Maryland has made headlines in the realm of data privacy legislation with the passing of the Maryland Online Data Privacy Protection Act (MODPA). This comprehensive Maryland privacy law introduces novel provisions and sets a new standard for consumer protection in the state.
Privacy Attorney David Strauss says, “Maryland took the existing WPA model and grafted on concepts from the federal American Data Privacy and Protection Act. The idea is to create a law that is more consumer protective than the existing laws in states like Connecticut, Colorado, Oregon, and Delaware through the use of novel data minimization and other requirements. In doing so, Maryland injects a new wrinkle into the state privacy law debate much like Washington did with last year’s My Health My Data Act.”
Let’s dive into the specifics of the new Maryland privacy law, MODPA.
Context and Significance
- Innovative Approach: The Maryland privacy law has merged elements of the existing Washington Privacy Act (WPA) with concepts from the federal American Data Privacy and Protection Act to create a more consumer-centric law.
- Low Applicability Threshold: Despite its population size, the Maryland privacy law’s threshold for applicability is set at 35,000 consumers, making it one of the lowest in the nation.
Data Minimization
- Core Provision: MODPA emphasizes data minimization, requiring controllers to limit data collection to what is reasonably necessary for providing requested products or services.
- Sensitive Data Protection: The Maryland privacy law prohibits the sale of sensitive data and mandates strict limitations on the collection, processing, and sharing of such data.
Protection for Minors
- Targeted Advertising: Controllers are barred from processing personal data for targeted advertising or selling the data of consumers under 18 years old.
- Age Verification Implications: The inclusion of a “should have known” standard raises questions about the need for age verification measures, potentially impacting First Amendment rights.
Enforcement and Effective Date
- Attorney General Enforcement: The Maryland Attorney General will enforce MODPA, with a limited right to cure violations expiring in 2027.
- Effective Date: The law is slated to take effect on October 1, 2025, providing businesses with time to prepare for compliance.
Unique Features and Implications
- Universal Opt-Out Mechanisms (UOOMs): The Maryland privacy law introduces UOOMs as an alternative to traditional “do not sell” mechanisms, offering flexibility for compliance.
- Sunset Provision on Right to Cure: The inclusion of a sunset provision on the right to cure violations highlights Maryland’s enforcement strategy and the role of the Attorney General in overseeing compliance.
Maryland’s MODPA represents a significant step forward in state privacy legislation, setting a new standard for consumer protection and data governance. With its emphasis on data minimization, enhanced protections for minors, and innovative enforcement mechanisms, the law underscores the state’s commitment to safeguarding individual privacy rights in the digital age.
As businesses navigate the evolving landscape of data privacy regulations, proactive measures to ensure compliance with MODPA will be essential. Stay tuned for further insights and analysis as Maryland prepares for the implementation of this groundbreaking legislation.