July 24, 2024
Maryland Online Data Privacy Act: A New Privacy Standard?
Maryland has become the latest state to pass its own comprehensive data privacy law, and it's pushing a few boundaries. Businesses should take note.

The Maryland General Assembly has continued the national trend of states passing their own comprehensive data privacy laws, in the absence of a federal standard. On April 8, 2024, the Assembly gave its final approval to the Maryland Online Data Privacy Act (MD-ODPA), sending it to Governor Moore’s desk for signing.

While the new law definitely takes most of its content and structure from similar laws from other states, such as the Virginia Consumer Data Protection Act, it is more than a mere copy. Notably, the MD-ODPA seems to be inspired by the amendments to Connecticut’s privacy law on the subject of consumer health data, and Virginia’s recent changes related to children’s data, which may signal the evolution of a new standard for state privacy laws. The MD-ODPA also differs from other state laws in ways that could potentially become significant.

Here is a brief introduction to the Maryland Online Data Privacy Act and what it means for businesses.

When Does the MD-ODPA Go Into Effect?

The Maryland privacy law goes into effect on October 1, 2025.

What Organizations Must Comply?

The Maryland Online Data Privacy Act applies to any person or organization that does business in the state or targets its products or services toward state residents, and meets at least one of the following requirements:

  • Controls or processes the personal data of at least 35,000 state residents per year (excluding data processed solely to complete a payment transaction), OR
  • Controls or processes the personal data of at least 10,000 state residents per year AND derives over 20% of its revenue from the sale of personal data

For a state of Maryland’s size (with approximately 6 million residents), these consumer thresholds are definitely on the lower end of the spectrum. For comparison, Colorado’s privacy law has a minimum consumer threshold of 100,000, even though that state’s total population is slightly lower at 5.8 million residents. The result is that the MD-ODPA has the potential to apply to more small businesses than other privacy laws.

It’s also worth noting that the MD-ODPA can apply to nonprofit organizations.

What Rights Do Consumers Have Under Maryland's Law?

The MD-ODPA gives consumers the following rights.

  • Right to Know - Consumers have the right to confirm whether a business is processing their personal data and to access that data.
  • Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.
  • Right to Delete - Upon request, businesses must delete personal data concerning the consumer.
  • Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.
  • Right to Opt Out - Consumers can opt out of:
    • The sale of their personal data
      • Note: Businesses are not allowed to sell any sensitive data
    • Targeted advertising
    • Profiling in furtherance of automated decisions that produce legal or similarly significant effects

Can Businesses Be Sued by Consumers?

The MD-ODPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations.

What’s Different in this Law?

The MD-ODPA deviates a bit from what has become the standard model for state privacy laws. In some sections it has incorporated unique amendments by other states; in other places it sets out new rules not found anywhere else.

Personal Data from Minors

Most state privacy laws apply special rules to the processing of personal data from children under the age of 13. However, general concern is growing among lawmakers that at least some of these protections should be expanded to all minors under the age of 18, as is the case with Virginia’s recent changes to its privacy law.

Maryland’s new privacy law is somewhere in the middle. As with other states, data from children under 13 is considered “sensitive data,” the processing of which is significantly restricted (see more on that below). The MD-ODPA goes even further by completely prohibiting the sale of the personal data of minors under the age of 18, or the use of their data for targeted advertising. These rules apply if the business “knows or should have known” that the consumer was a minor; unfortunately, the MD-ODPA doesn’t provide much guidance on what that means.

Consumer Health Data

Consumer health data is another area that has been singled out lately for special privacy protections. Connecticut, for example, passed major amendments to its privacy law on the subject. The overall concern is that certain data can be used to identify a consumer’s health condition (which most people would agree is sensitive information), but it falls completely outside of HIPAA protections.

For example, a retailer may infer from a woman’s purchase of maternity clothes and prenatal vitamins that she is pregnant. Alternatively, a business could establish a virtual geofence around a doctor’s office and identify people who come and go from that location.

Maryland’s privacy law borrows heavily from the Connecticut model. Consumer health data is defined as any data that a business “uses to identify a consumer’s physical or mental health status,” and the following rules apply to its processing:

  • It is considered “sensitive data,” which means it may only be processed when strictly necessary, and the business may not sell it under any circumstances.
  • All employees who handle consumer health data must be subject to a duty of confidentiality.
  • All processors who handle consumer health data must be contractually limited in how they can use it.
  • Businesses may not establish a geofence within 1,750 feet of a mental health or reproductive health facility for the purpose of tracking, identifying, collecting data from, or sending notifications to a consumer regarding their health data.

As with the Connecticut law, one of the biggest hurdles for businesses will be determining which data counts as consumer health data. Any company in a field that is even remotely health-related should take a careful look at its privacy practices.

Data Minimization

The MD-ODPA takes a stricter approach when it comes to data minimization, and the implications for compliance are not entirely clear.

Here is what the Maryland law says about the duty to minimize data collection:

"A controller or processor shall limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains."

Now compare it to the language from the Colorado Privacy Act:

"A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed."

Instead of being necessary in relation to the processing purposes specified in a business’s privacy notice, all data collection must be necessary and proportionate to provide or maintain a specific product or service requested by the consumer.

How does this apply in the context of an eCommerce website that uses targeted advertising? Is that collection of data necessary to “maintain” the website, and is the site a “specific service requested by the consumer”? Perhaps. The law certainly contemplates the use of targeted advertising (via opt-out rights), so we’re stuck with trying to figure out how it fits within this strict data minimization rule.

Sensitive Data

The MD-ODPA also varies significantly in its general rule regarding sensitive data. Most other state privacy laws require prior consent for processing sensitive data. While the Maryland law similarly defines what sensitive data is, it prohibits all processing of sensitive data unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer.

Consent does not appear to overcome this restriction. In fact, a previous draft of the statute stated that sensitive data processing was only allowed if strictly necessary and the consumer consented to it.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
