of the consumer notice.
Sources for this answer
Primary law
D.1 Ohio Rev. Code § 1349.19(A)(1)
A reportable breach is unauthorized access to and acquisition of computerized data that compromises personal information and causes, or is reasonably believed to cause, a material risk of identity theft or other fraud to an Ohio resident.
"Breach of the security of the system" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.
See Ohio Rev. Code § 1349.19(A)(1)(a).
Primary law
D.2 Ohio Rev. Code § 1349.19(B)(2)
Disclosure must be made in the most expedient time possible and no later than forty-five days after discovery or notification of the breach, subject to law-enforcement needs and scope-determination measures.
The person shall make the disclosure described in division (B)(1) of this section in the most expedient time possible but not later than forty-five days following its discovery or notification of the breach in the security of the system, subject to the legitimate needs of law enforcement activities described in division (D) of this section and consistent with any measures necessary to determine the scope of the breach, including which residents' personal information was accessed and acquired, and to restore the reasonable integrity of the data system.
See Ohio Rev. Code § 1349.19(B)(2).
Primary law
D.3 Ohio Rev. Code § 1349.19(A)(7)
Personal information under the breach statute is a resident's name combined with an unencrypted, unredacted Social Security number, driver's license or state ID number, or financial-account or card number with its access code — a narrow three-element list.
"Personal information" means an individual's name, consisting of the individual's first name or first initial and last name, in combination with and linked to any one or more of the following data elements, when the data elements are not encrypted, redacted, or altered by any method or technology in such a manner that the data elements are unreadable:
(i) Social security number;
(ii) Driver's license number or state identification card number;
(iii) Account number or credit or debit card number, in combination with and linked to any required security code, access code, or password that would permit access to an individual's financial account.
See Ohio Rev. Code § 1349.19(A)(7)(a).
Primary law
D.4 Ohio Rev. Code § 1349.19(E)
Notice may be given by written notice, electronic notice where electronic means are the primary communication method with the resident, or telephone notice.
For purposes of this section, a person may disclose or make a notification by any of the following methods:
(1) Written notice;
(2) Electronic notice, if the person's primary method of communication with the resident to whom the disclosure must be made is by electronic means;
(3) Telephone notice;
See Ohio Rev. Code § 1349.19(E).
Primary law
D.5 Ohio Rev. Code § 1349.19(E)
Substitute notice is available when ordinary contact information is insufficient, costs exceed $250,000, the affected class exceeds 500,000 people, or a business with ten or fewer employees would face notice costs over $10,000.
(4) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person does not have sufficient contact information to provide notice in a manner described in division (E)(1), (2), or (3) of this section, or that the cost of providing disclosure or notice to residents to whom disclosure or notification is required would exceed two hundred fifty thousand dollars, or that the affected class of subject residents to whom disclosure or notification is required exceeds five hundred thousand persons. Substitute notice under this division shall consist of all of the following:
(a) Electronic mail notice if the person has an electronic mail address for the resident to whom the disclosure must be made;
(b) Conspicuous posting of the disclosure or notice on the person's web site, if the person maintains one;
(c) Notification to major media outlets, to the extent that the cumulative total of the readership, viewing audience, or listening audience of all of the outlets so notified equals or exceeds seventy-five per cent of the population of this state.
(5) Substitute notice in accordance with this division, if the person required to disclose demonstrates that the person is a business entity with ten employees or fewer and that the cost of providing the disclosures or notices to residents to whom disclosure or notification is required will exceed ten thousand dollars. Substitute notice under this division shall consist of all of the following:
(a) Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the business entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks;
(b) Conspicuous posting of the disclosure or notice on the business entity's web site, if the entity maintains one;
(c) Notification to major media outlets in the geographic area in which the business entity is located.
See Ohio Rev. Code § 1349.19(E)(4)-(5).
Primary law
D.6 Ohio Rev. Code § 1349.19(G)
When a single breach requires disclosure to more than one thousand Ohio residents, the person must also notify the nationwide consumer reporting agencies without unreasonable delay.
If a person discovers circumstances that require disclosure under this section to more than one thousand residents of this state involved in a single occurrence of a breach of the security of the system, the person shall notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the disclosure given by the person to the residents of this state.
See Ohio Rev. Code § 1349.19(G).
Primary law
D.7 Ohio Rev. Code § 1349.19(F)(1)
Financial institutions, trust companies, and credit unions that are required by federal law to notify customers of security breaches and are subject to federal examination are exempt from the Ohio breach statute.
