What is Maryland’s Online Data Privacy Protection Act?

Maryland Takes the Lead in Privacy Legislation with Comprehensive MODPA

The Maryland legislature enacted two comprehensive privacy bills to limit how big tech platforms can acquire and utilize customers’ and children’s data. 

The passage of MODPA represents a dramatic shift in the state privacy law landscape, with tough provisions that limit personal data collection and privacy rights abuse. Maryland has taken one of the strictest positions among U.S. states in enforcing its residents’ privacy rights thus far.

The measure prohibits the sale of sensitive data entirely, includes universal opt-out methods and anti-discrimination rules provisions, and provides a limited 60-day right to cure that expires in 2027.

Notably, the Maryland Online Data Privacy Act incorporates essential data minimization concepts and robust civil rights safeguards from that model. The Act’s data minimization requirements include limiting the collection of personal data to what is reasonably necessary for the product or service requested by a consumer, prohibiting the sale of sensitive personal data, prohibiting targeted advertising to children and teenagers, and prohibiting discriminatory personal data processing methods. 

Scope of MODPA: To Whom Does It Apply?

MODPA covers any person or entity conducting business in Maryland or targeting Maryland residents with their products or services. Specifically, it targets entities that have controlled or processed the personal data of at least 35,000 Maryland consumers or have controlled or processed the data of at least 10,000 Maryland consumers while deriving more than 20% of their gross revenue from the sale of personal data. 

These thresholds make MODPA one of the country’s most comprehensive consumer data privacy laws, aligning closely with the New Hampshire Privacy Act.

Defining “Consumer” and “Personal Data”

Under MODPA, a “consumer” is defined as a Maryland resident acting in an individual context, excluding commercial or employment contexts. “Personal data” encompasses any information linked or reasonably linked to an identifiable individual, excluding de-identified data and publicly available information.

Enforcement and Exemptions

The enforcement of MODPA falls under the purview of Maryland’s attorney general, who holds exclusive authority. Penalties for violations can reach up to $10,000 per violation, escalating to $25,000 for repeat offenses. However, MODPA includes exemptions for various entities and data types, such as regulatory bodies, nonprofit organizations aiding law enforcement, and data processed under federal laws like HIPAA and the Fair Credit Reporting Act.

Obligations Imposed by MODPA

Controllers subject to MODPA must adhere to several obligations, including limiting data collection to what is reasonably necessary for providing requested services, establishing robust data security practices, and refraining from processing personal data for targeted advertising or selling personal data related to minors under 18. Notably, MODPA prohibits the sale of sensitive data, a provision unparalleled in other state privacy laws.

Consumer Rights and Sensitive Data

MODPA grants Maryland consumers various rights, including access to their personal data, correction, deletion, and data portability. It also provides opt-out mechanisms for targeted advertising and the sale of personal data. Sensitive data categories under MODPA include racial or ethnic origin, religious beliefs, health data, genetic or biometric data, data related to minors, and precise geolocation data.

Response to Consumer Requests and Data Protection Assessments

Controllers must respond to consumer requests within 45 days and conduct data protection assessments for processing activities presenting a heightened risk of harm. These assessments must weigh the benefits against potential risks to consumer rights and apply to processing activities occurring on or after October 1, 2025.

Effective Date and Transition Period

MODPA will take effect on October 1, 2025, with no retroactive application to processing activities before April 1, 2026. This transition period allows businesses time to adapt their practices and ensure compliance with the new law.

As Maryland pioneers comprehensive privacy legislation with MODPA, organizations face the challenge of navigating a complex landscape of state privacy laws. Compliance requires implementing robust privacy programs regularly reviewing applicability, and updating internal policies to meet evolving regulatory standards. With MODPA, Maryland sets a precedent for prioritizing consumer privacy and data protection in the digital era.

The History of Data Privacy Laws in Maryland

Maryland’s PIPA (Personal Information Protection Act) was enacted in May 2022 to ensure that Maryland consumers are reasonably protected as identity theft establishes itself as a growing threat. The law requires consumers to be notified in the case of a breach of their personal information so they can take steps to protect themselves. 

The Maryland Personal Information Protection Act (PIPA) does not make the bar of comprehensive privacy laws. The most recent revisions, however, will bring it closer to the level of sweeping privacy laws enacted by the five states that lead the way in comprehensive privacy laws: California, Colorado, Connecticut, Utah, and Virginia. 

The new PIPA law (HB962) took effect on October 1, 2022. We’ll outline the key revisions below.

