Maryland Online Data Privacy Act:
A New Privacy Standard?

The Maryland General Assembly has continued the national trend of states passing their own comprehensive data privacy laws, in the absence of a federal standard. On April 8, 2024, the Assembly gave its final approval to the Maryland Online Data Privacy Act (MD-ODPA), sending it to Governor Moore’s desk for signing.

While the new law definitely takes most of its content and structure from similar laws from other states, it is more than a mere copy. Notably, the MD-ODPA seems to be inspired by recent changes to Connecticut and Virginia's privacy laws on the subject of consumer health data and children’s data, respectively. It also strikes out on its own in a few ways that could potentially become significant. Time will tell whether this signals an evolution of the standard model for state privacy laws.

Here is a brief introduction to the Maryland Online Data Privacy Act and what it means for businesses.

When Does the Law Go Into Effect?

The Maryland privacy law goes into effect on October 1, 2025.

What Organizations Must Comply?

The Maryland Online Data Privacy Act applies to any person or organization that does business in the state or targets its products or services toward state residents, and meets at least one of the following requirements:

• Controls or processes the personal data of at least 35,000 state residents per year (excluding data processed solely to complete a payment transaction), OR
• Controls or processes the personal data of at least 10,000 state residents per year AND derives over 20% of its revenue from the sale of personal data

For a state of Maryland’s size (with approximately 6 million residents), these consumer thresholds are on the lower end of the spectrum. For comparison, Colorado’s privacy law has a minimum consumer threshold of 100,000, even though that state’s total population is slightly lower at 5.8 million residents. The result is that the MD-ODPA has the potential to apply to more small businesses than other privacy laws.

It’s also worth noting that the MD-ODPA can apply to nonprofit organizations.

What Rights Do Consumers Have Under Maryland's Law?

The MD-ODPA gives consumers the following rights.

• Right to Know - Consumers have the right to confirm whether a business is processing their personal data and to access that data.

• Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.

• Right to Delete - Upon request, businesses must delete personal data concerning the consumer.

• Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.

• Right to Opt Out - Consumers can opt out of:

• • The sale of their personal data 
    • Note: Businesses are not allowed to sell any sensitive data
  • Targeted advertising
  • Profiling in furtherance of automated decisions that produce legal or similarly significant effects

Can Businesses Be Sued by Consumers?

The MD-ODPA does not grant a private right of action to consumers, meaning they cannot sue an organization over violations. 

What’s Different in this Law?

The MD-ODPA deviates a bit from what has become the standard model for state privacy laws. In some sections it has incorporated unique amendments by other states, in other places it sets out new rules not found anywhere else.

Personal Data from Minors

Most state privacy laws apply special rules to the processing of personal data from children under the age of 13. However, general concern is growing among lawmakers that at least some of these protections should be expanded to all minors under the age of 18, such as in the case with Virginia’s recent changes to its privacy law.

Maryland’s new privacy law is somewhere in the middle. As with other states, data from children under 13 is considered “sensitive data” the processing of which is significantly restricted (see more on that below). The MD-ODPA goes even further by completely prohibiting the sale of the personal data of minors under the age of 18, or the use of their data for targeted advertising. These rules apply if the business “knows or should have known” that the consumer was a minor; unfortunately, the MD-ODPA doesn’t provide much guidance on what that means.

Consumer Health Data

Consumer health data is another area that has been singled out lately for special privacy protections. Connecticut, for example, passed major amendments to its privacy law on the subject. The overall concern is that certain data can be used to identify a consumer’s health condition (which most people would agree is sensitive information), but it falls completely outside of HIPAA protections. 

For example, a retailer may infer from a woman’s purchase of maternity clothes and prenatal vitamins that she is pregnant. Alternatively, a business could establish a virtual geofence around a doctor’s office and identify people who come and go from that location.

Maryland’s privacy law borrows heavily from the Connecticut model. Consumer health data is defined as any data that a business “uses to identify a consumer’s physical or mental health status,” and the following rules apply to its processing:

• It is considered “sensitive data,” which means it may only be processed when strictly necessary, and the business may not sell it under any circumstances.
• All employees who handle consumer health data must be subject to a duty of confidentiality.
• All processors who handle consumer health data must be contractually limited in how they can use it.
• Businesses may not establish a geofence within 1,750 feet of a mental health or reproductive health facility for the purpose of tracking, identifying, collecting data from, or sending notifications to a consumer regarding their health data.

As with the Connecticut law, one of the biggest hurdles for businesses will be determining which data counts as consumer health data. Any company in a field that is even remotely health-related should take a careful look at their privacy practices.

Data Minimization

The MD-ODPA takes a stricter approach when it comes to data minimization, and the implications for compliance are not entirely clear.

Here is what the Maryland law says about the duty to minimize data collection:

Now compare it to the language from the Colorado Privacy Act:

Instead of being necessary in relation to the processing purposes specified in a business’s privacy notice, all data collection must be necessary and proportionate to provide or maintain a specific product or service requested by the consumer. 

How does this apply in the context of an eCommerce website that uses targeted advertising? Is that collection of data necessary to “maintain” the website, and is the site a “specific service requested by the consumer”? Perhaps. The law certainly contemplates the use of targeted advertising (via opt-out rights), so we’re stuck with trying to figure out how it fits within this strict data minimization rule.

Sensitive Data

The MD-ODPA also varies significantly in its general rule regarding sensitive data. Most other state privacy laws require prior consent for processing sensitive data. While the Maryland law similarly defines what sensitive data is, it prohibits all processing of sensitive data unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer.

Consent does not appear to overcome this restriction. In fact, a previous draft of the statute stated that sensitive data processing was only allowed if strictly necessary and the consumer consented to it.

Cross-Country Privacy Compliance

The pace of state privacy legislation is picking up, with many more states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.

TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Built by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.

To learn more about how TrueVault US can help your business, contact our team today.