Maryland Legislature Passes Consumer Data Privacy Bill

Husch Blackwell LLP

Keypoint: Maryland’s bill diverges from other Washington Privacy Act variants passed to date with unique data minimization, sensitive data, minor’s data privacy, and unlawful discrimination provisions (among others).

On April 6, 2024, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024 (MODPA) (SB 541). A companion House bill (HB 567) also appears likely to pass before the legislature closes on April 8. Subject to the procedural formalities in the legislature, the bills will next head to Maryland Governor Wes Moore for consideration.

Assuming MODPA becomes law, Maryland will become the sixteenth state to pass broad consumer data privacy legislation. However, Maryland will be the first state to pass a Washington Privacy Act variant that contains unique provisions regarding data minimization, sensitive data, minor’s data privacy, and unlawful discrimination – among other provisions. In doing so, Maryland injects a new wrinkle into the state privacy law debate much like Washington did with last year’s My Health My Data Act. MODPA also contains a low threshold for applicability such that even smaller companies may need to comply with its provisions.

The article below analyzes MODPA’s contours, including some of its more notable provisions and deviations. We also have added MODPA to our chart providing a detailed comparison of the laws enacted to date. It should be noted that – as of the date of this article – the bills available on the legislature’s website have not yet been updated to reflect the final amendments, although we have included those amendments in our analysis.

The Maryland legislature also passed Age-Appropriate Design Code Act companion bills (SB 571 / HB 603). We will provide a separate article analyzing those bills.

Overview

MODPA is a Washington Privacy Act (WPA) variant with provisions taken from Connecticut, Delaware, and Oregon’s consumer data privacy laws as well as Connecticut’s consumer health provisions added through last year’s SB 3. However, what makes MODPA notable is that it grafts on additional consumer protection concepts such as its unique treatment of sensitive data. That said, the grafting of these concepts onto the WPA model creates complexity and internal tensions within MODPA that require careful analysis.

Low Threshold for Applicability

MODPA applies to persons that, during the prior calendar year either controlled or processed the personal data of at least 35,000 consumers (excluding payment transaction data) or controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.

These thresholds appear to be taken from Delaware’s law; however, Delaware (approximately 1.02 million people) has a much smaller population than Maryland (approximately 6.18 million people). The 35,000 threshold is only 0.56% of Maryland’s population, which is lower in comparison to other state laws such as Colorado (1.72%), Connecticut (2.78%), Delaware (3.43%), Oregon (2.35%), and Virginia (1.16%). Ultimately, this means that MODPA is likely to apply more broadly than these other laws.

With respect to MODPA’s exemptions, MODPA contains an entity level GLBA exemption but no data level exemption. It does not exempt nonprofit organizations or institutions of higher education. It also does not exempt HIPAA covered entities but does contain several data level exemptions for health-related data.

Unlike Connecticut, MODPA contains a data level exemption for personal data collected by or on behalf of a person regulated by Maryland’s insurance laws or an affiliate. It also removes “insurance” from the definition of “decisions that produce legal or similarly significant effects concerning the consumer.”

Finally, as with other WPA variants, MODPA does not apply to employee data.

New Approach to Data Minimization and Sensitive Data

The gravamen of MODPA is found in section 14-4607, through which Maryland becomes the first state to integrate novel data minimization, sale, minor’s data, and unlawful discrimination provisions into a Washington Privacy Act variant. We will examine each of these in turn.

a. Unique Data Minimization Provisions

MODPA creates different data minimization rules based on whether the data at issue is personal data or sensitive data. This approach finds its genesis in sections 101 and 102 of the federal American Data Privacy Protection Act (ADPPA) (H.R. 8152).

For personal data, section 14-4607(B)(1)(I) states that controllers must limit their collection “to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer to whom the data pertains.” (Emphasis added.)

In comparison, the Colorado Privacy Act, for example, states that a “controller’s collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.” (Emphasis added.)

In other words, MODPA shifts the focus from the controller’s specified purposes (i.e., what is stated in a privacy notice) to what is reasonably necessary to provide or maintain the requested product or service. However, as noted, this section is limited to the collection of personal data and not the processing or sharing of personal data.

Second, section 14-4607(A)(1) states that a controller may not collect, process, or share sensitive personal data unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” This provision diverges from other WPA variants, which require controllers to obtain consumer consent to process sensitive data or, in the case of Iowa and Utah, provide a notice and offer an opt-out. The concept behind this shift is the argument that providing consumers with consent mechanisms and disclosures is less protective than requiring controllers to limit their data collection and processing practices.

