US: Maryland Online Data Privacy Act summary and comparative analysis
Maryland Governor Wes Moore has signed the Maryland Online Data Privacy Act of 2024 (MODPA) into law.
MODPA, enacted on May 9, 2024, tracks other state comprehensive privacy laws in certain regards but deviates in areas such as those pertaining to sensitive data, consumer health data, minor’s data, and anti-discrimination measures.
Applicability
MODPA’s applicability threshold is lower than most of its counterparts, resembling New Hampshire’s new comprehensive privacy law (SB 255).
MODPA applies to persons that either conduct business in Maryland or provide products or services that are targeted to Maryland residents, and during a calendar year either:
- (1) control or process personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction or
- (2) control or process personal data of at least 10,000 Maryland consumers and derive over 20 percent of gross revenue from the “sale” of personal data.
MODPA contains several entity-level exemptions, including for example, for regulatory, administrative, advisory, executive, appointive, legislative, or judicial bodies or instrumentalities of Maryland; certain entities regulated by the Federal Securities Exchange Act of 1934 or the Federal Commodity Exchange Act; financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); and nonprofits whose processing or sharing of data concerns law enforcement investigations or first responder responses. Notably, however, MODPA does not categorically exempt non-profits or higher education institutions.
Like the other state comprehensive privacy laws, MODPA also contains various data-level exemptions, including but not limited to, protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and data subject to the Fair Credit Reporting Act (FCRA), the Federal Driver’s Privacy Protection Act of 1994, the Federal Family Educational Rights and Privacy Act (FERPA), and the Federal Farm Credit Act.
Key definitions
MODPA’s definitions largely parallel other state comprehensive privacy laws. Key definitions include the following:
Consumer. “Consumer” means an individual who is a resident of Maryland. Like the majority of state comprehensive privacy laws, “consumer” does not include an individual acting in a commercial or employment context, nor does it apply to processing of personal data in a personal or household context.
Consumer health data. Similar to the recent amendments made to the Connecticut Data Privacy Act (CTDPA) (SB 3), MODPA uniquely regulates “consumer health data” (see below for a summary of these provisions). Consumer health data is personal data that is used to identify a consumer’s physical or mental health status, including data related to gender-affirming treatment or reproductive or sexual health care. The law also includes consumer health data in its definition of sensitive personal information, thus subjecting consumer health data to the same protective measures afforded to sensitive data.
Personal data. Like most state comprehensive privacy laws, “personal data” is any information that is linked or can be reasonably linked to an identified or identifiable consumer. Personal data does not include “de-identified data” or “publicly available information.”
Sale of personal data. MODPA specifically defines “sale of personal data” and in line with a growing majority of states, it means the exchange of personal data by a controller, processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.
Sensitive data. “Sensitive data” means personal data that includes data revealing race/ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status. “Sensitive data” also includes genetic or biometric data, or precise geolocation data. Like a majority of other state comprehensive privacy laws, sensitive data also includes minors’ personal data, but MODPA goes a step further by including personal data from a consumer the controller knows or “has reason to know” is a child’s.
Targeted advertising. “Targeted advertising” means displaying advertisements to a consumer on a device identified by a unique identifier, where the advertisement stems from obtaining or inferring the consumer’s activities over time and across nonaffiliated websites or nonaffiliated online applications to predict the consumer’s preferences or interests. Targeted advertising does not include advertisements arising from a consumer’s interactions with a site (including searches), a consumer’s request for information or feedback, or processing personal data only to measure or report an advertisement’s frequency, performance, or reach.
Key requirements
Many of MODPA’s requirements parallel other state comprehensive privacy laws, with some notable exceptions as highlighted below.
Sensitive data processing
While the majority of state consumer privacy laws require affirmative consent to collect and process sensitive data, MODPA instead directly limits the collection, processing, and sharing of a consumer’s sensitive data to when it is “strictly necessary to provide or maintain a specific product or service requested by the consumer.” MODPA also includes a blanket prohibition on the sale of sensitive data for monetary or other valuable consideration.
Consumer health data
MODPA sets forth particular obligations for controllers that process “consumer health data” and since it is considered sensitive data, the limitations discussed above related to the processing of sensitive data apply to consumer health data as well. In addition, employees that handle consumer health data must be subject to a duty of confidentiality or confidentiality must be a condition of employment for the employee. Additionally, processors with access to consumer health data must maintain a contract governing the processing that aligns to MODPA’s controller-processor contracting obligations. Those contracting requirements largely mirror many other state comprehensive privacy laws.
