Maryland Enacts Online Consumer Data Privacy Act | Practical Law

Maryland has enacted the Maryland Online Data Privacy Act of 2024, which creates personal data rights for Maryland residents, imposes data privacy and security requirements on controllers, and provides the Maryland Attorney General with exclusive enforcement authority. The law contains no private right of action and takes effect October 1, 2025.

Practical Law Legal Update w-043-2737 (Approx. 7 pages)

Maryland Enacts Online Consumer Data Privacy Act

by Practical Law Data Privacy & Cybersecurity
Published on 10 May 2024
Maryland
On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA) (SB 541). The law takes effect October 1, 2025, but will not apply to personal data processing activities before April 1, 2026. The law provides Maryland residents acting as consumers in individual contexts more control over their personal data and contains protections for consumer health data. The law does not cover individuals acting in employment or commercial contexts.
The MODPA applies to individuals and entities conducting business in Maryland, or producing products or services targeting Maryland residents, that during the preceding calendar year controlled or processed the personal data of either:
  • 35,000 or more Maryland consumers, excluding personal data controlled or processed solely to complete a payment transaction.
  • 10,000 or more Maryland consumers, where the individual or entity also derived more than 20% of its gross revenue from personal data sales.
The MODPA broadly defines personal data as information that is linked or reasonably linkable to an identified or identifiable consumer. The term does not include:
  • De-identified data.
  • Publicly available information.
The MODPA defines sensitive data as:
  • Personal data revealing race or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status.
  • Genetic or biometric data, excluding physical or digital photographs, video or audio recordings, or data generated from them unless the data is generated to identify a specific individual.
  • Personal data of a consumer the controller knows or has reason to know is a child.
  • Precise geolocation data.
The MODPA grants consumers, and the parents or guardians of children under 13, rights to:
  • Confirm whether a controller is processing their personal data unless the confirmation would require the controller to reveal a trade secret.
  • Access their personal data unless the access would require the controller to reveal a trade secret.
  • Request deletion of their personal data unless its retention is legally required.
  • Correct inaccuracies in their personal data, considering the nature of the personal data and the processing purposes.
  • If the personal data is processed automatically, obtain a copy of their personal data in a format that is:
    • portable and readily usable, to the extent technically possible; and
    • easily transmittable to another controller.
  • Obtain a list of the categories of third parties to which the controller has disclosed their personal data.
  • Opt out of having their personal data processed for purposes of:
    • targeted advertising;
    • personal data sales; or
    • profiling to further solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Controllers have obligations similar to those under other states' recent consumer data privacy laws. Specifically, they must:
  • Implement and maintain reasonable administrative, physical, and technical data security practices to safeguard personal data.
  • Provide consumers with a reasonably accessible, clear, and meaningful privacy notice stating:
    • the categories of personal data the controller processes;
    • the processing purposes;
    • how consumers may exercise their rights;
    • the categories of personal data the controller shares with third parties and the categories of those third parties, if any; and
    • an active email address or other online contact mechanism the consumer can use to contact the controller.
  • Only process personal data for the purposes reasonably necessary or compatible with the disclosed processing purposes unless the controller obtains consumer consent.
  • Provide an easy mechanism for consumers to revoke consent.
  • Respond to consumers' requests to exercise their rights within 45 days, subject to certain exclusions and extension opportunities.
  • Execute data processing agreements with their processors that include specified provisions and instructions. Processors must adhere to the controller's instructions and support the controller's compliance obligations.
  • Take steps to manage de-identified data, including exercising reasonable oversight to monitor compliance with and enforce contracts under which they disclose de-identified data.
In addition, the MODPA creates unique data minimization obligations requiring controllers to:
  • Limit personal data collection to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer.
  • Collect, process, and share consumers' sensitive personal data only as strictly necessary to provide or maintain a specific product or service requested by the consumer.
Controllers must refrain from:
  • Selling sensitive personal data.
  • Selling a consumer's personal data or processing the data for targeted advertising if the controller knew or should have known that the consumer is under 18 years old.
  • Collecting, processing, or transferring personal data or publicly available data in a manner that unlawfully discriminates in, or otherwise unlawfully makes unavailable, the equal enjoyment of goods or services based on race, color, religion, national origin, sex, sexual orientation, gender identity, or disability unless an exception applies.
  • Discriminating against consumers for exercising their personal data rights.
The MODPA provides heightened protections around consumer health data including:
  • Prohibitions on geofencing.
  • Conditions on employee, contractor, and data processor access to consumer health data.
Controllers must conduct data protection impact assessments (DPIAs) for personal data processing activities that create a heightened risk of harm, including an assessment for each algorithm used. The DPIAs must:
  • Identify and weigh any benefits of the relevant personal data processing to the controller, consumers, other stakeholders, and the public against consumer risks, as mitigated by available safeguards.
  • Consider the use of de-identified data.
  • Address reasonable consumer expectations and the controller's relationship with them.
The MODPA does not apply to:
  • HIPAA-defined protected health information and other specified health data and derivatives.
  • State and local government agencies.
  • Financial institutions and personal data subject to the Gramm-Leach-Bliley Act.
  • Certain processing by nonprofit organizations.
  • Personal data processed in the employment context.
  • Data processing by an individual in a personal or household activity.
  • Personal data collected by insurers and affiliates regulated under Maryland's insurance laws.
  • Personal data regulated under other enumerated federal privacy laws.
The MODPA provides the Maryland Attorney General with exclusive enforcement authority through the Division of Consumer Protection and does not include a private right of action. From the MODPA's effective date through April 1, 2027, the Attorney General must issue a 60-day right-to-cure notice to the controller before bringing an action for a violation.