Maryland Joins Growing Ranks and Passes Its Own Consumer Data Privacy Law

On April 6, 2024, the Maryland Legislature passed a comprehensive privacy bill, sending the Maryland Online Data Privacy Act of 2024 (MODPA) to Governor Wes Moore’s desk for signature into law. The law, which would take effect October 1, 2025, is similar to prior state consumer privacy laws but has several unique provisions, which likely will require companies subject to MODPA to adjust their state law compliance programs. The good news, however, is that while the law would take effect October 1, 2025, it will not “have any effect on or application to any personal data processing activities before April 1, 2026.”

In Depth

WHO DOES MODPA APPLY TO?

MODPA applies to any person who conducts business in Maryland or provides products or services that are targeted to Maryland residents and, during the immediately preceding calendar year, either:

• Controlled or processed the personal data of at least 35,000 Maryland consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction)
• Controlled or processed the personal data of at least 10,000 Maryland consumers and derives more than 20% of their gross revenue from the sale of personal data.

Both triggering scenarios are materially lower than a majority of other similar state consumer privacy laws, except for the recently passed New Hampshire Privacy Act.

WHO IS A “CONSUMER”?

MODPA follows the majority of the other states with consumer privacy laws and defines a consumer as an individual who is a resident of Maryland and acting only in the individual context (i.e., excluding employment or commercial actors).

WHAT IS “PERSONAL DATA”?

Another familiar definition is that of “personal data,” which MODPA defines as information that is linked or can be reasonably linked to an identified or identifiable individual but excludes de-identified data and publicly available information.

WHO CAN ENFORCE?

Maryland’s attorney general has exclusive enforcement power. With respect to an alleged violation on or before April 1, 2027, the attorney general may issue a notice of violation and a 60-day opportunity to cure it. If the controller or processor fails to remedy the issue within those 60 days, the attorney general can initiate an enforcement action. Penalties can be up to $10,000 per violation, but if the fine is in connection with a repeat violation, it may cost up to $25,000 for each violation.

WHO IS EXEMPT?

MODPA includes a short list of entity-level exemptions, including for:

• Regulatory, administrative, advisory, executive, appointive, legislative, or judicial bodies or instrumentalities of the state of Maryland
• Nonprofit organizations that process data solely to assist law enforcement in investigating insurance-related criminal or fraudulent acts or first responders to catastrophic events
• National securities associations under the Securities Exchange Act of 1934 or registered futures associations under the Commodity Exchange Act
• A financial institution or affiliate subject to the Gramm-Leach-Bliley Act.

MODPA’s list of data-level exemptions is fairly standard, including data processed in accordance with a variety of federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), federal research laws and regulations (such as the Common Rule), the Fair Credit Reporting Act, the Drivers Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act of 1971, the Airline Deregulation Act and the Children’s Online Privacy Protection Act, among others.

WHAT OBLIGATIONS ARE IMPOSED?

Controllers under MODPA are subject to several obligations, including requirements to:

• Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer
• Avoid processing personal data for secondary reasons (purposes that are neither reasonably necessary nor compatible with the initial disclosed purposes) without the consumer’s prior consent
• Establish, implement and maintain reasonable administrative, technical and physical data security practices (to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue)
• Not collect, process or share sensitive data except where strictly necessary to provide or maintain a specific consumer-requested product or service
• Not sell sensitive data
• Not process personal data in violation of laws that prohibit unlawful discrimination against consumers and refrain from discriminating against consumers who exercise their rights
• Not process personal data for the purposes of targeted advertising or selling personal data if the controller knew or should have known the personal data related to a consumer under 18 years of age
• Provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes the disclosures now common under state consumer privacy laws.

One of the more unique and restrictive aspects of MODPA includes its blanket prohibition on the sale of sensitive data and on any collection, processing or sharing of sensitive data concerning a consumer “except where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer.”

To date, no other state privacy law has adopted a prohibition on the sale of sensitive data. Depending on what constitutes a sale, this prohibition could have far-reaching consequences for companies that operate in (e.g., the non-HIPAA-regulated healthcare space) and deploy website tracking technologies.

WHAT CONSUMER RIGHTS ARE CREATED BY MODPA?

MODPA provides Maryland consumers with rights that should look familiar by now:

• The right to confirm whether the controller is processing the consumer’s personal data and to access said data (if being processed)
• The right to correct personal data, considering the nature of the personal data and the purposes for processing it
• The right to require the controller to delete personal data provided by or obtained about the consumer, unless required by law to retain
• The right to data portability when data processing is done through automated means
• The right to obtain a list of the categories of third parties receiving personal data from the controller
• Opt-out rights for targeted advertising, the sale of personal data and profiling, where profiling is being used to produce a legal or similarly significant effect
• The right to appeal rights requests that have not been fulfilled

SENSITIVE DATA

MODPA has a list of sensitive data that generally tracks other state consumer privacy laws – but with a twist on consumer health data:

• Racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status
• Genetic data or biometric data
• Personal data collected from a consumer who the controller knows or has reason to know is a child (under 13-year-old)
• Precise geolocation data (within a 1,750-foot radius).

Consumer health data under MODPA includes personal data the controller uses to identify a consumer’s physical or mental health status and explicitly includes data related to gender-affirming treatment or reproductive or sexual healthcare. “Physical or mental health status” is not defined. To trigger the defined term, a controller must actually be using data to identify the consumer’s health status.

Additionally, businesses should note that the law treats any genetic or biometric data as sensitive data, regardless of whether the data is being used to uniquely identify a consumer. This marks another variation from the other states.

RESPONSE TO CONSUMER REQUESTS

Following the same framework as most states, under MODPA, controllers must respond to a data subject request within 45 days after receipt, with a 45-day extension available as reasonably necessary. If denied, the controller must provide a method to appeal the denial of a request and make the process conspicuously available. A decision on the appeal must be provided within 60 days of receipt of the consumer’s appeal. If an appeal is denied, the decision must include a method for the consumer to submit a complaint with the attorney general.

DATA PROTECTION ASSESSMENTS

As expected, MODPA also requires controllers to conduct “data protection assessments” for each processing activity that presents a heightened risk of harm and include an assessment for each algorithm that is used. These types of activities include:

• Processing personal data for targeted advertising
• Selling personal data
• Processing sensitive data
• Processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair, abusive or deceptive treatment of consumers or results in substantial injury to consumers.

The assessments must identify and compare the processing activity’s benefits that may flow to all parties with potential risks to consumer rights. Like other state privacy laws, MODPA allows impact assessments performed for other state privacy laws to satisfy its assessment requirements. Data protection assessment requirements will apply to processing activities occurring on or after October 1, 2025.

WHEN DOES MODPA TAKE EFFECT?

MODPA goes into effect on October 1, 2025. However, the law will not have any effect on or application to processing activities prior to April 1, 2026.

The plethora of unique state privacy laws is becoming more challenging as each new version is introduced. In addition to implementing comprehensive privacy programs, organizations need to ensure they are reviewing applicability and updating internal policies and procedures as needed to maintain compliance.

If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or reach out to David Saunders or Allison McSorley Tassel.