Maryland became the eighteenth state to adopt comprehensive data privacy legislation with the enactment of the Maryland Online Data Privacy Act (MODPA) of 2024. Governor Wes Moore signed the act on May 9, 2024, and it will become effective on October 1, 2025. This legislation aims to provide strong privacy protections for Maryland residents and includes unique provisions that distinguish it from other state privacy laws.

Scope and Applicability

The Maryland Online Data Privacy Act applies to businesses that either:

1. Control or process the personal data of Maryland residents not less than 35,000.
2. Control or process the personal data of Maryland residents of not less than 10,000 and derive more than 20% of their gross revenue from the sale of personal data.

The law applies to any entity that conducts business in the state or targets products or services to Maryland residents and does not require a business to be physically located in Maryland. 

This broad applicability is similar to that of the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Union, both of which also apply to businesses outside their respective jurisdictions if they process the data of residents within the jurisdiction.

Exemptions

The Maryland Online Data Privacy Act (MODPA) exempts the following categories of businesses from its requirements: –

• State and Local government departments: This includes all regulatory, administrative, advisory, executive, appointive, legislative, or judicial bodies of Maryland.
• Financial institutions: Businesses covered under the Gramm-Leach-Bliley Act (GLBA) are exempt from MODPA. This applies to banks, credit unions, insurance companies, and other financial institutions.
• Non-profit Organizations are exempted if theyprocess or share data solely to assist law enforcement agencies investigating insurance fraud or first responders during emergencies.
• National securities and futures associations registered under the Securities Exchange Act are not required to comply with MODPA.

Key Definitions

Personal Data: Defined as any information that is linked or can be reasonably linked to an identified or identifiable individual. This includes names, emails, phone numbers, physical addresses, and IP addresses and does not include De-identified data and publicly available information.

Sensitive Personal Data: Includes data related to an individual’s race, religious beliefs, sex life or orientation, genetic or biometric data, consumer health data, or precise geolocation within 1,750 feet. The sale of such data is completely banned without exception.

Sale of Personal Data: Defined as the exchange of personal data for monetary or other valuable consideration.

Consumer Health Data: Personal data that identifies a consumer’s physical or mental health status, gender-related treatment, or reproductive or sexual health care. Access to this data is strictly controlled.

Obligations of Data Controllers and Service Providers

MODPA imposes several obligations on data controllers and service providers:

• Data Minimization: Businesses must ensure that the collection and processing of personal data are limited to what is reasonably necessary to provide the requested product or service.
  
• Privacy Policy Requirements: Businesses must provide a clear and accessible Privacy Policy that includes:
  • Categories of personal data processed.
  • Purposes for processing personal data.
  • How consumers can exercise their privacy rights.
  • Categories of third parties with whom data is shared.
  • Disclosures about data sales or targeted advertising.
    
• Data Protection Impact Assessments (DPIAs): These are required for processing activities that have higher consumer risks, such as targeted advertising, risk profiling, selling consumer data, or processing sensitive information. Maryland uniquely requires DPIAs for each algorithm used.
  
• Consent: Controllers must provide a mechanism for consumers to revoke consent to data processing and cease processing within 30 days of revocation.
  
• Security Safeguards: Implement appropriate security measures to protect the confidentiality, integrity, and accessibility of personal data.
  
• Consent for Sensitive Data: Explicit consent is required before processing sensitive personal data. This is stricter than many other state laws, which may allow processing with certain safeguards.
  
• Non-Discrimination: Businesses cannot discriminate against consumers for exercising their privacy rights, a provision also found in the CCPA and GDPR.

Processors

• Compliance with Controller Instructions: Process personal data only according to the Controller’s instructions and applicable laws.
• Security Measures: Implement appropriate technical and organizational measures to protect personal data.
• Sub-processors: Hire sub-processors only with the Controller’s authorization and must ensure that they provide the same level of security.
• Assisting Controller: Help the Controller fulfill consumer requests related to access, correction, deletion, and portability.
• Data Breach Notification: Notify the Controller if they experience a data breach impacting Maryland residents’ personal data.

Rights of Consumers

MODPA grants Maryland residents several privacy rights, including:

• Right to Access: Consumers can confirm whether a business is processing their personal data and access that data.
• Right to Correct: Consumers can correct inaccuracies in their personal data.
• Right to Delete: Consumers can request the deletion of their personal data.
• Right to Data Portability: Consumers can obtain a copy of their personal data in a portable format.
• Right to Opt-Out: Consumers can opt out of targeted advertising, sell their personal data, and use their data for profiling in automated decisions.
• Non-Discrimination: Businesses cannot discriminate against consumers for exercising their privacy rights.

Enforcement

Enforcement Authority: MODPA will be enforced exclusively by the Maryland Attorney General’s Office.

Notice and Cure Period: Before initiating an enforcement action, the Attorney General must provide a 60-day prior notice of an alleged violation and an opportunity to cure the violation. This cure period sunsets on April 1, 2027, after which providing a cure period becomes discretionary.

Penalties

The Maryland Online Data Privacy Act (MODPA) imposes significant penalties for non-compliance. 

• Civil Penalties: For first-time violations, civil penalties can be up to $10,000 per violation.
• For repeat violations, civil penalties can be up to $25,000 per violation.
• No Private Right of Action: Unlike some other state privacy laws, MODPA does not provide for a private right of action by individual consumers.

Proper compliance with MODPA’s requirements is crucial to avoid these significant financial and legal consequences.

How PrivacyPillar Can Help

PrivacyPillar offers an all-in-one solution. Our team of professionals can help you create privacy policies, manage cookie consent, and ensure compliance with DSAR (Data Subject Access Request) regulations.

We provide a modern consent management platform that-

•  Simplifies obtaining and handling user consent.
• Ensures compliance with data privacy regulations.
• Improve the user experience and increase genuine consent rates.

Our solution is to automate the handling of Data Subject Access Requests (DSARs). With its automated workflows and data discovery systems, the platform-

• Streamlines handling of Data Subject Access Requests (DSARs).
• Simplify response processes.
• Ensures continuous compliance and seamless operations.
• Facilitate clear communication with data subjects with Real-time notifications.

Conclusion

The Maryland Online Data Privacy Act of 2024 is a major step forward in protecting consumer data. With its wide-reaching scope, strict demands, and extensive consumer rights, businesses must take proactive measures to ensure compliance. PrivacyPillar is prepared to guide you through this process, providing the expertise and support needed for compliance with MODPA and other state privacy laws. Contact us today to discover how we can assist your business in achieving and maintaining compliance.