Maryland Online Data Privacy Act: An Overview
On May 9, 2024, Maryland Governor Wes Moore approved Senate Bill 0541 (the Maryland Online Data Privacy Act or MDODPA), making Maryland the seventeenth State in the U.S. to enact comprehensive data privacy legislation. The MDODPA will take effect on October 1, 2025. The MDODPA joins other U.S. State data privacy laws that are either in effect or will soon come into force (together with the MDODPA, the State Data Privacy Laws). This article summarizes key provisions of the MDODPA.
Scope and Applicability
Similar to other State Data Privacy Laws, the MDODPA expressly provides data processing and revenue thresholds for applicability purposes. The MDODPA applies to a person that conducts business in the State or provides products or services that are targeted to residents of the State, and that during the preceding calendar year:
- Controlled or processed personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction
- Controlled or processed personal data of at least 10,000 consumers and derived more than twenty percent (20%) of its gross revenue from the sale of personal data.
In line with most other State Data Privacy Laws, the MDODPA only applies to personal data collected from consumers who are residents of Maryland. The MDODPA exempts the following entities: State political entities (including, but not limited to, regulatory, administrative, advisory, executive, and judicial bodies), registered national securities associations, financial institutions subject to the Gramm-Leach-Bliley Act, and nonprofit organizations that use personal data solely for the purposes of assisting: (i) law enforcement in investigating insurance crimes or (ii) first responders in responding to catastrophic events. In contrast to most State Data Privacy Laws, the MDODPA does not include an exemption for institutions of higher education, and its nonprofit exemption is much narrower than in other States, meaning that the MDODPA is likely to apply to many nonprofits.
However, like other State Data Privacy Laws, the MDODPA exempts the following information and data:
- Protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
- Information used for public health activities in accordance with HIPAA, and patient-identifying information (42 U.S.C. § 290dd–2)
- Identifiable private information that is collected or used in the protection and research of human subjects (45 C.F.R. § 46 and 21 C.F.R. §§ 50 and 56)
- Patient safety work product that is created and used for patient safety improvement (42 C.F.R. § 3)
- Personal information regarding credit-reporting data under the Federal Fair Credit Reporting Act
- Information regulated by the Federal Driver's Privacy Act, Family Educational Rights and Privacy Act, Farm Credit Act, Airline Deregulation Act, and the Insurance Article
- Information used for emergency contacts, for administering benefits, and by individuals applying to or employed by a controller.
Controller and Processor Regime
The MDODPA, like certain other State Data Privacy Laws, follows the regulatory framework of the European Union's General Data Protection Regulation, which distinguishes between the roles and responsibilities of controllers and processors. Under the MDODPA, a "controller" is defined as "a person that, alone or jointly with others, determines the purpose and means of processing personal data." The MDODPA defines a "processor" as "a person that processes personal data on behalf of a controller."
Under the MDODPA, controllers are required to provide consumers with a privacy notice that is reasonably accessible, clear, and meaningful. This privacy notice must, among other things, disclose:
- the categories of personal data processed by the controller and the purpose of such processing
- the categories of personal data, including sensitive data, the controller shares with third parties
- the categories of third parties with whom the controller shares personal data
- how consumers may exercise their privacy rights, including the appeals process, and an email address or online method for contacting the controller.
Controllers must limit the collection of personal data to what is reasonably necessary and proportionate for the processing purpose, such as providing or maintaining the specific product or service requested by the consumer. Controllers are also required to implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
The MDODPA requires controllers and processors to enter into a contract that governs the processor's data processing procedures for processing performed on behalf of the controller. The contract shall be binding and clearly provide:
- Instructions for processing data
- The nature and purpose of processing
- The type of data subject to processing
- The duration of processing
- The rights and obligations of both parties.
Under the contract, processors are required to: (i) implement security practices for personal data; (ii) respond to consumer rights requests (including requests to stop processing data, delete data, or return data); (iii) cooperate with the controller's requests for processor information and reasonable assessments; and (iv) obtain the controller's consent before engaging subcontractors. In addition to these mandatory contractual obligations with controllers, processors must maintain appropriate technical and organizational measures to respond to consumer rights requests and to assist controllers with security breaches and data protection assessments.
