On May 9, 2024, Maryland Governor Wes Moore signed into law Senate Bill 541 (the "Maryland Online Data Privacy Act") making Maryland the eighteenth state to adopt comprehensive data privacy legislation in the United States ("US State Data Privacy Laws"). The Maryland Online Data Privacy Act will take effect on October 1, 2025. The Maryland Office of the Attorney General (Consumer Protection Division) will have exclusive enforcement authority, and there is no private right of action available under this act.

In this latest in our series of articles on US State Data Privacy Laws, we have summarized below the key components of the Maryland Online Data Privacy Act.

To whom does the Maryland Online Data Privacy Act apply?

The Maryland Online Data Privacy Act imposes obligations on individuals or legal entities that, alone or jointly with others, determine the purpose and means of processing personal data ("Controllers"), that conduct business in Maryland, or provide products or services targeted to residents of Maryland and, within the calendar year:

• Control or process personal data of at least 35,000 Maryland consumers; or
• Control or process personal data of 10,000 Maryland consumers and derive more than 20% gross revenue from the sale of personal data. 

Notably, the 20% gross revenue requirement is a much lower threshold than other US State Data Privacy Laws including the laws of Kentucky, Florida, and Tennessee. The Act exempts several categories of entities, including state and city government agencies; financial institutions and data regulated by the Gramm-Leach-Bliley Act; non-profit organizations that process or share personal data to assist law enforcement or first responders; and national securities associations registered under the Securities Exchange Act. Certain types of information and data are also exempted, including consumer credit-reporting data, data covered by the Drivers' Privacy Protection Act, Family Educational Rights and Privacy Act, Farm Credit Act, data covered by HIPAA and other health care statutes, data that has been de-identified; and data processed or maintained for emergency contact purposes.

What rights does the Maryland Online Data Privacy Act give to consumers?

The Maryland Online Data Privacy Act gives consumers—Maryland residents acting only in an individual or household context—rights that are largely consistent with other US State Data Privacy Laws. Under the Act, consumers may:

• Confirm whether a controller processes their personal data and if so, access their data;
• Correct inaccuracies in their personal data;
• Delete personal data provided by or obtained about the consumer, unless retention of the data is required by law;
• Obtain a copy of their personal data held by the controller in a readily usable format (i.e., data portability) that allows the consumer to easily transfer their data to another controller; 
• Obtain a list of the categories of third parties to which the controller has disclosed their data or to which the controller has disclosed data generally; and
• Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling. 

The Act requires controllers who receive a request from a consumer seeking to exercise these rights to respond to the consumer within 45 days, unless it is reasonably necessary to extend that time and the controller notifies the consumer of the extension within 45 days.

Controllers must also establish a process for consumers to appeal denials of their requests, within a reasonable time after communicating that denial. Within 60 days of receiving the appeal, a controller must inform the consumer of the outcome of the appeal, along with an explanation. If the controller denies an appeal, the controller must provide an online mechanism for the consumer to contact the Consumer Protection Division to submit a complaint.

What obligations does the Maryland Online Data Privacy Act impose on controllers and processors?

The Maryland Online Data Privacy Act applies to "personal data," which is any information that is "linked or can be reasonably linkable to an identified or identifiable consumer," and, like other US State Data Privacy Laws, excludes de-identified data and publicly available information.

Controllers must also:

• Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service–unless the controller obtains the consumer's consent;
• Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure it from unauthorized access;
• Provide a mechanism for consumers to revoke consent to the processing of their personal data that is at least as easy as the mechanism for them to have given consent, and to cease processing the data as soon as possible, but no later than within 30 days of revocation of consent;
• Clearly disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising or profiling, and provide a clear method for consumers to opt out;
• Process data in a non-discriminatory manner and not discriminate against a consumer for exercising a consumer right; 
• Conduct a data protection impact assessment on the processing of personal data that presents a heightened risk of harm to the consumer. The assessment applies to processing activities that occur on or after October 1, 2025. Notably, a data protection assessment conducted in compliance with another law of similar scope will be sufficient to satisfy this requirement; and
• Allow consumers to opt out of the processing of their personal data by using a user-selected universal opt-out mechanism ("UOOM"). Several other states, including California, Connecticut, and New Jersey, also mandate the use of UOOMs. Notably, to satisfy this requirement, Maryland permits the use of UOOMs approved by other states.

