April 19, 2024 - by Colleen Aracri

What to Know About Maryland's Consumer Data Privacy Act 

On April 6, 2024, the Maryland Legislature passed the Maryland Online Data Privacy Act of 2024 (MODPA), sending the comprehensive privacy bill to Governor Wes Moore to sign into law. MODPA shares similarities with previous state privacy laws but introduces unique provisions that could require affected companies to adjust their compliance programs. MODPA would take effect on October 1, 2025; however, it will not “have any effect on or application to any personal data processing activities before April 1, 2026.”

MODPA applies to any entity or person who conducts business in Maryland or provides services or products targeted to Maryland residents and, during the immediately preceding calendar year, either controlled or processed the personal data of at least 35,000 Maryland consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or controlled or processed the personal data of at least 10,000 Maryland consumers and derived more than 20% of gross revenue from the sale of personal data.

MODPA’s applicability thresholds are significantly lower than those of most other state consumer privacy laws. MODPA defines “personal data” as information that is linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data and publicly available information.

In cases involving violations that occur up to April 1, 2027, the attorney general can issue a notice allowing a 60-day window for remediation. Failure to address the issue within this period may lead to enforcement action by the attorney general. Penalties for violations can reach up to $10,000 per violation, escalating to $25,000 for repeat offenses.

MODPA incorporates entity-level and data-level exemptions to its regulations. At the entity level, exemptions cover administrative, advisory, regulatory, executive, appointive, legislative, or judicial bodies or instrumentalities of the state of Maryland; nonprofit organizations aiding law enforcement investigations; national securities associations under the Securities Exchange Act of 1934 or registered futures associations under the Commodity Exchange Act; and financial institutions regulated by the Gramm-Leach-Bliley Act. Moreover, MODPA's data-level exemptions align with federal laws like HIPAA, the Common Rule, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, and others.

Controllers operating under MODPA are bound by a series of obligations aimed at safeguarding personal data and respecting consumer privacy rights. These obligations include restricting the collection of personal data to what is necessary for providing requested products or services and avoiding processing personal data for secondary purposes absent consumer consent. Additionally, controllers must establish and maintain robust data security practices to protect the confidentiality, integrity, and accessibility of personal data. They are prohibited from collecting, processing, or sharing sensitive data unless strictly necessary to fulfill consumer requests, and are forbidden from selling such data. Moreover, controllers must refrain from processing personal data in violation of anti-discrimination laws and must not engage in targeted advertising to, or sell the personal data of, minors without appropriate consent. Furthermore, MODPA mandates that controllers provide consumers with clear and accessible privacy notices containing the disclosures common to state consumer privacy laws, ensuring transparency and informed decision-making regarding data usage.

While there is no comprehensive federal online data privacy act in the United States that provides overarching regulation specifically focused on online data privacy, the federal government has enacted several sector-specific data privacy laws to protect personal data and regulate the activities of organizations that collect, process, or handle such data. These acts include the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, which primarily focuses on protecting the privacy and security of individuals' health information.

Another key act is the Gramm-Leach-Bliley Act (GLBA), passed in 1999, which requires financial institutions to explain their information-sharing practices to customers and safeguard sensitive data, including non-public personal information (NPI) such as financial records and account information. Additionally, the Children's Online Privacy Protection Act (COPPA), enacted in 1998 and revised in 2013, regulates the online collection of personal information from children under the age of 13, requiring website operators and online service providers to obtain verifiable parental consent before collecting such data.

The Fair Credit Reporting Act (FCRA), which was passed in 1970 and amended multiple times, regulates the collection, dissemination, and use of consumer credit information to ensure accuracy, fairness, and privacy, including provisions for consumer access to credit reports and procedures for correcting inaccuracies. Finally, the Electronic Communications Privacy Act (ECPA), enacted in 1986, governs the interception of electronic communications and unauthorized access to electronic communications and stored electronic data, including wiretapping, electronic surveillance, and restrictions on disclosure by law enforcement agencies.

These federal data privacy acts represent significant efforts to protect individuals' privacy rights and regulate the handling of personal data across various sectors and contexts. However, ongoing discussions and proposals for additional federal legislation aim to address emerging privacy challenges, such as a comprehensive consumer data privacy law that would give individuals greater control over their personal information and establish uniform standards for data protection.