Similar to other State Data Privacy Laws, the MDODPA requires controllers to conduct and document data protection assessments for "data processing activities that present a heightened risk of harm to a consumer, including an assessment for each algorithm that is used." Processing that presents a heightened risk of harm includes processing personal data for targeted advertising, selling personal data, processing sensitive data, or certain profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical, or reputational harm, any intrusion upon the solitude or seclusion of consumers that is offensive to a reasonable person, or any other substantial injury to consumers.
A data protection assessment must identify and weigh the benefits of the processing activity with potential risks to consumers, as mitigated by the safeguards employed by the controller related to such risks and the necessity and proportionality of processing related to the stated purpose. Some of the factors the controller should consider in the assessment include the use of de-identified data, the reasonable expectations of consumers, the context of the processing and the relationship between the controller and the consumer.
Controllers may use data protection assessments created pursuant to other laws with similar requirements, including other relevant State Data Privacy Laws, for MDODPA compliance purposes. The data protection assessment obligations apply to processing activities that occur after October 1, 2025.
Consumer Rights and Requests
Similar to most other State Data Privacy Laws, the MDODPA outlines a wide variety of individual consumer rights. These include the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the sale of personal data and/or the sharing of personal data for targeted advertising. The MDODPA also provides consumers with an express right to obtain from a controller a list of third parties to which the controller has disclosed the consumer's personal data (or a list of third parties to which the controller has disclosed personal data generally). In addition, like some other State Data Privacy Laws, the MDODPA provides consumers with the ability to revoke their consent to various types of processing, including the processing of sensitive and other personal data, and such processing must cease within thirty (30) days of such a request.
Under the MDODPA, "profiling" is defined as "any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable consumer's economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements." Consumers may opt out of profiling where the resulting automated decisions produce legal or similarly significant effects concerning the consumer.
The MDODPA also permits parents and guardians to exercise rights on behalf of their children (defined as individuals under the age of thirteen (13)). Children's data must be processed in accordance with the Children's Online Privacy Protection Act (COPPA), which requires consent from parents or guardians. However, the MDODPA expands certain protections to minors, as controllers are prohibited from selling or processing personal data for purposes of targeted advertising where the controller knows or should know that the consumer is under the age of eighteen (18).
In line with most other State Data Privacy Laws, the MDODPA grants consumers certain rights with respect to "sensitive data." Under the MDODPA, "sensitive data" is personal data that includes racial or ethnic origin, religious beliefs, mental or physical health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data. Notably, genetic or biometric data falls under the sensitive data definition regardless of whether it is "processed for the purpose of uniquely identifying an individual." Controllers may not collect, process or share a consumer's sensitive data, "except where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom personal data pertains," even if the controller obtains the consumer's consent. This "strictly necessary" regime likely provides the most restrictive requirements with respect to the processing of sensitive data when compared to other State Data Privacy Laws.
Right to Appeal
Under the MDODPA, a controller must respond to a consumer's request to exercise a right within forty-five (45) days after the controller receives the request. A controller may extend the response period by an additional forty-five (45) days when it is reasonably necessary to complete the request based on the complexity and number of consumer requests received and the controller informs the consumer of the extension and attendant reasoning within the initial forty-five (45) day period.
Like most other State Data Privacy Laws, the MDODPA requires that if a controller denies a consumer's request, the controller must inform the consumer without undue delay of the justification for the denial and include instructions for appeal that are conspicuously available and similar to the process for submitting consumer rights requests. Within sixty (60) days of receipt of an appeal request, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If a controller denies an appeal, the controller must provide the consumer with an online mechanism through which the consumer may contact the Division (as defined below) to submit a complaint.
Selling Personal Data
The MDODPA defines the "sale of personal data" as "the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration." The MDODPA provides exceptions to the "sale of personal data" definition in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal data:
- to a processor that processes personal data on behalf of the controller
- to a third party for purposes of providing a product or service requested by the consumer or as otherwise directed by the consumer
- to the controller's affiliates
- that the consumer intentionally made available to the general public via a channel of mass media
- to a third party as an asset that is part of a merger or acquisition.
