Personal Information of Consumers

Certain Ohio laws specify how sellers should handle consumers’ personal information, such as their Social Security numbers and credit card numbers, and how they should address a security breach that puts consumers’ personal information at risk.

Printing credit card numbers on receipts

Ohio’s Credit Card Truncation Act (Ohio Revised Code (ORC) Section 1349.18) prohibits sellers from printing the expiration date or more than the last five digits of a consumer’s credit or debit card number on a receipt. This law applies to sellers such as restaurants, stores, online retailers, and other entities that electronically print these numbers on receipts.

Recording a consumer’s Social Security number

The Credit Card Recording Act (ORC 1349.17) says that sellers may not record a consumer’s credit card or Social Security number when a check, bill of exchange, or other draft is presented for payment, unless all the following conditions apply:

  • The number is recorded for a legitimate business purpose, including collection purposes;
  • The number is not disclosed to any third party, except for collection purposes; and
  • The consumer consents to having the number recorded.

What is a security breach?

A security breach is the unauthorized access to and acquisition of personal information which causes, reasonably is believed to have caused, or reasonably is believed will cause a risk of identity theft or other fraud to the person or property of a resident of this state.

What is “personal information”?

Personal information is an individual’s name connected with any of the following data, if the data are not encrypted, redacted, or altered to make them unreadable:

  • Social Security number;
  • Driver’s license number or state identification card number; or
  • Account number, credit, or debit card number linked to a security code or password.

Do consumers need to be notified of a breach?

Under the Security Breach Notification Act (ORC 1349.19), consumers must be notified of any security breach to stored personal information that may reasonably cause a material risk of identity theft or other fraud.

How quickly must a business notify consumers of a breach?

Consumers must be notified in the quickest way possible, but not later than 45 days after the breach is discovered.

What is an acceptable notice of a breach?

The type of notice required depends on the number of consumers affected and the size of the business. Depending on these factors, it may be acceptable to notify consumers: in writing; via e-mail or electronic notice; over the phone; through the local newspaper; on the business’s website; or through notification to major media outlets in the area where the entity is located. For more information, see ORC 1349.19(E).

Handling consumers’ personal information:

  • Sellers cannot print a consumer’s credit card expiration date and cannot print more than the last five digits of a credit card number on receipts.
  • Social Security numbers may not be recorded unless certain conditions apply.
  • Consumers must be notified of any security breach that may put them at risk for fraud.