A financial institution, trust company, or credit union or any affiliate of a financial institution, trust company, or credit union that is required by federal law, including, but not limited to, any federal statute, regulation, regulatory guidance, or other regulatory action, to notify its customers of an information security breach with respect to information about those customers and that is subject to examination by its functional government regulatory agency for compliance with the applicable federal law, is exempt from the requirements of this section.
See Ohio Rev. Code § 1349.19(F)(1).
Primary law
D.8 Ohio Rev. Code § 1349.19(F)(2)
The Ohio breach statute does not apply to HIPAA covered entities, which answer to the federal breach-notification regime instead.
This section does not apply to any person or entity that is a covered entity as defined in 45 C.F.R. 160.103, as amended.
See Ohio Rev. Code § 1349.19(F)(2).
Primary law
D.9 Ohio Rev. Code § 3965.04
An insurance licensee must notify the superintendent of insurance of a qualifying cybersecurity event as promptly as possible and no later than three business days after determining the event occurred.
Each licensee shall notify the superintendent of insurance as promptly as possible after a determination that a cybersecurity event involving nonpublic information in the possession of the licensee has occurred, but in no event later than three business days after that determination, when either of the following criteria has been met:
See Ohio Rev. Code § 3965.04(A).
Primary law
D.10 Ohio Rev. Code § 3965.04
When an insurance licensee must notify the superintendent under chapter 3965, it must also comply with Ohio's consumer breach-notice statute as applicable and provide the superintendent a copy of that consumer notice.
A licensee shall comply with section 1349.19 of the Revised Code as applicable and provide a copy of the notice sent to consumers under that section to the superintendent, when the licensee is required to notify the superintendent under division (A) of this section.
See Ohio Rev. Code § 3965.04(C).
Can a written cybersecurity program give you an affirmative defense in Ohio data-breach lawsuits?
Yes — this is Ohio's distinctive feature and the most actionable item in this note. Under the Ohio Data Protection Act (chapter 1354, the first state law of its kind), a covered entity that creates, maintains, and complies with a written cybersecurity program containing administrative, technical, and physical safeguards that reasonably conforms to an industry-recognized cybersecurity framework can seek the defense; for restricted-information breach claims, the program must protect both personal information and restricted information. A qualifying program gives an affirmative defense to tort claims alleging that a failure to implement reasonable security controls caused a data breach concerning personal information, or concerning personal or restricted information when the broader track is satisfied.
The reach is broad: a covered entity is any business that accesses, maintains, communicates, or processes personal or restricted information through systems located in or outside Ohio — no size threshold. The qualifying frameworks are enumerated: the NIST Cybersecurity Framework, NIST Special Publications 800-171 or 800-53/53a, FedRAMP, the CIS Critical Security Controls, or the ISO/IEC 27000 family; regulated entities may instead use the security requirements of HIPAA, GLBA, FISMA, or HITECH, and PCI DSS qualifies only when paired with another listed framework. When those frameworks or standards are revised or amended, the program generally has one year to conform to the revision. The program does not have to be one-size-fits-all: its scale and scope are appropriate if based on the entity's size and complexity, the nature of its activities, the sensitivity of the information, the cost and availability of security tools, and the resources available — a sliding scale that puts the defense within reach of small businesses.
Two design points keep the chapter's character clear. First, it is an incentive statute: it speaks of a covered entity "seeking an affirmative defense" rather than imposing a universal Ohio security program. Chapter 1354 is framed as an affirmative-defense statute, not an independent private cause of action; other Ohio, federal, or contract duties may still require security controls. Second, the chapter creates no right to sue: it cannot be construed to provide a private right of action, including a class action, for any practice it regulates. Counsel should also note the defense's limits. It answers causes of action sounding in tort brought under Ohio law or in Ohio courts — contract claims, statutory claims, and out-of-state actions are outside its text — and it is an affirmative defense, so the business bears the burden of proving conformity. No reported Ohio appellate decision applying the defense appears to have tested what "reasonably conforms" requires, so the practical move is to document conformity contemporaneously: a written program mapped clause-by-clause to the chosen framework, dated reviews, and proof the program was actually complied with, not just adopted.
Sources for this answer
Primary law
E.1 Ohio Rev. Code § 1354.02(A)
To earn the safe harbor a covered entity must create, maintain, and comply with a written cybersecurity program reasonably conforming to an industry-recognized framework; restricted-information claims require a program protecting both personal information and restricted information.
A covered entity seeking an affirmative defense under sections 1354.01 to 1354.05 of the Revised Code shall do one of the following: (1) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework, as described in section 1354.03 of the Revised Code; or (2) Create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry recognized cybersecurity framework, as described in section 1354.03 of the Revised Code.
See Ohio Rev. Code § 1354.02(A).