The MDODPA also expressly prohibits the sale of sensitive data by a controller.
As noted above, controllers must provide consumers with the ability to opt out of the sale of their personal data. To satisfy the MDODPA, controllers may either provide a clear and conspicuous link on their website to a webpage that allows a consumer to opt out of targeted advertising or the sale of their personal data, or, on or before October 1, 2025, provide an opt-out method that honors a preference signal sent with the consumer's consent to the controller. The platform, technology or mechanism for the opt-out preference signal must be consumer-friendly and easy for the average consumer to use, use clear and unambiguous language, not unfairly disadvantage another controller, not use a default setting to opt a consumer out of any processing of their personal data, and enable the controller to accurately determine whether the consumer is a Maryland resident who has made a legitimate opt-out request.
Targeted Advertising
The MDODPA defines "targeted advertising" as "displaying advertisements to a consumer or on a device identified by a unique identifier, where the advertisement is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or online applications that are unaffiliated with each other, in order to predict the consumer's preferences or interests."
Like most other State Data Privacy Laws, the "targeted advertising" definition does not include:
- advertisements based on the context of a consumer's current search query, visit to a website, or online application
- advertisements based on a consumer's activities within a controller's websites or online applications
- advertisements directed to a consumer's request for information or feedback
- processing of personal data solely to measure or report advertising frequency, performance, or reach.
As discussed above, the MDODPA imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.
Deidentified Data
The MDODPA incorporates the meaning of "deidentified data" by reference to the Maryland Genetic Information Privacy Act (§ 14–4401), which defines "deidentified data" as data that: (i) cannot reasonably be (a) used to infer information about a consumer or (b) linked to an identifiable consumer; and (ii) is subject to (a) administrative and technical measures to ensure that the data cannot be associated with a particular consumer; (b) a public commitment by the company to maintain and use the data in a deidentified form and not to attempt to reidentify it; and (c) legally enforceable contractual obligations that prohibit a recipient of the data from attempting to reidentify it. Notably, this definition may be slightly broader than the definition in certain other State Data Privacy Laws, which do not contemplate "inferences" about a consumer.
Similar to other State Data Privacy Laws, the MDODPA requires controllers that disclose deidentified data to: "(i) exercise reasonable oversight to monitor compliance with any contractual commitments to which the de–identified data is subject and (ii) take appropriate steps to address any breaches of any contractual commitments." The determination of whether such measures are reasonable and appropriate will consider whether the disclosed deidentified data includes data that would be considered sensitive data if the data were re-identified.
More notably, unlike many other State Data Privacy Laws, the MDODPA does not include a definition of "pseudonymous" data (which typically captures data that cannot be attributed to a specific individual without the use of additional information). This means that data that qualifies for certain exemptions under other State Data Privacy Laws by virtue of being pseudonymized may not enjoy similar exemptions under the MDODPA (unless such data also qualifies as deidentified data under the MDODPA).
Enforcement and Penalties
In contrast to the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the MDODPA does not provide consumers with a private right of action, but it does not prevent consumers from pursuing other remedies under other laws. The MDODPA is enforced by the Consumer Protection Division of the Maryland Office of the Attorney General (the Division). The Division will determine whether a controller or a processor should have the opportunity to cure an alleged violation, considering the number of violations, the size and complexity of the controller or the processor, the nature and extent of the processing activities, the likelihood of injury to the public, the safety of persons or property, whether the violation was caused by human or technical error, and the extent to which the controller or the processor has violated the MDODPA or similar laws in the past.
If a cure is possible, the Division will provide the controller and/or the processor with a notice of violation, and such entity will have sixty (60) days to cure the violation. If the violation remains uncured, the Division may bring an enforcement action against the controller and/or the processor. In contrast to many other State Data Privacy Laws, the MDODPA does not expressly specify a civil penalty amount for violations; rather, violations of the MDODPA are treated as violations of the State consumer protection statute. The right-to-cure provision sunsets on April 1, 2027.