Maryland legislature passes comprehensive data privacy law: the Maryland Online Data Privacy Act of 2024

On April 6, 2024, the Maryland legislature passed Senate Bill (SB) 541, or the Maryland Online Data Privacy Act of 2024 (MODPA). The legislature subsequently passed its companion bill, House Bill (HB) 567, on April 8, 2024, sending MODPA to Gov. Wes Moore for signature into law.

If enacted, MODPA would take effect on Oct. 1, 2025, and become one of the most stringent privacy laws in the U.S. by enhancing protections for minors' data, prohibiting the sale of sensitive data, strengthening consumer rights, offering universal opt-out mechanisms, and increasing data minimization efforts. We analyze MODPA’s scope and nuances below.

Key definitions from the Maryland Online Data Privacy Act 

  • “Consumer:” A Maryland resident, but does not include “an individual acting in a commercial or employment context.”
  • “Controller:” “A person that, alone or jointly with others, determines the purpose and means of processing personal data.”
  • “Processor:” “A person that processes personal data on behalf of a controller.”
  • “Personal data:” “Any information that is linked or can be reasonably linked to an identified or identifiable consumer.”
  • “Sensitive data:” Personal data that includes:
    1. data revealing racial or ethnic origin; religious beliefs; consumer health data; sex life; sexual orientation; status as transgender or nonbinary; national origin; or citizenship or immigration status;
    2. genetic data or biometric data;
    3. personal data of a consumer that the controller knows or has reason to know is a child; or
    4. precise geolocation data.

Who does the Maryland Online Data Privacy Act apply to?

MODPA applies to any person that:

  • “Conducts business in” Maryland; or
  • “Provides products or services that are targeted to” Maryland residents; and
  • “During the preceding calendar year[,]” either:
    1. “controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction;” or
    2. “controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.”

Other states, such as California, Colorado, Connecticut, Indiana, Iowa, Kentucky, and Oregon, have a consumer threshold of 100,000. As such, MODPA’s coverage threshold is materially lower than that of the majority of similar state privacy regulations.

MODPA also specifies several entities to which its requirements do not apply, including state and local agencies, courts, and instrumentalities, and certain types of businesses subject to related federal laws.

Consumer rights under MODPA

MODPA establishes a number of consumer protections, including:

  • Requiring a controller to confirm whether they are “processing the consumer’s personal data;”
  • Requiring a controller to provide the consumer access to the consumer’s personal data “if a controller is processing the consumer’s personal data;”
  • The right to “correct inaccuracies in the consumer’s personal data;”
  • Requiring a controller to “delete personal data provided by, or obtained about, the consumer unless retention of the personal data is required by law;”
  • Requiring a controller to provide data portability when data processing is done through automated means;
  • The right to “obtain a list of the categories of third parties” who receive personal data from the controller; and
  • The right to “opt out of the processing of personal data” for:
    1. targeted advertising;
    2. the sale of personal data; or
    3. profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
  • Requiring a controller to “respond to a consumer request not later than 45 days after the controller receives the consumer request;”
  • Requiring a controller to “establish a process for a consumer to appeal the controller’s refusal to act on a consumer rights request within a reasonable period after the consumer receives the decision;” and
  • Requiring a controller to “establish a secure and reliable method for a consumer to exercise” any of their enumerated rights under MODPA.

Additionally, a consumer “may designate an authorized agent” to act on the consumer’s behalf to “opt out” of the processing of the consumer’s personal data, as specified. Certain individuals, such as the parent or legal guardian of a child, may exercise the consumer rights directly on behalf of the individual.

Controller and processor duties and responsibilities

MODPA establishes numerous restrictions, rules, and procedures related to controllers and processors.

Under MODPA, a controller may not:

  • Collect, process, or share “sensitive data” concerning a consumer, except where “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains;”
  • “Sell sensitive data;”
  • “Process personal data in violation of state or federal laws that prohibit unlawful discrimination;”
  • Process, collect, or sell a consumer’s personal data for targeted advertising “if the controller knew or should have known that the consumer is” under eighteen (18); and
  • “Collect, process, or transfer personal data” in a discriminatory manner.

On the other hand, a controller “shall:”

  • “Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains;”
  • “Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;” and
  • “Provide an effective mechanism for a consumer to revoke the consumer’s consent . . . that is at least as easy as the mechanism by which the consumer provided the consumer’s consent.”

Notably, if a consumer revokes consent, “the controller shall stop processing the consumer’s personal data as soon as practicable, but not later than 30 days after receiving the request.”

MODPA provides that where a controller uses a processor to process data, the parties must enter into a contract that governs the procedures for processing data for the controller. The legislation includes parameters for this contract, including that it must clearly set forth:

  • instructions for processing data;
  • the nature and purpose of processing;
  • the type of data subject to processing;
  • the duration of processing; and
  • the rights and obligations of both parties.

The contract must also require the processor to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.” Finally, MODPA requires the processor to comply with reasonable requests for information from the controller and assist the controller with its obligation to respond to consumer requests for information regarding their personal data.

MODPA enforcement and penalties

The Maryland Attorney General has exclusive enforcement power over MODPA. A violation of MODPA is considered an “unfair, abusive, or deceptive trade practice” under the Maryland Consumer Protection Act (MCPA) and is “subject to the [MCPA’s] enforcement and penalty provisions[.]” However, MODPA provides controllers and processors a right to cure a violation, if the Division of Consumer Protection of the Office of the Attorney General (the Division): (1) determines that cure is possible and (2) issues a notice of violation. In determining whether to grant a controller or processor an opportunity to cure an alleged violation, the Division may consider the following specified factors:

  • The number of violations;
  • The size and complexity of the controller or processor;
  • The nature and extent of the controller’s or processor’s processing activities;
  • The likelihood of injury to the public;
  • The safety of persons or property;
  • Whether the alleged violation was likely caused by a human or technical error; and
  • The extent to which the controller or processor has violated MODPA or similar laws in the past.

Violators have 60 days to cure after receipt of the notice. If the violating party fails to cure, the Division “may bring an enforcement action[.]” Finally, MODPA does not provide for a private right of action.

Conclusion

MODPA is another example of the shift in the landscape of state data privacy regulations in the absence of federal regulation. If enacted, covered organizations should start to conduct internal assessments to determine any potential shortcomings in their data privacy policies and procedures, including data collection and/or processing methodologies for minors and “sensitive data,” to ensure compliance moving into 2025.

For the full text of SB 541, please click here.

For the full text of HB 567, please visit here.

For more legislative updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates. If you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national data privacy and cybersecurity team.