Privacy notice
Like other laws, MODPA requires controllers to disclose the categories of personal data that it shares with third parties, if any. MODPA also specifically requires that this disclosure include a level of detail that “enables the consumer to understand the type of, business model of, or processing conducted by each third party.” In practice, these granular disclosure requirements regarding third parties are similar to requirements under the California Consumer Privacy Act and the Colorado Privacy Act Regulations.
Minors’ data and targeted advertising
MODPA prohibits controllers from selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age, which is notable both because the age threshold is 17 or younger and because it applies where a controller knows or “should have known” consumer was under 18. MODPA’s inclusion of “should have known” broadens the threshold for this requirement from the typical “known child” threshold found in many other state comprehensive privacy laws. Further, applying the restriction to the personal data of consumers under 18, regardless of consent, goes well beyond that of other state consumer privacy laws. While California and a handful of other states have adopted so-called “age-appropriate design code acts” that define a child as a consumer under 18, these laws generally apply only to websites and online services that are likely to be accessed by a substantial number of minors.
Data minimization
MODPA also has somewhat unique data minimization requirements, requiring a controller to limit collection of personal data to what is reasonably necessary and proportionate to provide or maintain the consumer’s requested product or service. The vast majority of other state comprehensive privacy laws require controllers’ collection, use, retention, and/or sharing of a consumer’s personal information to be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed. Notably, under MODPA this provision only applies to the collection of personal data and not to processing or sharing.
Data protection assessments
Like a majority of other state comprehensive privacy laws, MODPA requires data protection assessments for controllers’ processing activities that present “a heightened risk of harm” to a consumer. These activities include processing personal data for targeted advertising, the sale of personal data, and processing sensitive data, as well as “profiling” (automated processing for purposes of evaluating, analyzing or predicting consumer behavior or characteristics) that presents a reasonably foreseeable risk of (a) unfair, abusive, or deceptive treatment of a consumer; (b) an unlawful disparate impact on a consumer; (c) financial, physical, or reputational injury to a consumer; (d) a physical or other intrusion upon the solitude or seclusion or the private affairs or concerns of a consumer if the intrusion would be offensive to a reasonable person; or (e) other substantial injury to a consumer. Under MODPA, DPIAs must be conducted and documented on an ongoing basis, for in-scope processing activities that occur on or after October 1, 2025, including “for each algorithm used” in such higher-risk processing activities. Interestingly, the law doesn’t expressly state that DPIAs must be conducted prior to engaging in the in-scope activities, as is expressly required by the majority of state consumer privacy laws.
De-identified data
MODPA specifically requires controllers that disclose de-identified data to exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject and take appropriate steps to address any breaches of any contractual commitments.
Consumer rights
MODPA offers consumers many of the same rights found in other state privacy laws, such as the right to:
(i) Confirm/know whether a controller is processing the consumer’s personal data
(ii) Access the consumer’s personal data
(iii) Correct inaccuracies in the consumer’s personal data
(iv) Delete the consumer’s personal data provided by or obtained about the consumer (unless retention is required by law)
(v) Obtain a copy of the consumer’s personal data processed by the controller in a portable and (to the extent technically feasible) readily usable format and
(vii) Opt-out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that result in legal or similarly significant effects on the consumer.
Additionally, MODPA, like Delaware and Oregon, also provides consumers the right to request a list of the specific third parties to which the controller has disclosed the consumer’s personal data. If the controller does not maintain this information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data may be provided instead.
Like most other laws, MODPA requires controllers to respond to consumer rights requests within 45 days of receiving the request. A controller may also extend this period by an additional 45 days if reasonably necessary to complete the request if the controller informs the consumer of the extension and why the extension is necessary.
Enforcement and liability
Pursuant to MODPA, a processor may be considered a controller if it: (i) is not limited in its processing of specific personal data in accordance with a controller’s instructions; or (ii) fails to adhere to a controller’s instructions with respect to a specific processing of personal data. Thus, processors that fail to adhere to a controller’s instructions or process personal data on behalf of a controller in the absence of compliant contractual terms may be subject to enforcement as a controller (even if it considers itself a processor).
MODPA will be enforced by the Maryland Attorney General. While no private right of action is available for consumers, MODPA notes that it “does not prevent a consumer from pursuing any other remedy provided by law.” MODPA also includes a 60-day discretionary cure period whereby the Attorney General has discretion to determine whether it will provide the business a right to cure. The opportunity to cure will expire April 1, 2027. Violations of MODPA will be actionable as unfair, abusive, or deceptive trade practices under Maryland’s Consumer Protection Act.
For more information about MODPA or any other state comprehensive privacy law, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Cybersecurity Practice.
