The Maryland legislature recently passed the Maryland Online Data Privacy Act of 2024 (“MODPA”), which was delivered to Governor Wes Moore for signature and, if enacted, will impose robust requirements with respect to data minimization, the protection of sensitive data, and the processing and sale of minors’ data.
Applicability
MODPA applies to a person that “conducts business” in Maryland or provides products or services that are targeted to Maryland residents and, during the preceding calendar year, either controlled or processed the personal data of at least: (1) 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data. MODPA does not apply to individuals acting in a commercial or employment context.
MODPA also includes several exemptions, such as for financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act; PHI under HIPAA; personal data regulated by the Federal Family Educational Rights and Privacy Act; personal data collected, processed, sold or disclosed in compliance with the Federal Farm Credit Act; and non-profit controllers that process or share personal data for the purpose of assisting (1) law enforcement agencies in investigating criminal or fraudulent acts relating to insurance, or (2) first responders in responding to catastrophic events. Unlike some other state privacy laws, MODPA does not exempt nonprofits or institutions of higher education, and it does not contain an entity-level exemption for HIPAA-covered entities.
Controller Obligations
Data Minimization
MODPA imposes heightened data minimization requirements based on whether the data at issue is personal or sensitive. Controllers must limit their collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains. With respect to sensitive data, controllers may not collect, process or share sensitive data (discussed further below) concerning consumers unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains. Note, however, that MODPA does not define or provide guidance as to what exactly constitutes “reasonably necessary” or “strictly necessary.”
Ban on Sale of Sensitive Data
MODPA prohibits the sale of sensitive data, which is a subset of personal data. A “sale of personal data” means the “exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.” “Sensitive data” includes data revealing: racial or ethnic origin; religious beliefs; consumer health data; sex life; sexual orientation; status as transgender or nonbinary; national origin; and citizenship or immigration status. It also includes genetic and biometric data, personal data of a consumer who the controller knows or has reason to know is a child, and precise geolocation data.
Maryland uses a broad definition of “biometric data,” which includes data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity. Other states, however, like Virginia, require that the data be used to identify a specific individual.
Data Protection Assessments
Controllers must regularly conduct and document a Data Protection Assessment for each of their “processing activities that present a heightened risk of harm to a consumer,” including an assessment for each algorithm that is used. “Processing activities that present a heightened risk of harm to a consumer” include (1) the processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of sensitive data; and (4) the processing of personal data for the purposes of profiling, in which the profiling presents a reasonably foreseeable risk of: (a) unfair, abusive, or deceptive treatment of a consumer; (b) having an unlawful disparate impact on a consumer; (c) financial, physical, or reputational injury to a consumer; (d) a physical or other intrusion upon the solitude or seclusion or the private affairs or concerns of a consumer if the intrusion would be offensive to a reasonable person; or (e) other substantial injury to a consumer.
Restrictions for Processing and Sale of Minors’ Data
MODPA imposes guardrails with respect to the processing and sale of minors’ personal data. Controllers are prohibited from selling personal data of a consumer or using that data for purposes of targeted advertising if the controller knew or should have known that the consumer is under the age of 18. This prohibition is strict compared to other laws that require actual knowledge of consumers’ age or provide an opportunity for consumers to opt-in for the processing and sale of minors’ data.
Privacy Notice Requirements
Controllers must provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes the following, among other things: (1) the categories of personal data processed by the controller, including sensitive data; (2) the controller’s purpose for processing personal data; (3) how a consumer may exercise rights under MODPA, including how a consumer may appeal a controller’s decision regarding the consumer’s request or revoke consent; (4) the categories of third parties with which the controller shares personal data with a level of detail that enables a consumer to understand the type of, business model of or processing conducted by each third party; (5) the categories of personal data, including sensitive data, that the controller shares with third parties; (6) an active e-mail address or other online mechanism that a consumer may use to contact the controller; and (7) if a controller sells personal data to third parties or processes personal data for targeted advertising or purposes of profiling in furtherance of decisions that produce legal or similarly significant effects, the controller must provide a clear, conspicuous and prominently displayed disclosure regarding the sale or processing, including the manner in which consumers may opt out.
Anti-Discrimination
MODPA imposes anti-discrimination requirements with respect to personal data and publicly available data. Controllers are prohibited from collecting, processing or transferring personal data or publicly available data in a manner that unlawfully discriminates or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity or disability, unless the collection, processing or transfer of personal data is for specific purposes, such as for the controller’s self-testing to prevent or mitigate unlawful discrimination.
Consumer Rights
MODPA provides consumers with the following rights: (1) to confirm whether a controller is processing the consumer’s personal data and to access such personal data; (2) to correct inaccuracies in the consumer’s personal data; (3) to delete personal data provided by, or obtained about, the consumer unless retention is required by law; (4) to obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; (5) to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data or a list of the categories of third parties to which the controller has disclosed any consumer’s personal data if the controller does not maintain this information in a format specific to the consumer; and (6) to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Controllers have 45 days to respond to consumer rights requests, with a potential 45-day extension where reasonably necessary.
Enforcement
MODPA will be enforced by Maryland’s Division of Consumer Protection under the Attorney General (the “Division”). The bill does not specifically provide consumers with a private right of action, but it also does not prevent consumers from pursuing remedies provided by other laws. Violations are treated as unfair, abusive, or deceptive trade practices under Maryland’s Consumer Protection Act. Before initiating an enforcement action, the Division may issue a notice of violation to a controller or processor if the Division determines that a cure is possible. If a notice of violation is issued, MODPA provides controllers and processors with a minimum of 60 days to cure the violation after receipt of the notice. In determining whether to grant a controller or processor an opportunity to cure an alleged violation, the Division may consider, among other factors, the number of violations, the size and complexity of the controller or processor, and whether the alleged violation was likely caused by a human or technical error.
Effective Date
If enacted, MODPA will take effect on October 1, 2025, but it does not have any effect on or application to any personal data processing activities before April 1, 2026.
Update: On May 9, 2024, Governor Wes Moore signed MODPA into law.