Maryland Legislature Passes Comprehensive Data Privacy Bills

On April 6 and April 8, 2024, respectively, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024 (“MODPA”) and the Maryland Kids Code. The bills are awaiting Governor Wes Moore’s signature before becoming law. MODPA would mandate restrictions on how companies may collect and use consumers’ personal data in the state and is expected to have far-reaching effect on the policies and practices of companies that reach Maryland consumers. If signed the law would take effect October 1, 2025, though it will not “have effect on or application to any personal data processing activities before April 1, 2026.”

The Maryland Kids Code would prohibit social media, video game and other online platforms from tracking individuals under 18 and employing tactics like auto-playing videos or flooding children’s devices with notifications to keep kids addicted to their screens.

Assuming MODPA becomes law, Maryland will be the sixteenth state to enact comprehensive consumer data privacy legislation. (Nebraska’s Data Privacy Act is on track to be enacted shortly thereafter.) Maryland’s law is one of the toughest, despite having been modeled on the Washington Privacy Act (WPA), with provisions taken from the consumer data privacy laws of Connecticut, Delaware and Oregon and Connecticut’s consumer health provisions. MODPA contains provisions that address data minimization, sensitive data, the data privacy of minors and unlawful discrimination. The bill, however, contains no private right of action.

Significantly, compared to the laws of other states, MODPA’s data minimization requirement has a very low coverage threshold - applying to businesses that control or process personal data on more than 35,000 consumers or derive 20% of their revenue from selling the data of more than 10,000 consumers. MODPA also sets forth the first all-out ban on sensitive data sales, provides for universal-opt out mechanisms and anti-discrimination prohibitions. Maryland’s definition of “sensitive data,” like the definitions found in the statutes of Connecticut, Delaware and Oregon, includes any data related to an individual’s health, ethnicity and religion, as well as biometric data, geolocation data and data belonging to a known minor under 18. There are suggestions that the Maryland legislation may have been one impetus for the unanticipated release on April 7, 2024 of the draft American Privacy Rights Act, a bipartisan and bicameral effort to enact federal privacy legislation.

Meanwhile states are continuing their efforts to pass comprehensive privacy legislation. While the list updates regularly, 15 states have already passed legislation; Wisconsin, Pennsylvania and Vermont have bills in cross committee; and 14 states have proposed statutes in committee. Georgia and West Virginia have inactive bills, and there are still 15 states where no comprehensive bills have been introduced.