Maryland Enacts Sweeping Privacy Reform
The push by U.S. states to pass data privacy laws continues with Maryland being the 18th state to join their ranks. However, Maryland has taken a more stringent and comprehensive approach than many of its peers: Governor Wes Moore signed both the Maryland Online Data Privacy Act of 2024 (MODPA) and the Maryland Age Appropriate Design Code (HB 603/SB 5712023, the “Kids Code”) into law on May 9, 2024. The MODPA will go into effect October 1, 2025, and the Kids Code will go into effect October 1 of this year. See the Mintz Privacy blog for discussion of the Kids Code.
This post will provide the details and information you and your business need to know about the MODPA. You can find our discussion regarding other recently enacted state laws here, here, and here.
Applicability Criteria
The Maryland applicability criteria mirror the New Hampshire Privacy Act and apply to any business or person that produces products or services targeted to residents of Maryland and that either: (i) controls or processes the personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) controls or processes the personal data of at least 10,000 unique Maryland consumers and derives more than 20% (New Hampshire's threshold is 25%) of its gross revenue from the sale of personal data. These thresholds are lower than those in most state privacy laws and will require compliance on the part of more companies.
A “consumer” under the MODPA is an individual who is a resident of Maryland. It does not include individuals acting in a commercial or employment context. This distinction is the predominant approach we are seeing adopted by the states, with the exception being California.
Notably, under the MODPA, “sale” is defined as an exchange of personal data for “monetary or other valuable consideration”, which is broader than most states and similar to laws adopted by California, Colorado and Connecticut.
Exemptions
The MODPA does not apply to:
- Maryland government and regulatory entities (including any instrumentality of the State, such as boards, bureaus, commissions or units of the State, or a political subdivision of the State);
- Financial institutions and affiliates, or data subject to the federal GLBA;
- National securities associations registered under the Exchange Act or registered futures associations under the Commodity Exchange Act;
- Covered entities or business associates governed by certain rules under HIPAA;
- Nonprofit organizations that process data solely to assist law enforcement in investigating insurance-related criminal or fraudulent acts or first responders to catastrophic events (note the narrow nature of this exemption);
- Certain research data or employment-related information; and
- Information governed by federal laws, such as HIPAA, COPPA, the Driver’s Privacy Protection Act, the Airline Deregulation Act, the Controlled Substances Act, the Family Educational Rights and Privacy Act, the Fair Credit Reporting Act or the Farm Credit Act.
Consumer Rights
Consumers who are Maryland residents will be able to exercise the following rights under the MODPA:
- Right to confirm whether or not their personal data is processed (unless such confirmation or access would require the controller to reveal a trade secret);
- Right to access their personal data (if being processed);
- Right to correct inaccuracies in their personal data;
- Right to deletion of their personal data (unless required by law to retain);
- Right to portability of their personal data when data is processed via automated means;
- Right to obtain a list of categories of third parties receiving personal data from the controller; and
- Right to opt out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Business Obligations to Consumers
The MODPA is similar to most state laws passed in the last year, and businesses should consider the following compliance obligations on the horizon:
- Respond to consumer requests under the MODPA without undue delay, and in any event within 45 days of receipt of the request (the period may be extended by an additional 45 days when reasonably necessary, so long as the controller notifies the consumer of its intent to extend);
- Establish a process for consumers to appeal any refusal to take action on a consumer request;
- Provide a decision as to any appeal within 60 days of such appeal, and if denied, respond to the consumer with a method to submit a complaint with the attorney general (via online mechanism, if available);
- Allow consumers to opt out of the processing of their personal data by using a user-selected universal opt-out mechanism ("UOOM"). Several other states, including California, Connecticut, and New Jersey, also mandate the use of UOOMs. Notably, to satisfy this requirement, Maryland permits the use of UOOMs approved by other states.
- Provide required information to consumers free of charge, once per twelve-month period; and
- Use commercially reasonable efforts to authenticate requests.
Notices to Consumers
- Businesses must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that includes:
  - Categories of personal data processed by the business;
  - The purpose of processing personal data;
  - How consumers may exercise their consumer rights (including how a consumer may appeal a business’s decision with regard to a consumer’s request);
  - Categories of personal data that the business may share with third parties;
  - Categories of third parties with which the business shares personal data; and
  - An active email address or online mechanism that the consumer may use to contact the business.
- Businesses must “clearly and conspicuously” disclose any sale of personal data or use of personal data for targeted advertising or for the purpose of profiling (and how to opt out of such sale or processing).
