The Maryland General Assembly has continued the national trend of states passing their own comprehensive data privacy laws, in the absence of a federal standard. On April 8, 2024, the Assembly gave its final approval to the Maryland Online Data Privacy Act (MD-ODPA), sending it to Governor Moore’s desk for signing.
While the new law takes most of its content and structure from similar laws in other states, it is more than a mere copy. Notably, the MD-ODPA appears to draw on recent changes to Connecticut's and Virginia's privacy laws. Its applicability threshold is also lower than in many other states: Colorado's privacy law, for example, applies only to businesses that process the personal data of at least 100,000 consumers, even though Colorado's total population (5.8 million) is slightly smaller than Maryland's. The result is that the MD-ODPA has the potential to apply to more small businesses than other privacy laws.
It’s also worth noting that the MD-ODPA can apply to nonprofit organizations.
The MD-ODPA gives consumers the following rights.
The MD-ODPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations.
The MD-ODPA deviates a bit from what has become the standard model for state privacy laws. In some sections it adopts amendments that are unique to a particular state's law; in other places it sets out new rules not found anywhere else.
Most state privacy laws apply special rules to the processing of personal data from children under the age of 13. However, concern is growing among lawmakers that at least some of these protections should be extended to all minors under the age of 18, as Virginia did in its recent changes to its privacy law.
Maryland’s new privacy law is somewhere in the middle. As in other states, data from children under 13 is considered “sensitive data,” the processing of which is significantly restricted (see more on that below). The MD-ODPA goes further by completely prohibiting the sale of the personal data of minors under the age of 18, or the use of their data for targeted advertising. These rules apply if the business “knows or should have known” that the consumer was a minor; unfortunately, the MD-ODPA provides little guidance on what that standard requires.
Consumer health data is another area that has been singled out lately for special privacy protections. Connecticut, for example, passed major amendments to its privacy law on the subject. The overall concern is that certain data can be used to identify a consumer’s health condition (which most people would agree is sensitive information), but it falls completely outside of HIPAA protections.
For example, a retailer may infer from a woman’s purchase of maternity clothes and prenatal vitamins that she is pregnant. Alternatively, a business could establish a virtual geofence around a doctor’s office and identify people who come and go from that location.
Maryland’s privacy law borrows heavily from the Connecticut model. Consumer health data is defined as any data that a business “uses to identify a consumer’s physical or mental health status,” and the following rules apply to its processing:
As with the Connecticut law, one of the biggest hurdles for businesses will be determining which data counts as consumer health data. Any company in a field that is even remotely health-related should take a careful look at their privacy practices.
The MD-ODPA takes a stricter approach when it comes to data minimization, and the implications for compliance are not entirely clear.
Here is what the Maryland law says about the duty to minimize data collection:
"A controller or processor shall limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains."
Now compare it to the language from the Colorado Privacy Act:
"A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed."
Under the Maryland standard, data collection no longer needs to be merely necessary in relation to the processing purposes specified in a business’s privacy notice; instead, all data collection must be necessary and proportionate to provide or maintain a specific product or service requested by the consumer.
How does this apply in the context of an eCommerce website that uses targeted advertising? Is that collection of data necessary to “maintain” the website, and is the site a “specific service requested by the consumer”? Perhaps. The law certainly contemplates the use of targeted advertising (via opt-out rights), so we’re stuck with trying to figure out how it fits within this strict data minimization rule.
The MD-ODPA also departs significantly from the general rule regarding sensitive data. Most other state privacy laws require prior consent before processing sensitive data. While the Maryland law defines sensitive data in a similar way, it prohibits all processing of sensitive data unless the processing is strictly necessary to provide or maintain a specific product or service requested by the consumer.
Consent does not appear to overcome this restriction. In fact, an earlier draft of the statute stated that sensitive data processing was allowed only if it was strictly necessary and the consumer had consented to it; the consent element was dropped from the final text.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.