Primary law
E.2 Ohio Rev. Code § 1354.02(D)
The chapter provides separate affirmative-defense tracks for tort claims alleging a data breach concerning personal information and for tort claims alleging a data breach concerning personal information or restricted information.
(1) A covered entity that satisfies divisions (A)(1), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.
(2) A covered entity that satisfies divisions (A)(2), (B), and (C) of this section is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
See Ohio Rev. Code § 1354.02(D)(1)-(2).
Primary law
E.3 Ohio Rev. Code § 1354.01
A covered entity is any business that accesses, maintains, communicates, or processes personal or restricted information through systems, networks, or services located in or outside Ohio — with no size threshold.
"Covered entity" means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside this state.
See Ohio Rev. Code § 1354.01(B).
Primary law
E.4 Ohio Rev. Code § 1354.03
The qualifying industry-recognized frameworks are enumerated: the NIST Cybersecurity Framework, NIST SP 800-171, NIST SP 800-53/53a, FedRAMP, the CIS Critical Security Controls, and the ISO/IEC 27000 family.
The cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to divisions (A)(2) and (D) of this section:
(a) The "framework for improving critical infrastructure cybersecurity" developed by the "national institute of standards and technology" (NIST);
(b) "NIST special publication 800-171";
(c) "NIST special publications 800-53 and 800-53a";
(d) The "federal risk and authorization management program (FedRAMP) security assessment framework";
(e) The "center for internet security critical security controls for effective cyber defense";
(f) The "international organization for standardization/international electrotechnical commission 27000 family - information security management systems."
See Ohio Rev. Code § 1354.03(A)(1).
Primary law
E.7 Ohio Rev. Code § 1354.03
The one-year revision rule applies to listed industry frameworks, regulated-entity frameworks, PCI DSS, and combinations of revised frameworks or standards.
(A)(2) When a final revision to a framework listed in division (A)(1) of this section is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision.
(B)(1) The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to division (B)(2) of this section:
(a) The security requirements of the "Health Insurance Portability and Accountability Act of 1996," as set forth in 45 CFR Part 164 Subpart C;
(b) Title V of the "Gramm-Leach-Bliley Act of 1999," Public Law 106-102, as amended;
(c) The "Federal Information Security Modernization Act of 2014," Public Law 113-283;
(d) The "Health Information Technology for Economic and Clinical Health Act," as set forth in 45 CFR part 162.
(2) When a framework listed in division (B)(1) of this section is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended framework not later than one year after the effective date of the amended framework.
(C)(1) The cybersecurity program reasonably complies with both the current version of the "payment card industry (PCI) data security standard" and conforms to the current version of another applicable industry recognized cybersecurity framework listed in division (A) of this section, subject to divisions (C)(2) and (D) of this section.
(2) When a final revision to the "PCI data security standard" is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated in the revision.
(D) If a covered entity's cybersecurity program reasonably conforms to a combination of industry recognized cybersecurity frameworks, or complies with a standard, as in the case of the payment card industry (PCI) data security standard, as described in division (A) or (C) of this section, and two or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions.
See Ohio Rev. Code § 1354.03(A)(2), (B)(2), (C)(2), (D).
Primary law
E.5 Ohio Rev. Code § 1354.03(B)
A regulated covered entity may qualify by reasonably conforming to the entirety of specified HIPAA, GLBA, FISMA, or HITECH security requirements.
The covered entity is regulated by the state, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to division (B)(2) of this section:
(a) The security requirements of the "Health Insurance Portability and Accountability Act of 1996," as set forth in 45 CFR Part 164 Subpart C;
(b) Title V of the "Gramm-Leach-Bliley Act of 1999," Public Law 106-102, as amended;
(c) The "Federal Information Security Modernization Act of 2014," Public Law 113-283;
(d) The "Health Information Technology for Economic and Clinical Health Act," as set forth in 45 CFR part 162.
See Ohio Rev. Code § 1354.03(B)(1).
Primary law
E.6 Ohio Rev. Code § 1354.03(C)
PCI DSS qualifies only when the cybersecurity program also conforms to another applicable industry-recognized framework listed in § 1354.03(A).
The cybersecurity program reasonably complies with both the current version of the "payment card industry (PCI) data security standard" and conforms to the current version of another applicable industry recognized cybersecurity framework listed in division (A) of this section, subject to divisions (C)(2) and (D) of this section.
See Ohio Rev. Code § 1354.03(C)(1).
Primary law
E.8 Ohio Rev. Code § 1354.02(C)
The required scale and scope of the cybersecurity program slides with the entity's size and complexity, the nature of its activities, the sensitivity of the information, the cost of security tools, and the entity's resources.
