Maryland’s Proposed Data Privacy Act – Part of a Trend?

Authentication of Entire Video When Witness Observed Only Part of the Events Portrayed in the Video
March 1, 2024
Privilege Logs:  New Techniques to Achieve Proportionality – The “Certification Log”
March 4, 2024

The Maryland Online Data Privacy Act of 2024 is currently pending before the General Assembly as HB0567, cross-filed as SB0541.

Senate President Bill Ferguson said: “Maryland is a middle-temperament state. We learn from others, we’re often not the first but we aren’t the last, and so we like to learn from what’s working and what’s not….”  L. Hogan, MD politics: Lawmakers continue push for stricter online data privacy ( 13, 2024).

The Fiscal and Policy Note to HB 567 states that: “This bill establishes numerous consumer protections and regulatory requirements related to online data…. Violation of the bill is an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA), subject to MCPA’s civil and criminal penalty provisions. However, a violator is not subject to specified MCPA penalty provisions related to private causes of actions for damages.”

The Fiscal Note states that the bill will have a “[m]eaningful” effect on small business: “The bill establishes a significant regulatory framework related to online and biometric data. Thus, to the extent any small businesses in the State qualify as a controller and/or processor, they may be meaningfully affected.”

The Fiscal Note explains that the bill includes a number of definitional terms, including “controllers”[1] and “processors”[2] of consumer’s personal data, and states that the bill specifies the types of data and entities to which it does, and does not, apply.  In brief summary, if enacted, it will apply to someone that conducts business in Maryland or produces services or products “targeted” to residents and that meet certain other statutory requirements. Id. [3]

The Fiscal Note lists five categories of consumer protection and states: “The bill defines the rights a consumer may exercise to protect the consumer’s personal data, including, among other things, the right to require the deletion of personal data provided by (or obtained about) the consumer and to opt out of the processing of personal data (e.g., targeted advertising).”

However, the proposed bill will not prohibit “preserving and protecting the integrity or security of a system….”  Id.  “Additionally, the bill’s requirements may not restrict a controller’s or processor’s ability to collect, use, or retain data for internal use to effectuate a product recall, identify and repair technical errors, or perform internal operations, as specified.”  Id.

“Similar legislation has been introduced within the last three years.” Id.  That might indicate a low probability of passage.

However, the Maryland Daily Record reports that: “With support from the legislature’s presiding officers and Attorney General Anthony Brown, state lawmakers are hoping this session to establish a comprehensive data privacy law after several years in which proposals failed.”  Jack Hogan, MD politics: Lawmakers continue push for stricter online data privacy ( 13, 2024).

Mr. Hogan reported on the proponent’s goals:

“Companies should not be gathering all our information for their own profit without our knowledge and consent,” state Del. Sara Love, a Montgomery County Democrat, said during a bill hearing Tuesday. “Collecting all of this data and building these online profiles puts us at risk.”

Maryland’s comprehensive data privacy law, Love said, would grant consumers more say in what data companies can collect and how they use it.

She said her proposal is a “compromise,” adding protections but omitting a private right of action or the right for consumers to opt-in for data collection.

The new law would apply to companies controlling or processing the personal data of at least 35,000 consumers, or companies handling the data of at least 10,000 customers and receiving more than 20% of gross revenue from selling it.

The Daily Record also notes: “Private companies, industry advocates, nonprofit organizations and more have continued to push against parts of the proposal, like how it could affect advertising, including for news organizations, and whether the state should afford data collectors a right to cure, allowing them a period of time to resolve issues before facing penalties.”

Further, Mr. Hogan reported: “In a separate bill, dubbed the Maryland Kids Code, lawmakers have proposed prohibiting companies of a certain size from selling children’s information or tracking them online, among other data collection and sharing practices.”[4]

The US State Privacy Legislation Tracker (Feb. 16, 2024) reports that: “State-level momentum for comprehensive privacy bills is at an all-time high.”  It lists thirteen states as having enacted comprehensive privacy laws and nineteen with “active bills.”

In State Privacy Law Update ( 12, 2024), Lakshmi Gopal reports that these laws have “transformed” the “privacy landscape.”  She states that all of the statutes “contain a comparable basket of core consumer rights, including the right to know about, access, delete, and port [move[ personal data.”

Ms. Gopal concludes: “This year, states have shown clear willingness to establish privacy safeguards on a range of privacy issues. The states’ efforts share important commonalities, which streamline compliance. At the same time, on going state-level debate, for example, concerning the absence, or the length, of a cure period for any violation, suggest further changes through implementation or promulgations of rules lie ahead. Given continual emergence of new issues and given the increasing speed of legislative and regulatory responses, businesses should keep abreast of new developments in this field and take measures, as soon as possible, to not only ensure compliance but to develop privacy-sensitive work cultures in tune with the underlying principles driving privacy laws.”

This blog was initially posted on  Electronic Discovery Reference Model.


[1] In brief summary, a “controller” determines the purpose and means of processing personal data.

[2] In brief summary, a “processor” processes personal data on behalf of a controller.

[3] The bill is more than 33 pages long and this blog makes no attempt to exhaustively describe it.

[4] The Fiscal Note provides a comparison with the current Maryland Personal Information Protect Act.