Maryland Online Data Privacy Act of 2024 (“MODPA”) (MD. Commercial Law Code § 14-4701, et seq.) (Effective October 1, 2025)

Maryland Online Data Privacy Act of 2024 (“MODPA”)

MD. Commercial Law Code § 14-4701, et seq.

Effective: October 1, 2025

 

SUMMARY:

The Maryland Online Data Privacy Act of 2024 establishes regulations for how controllers and processors handle consumers' personal data. It grants consumers specific rights regarding their data, including the ability to request its processing or opt-out, and allows them to designate agents to act on their behalf. Controllers must provide privacy notices, ensure contracts with processors, and perform data protection assessments for high-risk processing activities. Violations of the Act are considered unfair or deceptive trade practices, subject to enforcement and penalties under the Maryland Consumer Protection Act.

 

CITATION:

Commercial Law

Title 14 - Miscellaneous Consumer Protection Provisions

Subtitle 47 - Maryland Online Data Privacy Act of 2024

 

§14–4701.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    In this subtitle the following words have the meanings indicated.

    (b)    “Affiliate” means a person that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another person, such that the person:

        (1)    Owns or has the power to vote more than 50% of the outstanding shares of any voting class of the other person’s securities;

        (2)    Has the power to elect or influence the election of a majority of the directors, members, or managers of the other person;

        (3)    Has the power to direct the management of the other person; or

        (4)    Is subject to the other person’s exercise of the powers described in item (1), (2), or (3) of this subsection.

    (c)    “Authenticate” means to use reasonable means to determine that a request to exercise a consumer right in accordance with § 14–4705 of this subtitle is being made by, or on behalf of, a consumer who is entitled to exercise the consumer right with respect to the personal data at issue.

    (d)    (1)    “Biometric data” means data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity.

        (2)    “Biometric data” includes:

            (i)    A fingerprint;

            (ii)    A voice print;

            (iii)    An eye retina or iris image; and

            (iv)    Any other unique biological characteristics that can be used to uniquely authenticate a consumer’s identity.

        (3)    “Biometric data” does not include:

            (i)    A digital or physical photograph;

            (ii)    An audio or video recording; or

            (iii)    Any data generated from a digital or physical photograph or an audio or video recording, unless the data is generated to identify a specific consumer.

    (e)    “Business associate” has the meaning stated in HIPAA.

    (f)    “Child” has the meaning stated in COPPA.

    (g)    (1)    “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose.

        (2)    “Consent” includes:

            (i)    A written statement;

            (ii)    A written statement by electronic means; or

            (iii)    Any other unambiguous affirmative action.

        (3)    “Consent” does not include:

            (i)    Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information;

            (ii)    Hovering over, muting, pausing, or closing a piece of content; or

            (iii)    Agreement obtained through the use of dark patterns.

    (h)    (1)    “Consumer” means an individual who is a resident of the State.

        (2)    “Consumer” does not include:

            (i)    An individual acting in a commercial or employment context; or

            (ii)    An individual acting as an employee, an owner, a director, an officer, or a contractor of a company, a partnership, a sole proprietorship, a nonprofit organization, or a governmental unit whose communications or transactions with a controller occur only within the context of the individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.

    (i)    (1)    “Consumer health data” means personal data that a controller uses to identify a consumer’s physical or mental health status.

        (2)    “Consumer health data” includes data related to:

            (i)    Gender–affirming treatment; or

            (ii)    Reproductive or sexual health care.

    (j)    “Control” means:

        (1)    Ownership of or the power to vote more than 50% of the outstanding shares of any class of voting security of a business;

        (2)    Any manner of control over the election of a majority of the directors of a business, or individuals exercising similar functions; or

        (3)    The power to exercise a controlling influence over the management of a business.

    (k)    “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

    (l)    “COPPA” means the federal Children’s Online Privacy Protection Act of 1998 and the regulations, rules, guidance, and exemptions adopted under the Act, and as the Act and the regulations, rules, guidance, and exemptions may be amended.

    (m)    “Covered entity” has the meaning stated in HIPAA.

    (n)    (1)    “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting user autonomy, decision making, or choice.

        (2)    “Dark pattern” includes any practice the Federal Trade Commission refers to as a “dark pattern”.

    (o)    “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions that result in the provision or denial of:

        (1)    Financial or lending services;

        (2)    Housing;

        (3)    Education enrollment or opportunity;

        (4)    Criminal justice;

        (5)    Employment opportunities;

        (6)    Health care services; or

        (7)    Access to essential goods or services.

