The Act would take effect in October 2025.
Maryland is diverging from the typical approach taken in the majority of state privacy laws. In short, the Act is broader, stricter, and more easily triggered. Thus, it warrants careful scrutiny from covered businesses.
Here are some of the ways the Act would be stricter and broader in scope:
- Lower threshold for coverage. The Act would apply to any business that (1) controls or processes personal data of at least 35,000 consumers or (2) controls or processes the personal data of at least 10,000 consumers and derives more than 20 percent of its gross revenue from the sale of personal data.
- Bans on sales of personal data. The Act would ban the sale of “Sensitive Personal Data” without exception. “Sensitive Personal Data” would include data related to an individual's race, religious beliefs, sex life or orientation, genetic or biometric data, Consumer Health Data, or precise (within 1,750 feet) geolocation. The Act would also ban the sale of any personal data about individuals who are under the age of 18.
- Consumer health data. The Act would impose strict data access controls for personnel or subcontractors who access Consumer Health Data. “Consumer Health Data” would be personal data that identifies a consumer’s physical or mental health status, gender-related treatment, or reproductive or sexual health care.
- Children’s data. The Act would prohibit businesses from selling Personal Data without consent if the business knows or “should have known” the individual at issue is under age 18. This language is similar to that found in the Children’s Online Privacy Protection Act, which requires businesses to more proactively monitor whether children under the age of 13 may be using a website. The Act’s requirement may prompt businesses to adopt similar monitoring or age-verification requirements in Maryland (or stop processing such data altogether).
- Universal opt-out mechanisms. The Act’s language with respect to universal opt-out mechanisms, or “UOOMs,” is one area where the Act appears to be more lenient than many other state laws. A UOOM is a signal set at the user’s browser level that tells a site not to collect information like cookies. The Act would appear to make adoption of a UOOM Most state privacy laws make UOOMs mandatory after a certain date. Notably, the Act states that if a business recognizes UOOMs approved by other states, the UOOM will be deemed compliant with the Act.
The Act allows the Maryland Attorney General discretion over when to permit a 60-day cure period for violations. The cure period under the Act is available through April 1, 2027.
If the Act becomes law, covered businesses should review their privacy practices moving into 2025. The Act may require more fine-tuning of compliance processes than other state privacy laws taking effect in the next two years. In particular, businesses covered by the Act should continue carefully evaluating the data they collect, share, and sell in light of the stricter requirements found in this Act.