[co-author: Donara Aghajani]

Maryland joins the growing list of states to enact a privacy law but adds unique requirements for data minimization, sensitive data, and consumer health data

On May 10, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 ("MODPA" or the "Act"), bringing the number of comprehensive state privacy laws to 18 and establishing a new, more restrictive framework for businesses that collect, process, or disclose personal data. MODPA will become effective on October 1, 2025, but it will not apply to any personal data processing activities before April 1, 2026.

Like other comprehensive state privacy laws, MODPA gives consumers the right to confirm processing of and to access, correct, delete, and port their personal data, as well as the right to opt out of sales of their personal data and the use of such data for targeted advertising or profiling; requires controllers to post privacy policies and conduct data privacy impact assessments; and prohibits controllers from discriminating against consumers who exercise their rights; exempts certain entities and data from the Act entirely;[1] and defines many terms—such as "personal data" and "sale" of personal data—the way that other states have defined them. As explained below, however, MODPA diverges in other important respects from the approach that other states have taken, which will complicate privacy compliance and data use strategies.

Lower Application Thresholds

MODPA applies to entities that conduct business in Maryland or provide products or services that are targeted to residents of the state and that during the preceding calendar year met either of two criteria:

• Controlled or processed the personal data of at least 35,000 consumers (i.e., Maryland residents), excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• Controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data.

Most states that are as populous as Maryland have established thresholds of 100,000 or more consumers. Maryland's low threshold, which aligns with the threshold in the Delaware Personal Data Privacy Act (DPDPA), means some entities that can avoid compliance with other states' privacy laws because they collect personal data from under 100,000 state residents will nonetheless need to comply with MODPA.

Different Definitions of Biometric Data, Consumer Health Data, and Sensitive Personal Data

While most of the definitions in MODPA mirror those in the other state privacy laws, several do not. For instance, most state privacy laws limit the definition of "biometric data" to information generated by automatic measurements of biological characteristics that is used or intended to be used to identify a specific individual. MODPA, however, defines "biometric data" to mean "data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer's identity."[2] (Emphasis added.) Because "biometric data" is "sensitive personal data" under the Act, controllers will have to comply with the strict requirements regarding such data, even if they never intend to use it to authenticate or identify a consumer.

MODPA also regulates "consumer health data," which means "personal data that a controller uses to identify a consumer's physical or mental health status," including, but not limited to, "data related to (1) gender affirming care, or (2) reproductive or sexual health care." (Emphasis added.) Other state laws that regulate "consumer health data" have defined the term more narrowly. For instance, the amended Connecticut Data Privacy Act defines the term to mean "personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis," and Washington's My Health My Data Act regulates only data that is "reasonably linkable" to a consumer's health. The definition in MODPA is broader because personal data that identifies an individual's health "status"—as opposed to "condition or diagnosis"—could include aspects of a consumer's health that have nothing to do with a "condition or diagnosis," such as information revealing a consumer's general fitness, nutrition habits, certain purchases, and so forth. Because "consumer health data" is "sensitive personal data," the broad definition will mean that more personal data will be subject to the strict requirements that govern "sensitive personal data."

As noted above, "sensitive personal data" includes "consumer health data," as well as data that reveals race or ethnic origin, religious beliefs, sex life or orientation, status as transgender or nonbinary, citizenship or immigration status, or national origin. Genetic or biometric data are also "sensitive personal data," regardless of whether they are used to identify a specific individual, as is the personal data of a known child under 13 years of age, and precise geolocation data. This definition differs from those in other state privacy laws, most of which do not include data revealing national origin or biometric and genetic data that is not used to identify specific individuals.

