Maryland's new comprehensive data privacy law, the Maryland Online Data Privacy Act, was recently signed into law by Governor Moore. This brings the total number of state "comprehensive" privacy laws to 18, five of which have been passed in 2024. Maryland's law will take effect in 2025 along with several others. Maryland's effective date is October 1, 2025 (after Tennessee (July 1, 2025) and before Indiana and Kentucky (January 1, 2026)). For a full list of effective dates, as well as other details of these state privacy laws, visit our resource page.
While many provisions mirror that which we have seen in other states, there are some differences. Key provisions of the law include the following:
- Applicability. Maryland's law will apply to businesses that either (1) process personal data of at least 35,000 Maryland residents; or (2) control or process personal data of at least 10,000 consumers and derive more than twenty percent of their gross revenue from the sale of personal data. The law exempts certain non-profits. It also has entity-level HIPAA and GLBA exemptions. The law covers only consumers, not employees.
- Collection and Notice Obligations. The content requirements for privacy policies under the Maryland law echoes that in other jurisdictions. Additionally, the law will require that businesses describe categories of third parties with whom information is shared in sufficient detail that a consumer can understand the type of, business model of, or processing conducted by each third party. This is similar only to Oregon's privacy law. The Maryland law will also require information collected to be aligned with what is needed to provide someone with a product or service. This differs from other states, with minimization provisions tied to specified purposes (i.e., what is disclosed to someone). Finally, unlike other states, Maryland's law has a non-discrimination provision: companies cannot collect, use, process information in a way that "unlawfully discriminates" against someone.
- Sensitive Information. Businesses that process the sensitive information of Maryland residents will need to first get consent. The list of information deemed "sensitive" is familiar and aligns with other state laws. The law also contains data minimization obligations for sensitive data, which differs from other states. Also different, businesses will not be able to sell sensitive information. There are no exceptions listed for this prohibition.
- Health Data. Maryland's law also contains provisions specific to consumer health data, unlike other state privacy laws. Employees and contractors will not be able to access this information unless they have signed a confidentiality agreement, or confidentiality is a condition of employment. Processors are not allowed access to consumer health data unless they, and the controller, both comply with Maryland's law.
- Minors.In addition to mirroring parental consent provisions of other states, Maryland also prohibits selling children's information. Under the law, companies will also not be able to engage in targeted advertising to children. Children are defined as those under 18. These obligations apply both with actual knowledge, as well as if the company "should have known" the person was a child.
- Consumer Rights. Maryland consumers will have rights (access, correction, deletion) that mirror those provided by other state laws. Like other states, businesses cannot discriminate against a consumer for exercising their rights. Timing will be 45 days. Consumers can also designate an authorized agent to submit the request on their behalf. Maryland departs from other states as far as universal opt-out mechanisms. Businesses can provide an online opt-out link mechanism or recognize a universal opt-out mechanism.
- Impact Assessments. Like all states except Iowa and Utah, businesses must conduct data protection impact assessments if processing data that presents a heightened risks to consumers. This includes processing consumer data for targeted advertising, risky profiling, selling consumer data, or processing sensitive information. Unlike other states, Maryland's this includes a data protection assessment "for each algorithm that is used." Unfortunately, the law is silent as to what is meant by "algorithm."
Consumers do not have a private right of action. The law contains a 60-day cure period which sunsets on April 1, 2027. The law does not provide for additional rulemaking.
Putting it Into Practice: Over a third of US jurisdictions now have "comprehensive" privacy laws. We may reach half of states -if not more- by the end of this year. With this in mind, now is a good time for companies to revisit their privacy programs to ensure they are sufficiently flexible and adaptable.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.