Maryland Online Data Privacy Act: Key Provisions and Implications

Maryland Legislature Passes Maryland Online Data Privacy Act

In a landmark move, the Maryland legislature recently passed the Maryland Online Data Privacy Act (MODPA), pending the Governor’s signature. If signed into law, Maryland will join a growing list of states with comprehensive privacy legislation, including California, Virginia, and Colorado.

The MODPA contains unique provisions that will require careful analysis to ensure compliance. These provisions include data minimization requirements, restrictions on the collection, sale, or transfer of sensitive data, and consumer health data-related obligations. Companies operating in Maryland will need to pay close attention to these new requirements to avoid potential penalties.

One key aspect of the MODPA is its scope, which applies to processors targeting Maryland residents and processing the data of a certain number of Maryland consumers. The Act also includes exemptions for certain entities, such as nonprofits and financial institutions, as well as protected health information under HIPAA.

Consumer rights are also a focal point of the MODPA, providing consumers with access, correction, deletion, and portability rights. Additionally, consumers will have the right to opt-out of processing for targeted advertising, the sale of personal data, and profiling for automated decisions.

Data minimization requirements are another important aspect of the MODPA, restricting the collection of personal data to what is reasonably necessary. The Act also prohibits the sale of sensitive personal data and imposes restrictions on the collection, processing, or sharing of such data.

Consumer health data is given special attention under the MODPA, with strict requirements for its handling and processing. The Act also prohibits the use of geofence technology to collect data related to consumer health.

Other provisions of the MODPA include protections for consumers under 18 years old, anti-discrimination measures, data protection assessments, and restrictions on loyalty program conditions.

Enforcement of the MODPA will be overseen by the Maryland Attorney General, with a 60-day cure period for violations. Companies operating in Maryland will need to ensure compliance with the Act to avoid potential penalties and legal action.

Overall, the passage of the Maryland Online Data Privacy Act represents a significant step towards protecting consumer privacy in the state and ensuring that companies handle personal data responsibly.