The scale and scope of a covered entity's cybersecurity program under division (A)(1) or (2) of this section, as applicable, is appropriate if it is based on all of the following factors:
(1) The size and complexity of the covered entity;
(2) The nature and scope of the activities of the covered entity;
(3) The sensitivity of the information to be protected;
(4) The cost and availability of tools to improve information security and reduce vulnerabilities;
(5) The resources available to the covered entity.
See Ohio Rev. Code § 1354.02(C).
Primary law
E.9 Ohio Rev. Code § 1354.04
The Data Protection Act creates no private right of action, including class actions, with respect to any act or practice it regulates — confirming its incentive-only design.
Sections 1354.01 to 1354.05 of the Revised Code shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under those sections.
See Ohio Rev. Code § 1354.04.
Can a consumer sue your business in Ohio over privacy?
Not under the breach statute. The Attorney General has exclusive authority to bring a civil action — including injunctions and civil penalties — for a failure to comply with the breach-notification law, so consumers cannot sue for a late or omitted breach notice. The Consumer Sales Practices Act is the partial exception: a consumer may bring an individual action to rescind the transaction or recover actual economic damages plus up to five thousand dollars in noneconomic damages, but treble damages and any class action are available only where a prior Attorney General rule or a prior publicly available Ohio court decision had already declared the specific practice deceptive or unconscionable.
The breach-statute enforcement machinery has real teeth despite the absence of consumer suits. The Attorney General may investigate on complaints or on the office's own inquiry, with oath, subpoena, and document powers. On a finding of intentional or reckless noncompliance, daily civil penalties escalate with time: up to one thousand dollars per day of noncompliance, rising to five thousand dollars per day after sixty days and ten thousand dollars per day from the ninety-first day on — so a breach concealed for months compounds quickly, and violators are also liable for the Attorney General's investigation costs.
On the Consumer Sales Practices Act side, the Attorney General may seek declaratory judgments and injunctions where an act or practice violates the chapter and action is in the public interest. Attorney General class relief is separately gated to specified § 1345.02 practices, prior Attorney General rules, or prior publicly available Ohio court decisions. For private plaintiffs, the § 1345.09(B) gate is the controlling reality for data claims: because no prior Ohio rule or published decision appears to have declared a specific data-privacy or data-security practice deceptive, novel privacy claims start in the individual-action tier — actual economic damages, capped noneconomic damages, no trebling, no class — until a first rule or decision exists. There is a scoping question beneath even that: the statute reaches only a consumer transaction — a transfer of goods, a service, or an intangible to an individual for primarily personal, family, or household purposes — and whether a zero-price, ad-funded online service fits that definition has no settled Ohio appellate answer. Post-breach plaintiffs therefore typically plead common-law negligence — which is exactly the claim the chapter 1354 affirmative defense covered above is built to answer — making the written-cybersecurity-program decision the practical center of Ohio privacy risk management.
Sources for this answer
Primary law
F.1 Ohio Rev. Code § 1349.192
The Attorney General has exclusive authority to bring a civil action for noncompliance with the breach-notification statute, so there is no private right of action under it.
The attorney general shall have the exclusive authority to bring a civil action in a court of common pleas for appropriate relief under this section, including a temporary restraining order, preliminary or permanent injunction, and civil penalties, if it appears that a state agency or an agency of a political subdivision has failed or is failing to comply with section 1347.12 of the Revised Code or that a person has failed or is failing to comply with section 1349.19 of the Revised Code.
See Ohio Rev. Code § 1349.192(A)(1).
Primary law
F.2 Ohio Rev. Code § 1345.09(A)
A consumer harmed by a deceptive or unconscionable act may bring an individual action to rescind the transaction or recover actual economic damages plus up to five thousand dollars in noneconomic damages.
Where the violation was an act prohibited by section 1345.02, 1345.03, or 1345.031 of the Revised Code, the consumer may, in an individual action, rescind the transaction or recover the consumer's actual economic damages plus an amount not exceeding five thousand dollars in noneconomic damages.
See Ohio Rev. Code § 1345.09(A).
Primary law
F.3 Ohio Rev. Code § 1345.09(B)
Treble damages and class actions under the Consumer Sales Practices Act are available only where a prior Attorney General rule or a prior publicly available Ohio court decision had already declared the specific act or practice deceptive or unconscionable.
