Maryland is the 16th US State to Pass Comprehensive Consumer Privacy Legislation
15 April 2024
On 6 April 2024, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024. Once approved by the state’s governor, as expected shortly, Maryland will become the 16th US state to adopt comprehensive consumer data privacy legislation, and it is joining Kentucky, New Jersey and New Hampshire which enacted such laws earlier in 2024.
Scope of Application
The new act sets a relatively low threshold for applicability, capturing a wider array of businesses compared to other states. It applies to entities that conduct business in Maryland or provide products or services that are targeted to Maryland residents, and either:
- Control or process personal data of at least 35,000 consumers; or
- process personal data of at least 10,000 consumers while deriving more than 20% of their gross revenue from selling personal data.
The act includes several exemptions which affect its scope, such as for entities and data subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA), non-profits that process personal data only for the purpose of assisting, law enforcements agencies, first responders and state bodies.
Importantly, excluded from the act’s scope are information of business-to-business contacts, employees’ data and publicly available information. Publicly available information is defined as “information that a person: (1) lawfully obtains from a record of a governmental entity; (2) reasonably believes a consumer or widely distributed media have lawfully made available to the general public; or (3) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.”
Obligations of Controllers
Similar to other US state privacy laws, the act requires data controllers to provide a detailed privacy notice and clearly and conspicuously disclose if they sell personal data or process personal data for targeted advertising or for the purposes of profiling the consumer in furtherance of decisions that produce legal or similarly significant effects.
Additional controllers’ obligations include implementing adequate security measures, entering into data processing agreements with data processors and carrying out regular data protection assessments for processing activities that present a heightened risk of harm, such as targeted advertising, profiling, selling personal data, and processing sensitive data. Interestingly, unlike the other US privacy laws enacted so far, Maryland’s act requires controllers to perform an assessment for each algorithm that is used in the relevant processing activities.
Processing Restrictions
Under the new act, controllers are required to adhere to stringent data minimization and handling standards, particularly concerning sensitive data. Sensitive data is defined as data revealing (1) racial or ethnic origins; (2) religious beliefs; (3) consumer health data; (4) sex life; (5) sexual orientation; (6) status as transgender or nonbinary; (7) national origin; or (8) citizenship or immigration status. Sensitive data also includes genetic or biometric data, personal data of a consumer that the controller knows or has reason to know is a child under the age of 13 and precise geolocation.
Controllers must limit data collection of any personal data to what is “reasonably necessary and proportionate” to provide or maintain the specific service or product requested by the consumer. Further use of the collected data for a purpose that is “neither reasonably necessary to, nor compatible with, the disclosed purposes”, requires the consumer’s consent.
The collection, processing, or sharing of sensitive personal data is permitted only when “strictly necessary” for the provision or maintenance of a specific product or service requested by the consumer.
The act also explicitly prohibits the sale of sensitive data. While it does not specify consent as an exception to this ban, the definition of “sale” might implicitly cover such scenarios. This definition excludes disclosures of personal data for purposes of providing a product or service affirmatively requested by the consumer and where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.
Furthermore, the act introduces specific protections for minors by prohibiting the sale or use of data for targeted advertising if the controller knew or should have known that the consumer is under the age of 18.
Consumer Rights
Similarly, to other US privacy laws, Maryland’s new privacy act grants several rights for consumers regarding their personal data, including the right to know whether a controller is processing their personal data, right to access the personal data, as well as the rights to deletion, portability, correction, non-discrimination, and the right to revoke consent.
The act also enhances consumer rights by allowing Maryland residents to obtain a list of categories of third parties with whom their data has been shared (or any personal data, if the controller does not maintain this information in a format specific to the consumer.
In addition, controllers must provide consumers with means to opt-out of targeted advertising and the sale of personal data, which include either:
- Adding a link on controller’s website that enables opt-out of such processing activities; or
- Allowing an opt-out through preference signal sent to the controller indicating the consumer’s intent to opt out of the processing or sale.
Controllers must response to a consumer request no later than 45 days. This period may be extended by another 45 days for justified reasons, subject to informing the consumer of any such extension. Furthermore, the controller must establish a process for a consumer to appeal the controller’s refusal to take action on a request.
Enforcement
Subject to the governor’s approval, the new act will take effect on 1 October 2025, with a 60-day cure period for violations that is set to expire on 1 April 2027. This means that businesses will have a brief window to address violations upon notice before enforcement actions are pursued.
The enforcement of the act is tasked to the Maryland Attorney General’s Office, and there is no private right of action.
Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Maryland. Feel free to contact us if you have any questions regarding the new act and its practical implications.