The Maryland Online Data Privacy Act prohibits Controllers from:

• Collecting, processing, or sharing "sensitive data" unless the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer. Sensitive data is defined as personal data revealing racial or ethnic origin; religious beliefs; physical or mental health status, including gender affirming treatments and reproductive or sexual health care; sex life or sexual orientation; status as transgender or non-binary; national origin; citizenship or immigration status; genetic or biometric data; data collected from a known child; and geolocation data;
• Selling sensitive data;
• Processing or selling the personal data of a consumer where the controller knows, or should know, that the consumer is under the age of 18 for the purposes of targeted advertising;
• Providing its employees or contractors access to Consumer Health Data (defined as personal data that is used to identify a consumer's physical or mental health status including data related to gender–affirming care treatment and reproductive or sexual health care) unless the employee is subject to contractual or statutory obligations of confidentiality; and
• Using a geofence within 1,750 feet of any mental health facility or reproductive or sexual health facility to identify, track, or collect data from, or send notifications to consumers regarding their health data.

The Maryland Online Data Privacy Act requires controllers to provide consumers a reasonably accessible, clear, and meaningful privacy notice that includes: the categories of personal data it processes, including sensitive data; the categories of personal data shared with third parties, including sensitive data; the purposes for processing the data; information on how consumers may exercise their rights and submit an appeal; an active email address or other online mechanism that allows the consumer to contact the controller; and a disclosure if the controller sells personal data to third parties or processes personal for targeted advertising or profiling. 

The Maryland Online Data Privacy Act also imposes requirements on processors (a person or entity who processes personal data on behalf of a controller). Processors must cooperate with the controller to comply with its obligations under the act, including its obligations regarding fulfilling consumer rights requests, ensuring security of data processing, and conducting data impact assessments. The Act requires that processing be governed by a contract between the controller and processor that outlines relevant privacy provisions set forth under the Act.

Enforcement

Like most of the US State Data Privacy Laws, Maryland's Online Data Privacy Act does not provide for a private right of action. The Maryland Attorney General (Consumer Protection Division) has exclusive authority to enforce violations who may issue the controller or processor a notice of violation prior to initiating any action. A controller or processor will then have 60 days to cure the noticed violation. In determining whether to grant an opportunity to cure, the Maryland Attorney General may consider several factors, including the number of violations, the size of the controller or processor, the nature and extent of the controller, and the likelihood of injury to the public. The Maryland Attorney General may bring an action in court seeking various forms of relief, including injunctive relief, civil penalties, and attorney's fees. A court may impose civil penalties of up to $10,000 for each violation and $25,000 per violation for repeated violations.

Key Aspects of the Maryland Online Data Privacy Act 

• Applicability Threshold. In one of the two applicability thresholds, the Act applies to entities who control or process the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data. This revenue threshold is lower than most US State Data Privacy Laws.
• Definition of Sale of Personal Data. Like New Jersey and California, the Act includes valuable consideration in its definition of "sale of personal data." The exchange of personal data must be for monetary or other valuable consideration. 
• Sensitive Data. The Act completely prohibits the selling of sensitive data without exception (e.g., by obtaining informed consent). 
• Data of Minors. Controllers may not process or sell the personal data of a consumer where the controller knows, or should know, that the consumer is under the age of 18 for the purposes of targeted advertising. 
• Mandated Use of UOOMs. Like a number of other states that have passed comprehensive data privacy laws, Maryland has opted to require controllers to allow consumers to communicate their privacy preferences automatically, through the use of online UOOMs. Notably, to satisfy this requirement, Maryland permits the use of UOOMs approved by other states.
• Revoking Consent. The Act requires that controllers provide a mechanism for consumers to revoke consent to the processing of their personal data and to cease processing the data as soon as possible but within 30 days of revocation of consent. Most states, excluding New Jersey and Oregon, do not impose this requirement upon controllers. 
• Access to Consumer Health Data. Controllers and processors must contractually obligate its employees and contractors to a duty of confidentiality before providing them access to Consumer Health Data, unless such confidentiality is statutorily required.

White & Case's Data, Privacy and Cybersecurity team will continue to provide updates on this law and any related rules and regulations. Please reference our US Data Privacy Guide for general steps to take to comply with US State Data Privacy Laws.

Katherine Madriz (White & Case, Law Clerk, Boston) co-authored this publication.