While Ohio has not passed any laws specifically requiring websites to post privacy policies, such laws have been passed in several other jurisdictions. And these laws typically apply even if your business isn’t located in that state or country.
Practice Note: Ohio law hasn’t addressed privacy policies yet, but Ohio’s Data Protection Act does protect businesses from lawsuits if they take steps to protect the security and confidentiality of personal information, among other requirements.
Similarly, the European Union’s General Data Protection Regulation (GDPR) applies not only to businesses based in the EU, but also to businesses that offer goods or services to residents of the EU or that collect data from the EU. As we discuss below, most websites these days use third-party services to track website visitors. That alone potentially makes the GDPR applicable to your small business because an EU resident could stumble across your site, even if you aren’t specifically targeting the EU. So while the GDPR technically applies to almost every website in the world, (a) as a practical matter, it seems unlikely that regulators will be targeting small businesses that inadvertently obtain insignificant amounts of data, and (b) it does include an exemption to the more onerous record-keeping requirements for small businesses with fewer than 250 employees.
The GDPR is a complex law with a lot of requirements. But most importantly for small businesses, it requires that you: