Maryland Disrupts the State Privacy Law Patchwork

Published: Apr. 18, 2024

Don’t let talk of a potential federal privacy law overshadow the steady stream of state privacy bills becoming law.

On April 6th and 8th, Maryland passed companion bills in the Senate and House which, if signed by Governor Moore, would make Maryland the 16th state with a comprehensive consumer privacy law. If enacted, the Maryland Online Data Privacy Act (MODPA) would go into effect October 1, 2025. 

Many of the state privacy laws are iterations of each other, but Maryland breaks from the mold in several ways, including its emphasis on data minimization, sensitive data, children’s data, and unlawful discrimination. 

Notable Distinctions

While reflecting many other state privacy laws’ provisions, MODPA deviates from the norm in a few key ways: 

Data Minimization & Sensitive Data 

MODPA places significant emphasis on data minimization. For all personal data, businesses must limit collection to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” By comparison, most other state privacy laws limit collection to what is reasonably necessary for the processing purposes disclosed in the business’s privacy notice. So, MODPA’s obligation centers on the consumer’s specific, affirmative request, and not the business’s public disclosure. This data minimization requirement could meaningfully limit the personal data that companies can collect from Maryland residents, and potentially from residents of other states as well, because many companies will choose to comply with the most restrictive state privacy law on the grounds that doing so is operationally most efficient and practical.

MODPA also has a unique guardrail for businesses’ processing of sensitive data. Most states with privacy laws require consumers to “opt in” to the collection, processing, disclosure, and sale of sensitive personal data. MODPA, however, restricts businesses from collecting or processing sensitive data unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” MODPA goes further by prohibiting the sale of sensitive data, and notably does not expressly state that a consumer’s consent would allow for such a sale. 

There is, however, some potentially good news because MODPA does not define “reasonably necessary” for data minimization or “strictly necessary” for sensitive data. Thus, unless and until the Maryland Attorney General provides guidance on the meaning of these terms, businesses will have some flexibility in their approach to data minimization and sensitive data. Of course, the absence of definitions may also generate a multitude of implementation and compliance questions.

Children’s Data

Like other states, MODPA restricts a covered business’s ability to sell a child’s personal data, but under MODPA, the restriction applies when the controller has actual knowledge (the most common standard) or “should have known” that the consumer was under the age of 18. The law is silent as to how the “should have known” standard will be determined, and whether that standard will require covered businesses to take affirmative steps to determine a consumer’s age.

Unlawful Discrimination

MODPA also diverges from other state privacy laws by providing added protection against discrimination. Covered businesses will be barred from collecting and processing data in a manner “that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability,” unless an exception applies (e.g., self-testing to prevent or mitigate unlawful discrimination). Other state privacy laws generally forbid any data processing that would violate state or federal laws prohibiting discrimination against consumers, but none go as far as MODPA’s targeted approach. 

Geofences

Maryland now joins Connecticut, Nevada, and Washington by restricting companies from using geofences in certain circumstances. Like Connecticut and Nevada, MODPA restricts companies from establishing digital boundaries within 1,750 feet of mental or reproductive/sexual health facilities to identify, track, or collect data from consumers or to send notifications to consumers regarding their data. Washington’s My Health My Data Act, by contrast, more broadly prohibits geofences for those processing purposes within 2,000 feet of a location providing in-person healthcare services.

Scope

Given Maryland’s population of ~6.1 million residents, MODPA has a low threshold for applicability, which may require smaller organizations to comply with the law, in contrast to comparable state privacy laws. Specifically, MODPA applies to anyone who conducts business in Maryland, or who provides services or products that target Maryland residents, and who:

  • Controls or processes the personal data of at least 35,000 consumers (excluding completing payment transactions); or
  • Controls or processes the personal data of at least 10,000 consumers and also derives more than 20% of gross revenue from selling personal data.

These thresholds mirror those set forth in the Delaware Personal Data Privacy Act, which, prior to the passage of MODPA, had the lowest absolute threshold for applicability (note that Delaware only has ~1 million residents). Maryland now ties Delaware for the lowest threshold, but is poised to apply more broadly since its threshold is only half of one percent of the state’s population. Moreover, as noted above, many businesses seeking a one-size-fits-all approach to state privacy law compliance may choose to comply with the more restrictive provisions in MODPA.

Like many other state privacy laws, MODPA excludes certain entities from the act, including state bodies, businesses regulated by the Securities Exchange Act or the Federal Commodity Exchange Act, financial institutions regulated by Title V of the Gramm-Leach-Bliley Act, and nonprofits that process or share data solely to help law enforcement or first responders. Notably, the law also excludes many types of data, including data covered by HIPAA, patient-identifying information, certain data from human subject research, patient safety information, credit and creditworthiness data, data covered by the Federal Driver’s Privacy Protection Act or the Federal Airline Deregulation Act, data collected for insurance purposes, and personal data collected from an individual acting in an employment context.

Consumer Rights

MODPA offers the familiar slate of consumer rights to its residents and their authorized agents, including the rights to: 

  1. Confirm whether or not a controller is processing the consumer’s personal data and access such personal data;
  2. Correct inaccuracies in the consumer’s personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. Obtain a copy of the data being processed about the consumer;
  5. Obtain a list of the categories of third parties the data has been disclosed to; and
  6. Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Enforcement

The Maryland Attorney General has broad enforcement discretion, including a discretionary 60-day cure period for alleged violations. While a cure period is welcome, the fact that the AG has discretion over whether to provide it reduces the protection and risk mitigation that a non-discretionary cure period would offer. Like most other laws, there is no explicit private right of action.

Maryland’s Other Move

Keep your eyes on Maryland – it also recently passed the Maryland Age-Appropriate Design Code Act (MD AADC) (SB571/HB603), which, if signed by Governor Moore, would impose new obligations on covered businesses offering online products that are reasonably likely to be accessed by children. The MD AADC is modeled after the California AADC, which became law in 2022.