It is important to note that these new requirements are grafted onto a WPA structure that is based on consent, and that Maryland still retains much of this structure, thus creating internal tension.

For example, section 14-4612, which contains MODPA’s exemptions, states that “nothing in this subtitle may be construed to restrict a controller’s or processor’s ability to . . . provide a product or service specifically requested by a consumer.” This section (which appears in other WPA variants) does not use the “reasonably necessary” or “strictly necessary” requirements as found in the above data minimization language although it uses the same “provide a product or service specifically requested by a consumer” language.

One also must consider MODPA’s secondary use language, which states: “Unless the controller obtains the consumer’s consent, [a controller may not] process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer.” Therefore, if a controller limits its collection of personal data to what is reasonably necessary to provide the requested product, once that data is ingested, the controller could use it for other purposes so long as those purposes are disclosed to the consumer. For example, if a controller collects a consumer’s email address to send a receipt, the controller presumably could send marketing emails to that consumer if it disclosed that purpose at the time of collection.

MODPA’s new provisions also are likely to lead to numerous questions regarding the definition of “product or service.” For example, consumers routinely use sensitive data (e.g., biometrics such as fingerprints) to access their accounts. However, that use is arguably not “strictly necessary” because passwords also can be used to access accounts. Yet, if the “service” is defined as the use of biometrics to access accounts and not the providing of accounts themselves, then the processing of biometrics would be strictly necessary.

Similarly, if a website or app is viewed as the requested product or service (and not the products sold on the website or app), controllers could argue that their use of tracking technologies is reasonably necessary to provide the website or app since it allows them to stay in business and provide the website or app.

In that same vein, MODPA does not define “reasonably necessary” or “strictly necessary” or identify the perspective for those standards. In other words, MODPA does not state that those standards must be viewed from the consumers’ perspective. Presumably, therefore, a controller can determine what it believes is reasonably necessary or strictly necessary from its perspective. In the existing consent model, the consumer (not the controller) makes the decision from her perspective by providing her consent. This also diverges from CCPA Regulation 7002, which states that, for CCPA purposes, the “purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer(s) whose personal information is collected or processed.”

In the end, this is all not meant to suggest that MODPA’s new data minimization standards will not be impactful. However, much like all things in privacy law, it is very likely that the full extent of their impact will be use-case and company dependent. In some instances, MODPA’s provisions will no doubt be more consumer protective than existing law. At the same time, in some instances they will lead to the same result and it is possible they may even be less protective than existing law. Ultimately, the new requirements will almost certainly create numerous compliance questions that will need further analysis, including how the language impacts the use of online advertising and data brokering (in particular, buying personal data), to name a few.

Finally, the author would like to thank Keir Lamont for contributing greatly to the thoughts and analysis provided in this section (although any omissions or errors are solely the author’s).

b. Prohibition on Selling Sensitive Data

Section 14-4607(A)(2) specifically states that controllers may not “sell sensitive data.” Although consent is not listed as an exception in this section of the statute, that exception is arguably covered by the definition of sale as discussed further in the next section. That said, even if a controller could use an exception to “sell” sensitive data, the controller would still need to consider whether MODPA’s sensitive data minimization provision would restrict the transfer.

MODPA defines sensitive data as data revealing (1) racial or ethnic origins; (2) religious beliefs; (3) consumer health data; (4) sex life; (5) sexual orientation; (6) status as transgender or nonbinary; (7) national origin; or (8) citizenship or immigration status. It also includes genetic or biometric data (without a restriction that it be used to identify an individual), personal data of a consumer that the controller knows or has reason to know is a child and precise geolocation.

MODPA’s definition of sensitive data is close – but not identical – to the laws in Connecticut, Oregon, and Delaware. To learn more, please see our chart comparing the various definitions of sensitive data.

c. Heightened Protections for Minor’s Data

Section 14-4607 states that a controller cannot process the personal data of a consumer for purposes of targeted advertising or sell the personal data of a consumer if the controller “knew or should have known that the consumer is under the age of 18 years.”

Although this section does not contain an exemption for when a controller obtains consent, consent (or some variation thereof) is arguably already included through the definitions of sale and targeted advertising. Specifically, “sale” is defined to exclude “the disclosure of personal data where the consumer . . . directs the controller to disclose the personal data.” Further, targeted advertising does not include advertisements “directed to a consumer in response to the consumer’s request for information or feedback” (although the contours of the targeted advertising exception are admittedly more nuanced).

