
Maryland: The Online Data Privacy Act of 2024 gains traction – what businesses need to know regarding the proposed legislation

In its current legislative session, Maryland's General Assembly is considering the Maryland Online Data Privacy Act of 2024 (MODPA). The bill passed both the Maryland House of Representatives (House Bill 567) and the State Senate (Senate Bill 541) and is expected to go to a conference committee to resolve differences between the two versions before its final passage. If passed, the MODPA would go into effect on October 1, 2025. Alexandra P. Moylan and Michael J. Halaiko, from Nelson Mullins Riley & Scarborough LLP, take a look at the formation of MODPA, in particular its proposed scope, obligations on businesses, and provisions for consumer rights and penalties.


The proposed legislation would require companies to comply with strong provisions around data minimization and limitations on the collection and use of sensitive consumer data, making it similar to other comprehensive privacy laws like the General Data Protection Regulation (GDPR) and California's privacy laws. In fact, the MODPA has been described by some as one of the most comprehensive state online privacy laws second only to California.

Proposed scope and application

The MODPA would apply to:

  • individuals/businesses who conduct business in Maryland; or
  • individuals/businesses who provide services or products that are targeted to Maryland residents if during the immediately preceding calendar year, the individuals or businesses:
    • controlled or processed the personal data of at least 35,000 consumers unless the personal data was controlled or processed solely for purposes of completing a payment transaction; or
    • controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

The MODPA's requirements would not apply to Maryland state and local agencies, courts, and certain businesses that are subject to related federal laws (i.e., financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)). The MODPA is not applicable to certain data such as health and financial data, which are the subject of federal laws.

Limits on the collection and use of personal data

As currently drafted, a business subject to the MODPA would only be permitted to collect personal data that is reasonably necessary to provide a product or service requested by the consumer. The MODPA would prohibit a business from processing, sharing, or selling sensitive data in ways unrelated to delivering the requested product or service. Sensitive data includes health information, race or ethnicity, sexual orientation, citizenship or immigration status, religious beliefs, biometric or genetic information, and precise geolocation information, among others. Alongside a companion bill, the Maryland Online Child Protection Act (also known as the Maryland Kids Code), which addresses the collection and sale of children's data, the MODPA would also treat as sensitive data the personal data of a consumer that the business knows or has reason to know is a child.

Consumer rights

The MODPA establishes several consumer rights and protections related to the collecting and processing of personal data. Consumers would have the right to require the deletion of personal data provided by or obtained about them, often known as the right to be forgotten, unless retention of the personal data is required by law. Consumers would also have the right to opt out of the sale of personal data, targeted advertising, and certain automated decisions. Consumers would also have the right to request copies of their personal data and request corrections to inaccuracies in their data.

Obligations and requirements for businesses subject to the MODPA

Similar to the GDPR, the MODPA would impose obligations on 'controllers' (the person who determines the purposes and means of processing personal data either alone or jointly with others), and 'processors' (the person who processes personal data on behalf of a controller). Those obligations include the following, among others:

  • controllers would have to establish a secure and reliable method for a consumer to exercise their rights under the MODPA;
  • controllers would have to provide an effective mechanism for consumers to revoke consent for data collection and to stop processing data within 30 days from receipt of the request;
  • controllers would be prohibited from discriminating against a consumer for exercising their rights under the MODPA;
  • controllers would be required to notify the consumer in a specified manner if the controller elects not to take action on a request;
  • controllers would have to provide a consumer with the information a consumer requests free of charge, subject to certain exceptions;
  • controllers would have to establish an appeal process for consumers regarding controller decisions;
  • controllers would be required to disclose specified information if they sell personal data to third parties or process personal data for targeted advertising;
  • controllers would be required to provide their consumers with a reasonably accessible, clear, and meaningful privacy notice that includes specified information about the controller's data processing practices and information about how a consumer can exercise the rights established by the MODPA; and
  • controllers and processors would be required to enter into a written, binding contract that includes specified requirements if a controller uses a processor to process the personal data of consumers.

Enforcement and penalties

Significantly, there is no private cause of action for violations of the MODPA. Rather, the Maryland Office of the Attorney General (AG) would be responsible for its enforcement. The AG would be able to request Data Protection Impact Assessments (DPIAs) from controllers to evaluate compliance with the MODPA's requirements. Those DPIAs would be confidential and shielded from the disclosure requirements under the Maryland Public Information Act. The DPIAs would apply to processing activities that occur on or after October 1, 2025.

The enforcement scheme under the MODPA permits the AG to issue a notice of violation to a controller or processor regarding violations for which the AG determines a cure is possible. The controller or processor would have 60 days to cure the violation after receipt of the notice. If the violation is not cured within that time, then the AG is authorized to bring an enforcement action. The MODPA enumerates various factors that the AG may consider in determining whether to grant the controller or processor an opportunity to cure a violation including the number of violations, the size and complexity of the controller or processor, the likelihood of injury to the public, and whether the alleged violation was caused by a human or technical error, among others.

Violations of the MODPA would also be considered a violation of Maryland's Consumer Protection Act (MCPA), which prohibits unfair, false, and/or misleading business practices. Violations of the MCPA can result in civil money penalties of up to $10,000 for each violation and up to $25,000 for each subsequent violation. Violations of the MCPA are also considered a misdemeanor and can lead to fines (maximum $1,000) and/or imprisonment (maximum one year).

Impact and analysis

The MODPA would establish a comprehensive regulatory framework for the protection of Marylanders' personal data. Maryland's proposed legislation contains stronger data privacy protections compared to many other state laws. For example, unlike Virginia and Connecticut, the MODPA does not permit companies to collect and use data for a broad range of purposes so long as the data collection practices are disclosed in a privacy policy.

Further, the consumer rights that would be established under the MODPA are extensive. Consumers would have control over the collection and processing of their personal data including opt-out mechanisms, the right to delete their personal data, the right to notices regarding how personal data is being collected, processed, and sold, and the right to opt out of targeted advertising. Businesses that fall under the MODPA's scope would have to ensure there are mechanisms for customers to exercise their rights and may have to revise their privacy notices to comply with the law if passed.

Although there is no private cause of action, the MODPA would subject covered businesses to the MCPA, which could result in sizeable civil money penalties depending on the nature and number of violations. We will continue to monitor the MODPA as it moves through the General Assembly and update this article at the conclusion of the 2024 legislative session.

Alexandra P. Moylan Esq., CIPP/US, Partner
[email protected]
Michael J. Halaiko Esq., CIPP/E, Partner
[email protected]
Nelson Mullins Riley & Scarborough LLP, Baltimore
