
S. B. No. 354  As Introduced

127th General Assembly
Regular Session
2007-2008
S. B. No. 354


Senator Amstutz 

Cosponsors: Senators Schuler, Miller, D., Padgett, Mason, Wagoner, Jacobson, Roberts 



A BILL
To amend section 1349.99 and to enact section 1349.65 of the Revised Code to regulate online advertising networks.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section 1. That section 1349.99 be amended and section 1349.65 of the Revised Code be enacted to read as follows:
Sec. 1349.65.  (A) As used in this section:
(1) "Consumer" means a natural person using or accessing a web site, web page, or online service that includes the display of advertisements.
(2) "Nonpersonally identifiable information" means an internet protocol address, or other information, that cannot be used independently to identify, contact, or locate a consumer.
(3) "Personally identifiable information" means a name, address, telephone number, electronic mail address, or other information that can be used independently to identify, contact, or locate a consumer.
(4) "Online advertising network" means an individual, company, or other group that engages in advertising delivery and reporting on multiple web pages controlled by different publishers.
(5) "Online preference marketing" means advertising delivery and reporting by an online advertising network whereby data is collected over time, to determine or predict the characteristics or preferences of a consumer, for use in advertising delivery on the internet.
(6) "Publisher" means a company, individual, or other group that has a web site, web page, or other internet page.
(7) "Advertising delivery and reporting" means:
(a) Providing an advertisement to an internet web site;
(b) Statistical reporting in connection with the activity on a web site that receives advertisements;
(c) Tracking the number of advertisements served on a particular day to a particular web site;
(d) Any activity related to the delivery of advertisements on a web site that involves the collection or logging of personally or nonpersonally identifiable information about individual visits to the web site by a consumer or web browser.
(8) "Material change" means a change in a policy of data collection and use practices that involves a new or expanded collection, use, or disclosure of information that a consumer acting reasonably under the circumstances would not expect to occur based on the advertising network's prior policy or on the substance of any consent provided by the consumer.
(B) An online advertising network that is collecting or logging personally or nonpersonally identifiable information shall post a clear and conspicuous notice on its own web site. The notice shall describe the advertising network's policy of data collection and use practices for advertising delivery and reporting activities. The notice shall include, without limitation, clear descriptions of the following:
(1) The types of information that are collected or logged by the online advertising network through its advertising delivery and reporting activities including any such activities on the network's own web site or sites;
(2) The types of additional data that may be combined with data collected or logged through advertising delivery and reporting;
(3) The ways in which personally and nonpersonally identifiable information may be used by the online advertising network including transfer, if any, to a third party in nonaggregated form;
(4) The approximate length of time that personally and nonpersonally identifiable information will be retained by the online advertising network.
(C) An online advertising network that engages in online preference marketing shall include, in the notice required under division (B) of this section, clear descriptions of the following:
(1) Profiling activities undertaken by the online advertising network, including all the types of personally and nonpersonally identifiable information that may be collected, logged, or used for online preference marketing;
(2) Procedures for opting out of the data use, as required by division (E) of this section, including a description of circumstances that would make it necessary for a consumer to renew the opt out, such as when a consumer changes computers, changes browsers, or deletes relevant blocks of data also commonly known as cookies. If the online advertising network seeks consent from consumers for the use of sensitive personally identifiable information, as required by division (F) of this section, for the purposes of online preference marketing, the notice also shall include a clear description of the types of sensitive personally identifiable information to be used and the procedures for revoking consent. If the third-party advertising network seeks consent from consumers for the merger of personally identifiable information with nonpersonally identifiable information, the notice also shall include a clear description of the types of nonpersonally identifiable information and personally identifiable information that may be merged and the procedures for revoking consent for any further merger on a prospective basis. If an online advertising network materially changes its policy of data collection and use practices, it shall post prior notice of that change on its web site. Any material change shall apply only to information collected following the change in policy. Information collected prior to the material change in policy is governed by the policy in effect at the time the information was collected, unless the consumer receives direct notice of the change and an opportunity to choose not to have previously collected information governed by the new policy.
(D) An online advertising network, when entering into a contract with a publisher for advertising delivery and reporting services, shall require that the publisher post a privacy policy that clearly and conspicuously discloses the publisher's use of an online advertising network and the type of information that may be collected or logged by the online advertising network. If the online advertising delivery and reporting services include online preference marketing, then the notice also shall clearly and conspicuously disclose that the consumer has the ability to opt out of online preference marketing and include a link to the opt out page. The online advertising network shall make every reasonable effort to ensure that any publisher using its advertising delivery and reporting services post a privacy policy on the publisher's web site as required by this section.
(E) An online advertising network that engages in online preference marketing shall provide a method for consumers to opt out of online preference marketing by the network. The network shall make the method accessible at a designated opt out page on the online advertising network's web site.