Where the violation was an act or practice declared to be deceptive or unconscionable by rule adopted under division (B)(2) of section 1345.05 of the Revised Code before the consumer transaction on which the action is based, or an act or practice determined by a court of this state to violate section 1345.02, 1345.03, or 1345.031 of the Revised Code and committed after the decision containing the determination has been made available for public inspection under division (A)(3) of section 1345.05 of the Revised Code, the consumer may rescind the transaction or recover, but not in a class action, three times the amount of the consumer's actual economic damages or two hundred dollars, whichever is greater, plus an amount not exceeding five thousand dollars in noneconomic damages or recover damages or other appropriate relief in a class action under Civil Rule 23, as amended.
See Ohio Rev. Code § 1345.09(B).
Primary law
F.4 Ohio Rev. Code § 1349.191
The Attorney General may investigate suspected breach-notification noncompliance based on complaints or the office's own inquiries, with oath, subpoena, and document-production powers.
The attorney general may conduct an investigation if the attorney general, based on complaints or the attorney general's own inquiries, has reason to believe that a state agency or an agency of a political subdivision has failed or is failing to comply with section 1347.12 of the Revised Code or that a person has failed or is failing to comply with section 1349.19 of the Revised Code.
See Ohio Rev. Code § 1349.191(B).
Primary law
F.5 Ohio Rev. Code § 1349.192(A)(1)(a)
Intentional or reckless noncompliance with the breach statute draws a civil penalty of up to one thousand dollars for each day of noncompliance.
For each day that the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply with the applicable section, subject to divisions (A)(1)(b) and (c) of this section, a civil penalty of up to one thousand dollars for each day the agency or person fails to comply with the section;
See Ohio Rev. Code § 1349.192(A)(1)(a).
Primary law
F.6 Ohio Rev. Code § 1349.192(A)(1)(c)
Daily penalties escalate to up to five thousand dollars per day after sixty days of noncompliance and up to ten thousand dollars per day from the ninety-first day onward.
If the state agency, agency of a political subdivision, or person has intentionally or recklessly failed to comply with the applicable section for more than ninety days, a civil penalty in the amount specified in division (A)(1)(a) of this section for each day of the first sixty days that the agency or person fails to comply with the section, a civil penalty of up to five thousand dollars for each day commencing with the sixty-first day and continuing through the ninetieth day that the agency or person fails to comply with the section, and, for each day commencing with the ninety-first day that the state agency, agency of a political subdivision, or person has failed to comply with the section, a civil penalty of up to ten thousand dollars for each such day the agency or person fails to comply with the section.
See Ohio Rev. Code § 1349.192(A)(1)(c).
Primary law
F.7 Ohio Rev. Code § 1345.07
The Attorney General may bring CSPA actions for declaratory and injunctive relief where the office has reasonable cause to believe a supplier is violating the chapter and action is in the public interest.
If the attorney general, by the attorney general's own inquiries or as a result of complaints, has reasonable cause to believe that a supplier has engaged or is engaging in an act or practice that violates this chapter, and that the action would be in the public interest, the attorney general may bring any of the following:
(1) An action to obtain a declaratory judgment that the act or practice violates section 1345.02, 1345.03, or 1345.031 of the Revised Code;
(2)(a) An action, with notice as required by Civil Rule 65, to obtain a temporary restraining order, preliminary injunction, or permanent injunction to restrain the act or practice.
See Ohio Rev. Code § 1345.07(A)(1)-(2).
Primary law
F.8 Ohio Rev. Code § 1345.07
Attorney General class actions under the CSPA are limited to specified § 1345.02 practices, violations of prior Attorney General rules, or practices already determined unlawful in publicly available Ohio court decisions.
A class action under Civil Rule 23, as amended, on behalf of consumers who have engaged in consumer transactions in this state for damage caused by:
(a) An act or practice enumerated in division (B), (D), or (G) of section 1345.02 of the Revised Code;
(b) Violation of a rule adopted under division (B)(2) of section 1345.05 of the Revised Code before the consumer transaction on which the action is based;
(c) An act or practice determined by a court of this state to violate section 1345.02, 1345.03, or 1345.031 of the Revised Code and committed after the decision containing the determination has been made available for public inspection under division (A)(3) of section 1345.05 of the Revised Code.
See Ohio Rev. Code § 1345.07(A)(3).
Primary law
F.9 Ohio Rev. Code § 1345.01
The Consumer Sales Practices Act reaches only a consumer transaction — a transfer of goods, a service, a franchise, or an intangible to an individual for primarily personal, family, or household purposes — leaving open whether free, ad-funded online services are covered.
"Consumer transaction" means a sale, lease, assignment, award by chance, or other transfer of an item of goods, a service, a franchise, or an intangible, to an individual for purposes that are primarily personal, family, or household, or solicitation to supply any of these things.
See Ohio Rev. Code § 1345.01(A).