Another notable aspect of this section is the scienter requirement – i.e., knew or should have known. No other WPA variant (or the CCPA) uses the “should have known” standard, instead utilizing the actual knowledge and/or willful disregard standards. It could be argued that a “should have known” standard will require controllers to use age verification or age assurance or not to engage in targeted advertising or selling of personal data at all. For example, in a footnote in a 2012 FTC request for comments, the Commission cited a federal district court case for the proposition that “should have known” imposes a duty to ascertain unknown facts. If Maryland’s requirement is read to require age verification or age assurance, it could potentially trigger First Amendment challenges.

d. Anti-Discrimination Provision

MODPA also contains a first-of-its-kind antidiscrimination provision in which controllers are prohibited from collecting, processing, or transferring personal data or publicly available data “in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability” unless an exception applies. This section finds its origins in ADPPA section 207.

Scope of Personal Data

a. Broad Biometric Data Definition

MODPA utilizes a broad definition for biometric data, stating that biometric data “means data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity.” In other words, it is sufficient if the controller can use the data to identify the individual, not that they actually do so.

The use of the word “authenticate” in the definition is also notable. Other WPA variants do not use that word and instead state that the data must be used to identify an individual. “Authenticate” is a defined term and means “to use reasonable means to determine that a request to exercise a consumer right in accordance with § 14-4605 of [MODPA] is being made by, or on behalf of, a consumer who is entitled to exercise the consumer right with respect to the personal data at issue.” The use of the word therefore suggests that biometric data is somehow intertwined with a controller’s ability to verify identity with respect to a consumer request.

b. Connecticut-Style Consumer Health Data Provisions

MODPA’s definition of consumer health data is slightly different from the definition in Connecticut’s SB 3 (Connecticut being the first state to add consumer health data to a WPA variant). MODPA defines consumer health data to mean personal data that a controller uses to identify a “consumer’s physical or mental health status.” Connecticut’s law states “physical or mental health condition or diagnosis.” Similar to Connecticut’s law, MODPA adds consumer health data to its definition of sensitive data and creates additional obligations for controllers including access, confidentiality, and geofence restrictions.

c. Oregon-Style Treatment of Pseudonymous Data

MODPA follows Oregon’s approach and does not provide a pseudonymous data exemption.

Consumer Rights

MODPA largely tracks the consumer rights provided in existing WPA variants with one exception. Maryland residents have the right to obtain a list of the categories of third parties to which a controller has disclosed the consumer’s personal data or a list of the categories of third parties to which the controller has disclosed any consumer’s personal data if the controller does not maintain this information in a format specific to the consumer.

Loyalty Programs

MODPA largely tracks Connecticut’s loyalty program language with the exception that MODPA states that the selling of personal data cannot be a condition of participation in the program.

Universal Opt-Out Mechanisms Optional

In a notable (and perhaps unintentional) change, MODPA makes the recognition of universal opt-out mechanisms (UOOMs) optional. Specifically, section 14-4607(F)(3) states that a controller may provide a clear and conspicuous link on the controller’s website to a page that allows the consumer or authorized agent to opt out of the targeted advertising or the sale of the consumer’s personal data or, on or before October 1, 2025, allows a consumer to opt out through an opt-out preference signal.

In comparison, laws such as Connecticut’s and Oregon’s contain these same two requirements but use “and” instead of “or,” thus mandating both a link and recognition of UOOMs.

Third Party Use and Sharing

Section 14-4609 contains another provision new to WPA variants. It states that “if a third party uses or shares a consumer’s information in a manner inconsistent with promises made to the consumer at the time of collection of the information, the third party shall provide an affected consumer with notice of the new or changed practice before implementing the new or changed practice.” The use of the word “information” in this section (rather than personal data) is notable especially given that MODPA does not define the term. The ambiguities presented with the phrase “promises made to the consumer at the time of collection” are also likely to cause numerous compliance questions.

Data Protection Assessments and Algorithms

In what we believe to be a first-of-its-kind requirement, MODPA’s data protection assessment section requires controllers to consider their algorithms. Specifically, section 14-4610(B) states that “a controller shall conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that present a heightened risk of harm to a consumer, including an assessment for each algorithm that is used.”

Enforcement

MODPA is enforceable by the Division of Consumer Protection in the Maryland Attorney General’s office. There is no private right of action.

MODPA contains a limited 60-day right to cure that expires April 1, 2027. Section 14-4614 states that the Division “may” issue a notice of violation if the Division determines that a cure is possible.

Rulemaking

MODPA does not itself authorize rulemaking. However, Maryland Code § 13-205 allows the Division of Consumer Protection to engage in permissive rulemaking “to effectuate the purposes of this subtitle, including rules, regulations, or standards which further define specific unfair or deceptive trade practices.”

Effective Date

MODPA takes effect on October 1, 2025.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising
