Maryland Online Data Privacy Act

King & Spalding

INTRODUCTION

On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (“MODPA”) into law. This makes Maryland the fifth state this year and eighteenth state in total to adopt comprehensive data privacy legislation. Unlike data privacy laws in other states, MODPA is applicable to controllers at a lower threshold and imposes a prohibition on the sale of a consumer’s sensitive data without exceptions. MODPA will take effect on October 1, 2025, but it does not have any effect on or application to any personal data processing activities before April 1, 2026.

COVERED ENTITIES

Similar to data privacy laws in other states, MODPA applies to both “controllers” and “processors” of personal data. A controller is an entity that, alone or jointly with others, determines the purpose and means of processing personal data.[1] A processor is an entity that processes personal data on behalf of a controller.[2] Personal data means any information that is linked or that can be reasonably linked to an identified or identifiable consumer.[3] Personal data does not include de-identified data or publicly available information.

MODPA applies to any controller or processor that conducts business in Maryland or provides products or services that are targeted at the residents of Maryland, and during the preceding year either:

  • (1) controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled solely for the purpose of completing a payment transaction; or
  • (2) controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data.[4]

MODPA’s threshold requirements are lower than those of similar data privacy laws in other states. Indeed, application of MODPA’s obligations is triggered at a lower number of consumers, and a lower percentage of gross revenue derived from the sale of personal data, than the data privacy laws passed earlier this year in New Jersey and New Hampshire.[5]

EXEMPTED ENTITIES AND DATA

The law includes exemptions from coverage for certain types of entities and categories of personal data. MODPA exempts several types of entities, including state and local governments; national securities associations registered under the Securities Exchange Act; futures associations registered under the Commodity Exchange Act; financial institutions subject to the Gramm-Leach-Bliley Act; and nonprofit agencies that process or share personal data solely for assisting law enforcement or first responders.[6] Additionally, MODPA exempts categories of personal data, including health information protected under HIPAA and other health statutes; consumer credit report data; personal data collected under the Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, or Farm Credit Act; and certain employment-related information.[7]

CONSUMER RIGHTS ESTABLISHED

MODPA allows consumers to exercise the following rights regarding their personal data:

  • Confirm whether a controller is processing a consumer’s personal data;
  • Access the consumer’s personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Require the controller to delete personal data about the consumer unless retention is required by law;
  • Obtain a copy of the consumer’s personal data processed by the controller if the processing of personal data is done by automatic means;
  • Obtain a list of third parties to which the controller has disclosed the consumer’s personal data or a list of the categories of third parties to which the controller has disclosed any consumer’s personal data; and
  • Opt out of the processing of personal data for purposes of: (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.[8]

Controllers are required to establish a secure and reliable method for a consumer to exercise their rights established by MODPA. Controllers must respond to a consumer request within 45 days and may extend the request completion period by 45 days if reasonably necessary based on the complexity and number of consumer requests.[9]

EXPANSIVE “SENSITIVE DATA” DEFINITION

MODPA defines “sensitive data” as:

  • Data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizen or immigration status;
  • Genetic data or biometric data;
  • Personal data of a consumer that the controller knows or has reason to know is a child; and
  • Precise geolocation data (specific location of a consumer within a radius of 1,750 feet).[10]

Within the scope of sensitive data, MODPA has a potentially expansive definition for consumer health data and biometric data. Consumer health data is defined as personal data that a controller uses to identify a consumer’s physical or mental health status, including data relating to gender-affirming treatment and reproductive or sexual health care.[11] Biometric data is defined as data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity, including a fingerprint, voice print, eye retina or iris image, and any other unique biological characteristic that can be used to uniquely authenticate a consumer’s identity.[12]

OBLIGATIONS ON CONTROLLERS

Prohibition on the Sale of Sensitive Data

MODPA contains a prohibition on the sale of sensitive data. Unlike data privacy laws in other states, MODPA provides no exception to this prohibition for sales made with the consumer’s informed consent.[13]

Personal Data Minimization

Controllers are required to limit their collection of personal data to what is “reasonably necessary.”[14] Controllers are additionally required to establish and maintain reasonable data security practices to protect the consumers’ personal data that they have collected.

MODPA creates more stringent restrictions on controllers regarding the collection of sensitive data. Controllers can only collect, process, or share sensitive data concerning a consumer where “strictly necessary” to provide a specific product or service requested by the consumer.[15] Covered businesses must assess all instances of collecting, processing, or sharing sensitive data to determine whether the collection, processing, or sharing is “strictly necessary” to provide a specific product or service that is requested by the consumer, and must document these assessments.

