The United States privacy landscape becomes more cluttered by the week. While most of the legal media is focusing on federal legislation coming out of Washington, the most significant privacy development in the United States has come 30 miles from the east, in Annapolis. The Maryland legislature recently passed two privacy bills that could disrupt the current legal landscape.

In this alert, we cover three timely developments from the last couple of months:

1. Maryland passed a comprehensive privacy law
2. Maryland passed the “Online Kids Code” (if signed, it will take effect on October 1, 2024)
3. Nebraska passed a comprehensive privacy law

We discuss each of these developments in turn, below.

Maryland Online Data Privacy Act of 2024

On April 6, the Maryland legislature passed a comprehensive privacy bill containing many unique provisions that could impact companies’ privacy compliance programs. If signed, the measure would take effect on October 1, 2025.

The bill has low thresholds for applicability, meaning that it could apply to more companies than some similar laws. The law applies to any person (excluding individuals who are acting in an employment or commercial context) who conducts business in Maryland or provides products or services targeted to Maryland residents and either:

(i) controls or processes the personal data of at least 35,000 Maryland consumers; or
(ii) controls or processes the personal data of at least 10,000 Maryland consumers and derives more than 20% of gross revenue from selling personal data.

The bill materially restricts how companies may use sensitive data, including a blanket prohibition on the sale of sensitive data. Controllers must also avoid collecting sensitive data unless such information is strictly necessary to provide or maintain a product or service requested by the consumer.

Some other unique aspects of the law are as follows:

• The law defines targeted advertising quite narrowly. It is defined as advertising which displays ads based on a consumer’s predicted interest generated from activity across non-affiliated services and websites. Furthermore, the law bans targeted advertising to individuals under 18.
• The law contains stringent data minimization requirements even if the data isn’t sensitive. First, with respect to processing, controllers can process personal information only for purposes disclosed to consumers at the time of collection. Second, and more stringently, controllers may collect information only if reasonably necessary to provide a service.
• The law defines biometrics narrowly. Data extracted from images and audio that isn’t used to identify a consumer is not biometric data.

Maryland’s Online Kids Code

SB 571 was passed on April 6 and is awaiting the Governor’s signature. If signed, it would be effective on October 1, 2024, and Maryland would join California (the California AADC is temporarily enjoined) and Florida in having its own “age-appropriate design code.”

The law would apply to covered entities that provide an online product reasonably likely to be accessed by children. The law contains four main provisions:

• Ensure the best interests of children in the design, development, and provision of online products.
• Prioritize children’s privacy, safety, and well-being of children.
• Process children’s data in a manner consistent with the best interests of children.
• Conduct a data protection impact assessment for any product reasonably likely to be accessed by children.

Some key takeaways of the law are as follows:

• “Best interests of child” is narrowly defined. Any processing that does not trigger one or more of four tangible harms to children is in the child’s best interest. This is much narrower than California’s restriction, which could be a result of the Maryland legislature’s attempt to avoid constitutional scrutiny.
• The law prohibits covered entities from estimating a user’s age other than as necessary for offering the online product.
• The law prohibits covered entities from profiling children unless it is in the best interests of the child or necessary to deliver the product. Profiling is broadly defined to include any automated processing that infers a child’s characteristics or preferences.
• The law prohibits processing personal information except as necessary to offer products to children.
• The law limits the purposes for which a covered entity can collect precise geolocation information, and an obvious signal must be provided when location is being tracked. That requirement is often satisfied with tools implement to comply with app store requirements.

Nebraska Data Privacy Act

The Nebraska legislature passed a comprehensive privacy bill on April 12, 2024. If signed, the law becomes effective on January 1, 2025. Unlike many US privacy laws, Nebraska’s law does not have an applicability threshold. Instead, it follows the Texas approach and applies to all companies that conduct business in Nebraska or produce a product or service consumed by Nebraska residents, process or engage in the sale of personal data, and are not small businesses under the Small Business Act. The law excludes individuals acting in an employment or commercial context.

The law is not unique. Instead, it mirrors Texas’ Data Privacy and Security Act. Some notable provisions include:

• A 30-day cure period in the event of an enforcement by the Attorney General;
• Data minimization requirements (companies must limit collection to that which is reasonably necessary for the purpose disclosed to the consumer);
• Opt-in consent is required prior to companies processing sensitive data;
• Various data protection assessment requirements; and
• Companies must recognize global opt-out signals.

Businesses already compliant with other US comprehensive state privacy laws should not have a heavy lift to ensure compliance in Nebraska.

The rate at which state privacy laws are proposed and enacted does not seem to be slowing down for 2024. Perhaps the uniqueness of the Maryland law or the sheer volume of state laws will at some point trigger a tipping point and a demand for federal legislation.