A New Privacy Paradigm: Understanding Maryland’s Trailblazing Approach to Online Privacy

The end of Maryland's legislative session has ushered in one of the year's most ambitious and comprehensive consumer privacy laws. 

Maryland Governor Wes Moore officially signed into law the Maryland Online Data Privacy Act (MODPA) on May 9, 2024. Set to take effect on October 1, 2025, this law not only expands the online protections consumers have come to expect from state privacy laws, but it also introduces additional measures designed to protect consumer data, including, among other things:

• Increased protections for processing sensitive data.
• Protections for consumer health data.
• New standards for processing biometric data.
• Increased protections for treatment of youth data.
• New limitations for loyalty programs.
• Heightened data minimization standards.

Historically, states have modeled their privacy frameworks on either the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act (VCDPA). The MODPA sets a new benchmark for data protection, with additional restrictions that businesses will need to navigate. Below, we discuss some noteworthy provisions that distinguish MODPA from other state privacy laws.

Lower Threshold for Defining Controllers Under the Law

MODPA applies to persons who control or process the personal data of at least 35,000 Maryland residents (consumers), or to persons who control or process the personal data of at least 10,000 consumers and derive more than 20% of their gross revenue from the sale of personal data. Compared to other states with similar populations, MODPA has a lower applicability threshold, meaning that smaller businesses doing business in Maryland may have to navigate the robust data protection framework there.

Sale and Collection of Sensitive Data

MODPA broadly prohibits the sale of sensitive data and the collection, processing, or sharing of sensitive data unless it is "strictly necessary" to provide or maintain a specific product or service requested by the consumer. The exceptions to these prohibitions, however, may still allow controllers to sell personal data in cases where the consumer affirmatively requests a service, directs the controller to disclose the personal data, or intentionally uses the controller to interact with a third party.

Consumer Health Data Protections

Going beyond other state laws, MODPA includes robust protections for consumer health data, akin to the health data definitions found in Washington's My Health My Data (MHMD) and Nevada's Consumer Health Data law. Under MODPA, "consumer health data" includes any personal data used to identify a consumer's physical or mental health status. The definition also explicitly includes gender-affirming treatment and reproductive or sexual care, and all consumer health data is considered sensitive data. MODPA also imposes a smaller radius than other laws for virtual boundaries around certain health facilities and prohibits the use of geofencing technology to create a virtual boundary within 1,750 feet (as opposed to 2,000 feet under Washington's MHMD) of any mental health, reproductive, or sexual health facility, for the purpose of tracking or collecting data from consumers, or sending them health-related notifications.

Biometric Data

Additionally, MODPA's definition of biometric data is broader than that found in other state laws. Where most other state laws have defined biometric data to mean data generated by automatic measurements of the biological characteristics of a consumer used to uniquely authenticate a consumer, MODPA broadens the definition to mean data that can be used to uniquely identify a consumer. This modification creates uncertainty regarding review and enforcement of what data could be considered biometric data under MODPA.

Increased Protection for Children

Maryland is now one of two states to offer enhanced protections for all minors over 13 years old. Most notably, MODPA prohibits controllers from selling or processing personal data for the purposes of targeted advertising to consumers the controller knows or should know are under 18 years old. This markedly expands the rights of minors in two ways: first, it incorporates a more subjective "should have known" standard which may increase the obligations controllers have to manage knowledge of the age of their consumers; and second, it moves away from an opt-in standard towards a complete bar on the sale or processing of personal data for the purposes of targeted advertising to minors. While other states have opt-in provisions to allow controllers to process the data of minors who give their consent, there is no consent provision found in this section of MODPA. Although MODPA allows controllers to sell personal data in cases where the consumer affirmatively requests a service, the extent to which that applies here is unclear.

Limitations on Bona Fide Loyalty Programs

Additionally, MODPA restricts controllers from offering bona fide loyalty programs where the sale of personal data is a "condition of participation in the program." While "condition of participation" is undefined under MODPA, this new language places potential limitations on bona fide loyalty programs not found in any other state's privacy law.

Data Minimization

Lastly, MODPA requires controllers to comply with data minimization standards by precluding controllers from processing data that is not reasonably necessary or compatible with disclosed purposes, unless the consumer consents. And, when it comes to processing sensitive data, MODPA employs a higher standard, restricting controllers from collecting, processing, or sharing sensitive data concerning a consumer unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer. "Strictly necessary" is not defined and, thus, it is unclear how this provision will be interpreted for enforcement.

Enforcement

With its new approach to biometric data, children's privacy, and data minimization, MODPA is poised to significantly impact both consumers and businesses. The bill does not grant consumers a private right of action, but consumers are not prevented from pursuing any other remedy provided by law. Additionally, MODPA empowers the Maryland Attorney General with discretion to provide a 60 day cure-period that sunsets on April 1, 2027. While the statutory text does not explicitly grant the attorney general with rulemaking authority, Maryland Code § 13-205 allows the Division of Consumer Protection to engage in permissive rulemaking with respect to unfair or deceptive trade practices.

* * * * *

MODPA contains many provisions that may be over and above what companies are currently required to adhere to under state laws. As a result, businesses should take this opportunity to consider reviewing their privacy practices in light of this new state law.