The Old Line State Does Something New on Privacy
On April 6, the Maryland Senate concurred with House amendments to SB 541, the Maryland Online Data Privacy Act (MODPA), sending the bill to Governor Moore for signature. If enacted, MODPA could be a paradigm-shifting addition to the state privacy law landscape. While recent state comprehensive privacy laws generally have added to the existing landscape in an iterative fashion by making adjustments to the popular Washington Privacy Act (WPA) framework, MODPA is a significant departure from the status quo. Infused with elements derived from the 2022 proposed federal privacy bill, the American Data Privacy and Protection Act of 2022 (ADPPA), MODPA includes novel provisions concerning data minimization, civil rights, and more. In light of these significant substantive differences, there is an argument that MODPA should be regarded as a distinct third model for state comprehensive privacy laws.
In this blog post, we highlight 10 things to know about MODPA that set Maryland apart in the state privacy law landscape.
1. Novel Data Minimization Rules Create Potential Tension with Purpose Limitation Rule
MODPA’s approach to data minimization—default limitations on the ability to collect personal data—sets Maryland apart in the state privacy landscape. Prior to MODPA, state privacy laws typically restricted the collection and use of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the data is processed. California, in its regulations, follows a different rule that provides that purposes for which personal information is collected or processed must be consistent with individuals’ reasonable expectations and that collection and processing must be limited to what is reasonably necessary and proportionate to achieve a disclosed purpose.
MODPA establishes a new data minimization framework that places default limitations on both the collection and the processing of personal data. Influenced by the ADPPA, MODPA provides that a controller shall “limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” This is a substantive limit on the purposes for which a controller may collect personal data. When it comes to processing more broadly, however, MODPA includes the standard purpose limitation rule seen in a majority of the states—unless a controller obtains consent, the controller shall not “process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer.”
The distinct standards for “collection” and “processing” create a potential tension between these rules, given that “process” is defined to include “collecting,” which could be read to mean that a controller can collect personal data when not reasonably necessary if the controller obtains consent.
With respect to sensitive data (which, as discussed below, is defined broadly), MODPA again establishes new substantive limits that differ from those in other states. Under MODPA, controllers are prohibited from collecting, processing, or sharing sensitive data except where the collection or processing is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” This is different from the states’ existing approaches—California allows individuals to opt-out of unnecessary sensitive data processing, whereas most other states require opt-in consent for sensitive data processing.
This new data minimization paradigm has at least three significant ambiguities:
- What are the criteria for assessing when collection, processing, and sharing are ‘reasonably’ or ‘strictly’ necessary?
- What does it mean to provide or maintain a product or service?
- What does it mean for a product or service to be ‘specifically requested’ by a consumer?
The answers to these questions will have a significant impact on businesses, especially with respect to back-end data uses that are not apparent in a business-customer relationship, such as product improvement and the launch of new products and features.
This new paradigm also increases the importance of exceptions and limitations to the law, given that controllers will now face stronger limits on the purposes for which they can collect or process personal data. Section 14–4612, for example, preserves controllers’ and processors’ ability to collect, use, or retain personal data for certain internal uses, such as identifying and repairing technical errors or performing internal operations that are either (1) “reasonably aligned with” the consumer’s reasonable expectations or can be “reasonably anticipated based on the consumer’s existing relationship with the controller,” or (2) compatible with processing data in furtherance of providing a specifically requested product or service or performance of a contract. Even if a controller or processor is relying on an exception to justify a processing activity, however, that processing must still be both “reasonably necessary and proportionate” to the excepted purpose and “adequate, relevant, and limited to what is necessary in relation to the specific purpose listed.”
In adopting these data minimization provisions, Maryland has forged a new path in state privacy law. This approach could provide significant protections for individuals by limiting the collection and use of personal data to purposes that more closely align with reasonable expectations. On the other hand, this approach could foreclose certain socially beneficial and low-risk processing activities that are ancillary to the business-consumer relationship. As stakeholders wait to see the full impact of this approach develop over time, all eyes will be on other state legislatures currently considering similar such standards.
2. Prohibitions against Selling Sensitive Data, Targeted Ads to Minors, and Selling Minors’ Personal Data
MODPA’s strong data minimization rules are supplemented by additional prohibitions on specific processing activities, including:
- selling sensitive data (defined broadly to include exchanges for non-monetary valuable consideration);
- processing the personal data of an individual for the purpose of targeted advertising if the controller knew or should have known that the individual is under the age of 18; and
- selling the personal data of an individual if the controller knew or should have known that the individual is under the age of 18.
These are flat prohibitions with no specific opt-in consent alternatives. The “should have known” standard for minors’ data also differs from the “willfully disregards” standard included in other state laws and could arguably be interpreted as requiring age-gating of online products and services, as explored by Husch Blackwell’s David Stauss. These prohibitions are still subject to the exceptions to MODPA found in Section 14–4612, such as the performance of a contract to which a consumer is a party.
