Can I use third-party email marketing tools that collect personal information in Ohio? What are the requirements?
Using Third-Party Email Marketing Tools that Collect Personal Information in Ohio
If you are using third-party email marketing tools that collect personal information in Ohio, you must ensure that you comply with the relevant regulations.
OHAC Rule 3706-3-05, OHAC Rule 991-9-01, OHAC Rule 5501-4-01, and OHAC Rule 122-6-01 provide guidelines for restricting and logging access to confidential personal information in computerized personal information systems. These rules apply to personal information systems that are computer systems and contain confidential personal information.
According to OHAC Rule 991-9-01 and OHAC Rule 3706-3-02, personal information systems of Ohio agencies are managed on a “need-to-know” basis whereby the information owner determines the level of access required for an employee of the agency to fulfill his or her job duties. The determination of access to confidential personal information shall be approved by the employee’s supervisor and the information owner prior to providing the employee with access to confidential personal information within a personal information system.
OHAC Rule 5501-4-01 defines “confidential personal information” (CPI) as personal information that is identified by rules promulgated by the department in accordance with division (B)(3) of section 1347.15 of the Revised Code that reference the federal or state statutes or administrative rules that make personal information maintained by the department confidential.
OHAC Rule 122-6-01 provides guidelines for access to confidential personal information. It defines “access” as an instance of copying, viewing, or otherwise perceiving personal information. It also defines “personal information system” as a system that maintains personal information using electronic data processing equipment.
Therefore, if you are using third-party email marketing tools that collect personal information in Ohio, you must ensure that you have a mechanism for recording specific access by employees of the agency to confidential personal information in the system. Access to confidential personal information that is kept electronically shall require a password or other authentication measure.
Additionally, you must ensure that you have a policy that specifies who shall maintain the log, what information shall be captured in the log, how the log is to be stored, and how long information kept in the log is to be retained.
If you are unsure whether your use of third-party email marketing tools complies with these regulations, you should consult with a legal professional.
Conclusion
To summarize, if you are using third-party email marketing tools that collect personal information in Ohio, you must ensure that you comply with the relevant regulations. This includes restricting access to confidential personal information, having a mechanism for recording specific access by employees of the agency to that information in the system, and maintaining a policy for managing logs.
Jurisdiction
Ohio