- Businesses must establish (and describe in a privacy notice) one or more secure and reliable means for consumers to submit a request to exercise their consumer rights, including:
  - A clear and conspicuous link on the business’s website enabling opt-out of targeted advertising or sale of the consumer’s personal data; and
  - Not later than October 1, 2025, allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data.
Other Business Obligations
The Do’s:
- Conduct and document data protection impact assessments for data processing activities created or generated after October 1, 2025. These assessments carry extensive requirements, including identifying and comparing the benefits of the processing activity that may flow to all parties against the potential risks to consumer rights, and an obligation to provide assessments to the Attorney General upon request;
- Limit collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains;
- Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents (noting that aggregated data is excluded from the definition of personal data);
- Establish, implement, and maintain data security practices to protect confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of personal data at issue; and
- Provide an effective mechanism to revoke consent.
And the Do Not’s:
- Do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
- Do not sell sensitive data;
- Do not discriminate against a consumer for exercising any consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to consumers;
- Do not collect, process or share sensitive data except where strictly necessary to provide or maintain a specific consumer-requested product or service;
- Do not provide employees or contractors access to Consumer Health Data (defined as personal data that is used to identify a consumer's physical or mental health status, including data related to gender-affirming care treatment and reproductive or sexual health care) unless the employee or contractor is subject to contractual or statutory obligations of confidentiality;
- Do not process personal data for purposes of targeted advertising or sell personal data if the controller knew or should have known that the personal data relates to a consumer under 18 years of age;
- Do not sell personal data of a consumer without the consumer’s consent if the controller knew or should have known that the consumer is under 18 years of age;
- Do not continue to process a consumer’s personal data more than 30 days after the consumer revokes consent to that processing; and
- Do not use a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data.
“Sensitive data” includes (1) personal data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, status as transgender or nonbinary, national origin, or citizenship or immigration status; (2) genetic or biometric data; (3) personal data collected from a person the controller knows or has reason to know is a child (as defined under COPPA); or (4) precise geolocation data (within a radius of 1,750 feet).
Notably, the definition of “biometric data” under MODPA specifies that data collected will be considered biometric if it “can” be used to identify a person, regardless of intent. Other states have opted to use the more permissive intent requirement. Additionally, MODPA makes it clear that you cannot collect sensitive data unless it is “strictly necessary” to provide a specific product or service requested by the consumer.
As with the Kids Code, the MODPA takes steps to protect children, but with a higher age threshold than most states, causing more confusion for businesses aiming at the “tween” and teen markets. While most states include provisions regarding children under 13 (or 16 in California), in Maryland, controllers may not process the personal data of children for targeted advertising purposes, and are prohibited from selling such data where the controller “knew or should have known” that the children in question were under the age of 18.
Impacts on Vendors/Data Processors
Vendors that are data processors have direct obligations under the MODPA, such as adhering to instructions from data controllers, assisting data controllers with their own compliance obligations, assisting data controllers with data protection impact assessments, and required subcontractor flow-down obligations.
The MODPA also contains specific requirements that must be included in data processing agreements between data controllers and data processors.
Data Protection Assessments
As expected, the MODPA also requires controllers to conduct data protection assessments for each processing activity that presents a heightened risk of harm. Such assessments must include an assessment for each algorithm that is used (more expansive than most state privacy laws). These types of activities include:
- Processing personal data for targeted advertising;
- Selling personal data;
- Processing sensitive data; or
- Processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair, abusive, or deceptive treatment of consumers or results in substantial injury to consumers.
The assessments must identify and compare the processing activity’s benefits that may flow to all parties with potential risks to consumer rights. Similar to other state privacy laws, the MODPA allows data protection assessments performed for other state privacy laws to satisfy its assessment requirements. Data protection assessments will apply to processing activities occurring on or after October 1, 2025.
No private right of action; AG Enforcement
Like comprehensive data privacy laws in most other states (except California’s limited private right related to data breaches), the MODPA does not provide for a private right of action. The MODPA will be enforced exclusively by Maryland’s Attorney General and, before initiating an enforcement action, the Maryland AG must provide 60 days’ prior written notice of an alleged violation and an opportunity to cure the violation. Beginning on April 1, 2027, the cure period becomes discretionary, and the state AG may consider providing a cure period for a violation by considering certain specified factors.
Fines and Penalties
Civil penalties can be up to $10,000 per violation for first time violations and up to $25,000 per violation for repeat violations.
Effective Date for MODPA
MODPA goes into effect on October 1, 2025. However, the law will not have any effect on or application to processing activities prior to April 1, 2026.