(F) An online advertising network shall not use personally identifiable information about a consumer's medical history or condition, financial situation, sexual behavior, or sexual orientation, for the purpose of online preference marketing without the affirmative consent of the consumer. An online advertising network that seeks consent also shall provide a means of revoking consent in the future. The network shall make the means accessible at a designated location on the online advertising network's web site.
(G) An online advertising network shall not merge nonpersonally identifiable information collected through advertising delivery and reporting activities with personally identifiable information without the consumer's prior consent, unless the merger is required by law. If the merger involves nonpersonally identifiable information that may be collected in the future, the network shall give both prominent notice and an opportunity to opt out to the consumer. The means of opting out shall remain available at a designated location on the online advertising network's web site. When a consumer exercises the opt out at a later time, after information has been merged, the effect of that choice is to revoke consent for further mergers of the information. If the merger involves previously collected nonpersonally identifiable information, the network shall obtain affirmative opt in consent. An online advertising network that seeks consent also shall provide a means of revoking consent for further mergers of the data. The network shall make the means accessible at a designated location on the online advertising network's web site.
(H) An online advertising network shall make reasonable efforts to protect data collected as a result of advertising delivery and reporting from loss, misuse, alteration, destruction, or improper access. An online advertising network that collects both nonpersonally identifiable information through advertising delivery and reporting activities and personally identifiable information directly from consumers or from third parties shall implement reasonable technical and procedural protections to prevent the unlawful merger of personally identifiable information and nonpersonally identifiable information.
(I) An online advertising network shall provide consumers with reasonable access to personally identifiable information and other information that is directly associated with personally identifiable information retained by the online advertising network for advertising delivery and reporting. This division does not require an online advertising network to provide an individual with access where:
(1) The consumer requesting access cannot reasonably verify his or her identity as the person to whom the personally identifiable information relates.
(2) The rights of persons other than the consumer would be violated.
(3) The burden or expense of providing access would be disproportionate to the risks of harm to the consumer in the case in question.
(4) Proprietary or confidential information, technology, or business processes would be revealed as a result.
(5) Revealing the information likely would affect litigation or judicial proceedings in which the advertising network has an interest.
(6) Revealing the information would be unlawful, or likely would interfere with the detection or prevention of unlawful activity.
(J) An online advertising network may charge a reasonable fee for providing access in accordance with this section, which shall not exceed the greater of the actual cost to the online advertising network of responding to the consumer's access request or the average cost to the online advertising network of responding to access requests of a similar type. The obligation to provide access does not, by itself, create an obligation on the organization to retain personally identifiable information.
(K)(1) If by the attorney general's own inquiries, or as a result of complaints received, the attorney general has reasonable cause to believe that an online advertising network or a publisher has engaged in, is engaging, or is threatening to engage in an act or practice that violates this section, the attorney general may investigate. For this purpose, the attorney general may administer oaths, subpoena witnesses, adduce evidence, and require the production of relevant materials. If materials that the attorney general requires to be produced are located outside the state, the attorney general may designate representatives, including officials of the state in which the materials are located, to inspect the materials on behalf of the attorney general, and the attorney general may respond to similar requests from officials of other states. The attorney general shall make reasonable efforts to coordinate an investigation of an online advertising network or publisher with officials in other states who the attorney general has reason to believe are undertaking a similar investigation to avoid imposing unreasonable discovery burdens on the online advertising network or publisher that is the subject of the attorney general's investigation.
(2) The attorney general may bring an action to enjoin a violation of this section.
(L) The attorney general may approve a self-regulatory program that is established, implemented, and monitored by a private industry organization, which imposes requirements on participants that are equivalent to the requirements of this section, or that provide greater privacy protections to consumers. An advertising network or publisher that participates in any approved private industry self-regulatory program shall be deemed to be in compliance with this section.
Sec. 1349.99. (A) Whoever violates section 1349.06 or 1349.17 of the Revised Code is guilty of a minor misdemeanor.
(B)(1) Whoever violates section 1349.45 of the Revised Code is guilty of a misdemeanor of the first degree.
(2) Notwithstanding division (B)(1) of this section, the only remedies that are available for a violation of section 1349.45 of the Revised Code by a registrant or licensee under sections 1322.01 to 1322.12 of the Revised Code are those set forth in section 1322.10 of the Revised Code or otherwise provided by statute or common law.
(3) The provisions of division (B) of this section are not intended to be exclusive remedies and do not preclude the use of any other remedy provided by law.
(C) Whoever violates section 1349.65 of the Revised Code shall be fined not more than one thousand dollars for each violation. Whoever is found to have engaged in a pattern or practice of violating section 1349.65 of the Revised Code shall be fined not more than three thousand dollars for each violation. The amount of any fine imposed pursuant to this division shall not exceed five hundred thousand dollars.
Section 2. That existing section 1349.99 of the Revised Code is hereby repealed.