First-of-a-Kind Data Minimization Requirements

MODPA establishes data minimization requirements for both personal data and sensitive personal data that are more restrictive than those in other state privacy laws and, in some respects, even the EU General Data Protection Regulation ("GDPR"). These obligations will have a significant impact on companies because in some cases, they will prohibit routine business operations that involve personal data. Specifically, MODPA will impose the following:

• Strict limits on the processing of sensitive personal data, regardless of consumer consent. Controllers may not process (i.e., collect, use, disclose, or maintain) sensitive personal data—regardless of consumer consent—except when doing so is "strictly necessary" to "provide or maintain a specific product or service requested by the consumer." Controllers therefore will not be able to use precise geolocation for geo-targeted advertisements and may be precluded from using data that reveals race or ethnicity to offer certain demographic groups content that is likely to be of interest to them or information about someone's diet or exercise for advertising. This provision also may prevent controllers from providing enhanced services to consumers if those enhancements require the use of sensitive data (such as precise geolocation information) but are not "strictly necessary" to provide the underlying service. The scope of this prohibition also will depend on how broadly or narrowly the state attorney general and the courts define "specific product or service requested by the consumer."
• Prohibition on sales of sensitive personal data, regardless of consumer consent. Similarly, controllers are prohibited from "selling" sensitive personal data—i.e., exchanging such data for monetary or other valuable consideration—regardless of whether a consumer consents. This will preclude the disclosure of sensitive personal data for purposes that are permissible with consumers' consent under other state laws. Because MODPA exempts consumer-directed disclosures from the definition of "sale," however, it may be possible to disclose sensitive personal data to third parties when the consumer has directed the disclosure or intentionally used the controller to interact with the third party. Moreover, controllers will be able to disclose sensitive personal data to third parties when necessary to provide the product or service requested, because such disclosures are also exempt from the definition of "sale."
• Limitation on collection of personal data, regardless of consumer consent. Controllers must "limit the collection of personal data" to what is "reasonably necessary and proportionate" to "provide or maintain a specific product or service requested by the consumer to whom the data pertains," regardless of whether a consumer consents. Controllers have some leeway in determining what is "reasonably necessary and proportionate," but they should document their reasoning so that they can explain to regulators, if necessary.

  Other state privacy laws do not restrict collection of personal data—or sensitive personal data—to what is necessary to provide a product or service but, rather, allow controllers to collect such data for purposes that were disclosed to the consumer and—in most states—with consumer consent. For instance, the Virginia Consumer Data Protection Act requires controllers to "limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer." (Emphasis added.) Connecticut and Colorado take a similar approach, as does California, which expands the minimization requirement to other types of processing—i.e., use, retention, and sharing of personal information.

• Limitation on processing of personal data to what is reasonably necessary for disclosed—or compatible—purposes, unless the consumer consents. Other states have adopted a similar approach to data minimization that allows controllers to process personal data, so long as such processing is reasonably necessary for the purposes that were disclosed to consumers in the privacy policy (or reasonably compatible with such purposes).

No Processing of Minors' Personal Data for Sales or Targeted Advertising

Under MODPA, a "minor" means a Maryland resident whom the controller "knew or should have known" is under 18 years of age. This heightened standard (i.e., "should have known" rather than an "actual knowledge" or "willful disregard" that the consumer was a minor) will require controllers that do business or target consumers in Maryland (and process personal data of the requisite number of consumers) to determine what information puts them on notice that a particular consumer is a minor so that they can avoid "selling" such consumers' data or targeting ads to them. Again, exceptions to the definitions of "sale" and "targeted advertising" may be useful; but regardless of whether exceptions apply in any given circumstance, controllers will need to modify their compliance programs—possibly by adding an age assurance or age verification mechanism—to satisfy this obligation.

Maryland's absolutist approach may be vulnerable to a First Amendment challenge on the grounds that the ban on sales and targeted advertising to teens imposes an impermissible content—and speaker-based restriction on commercial speech.

Obligations Regarding Consumer Health Data

Like several other state privacy laws, MODPA regulates "consumer health data" by prohibiting any person from (1) providing an employee or contractor access to such data unless that individual is subject to a contractual duty of confidentiality; (2) providing a processor access to consumer health data unless the controller and processor adhere to the obligations that controllers have under the Act; (3) using a geofence to identify, track, or collect data from—or send notifications to—a consumer within 1,750 feet of a health-care facility regarding the consumer's health data; or (4) selling or offering to sell consumer health data without the consumer's consent.

These obligations will create significant compliance challenges. For instance, the requirement to obtain consumers' consent before "selling" consumer health data conflicts with the blanket prohibition against sales of sensitive personal data (which is defined to include consumer health data) regardless of consumer consent, and it is not clear how controllers are expected to reconcile these two obligations, other than to apply the most restrictive provision. Moreover, controllers that are subject to other state laws—e.g., the Connecticut Data Privacy Act—that govern consumer health data will not be able to rely on the policies and procedures that they have implemented to comply with those laws because MODPA defines "consumer health data" more broadly and imposes greater restrictions on the processing of "sensitive personal data" (which includes "consumer health data").

