Maryland Legislature Passes State Privacy Bill with Robust Requirements and Broad Threshold for Application
Wednesday, May 1, 2024

The Maryland legislature recently passed the Maryland Online Data Privacy Act of 2024 (“MODPA”), which was delivered to Governor Wes Moore for signature and, if enacted, will impose robust requirements with respect to data minimization, the protection of sensitive data, and the processing and sale of minors’ data.
MODPA applies to a person that “conducts business” in Maryland or provides products or services that are targeted to Maryland residents and, during the preceding calendar year, either controlled or processed the personal data of at least: (1) 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data. MODPA does not apply to individuals acting in a commercial or employment context.
MODPA also includes several exemptions, such as for financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act; PHI under HIPAA; personal data regulated by the Federal Family Educational Rights and Privacy Act; personal data collected, processed, sold or disclosed in compliance with the Federal Farm Credit Act; non-profit controllers that process or share personal data for the purpose of assisting (1) law enforcement agencies in investigating criminal or fraudulent acts relating to insurance, or (2) first responders in responding to catastrophic events. Unlike some other state privacy laws, MODPA does not exempt nonprofits or institutions of higher education, and it does not contain an entity-level exemption for HIPAA-covered entities.
MODPA imposes heightened data minimization requirements based on whether the data at issue is personal or sensitive. Controllers must limit their collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains. With respect to sensitive data, controllers may not collect, process or share sensitive data (discussed further below) concerning consumers unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains. Note, however, that MODPA does not define or provide guidance as to what exactly constitutes “reasonably necessary” or “strictly necessary.”
MODPA prohibits the sale of sensitive data, which is a subset of personal data. A “sale of personal data” means the “exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.” “Sensitive data” includes data revealing: racial or ethnic origin; religious beliefs; consumer health data; sex life; sexual orientation; status as transgender or nonbinary; national origin; and citizenship or immigration status. It also includes genetic and biometric data, personal data of a consumer who the controller knows or has reason to know is a child, and precise geolocation data.
Maryland utilizes a broad definition of “biometric data,” which includes data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity. Other states, however, such as Virginia, require that the data be used to identify a specific individual.
Controllers must regularly conduct and document a Data Protection Assessment for each of their “processing activities that present a heightened risk of harm to a consumer,” including an assessment for each algorithm that is used. “Processing activities that present a heightened risk of harm to a consumer” include (1) the processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of sensitive data; and (4) the processing of personal data for the purposes of profiling, in which the profiling presents a reasonably foreseeable risk of: (a) unfair, abusive, or deceptive treatment of a consumer; (b) having an unlawful disparate impact on a consumer; (c) financial, physical, or reputational injury to a consumer; (d) a physical or other intrusion upon the solitude or seclusion or the private affairs or concerns of a consumer if the intrusion would be offensive to a reasonable person; or (e) other substantial injury to a consumer.
MODPA imposes guardrails with respect to the processing and sale of minors’ personal data. Controllers are prohibited from selling personal data of a consumer or using that data for purposes of targeted advertising if the controller knew or should have known that the consumer is under the age of 18. This prohibition is strict compared to other laws that require actual knowledge of consumers’ age or provide an opportunity for consumers to opt-in for the processing and sale of minors’ data.
Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes the following, among other things: (1) the categories of personal data processed by the controller, including sensitive data; (2) the controller’s purpose for processing personal data; (3) how a consumer may exercise rights under MODPA, including how a consumer may appeal a controller’s decision regarding the consumer’s request or revoke consent; (4) the categories of third parties with which the controller shares personal data, with a level of detail that enables a consumer to understand the type of, business model of, or processing conducted by each third party; (5) the categories of personal data, including sensitive data, that the controller shares with third parties; (6) an active e-mail address or other online mechanism that a consumer may use to contact the controller; and (7) if a controller sells personal data to third parties or processes personal data for targeted advertising or for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects, a clear, conspicuous and prominently displayed disclosure regarding the sale or processing, including the manner in which consumers may opt out.
MODPA imposes anti-discrimination requirements with respect to personal data and publicly available data. Controllers are prohibited from collecting, processing or transferring personal data or publicly available data in a manner that unlawfully discriminates or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity or disability, unless the collection, processing or transfer of personal data is for specific purposes, such as for the controller’s self-testing to prevent or mitigate unlawful discrimination.
MODPA provides consumers with the following rights: (1) to confirm whether a controller is processing the consumer’s personal data and to access such personal data; (2) to correct inaccuracies in the consumer’s personal data; (3) to delete personal data provided by, or obtained about, the consumer unless retention is required by law; (4) to obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; (5) to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data or a list of the categories of third parties to which the controller has disclosed any consumer’s personal data if the controller does not maintain this information in a format specific to the consumer; and (6) to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Controllers have 45 days to respond to consumer rights requests, with a potential 45-day extension where reasonably necessary.
MODPA will be enforced by Maryland’s Division of Consumer Protection under the Attorney General (the “Division”). The bill does not specifically provide consumers with a private right of action, but it also does not prevent consumers from pursuing remedies provided by other laws. Violations are treated as unfair, abusive, or deceptive trade practices under Maryland’s Consumer Protection Act. Before initiating an enforcement action, the Division may issue a notice of violation to a controller or processor if the Division determines that a cure is possible. If a notice of violation is issued, MODPA provides controllers and processors with a minimum of 60 days to cure the violation after receipt of the notice. In determining whether to grant a controller or processor an opportunity to cure an alleged violation, the Division may consider, among other factors, the number of violations, the size and complexity of the controller or processor, and whether the alleged violation was likely caused by human or technical error.
If enacted, MODPA will take effect on October 1, 2025, but it does not have any effect on or application to any personal data processing activities before April 1, 2026.