Required Privacy Notice

MODPA requires controllers to provide a privacy notice to consumers which includes the categories of personal data processed by the controller; the purpose for processing the personal data; how the consumer can exercise their rights; the categories of third parties with which the controller shares personal data; the categories of personal data shared with third parties; and an active email address or other online mechanism that the consumer can use to contact the controller.[16]

OBLIGATIONS ON PROCESSORS

If a controller uses a processor to process personal data of consumers, the controller and processor must enter into a written agreement that governs the processor’s data processing procedures with respect to processing performed on behalf of the controller. The agreement must clearly set instructions for processing data; the nature and purpose of processing; the duration of processing; and the rights and obligations of both parties.[17]

The agreement between controller and processor must require the processor to ensure each person processing personal data is subject to a duty of confidentiality, establish and maintain reasonable data security practices to protect the personal data processed, and cooperate with the controller’s requests for the processor to stop processing data, delete personal data, and provide information to demonstrate the processor’s compliance with MODPA.[18] Additionally, the processor must assist the controller in meeting the controller’s obligations under MODPA.[19]

In determining whether a person is acting as a controller or processor with respect to a specific processing of personal data, MODPA mandates a fact-based determination based on the context in which the personal data is being processed. A processor is to be considered a controller if the processor is not limited in its processing of specific personal data in accordance with a controller’s instructions, or fails to adhere to a controller’s instructions regarding a specific processing of personal data.[20] If a processor begins to determine the purposes and means of the processing of personal data, the processor is a controller subject to MODPA’s obligations and may be subject to an enforcement action.[21]

ENFORCEMENT AND PENALTIES

MODPA does not create a private right of action for consumers. Rather, the Maryland Attorney General (Consumer Protection Division) has exclusive authority to enforce violations of MODPA. Before initiating an enforcement action under MODPA, the Division may issue a notice of violation to the controller or processor if the Division determines that a cure is possible. In determining whether to grant the controller or processor an opportunity to cure an alleged violation, the Division may consider factors including the number of violations, the size and complexity of the entity, the likelihood of injury to the public, and the extent to which the controller or processor has violated the subtitle in the past.[22]

If the controller or processor fails to cure the violation within 60 days of receiving notice, the Division may bring an enforcement action. Controllers and processors in violation of MODPA could face actions for injunctive relief, civil penalties, and attorney’s fees.[23] Controllers could receive civil penalties of up to $10,000 for each violation and up to $25,000 per violation for repeat violations.[24]

* Special thanks to Summer Associate Tessa Quade for assistance in drafting this article.


[1] Id. at § 14-4601(K).

[2] Id. at § 14-4601(Z).

[3] Maryland Online Data Privacy Act of 2024, Md. Code Ann., Com. Law § 14-4601(W) (2024).

[4] Id. at § 14-4602. “Sale of personal data” is defined as the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.

[5] The New Jersey Data Privacy Act applies to an entity that either (1) controlled or processed the personal data of at least 100,000 consumers; or (2) controlled or processed the personal data of at least 25,000 consumers and derives revenue, or receives discounts, from the sale of personal data. See New Jersey Privacy Act, SB 332 (2024). New Hampshire’s recent comprehensive data privacy law applies to an entity that either (1) controlled or processed the personal data of at least 35,000 consumers; or (2) controlled or processed the personal data of at least 10,000 consumers and derived more than 25 percent of its gross revenue from the sale of personal data. See SB 255-FN (2024).

[6] Com. Law § 14-4603.

[7] Id.

[8] Id. at § 14-4605.

[9] Id.

[10] Id. at § 14-4601(GG).

[11] Id. at § 14-4601(I).

[12] Id. at § 14-4601(D).

[13] Id. at § 14-4607(A)(2).

[14] Id. at § 14-4607(B)(1).

[15] Id. at § 14-4607(A)(1).

[16] Id. at §§ 14-4607(D)(1)-(6).

[17] Id. at § 14-4608(A).

[18] Id.

[19] Id. at § 14-4608(B).

[20] Id. at § 14-4608(D).

[21] Id.

[22] Id. at § 14-4613.

[23] Consumer Protection Act, Md. Code Ann., Com. Law § 13-408 (2024).

[24] Id. at § 13-410.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
