Last month, the Maryland legislature passed the Maryland Online Data Privacy Act (“MODPA”). Pending Governor’s signature, Maryland will become the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Nebraska.
MODPA contains unique provisions that will require careful analysis to ensure compliance, including: data minimization requirements; restrictions on the collection, sale, or transfer of sensitive data; and consumer health data-related obligations. These unique provisions have the potential to create additional work streams even for companies that have already come into compliance with existing state laws. This blog post summarizes the statute’s key takeaways.
- Scope: The MODPA applies to controllers and processors whose business targets Maryland residents and who, during the preceding year, controlled or processed the personal data of at least 35,000 Maryland consumers, or of at least 10,000 Maryland consumers while deriving more than 20% of gross revenue from the sale of personal data. The MODPA includes many exemptions present in other state comprehensive privacy laws, including exemptions for certain nonprofits, state government entities, financial institutions, and protected health information under HIPAA, among others.
- Consumer Rights: The MODPA provides consumers with rights found in many other state comprehensive privacy laws. These rights include access, correction, deletion, and portability, as well as rights to opt out of processing for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions. The MODPA will also require controllers to honor opt-out preference signals.
- Data Minimization Requirements: The MODPA restricts the collection of personal data to what is reasonably necessary to maintain or provide the requested product or service, with even more stringent data minimization expectations for sensitive data, as discussed below. Additionally, the Act would require controllers to obtain consent before processing personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data was collected. Helpfully, the MODPA provides that controllers and processors are not restricted from engaging in an enumerated list of processing activities (e.g., protecting against and investigating fraud and security incidents, and performing certain internal operations that are reasonably anticipated by consumers), although only to the extent such processing is reasonably necessary and proportionate to the enumerated purposes.
- Sensitive Personal Data Restrictions: The MODPA would broadly prohibit the sale of sensitive personal data, and would restrict the collection, processing, or sharing of sensitive personal data except when “strictly necessary to provide or maintain a specific product or service requested by the consumer.” The MODPA defines sensitive personal data to include: racial or ethnic origin; religious beliefs; sex life; sexual orientation; status as transgender or nonbinary; national origin; citizenship or immigration status; genetic or biometric data; personal data collected from a consumer under 13 years old; precise geolocation data; and certain consumer health data.
- Consumer Health Data: The MODPA’s definition of consumer health data encompasses personal data that the controller uses to identify a consumer’s physical or mental health status, including data related to gender-affirming treatment or reproductive or sexual healthcare. A person may not grant an employee or contractor access to consumer health data unless the recipient is subject to a contractual or statutory duty of confidentiality, or confidentiality is required as a condition of employment. Consumer health data is considered sensitive personal data under the MODPA, so the MODPA’s restrictions on sensitive personal data would apply equally to consumer health data. Like Connecticut’s law, Maryland’s privacy law would also prohibit the use of geofence technology to establish a virtual boundary around certain health facilities for the purpose of identifying, tracking, collecting data from, or sending notifications to consumers regarding their consumer health data.
- Consumers Under 18 Years Old: The MODPA would prohibit the sale, or processing for purposes of targeted advertising, of personal data of consumers under the age of 18 years.
- Anti-discrimination: The MODPA would prohibit, with limited exceptions, the collection, processing, or transferring of personal data or publicly available data “in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability.”
- Data Protection Assessments: The Act would require data protection assessments for processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), and the processing of sensitive data, among others.
- Loyalty Program Conditions: Under the MODPA, controllers would be prohibited from conditioning consumer participation in loyalty programs on the sale of consumer personal data.
- Enforcement: MODPA grants exclusive enforcement power to the Maryland Attorney General and provides for a 60-day cure period that sunsets April 1, 2027.