Maintaining Reasonable Security

Starting from Oct. 2022, entities that maintain personal information about residents of Maryland must maintain “reasonable security” practices that are proportional to the type of information and the nature and size of the business that holds the data. 

Notably, the new amendment updates the requirement of maintaining reasonable security safeguards for any business that maintains the information, even if it doesn’t own or license it. Third-party service providers are an example of maintainers.

Unlike the NY SHIELD Act, Maryland’s data protection act does not outline the specific security safeguards to implement. Instead, the bill uses the somewhat ambiguous word “reasonable” to describe the measures expected to protect personal data.

Personal Information

Maryland’s most recent PIPA law updated the definition of personal information. In the newest revision to the law, personal information includes  a person’s first and last name combined with any of the following data:

• Social security number
• Driver’s license ID number
• Credit card or debit card number that in combination with a required security code or password, would permit access to an individual’s financial account
• Individual taxpayer identification number
• Passport numbers and other federally issued ID numbers
• State ID card numbers
• Health information
• Health insurance policy number in combination with a unique identifier code that permits access to the health-related information
• Biometric data
• Username or email address in combination with a password or security question 
• Genetic information (more on that below.)

Genetic Information

Maryland was one of a select group of states that included genetic information in their listing of personal information categories in previous Maryland consumer protection acts. HB962 expands and specifies exactly which types of genetic information are subject to breach notification requirements.

The revised specification of genetic information broadly refers to any data that results from the analysis of a biological sample of the individual. It also includes the following information types:

• DNA
• RNA
• Genes
• Chromosomes
• Alleles
• Genomes
• Alterations or modifications to DNA or RNA
• Single nucleotide polymorphisms
• Uninterrupted data that results from the analysis of a biological sample from the individual or other sources
• Information extrapolated, derived, or inferred from the 10 information types listed above.

Substitute Notice

The act stipulates that notification should be communicated by substitute notice if the business lacks sufficient contact information to notify affected individuals. 

The bill requires substitute notice to include notification in major print or broadcast media in the areas where affected individuals reside.

Risk of Harm Threshold

The PIPA law describes a threshold for determining whether a breach would trigger notification requirements. After the discovery of a security breach, the targeted business must “conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach…Unless the business reasonably determines that the breach of the security of the system does not create a likelihood that personal information has been or will be misused, the owner or licensee of the computerized data shall notify the individual of the breach.” 

In other words, if the business determines there is no possibility that the personal information contained in a breach will be exploited, notification requirements are not activated. 

The risk of harm threshold is a familiar inclusion in other state legislation requiring data breach notification. It is also mentioned in some well-known privacy laws, including GDPR and HIPAA.  

Notification Timelines

The PIPA amendments of 2022 reduce the period for the notification of a data breach. Notification timeline instructions are divided into two categories:

1. Notification requirements for information owners or licensed parties
2. Notification requirements for entities that maintain personal information such as third-party service providers

Owners or Licensed Parties

Disclosure notification must be delivered by the information owners or licensed parties within 45 days after the discovery of a security breach. This is to replace a previous clause that the 45 days commences after the conclusion of the investigation of the incident. 

The disclosure requirements state that notification is required unless the business determines that the breach is not likely to exploit personal information.

Maintainers

Service providers that maintain personal information must provide notice to the owner of the information within 10 days after the discovery.

Investigation Delays

In the case where law enforcement delays the notification process because it “determines that the notification will impede a criminal investigation or jeopardize homeland or national security”, the owner of the personal information is required to provide notice of the breach within 7 days or the expiration of the original 45 day period, whichever occurs first.

Tighter notification timelines will help individuals mitigate the damage and likelihood of identity theft as a result of a data breach.

Notice to Attorney General

The new PIPA amendment includes some new specifics in the process of reporting to the attorney general of Maryland. The report must now include:

• The number of affected Maryland residents
• A description of the breach that describes how and when the breach occurred
• The remediation steps the business has taken or plans on taking regarding the breach
• A sample notification letter that is to be used to disclose details of the breach to impacted Maryland residents

Next Steps for Maryland Privacy Law

New trends likely will continue to prompt amendments to Maryland state data breach notification laws. Businesses should develop their incident response plans with flexibility in mind to ensure ease of compliance with constantly evolving breach notification requirements.

Contact Centraleyes with your questions about state privacy developments.

Centraleyes State Privacy Law Tracking

Centraleyes has you covered on the latest updates to state privacy policies. 

Check out our other articles on pertinent laws like California’s CPRA, Colorado’s CPA, Utah’s UCPA, and Virginia’s VCDPA.