Data Protection Assessments for Processing That Presents a Heightened Risk of Harm

Controllers must conduct and document on a regular basis a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer, including an assessment for each algorithm that is used. Unlike other state privacy laws, MODPA limits the scope of processing activities that presents a "heightened risk of harm" to the following: (1) targeted advertising; (2) sales of personal data; (3) processing sensitive personal data; and (4) processing personal data for profiling that presents certain types of reasonably foreseeable risks—i.e., unfair, abusive, or deceptive treatment; disparate impact; financial, physical, or reputational injury; physical or other intrusion on the solitude or seclusion or private affairs or concerns, when it would be offensive to a reasonable person; or other substantial injury. What is different—and more expansive—is the requirement to conduct an assessment for "each algorithm" that the controller uses, although regulations implementing the Colorado Privacy Act require controllers to conduct a data protection assessment when the level of risk for a particular processing activity increases, and they include the use of an algorithm as something that could increase risk.

Consumers' Rights

As noted above, MODPA gives consumers the right to confirm the processing of their personal data, as well as to request access to and correction, deletion, and export of their personal data. Regarding opt-out rights, controllers have discretion to recognize universal opt-out signals that consumers use to opt out of sales, targeted advertising, or profiling, but they are not required to do so. Like the Oregon Consumer Privacy Act, MODPA requires controllers to provide consumers with a list of the categories of third parties to which that particular consumer's personal data has been disclosed or, if that is not possible, a list of categories of third parties to which the controller has disclosed any consumer's personal data.

Like other state privacy laws, MODPA prohibits controllers from discriminating against consumers for exercising their rights. Unlike other state privacy laws, MODPA prohibits controllers from collecting, processing, or transferring personal data or publicly available information in a manner that has an unlawful discriminatory impact on the equal enjoyment of goods and services on the basis of protected characteristics (e.g., race), unless this different treatment is due to certain permissible purposes, such as to diversify an applicant pool. Other state privacy laws prohibit processing personal data in a way that is unlawful under antidiscrimination laws, but they do not regulate the use of publicly available information in this manner.

Notice to Consumers

MODPA requires controllers to provide consumers with a privacy notice that explains, among other things, the personal data collected, for what purpose the personal data is collected, and the categories of third parties to whom the controller discloses personal data. The Act also requires third parties that use or share a consumer's "information" to provide the consumer with notice of any new or changed practice that is inconsistent with the representation made to the consumer at the time the data was collected. It is not clear whether third parties could rely on the controller to provide this notice. Presumably, third parties could obligate controllers to do so in their agreements with controllers but, ultimately, third parties will be responsible for ensuring that consumers receive this notice.

Exceptions

MODPA provides the usual exceptions for processing personal data necessary to comply with applicable law, to protect cybersecurity and prevent fraud, and so forth. Unlike other state privacy laws, however, MODPA does not provide an exception for internal processing of personal data for product and service development or improvement. It does allow controllers and processors to "[p]erform internal operations that are (1) reasonably aligned with the expectations of the consumer or can be reasonably anticipated based on the consumer's existing relationship with the controller or (2) otherwise compatible with processing in furtherance of (a) the provision of a product or service specifically requested by a consumer, or (b) the performance of a contract to which a consumer is a party." It may be possible to argue that the internal use of personal data for product development and improvement fits into this category.

Enforcement and Sunset Provisions

The Maryland attorney general and the Division of Consumer Protection have exclusive enforcement authority. With respect to an alleged violation on or before April 1, 2027, the attorney general must give controllers and processors sixty days to cure an alleged violation after receiving notice. If the controller or processor fails to cure the alleged violation within sixty days, the attorney general may initiate an enforcement action under Maryland Consumer Protection Act ("MCPA") and may collect up to $10,000 per violation (and up to $25,000 per subsequent violation). While MODPA states that consumers are not prohibited from pursuing any other remedy under law, it does make clear that consumers may not bring a private right of action under the MCPA. It does not state that the criminal penalties available for violations of the MCPA will not apply, however.