3. Novel Civil Rights Protection Applicable to Processing Publicly Available Data
State privacy laws typically prohibit controllers from processing personal data in violation of state or federal laws that prohibit unlawful discrimination. MODPA incorporates an additional civil rights protection derived from the ADPPA that prohibits controllers from collecting, processing, or transferring personal data or publicly available data “in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability,” subject to limited exceptions (including self-testing to prevent or mitigate unlawful discrimination and diversifying an applicant or customer pool). One thing to note is that this provision uses the undefined term “publicly available data” rather than the defined term “publicly available information.” Assuming the drafters meant publicly available information, including processing of that data in this provision is notable given that publicly available information is generally outside the scope of the bill and other state privacy laws. Another notable aspect of this prohibition is that it only prohibits unlawful discrimination, which is potentially a higher threshold than other potential standards, such as all discrimination or unjustified differential treatment.
4. Heightened Protections for Consumer Health Data
2023 was notable for a rise in consumer health privacy laws, including the enactment of the Washington My Health My Data Act (WMHMDA) and the Nevada Consumer Health Data Privacy Law. Connecticut also introduced a novel requirement in 2023 when it passed SB 3, which amended the state’s nascent comprehensive privacy law to include expanded protections for “consumer health data” above and beyond what was already covered by its definition of sensitive data. MODPA incorporates Connecticut-style protections for consumer health data, which it defines as “personal data that a controller uses to identify a consumer’s physical or mental health status” and which includes data related to “gender-affirming treatment or reproductive or sexual health care.” Unlike CT SB 3, however, it appears that under MODPA a person must meet the applicability thresholds of the Act to be subject to these provisions. Additionally, because consumer health data is included in the definition of sensitive data, the minimization rule limiting the collecting, processing, or sharing of sensitive data to what is “strictly necessary” to provide or maintain a product or service applies to consumer health data as well. This could mean that MODPA creates stricter requirements for the use of most health information than WMHMDA, which has an opt-in consent alternative to its “necessary” health data processing standard. For more on WMHMDA’s necessity standard, see this recent analysis from Hintze Law’s Kate Black and Felicity Slater and FPF’s Jordan Wrigley and Niharika Vattikonda.
5. Data Protection Assessments May Have Narrower Applicability but Broader Scope
Like most state privacy laws, MODPA will require a controller to conduct and document a data protection assessment (DPA) for each of their processing activities that “present a heightened risk of harm to a consumer.” MODPA’s requirements for conducting a DPA, however, contain a number of unique provisions that could require covered entities to rework their internal strategies for conducting assessments:
- Exclusive: Like many states based on the WPA framework, MODPA requires a DPA for processing personal data for targeted advertising, sale of personal data, processing sensitive data, and processing personal data for profiling that presents a reasonably foreseeable risk of certain enumerated harms. However, in contrast to those other states, MODPA provides that heightened risk of harm “means” those activities rather than “includes” those activities. MODPA thus has an exclusive rather than inclusive standard for when a DPA is required, and therefore, the scope of when a DPA is required could be narrower than under other laws.
- Algorithms: Under MODPA, a controller shall conduct DPAs for processing activities that present a heightened risk of harm, “including an assessment for each algorithm that is used.” This requirement is novel and, if read strictly (a definition of “algorithm” is not provided), could require covered organizations to conduct hundreds or thousands of assessments.
- Necessity & Proportionality: MODPA contains a novel DPA provision that requires controllers to consider “the necessity and proportionality of processing in relation to the stated purpose of the processing.” This requirement ties back to the general data minimization rule that collection of personal data must be “reasonably necessary and proportionate to provide or maintain a specific product or service requested.”
6. Broad and Divergent Definitions
MODPA’s definitions contain a number of unique and divergent definitions compared to other state privacy laws, including—
- Biometric Data: The definition of biometric data in MODPA is broad, encompassing data that can be used to uniquely identify a consumer’s identity. This differs from most state privacy laws which instead limit biometric data to include only data that are, or are intended to be, used to identify an individual.
- Decisions that Produce Legal or Similarly Significant Effects: MODPA follows the majority of states in allowing individuals to opt out of solely automated profiling in furtherance of decisions that produce legal or similarly significant effects, but MODPA does not include decisions relating to insurance in that definition.
- De-identified data: MODPA cross-references the Maryland Genetic Information Privacy Act to define de-identified data. Although that definition is substantially similar to the language found in a majority of state comprehensive privacy laws, it is not identical because it does not address data that can reasonably be used to infer information about or otherwise be linked to a device that may be linked to an identified or identifiable consumer.
