Maryland Online Data Privacy Act is broader, stricter, and more easily triggered than many state privacy laws

Constangy, Brooks, Smith & Prophete, LLP
Contact

Constangy, Brooks, Smith & Prophete, LLP

On April 6, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024, sending the bill to the state’s governor for signing.  The bill comes on the heels of the Kentucky Consumer Data Protection Act, which was signed into law on April 4.  If the Act is signed into law, it will bring the number of states with comprehensive privacy laws to 16.

The Act would take effect in October 2025.

Maryland is diverging from the typical approach taken in the majority of state privacy laws. In short, the Act is broader, stricter, and more easily triggered. Thus, it warrants careful scrutiny from covered businesses. 

Here are some of the ways the Act would be stricter and broader in scope:

  • Lower threshold for coverage. The Act would apply to any business that (1) controls or processes personal data of at least 35,000 consumers or (2) controls or processes the personal data of at least 10,000 consumers and derives more than 20 percent of its gross revenue from the sale of personal data.
  • Bans on sales of personal data. The Act would ban the sale of “Sensitive Personal Data” without exception. “Sensitive Personal Data” would include data related to an individual's race, religious beliefs, sex life or orientation, genetic or biometric data, Consumer Health Data, or precise (within 1,750 feet) geolocation. The Act would also ban the sale of any personal data about individuals who are under the age of 18.
  • Consumer health data. The Act would impose strict data access controls for personnel or subcontractors who access Consumer Health Data. “Consumer Health Data” would be personal data that identifies a consumer’s physical or mental health status, gender-related treatment, or reproductive or sexual health care.
  • Children’s data. The Act would prohibit businesses from selling Personal Data without consent if the business knows or “should have known” the individual at issue is under age 18. This language is similar to that found in the Children’s Online Privacy Protection Act, which requires businesses to more proactively monitor whether children under the age of 13 may be using a website. The Act’s requirement may prompt businesses to adopt similar monitoring or age-verification requirements in Maryland (or stop processing such data altogether).
  • Universal opt-out mechanisms. The Act’s language with respect to universal opt-out mechanisms, or "UOOMs,” is one area where the Act appears to be more lenient than many other state laws. A UOOM is a signal set at the user’s browser level that tells a site not to collect information like cookies. The Act would appear to make adoption of an UOOM Most state privacy laws make UOOMs mandatory after a certain date. Notably, the Act states that if a business recognizes UOOMs approved by other states, the UOOM will be deemed compliant with the Act.

The Act allows the Maryland Attorney General discretion over when to permit a 60-day cure period for violations. The cure period under the Act is available through April 1, 2027.

If the Act becomes law, covered businesses should review their privacy practices moving into 2025. The Act may require more fine-tuning of compliance processes than other state privacy laws taking effect in the next two years. In particular, businesses covered by the Act should continue carefully evaluating the data they collect, share, and sell in light of the stricter requirements found in this Act.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Constangy, Brooks, Smith & Prophete, LLP

Written by:

Constangy, Brooks, Smith & Prophete, LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Constangy, Brooks, Smith & Prophete, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide