Maryland’s legislature passed consumer privacy bill SB 541 (the Maryland Online Data Privacy Act (MODPA)), putting it on track to become the nation’s 15th comprehensive state privacy law (if you count the Florida Digital Bill of Rights, then it will be the 16th). The bill now heads to Maryland’s Governor Wes Moore for his review.
MODPA includes some distinctive requirements and obligations for controllers compared to other enacted U.S. state laws, such as for data minimization, sensitive data, and minors’ data privacy. MODPA also adopts and builds upon certain provisions, including health data-related provisions, from the Connecticut Data Privacy Act, Colorado Consumer Privacy Act, Delaware Personal Data Privacy Act, Oregon Consumer Data Privacy Act, and more.
Similar to the Delaware Personal Data Privacy Act, MODPA applies to persons that, “during the immediately preceding calendar year controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or “controlled or processed the personal data of at least 10,000 consumers and derived more than 90% of its gross revenue from the sale of personal data.”
MODPA does not apply to employee data or data about individuals acting in a commercial context (e.g., business contact information). Notably, unlike many other state laws, the bill does not exempt nonprofits or institutions of higher education, nor does it contain an entity-level exception for HIPAA-covered entities (although it does have a data-level exemption for HIPAA-covered data).
The bill establishes heightened data minimization requirements that differ from other comprehensive state privacy laws. First, controllers must limit their collection of personal data “to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer to whom the data pertains.” Second, MODPA restricts controllers’ ability to process sensitive data (described further below) unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” However, MODPA does not define what constitutes “reasonably necessary” or “strictly necessary.”
MODPA includes additional restrictions for data relating to individuals a controller knew or should have known were under the age of 18. Specifically, controllers are prohibited from selling these individuals’ personal data or using their data for targeted advertising. Other comprehensive state privacy laws typically use an actual knowledge or willful disregard knowledge standard (rather than “should have known”) and use an opt-in regime to process or sell such data rather than an express prohibition.
MODPA expressly prohibits the “sale” of sensitive data, using a broad definition of “selling” that includes transfers for non-monetary consideration. Like other states, the bill defines sensitive data to refer to data that reveals: (1) racial or ethnic origins; (2) religious beliefs; (3) consumer health data; (4) sex life; (5) sexual orientation; (6) status as transgender or nonbinary; (7) national origin; or (8) citizenship or immigration status. Sensitive data also includes genetic data or biometric data (regardless of whether it is used to identify an individual), personal data of a consumer the controller knows or has reason to know is a child, and precise geolocation data.
The bill also uses a broader definition of biometric data than other state comprehensive privacy laws. Unlike other states that require that the data be used to identify an individual (or be intended to be used in such a way), MODPA provides that biometric data is “data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity.”
MODPA requires controllers to conduct data protection assessments for processing activities that present a “heightened risk of harm” to consumers. While other state comprehensive privacy laws include requirements to conduct data protection impact assessments, Maryland expands this requirement by explicitly stating that assessments should include “an assessment for each algorithm that is used.” Notably, the term “algorithm” is not defined.
The bill establishes that universal opt-out mechanisms are optional. Controllers may either (i) provide a clear and conspicuous link on their website that individuals can use to exercise their opt-out rights, or (ii), on or before October 11, 2025, enable a consumer to use an opt-out preference signal. In comparison, other states that include provisions related to a universal opt-out mechanism typically require both mechanisms.
The bill grants enforcement powers to Maryland’s Division of Consumer Protection, which is under the Attorney General, and treats MODPA violations as unfair, abusive, or deceptive acts under Maryland’s consumer protection law. Notably, the bill carves out the private right of action under that law, but does not bar consumers from pursuing remedies under other laws.
Although the bill does not provide the Division of Consumer Protection rulemaking authority, Maryland’s consumer protection law grants the agency rulemaking authority, including to further define unfair or deceptive practices. The bill also provides a 60-day right to cure alleged violations, which expires on April 1, 2027.
Similar to the draft American Data Privacy Protection Act introduced in June 2022 (and the current discussion draft of the American Privacy Rights Act), controllers are strictly prohibited from engaging in controller-related activities involving personal data or publicly available data “in a way that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services, on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability,” unless the collection, processing, or transfer of personal data is for certain purposes.
If signed by Governor Moore, the bill will go into effect on October 1, 2025.
Authored by Mark W. Brennan, Sophie Baum, Harsimar Dhanoa, and Rose Grover.