Maryland Becomes the Next Chip to Fall in US Data Privacy Dominoes
Data privacy is a hot topic as legislators at both the state and federal level reckon with developing guardrails to safeguard consumer data and privacy in the wake of increasingly sophisticated technology advances and artificial intelligence. The rush of state legislatures to enact protections has resulted in a patchwork approach, creating a compliance conundrum for businesses with multistate operations, as inconsistent state-level approaches require implicated businesses to establish separate policies and procedures for relatively small collections of users in different states. For early-stage companies trying to bootstrap growth with a limited number of employees, the burdens created by these disparate state laws may create impassable roadblocks to success.
This article highlights the Maryland Online Data Privacy Act of 2024 that was enacted only last week, along with other recent state and federal developments.
Maryland Online Data Privacy Act of 2024
Last week, Maryland became the most recent state to pass what is now one of the most comprehensive data privacy laws in the country with the enactment of the Maryland Online Data Privacy Act of 2024 (MODPA). MODPA is similar to other state consumer privacy laws that pre-date this legislation; however, MODPA contains key provisions that may require companies affected by MODPA to adjust their compliance programs.
The triggers for MODPA’s application are much lower than the majority of existing state privacy laws. Specifically, MODPA applies to businesses that control or process personal data or provide products or services that are targeted to Maryland residents, and during the immediately preceding calendar year, either:
Controlled or processed data with respect to more than 35,000 consumers, or
Controlled or processed data with respect to more than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.
For businesses meeting the above definition, MODPA imposes a number of restrictions and obligations, including, for example, restrictions on the sale of personal data and a limitation on the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer, among a host of other restrictions and obligations.
MODPA’s overarching prohibition on the sale of “sensitive data,” which is defined to (among other things) include consumer health data such as genetic or biometric data, is unique among state privacy laws and makes MODPA one of the most onerous state data privacy laws from a compliance perspective.
MODPA will go into effect October 1, 2025, but will not apply to personal data processing activities before April 1, 2026.
Other Recently Enacted State Privacy Laws - 2024
Although Maryland now leads the pack as one of the most restrictive state regulatory schemes for data protection laws, it is one of many states in the last several years to enact state privacy legislation. It’s the third state to enact such a law in 2024 alone, on the heels of Kentucky and New Hampshire.
Kentucky: On April 4, 2024, the Governor of Kentucky signed into law the Kentucky Consumer Data Protection Act (KCDPA). KCDPA is generally modeled after Virginia’s privacy law passed in 2021. Unlike other states’ legislative approaches that take a broader view of privacy restrictions (a la California or Colorado), Kentucky limits its definition of “sale of personal data” to include only “exchange[s] of personal data for monetary consideration.” The law will go into effect January 1, 2026.
New Hampshire: On March 6, 2024, the Governor of New Hampshire signed into law SB 255, a comprehensive state data privacy law that, like most comprehensive state privacy laws, contains fundamental data minimization, purpose limitation, and data protection requirements. Similar to MODPA, SB 255 applies to persons that “conduct business” in New Hampshire or offer products or services that are targeted to residents of New Hampshire, and that in the period of a year either (i) controlled or processed the personal data of not less than 35,000 unique consumers; or (ii) controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. The law will go into effect January 1, 2025.
To date, with the addition of Maryland, 16 states (California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire) have enacted comprehensive consumer data privacy laws and many more have proposed legislation in the pipeline.
Proposed Federal Legislation
At the federal level, the House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) recently unveiled the American Privacy Rights Act (APRA). The purpose of the draft bipartisan, bicameral federal privacy bill is to “establish a uniform national data privacy and data security standard” in the U.S. As a result, the draft legislation would generally preempt state privacy laws, with some exceptions.
As currently drafted, APRA would apply to covered entities that, alone or jointly with others, determine the purposes and means of collecting, processing, retaining, or transferring covered data, and are: (i) subject to the FTC Act; (ii) common carriers; or (iii) an organization not organized to carry on business for their own profit or that of their members. APRA also applies to service providers of such covered entities. The protections provided by APRA are generally similar to many state privacy laws, but the definition for “sensitive covered data” is more expansive. See the section-by-section of the draft legislation here.
For additional information on consumer privacy laws, please contact Jennifer Whitton or Laurice Rutledge Lambert.
Authors: Jennifer Whitton, Dorrin Shams