- Publicly Available Information: MODPA incorporates Utah’s three-part definition of publicly available information, which, in contrast to narrower definitions in states like Connecticut or Delaware, includes information obtained from a person to whom the consumer disclosed the information if the consumer did not restrict that information to a specific audience. Although this broader definition generally exempts more data from coverage under the bill than under other laws, publicly available information is still subject to MODPA’s novel civil rights protection highlighted above. Publicly available information does not include biometric data collected by a business without a consumer’s knowledge.
- Sale of Personal Data: MODPA broadens the definition of sale to explicitly include exchanges of personal data to third parties by processors and affiliates of controllers or processors.
- Sensitive Data: MODPA’s definition of sensitive data includes many elements seen in laws enacted in recent years (such as data revealing sex life, sexual orientation, or status as transgender or nonbinary). It is also broader than other states’ definitions in a few ways.
  - In contrast to Connecticut, sensitive data includes data revealing consumer health data (rather than “is” consumer health data).
  - Sensitive data includes biometric data which, as specified above, is broader than in other state laws.
  - Sensitive data includes personal data “of a consumer that the controller knows or has reason to know is a child.” This differs from “known child” language seen in other states.
7. Low Applicability Thresholds & Limited Entity-level Exemptions
MODPA will apply to persons that either (1) control or process the personal data of at least 35,000 consumers during a calendar year, excluding data processed solely for the purpose of completing a payment transaction, or (2) control or process the personal data of at least 10,000 individuals and derive more than 20% of gross revenue from the sale of personal data. These thresholds are uniquely low relative to Maryland’s population of 6.2 million. For comparison, Colorado has a similar population of 5.9 million but sets thresholds of 100K and 25K, whereas Delaware has similar thresholds of 35K and 10K but a total population of only 1 million.
In addition to the low applicability thresholds, MODPA includes notable entity-level and data-level exemptions. MODPA includes an entity-level exemption for financial institutions and affiliates (and data) subject to GLBA. Additionally, although nonprofits are generally subject to MODPA, there is a specific exemption for non-profits that process or share personal data solely for the purpose of assisting either law enforcement in investigating insurance crime or fraud or “first responders in responding to catastrophic events.” MODPA includes data-level exemptions for data subject to HIPAA, FCRA, FERPA, and personal data collected by or on behalf of a person subject to Maryland’s Insurance article “in furtherance of the business of insurance.”
8. No Fraud Exception for Complying with Opt-out Requests
The Act provides relatively standard consumer rights of access, correction, deletion, portability, and to opt-out of targeted advertising, sales of personal data, and solely automated profiling in furtherance of decisions with legal or similarly significant effects. Unlike other state laws, however, MODPA does not give controllers an explicit right to reject opt-out requests that are suspected to be fraudulent.
9. Enforcement is Vested in the Attorney General, but Other Remedies Provided by Law Are Not Foreclosed
Violations of MODPA are tied to the Maryland Consumer Protection Act, and the Act specifically denies private enforcement under Md. Code Com. Law § 13-408, leaving enforcement solely with the Division of Consumer Protection of the Office of the Attorney General. However, the Act specifies that “[t]his section does not prevent a consumer from pursuing any other remedy provided by law.” This language differs from that seen in other states, some of which say that nothing in the law shall be construed as providing the basis for a private right of action for violations of that law “or any other law.” This provision thus could be interpreted as allowing individuals to bring private suits for violations under other causes of action. Similar concerns were raised by industry members when New Jersey enacted S332 in January.
10. Notice Required for Third-Party Use Inconsistent with Past Promises
MODPA contains a novel provision requiring that “[i]f a third party uses or shares a consumer’s information in a manner inconsistent with the promises made to the consumer at the time of collection . . . , the third party shall provide an affected consumer with notice of the new or changed practice before implementing the new or changed practice,” so as to allow a consumer to exercise their rights under the Act. The scope of this provision is ambiguous as the Act neither defines information nor specifies when a third party’s use or sharing of information is inconsistent with promises made to an individual. Additionally, the notice provision does not specify any requirements with respect to consent (such as allowing an individual to revoke previously given consent).
Conclusion
MODPA could portend a paradigm shift in state privacy laws if policymakers in other states follow suit and venture towards rules that impose default limitations on companies’ ability to collect and use personal data. Much will depend on how MODPA’s novel provisions are interpreted. As David Stauss identified in his analysis of MODPA, the Maryland Attorney General has inherent, permissive rulemaking authority with respect to unfair or deceptive trade practices, so it is possible that clarifying regulations could be issued to guide compliance.
On April 6, Maryland became the second state to pass an Age-Appropriate Design Code when the Maryland Senate concurred with House amendments to SB 571. That bill, if enacted by the Governor, will take effect on October 1, 2024, a year before MODPA would take effect. Stay tuned for FPF’s forthcoming analysis of the Maryland Age-Appropriate Design Code Act.