    (p)    “De–identified data” has the meaning stated in § 14–4401 of this title.

    (q)    “Gender–affirming treatment” has the meaning stated in § 15–151(a) of the Health – General Article.

    (r)    “Genetic data” has the meaning stated in § 14–4401 of this title.

    (s)    (1)    “Geofence” means technology that establishes a virtual geographical boundary.

        (2)    “Geofence” includes boundaries that are established or monitored through the use of:

            (i)    Global positioning technology;

            (ii)    Cell tower connectivity;

            (iii)    Cellular data;

            (iv)    Radio frequency identification;

            (v)    Wireless fidelity technology; or

            (vi)    Any other form of location determination technology.

    (t)    “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996.

    (u)    “Identified or identifiable consumer” means a consumer who can readily be identified, either directly or indirectly.

    (v)    “Mental health facility” means a health care facility in which not less than 70% of health care services offered are mental health services.

    (w)    (1)    “Personal data” means any information that is linked or can be reasonably linked to an identified or identifiable consumer.

        (2)    “Personal data” does not include:

            (i)    De–identified data; or

            (ii)    Publicly available information.

    (x)    (1)    “Precise geolocation data” means information derived from technology that can precisely and accurately identify the specific location of a consumer within a radius of 1,750 feet.

        (2)    “Precise geolocation data” includes global positioning system level latitude and longitude coordinates or other similar mechanisms.

        (3)    “Precise geolocation data” does not include:

            (i)    The content of communications;

            (ii)    Data generated by or connected to an advanced utility metering infrastructure system; or

            (iii)    Data generated by equipment used by a utility company.

    (y)    (1)    “Process” means an operation or set of operations performed by manual or automated means on personal data.

        (2)    “Process” includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.

    (z)    “Processor” means a person that processes personal data on behalf of a controller.

    (aa)    “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable consumer’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.

    (bb)    “Protected health information” has the meaning stated in HIPAA.

    (cc)    (1)    “Publicly available information” means information that a person:

            (i)    Lawfully obtains from a record of a governmental entity;

            (ii)    Reasonably believes a consumer or widely distributed media have lawfully made available to the general public; or

            (iii)    If the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.

        (2)    “Publicly available information” does not include biometric data collected by a business about a consumer without the consumer’s knowledge.

    (dd)    “Reproductive or sexual health care” means a health care–related service or product rendered or provided concerning a consumer’s reproductive system or sexual well–being, including:

        (1)    A service or product provided related to an individual health condition, status, disease, diagnosis, test, or treatment;

        (2)    A social, psychological, behavioral, or medical intervention;

        (3)    A surgery or procedure;

        (4)    The purchase or use of a medication, including a medication purchased or used for the purposes of an abortion;

        (5)    A service or product related to a bodily function, vital sign, or symptom;

        (6)    A measurement of a bodily function, vital sign, or symptom; and

        (7)    An abortion, and medical and nonmedical services, products, diagnostics, counseling, and follow–up services for an abortion.

    (ee)    “Reproductive or sexual health care facility” means a health care facility where not less than 70% of services offered are reproductive or sexual health care services.

    (ff)    (1)    “Sale of personal data” means the exchange of personal data by a controller, a processor, or an affiliate of a controller or processer to a third party for monetary or other valuable consideration.

        (2)    “Sale of personal data” does not include:

            (i)    The disclosure of personal data to a processor that processes personal data on behalf of a controller if limited to the purposes of the processing;

            (ii)    The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer;

            (iii)    The disclosure or transfer of personal data to an affiliate of the controller;

            (iv)    The disclosure of personal data where the consumer:

                1.    Directs the controller to disclose the personal data; or

                2.    Intentionally uses the controller to interact with a third party;

            (v)    The disclosure of personal data that the consumer:

                1.    Intentionally made available to the general public through a channel of mass media; and

                2.    Did not restrict to a specific audience; or

            (vi)    The disclosure or transfer of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction where the third party assumes control of all or part of the controller’s assets.

    (gg)    “Sensitive data” means personal data that includes:

        (1)    Data revealing:

            (i)    Racial or ethnic origin;

            (ii)    Religious beliefs;

            (iii)    Consumer health data;

            (iv)    Sex life;

            (v)    Sexual orientation;

            (vi)    Status as transgender or nonbinary;

            (vii)    National origin; or

            (viii)    Citizenship or immigration status;

        (2)    Genetic data or biometric data;

        (3)    Personal data of a consumer that the controller knows or has reason to know is a child; or

        (4)    Precise geolocation data.

    (hh)    (1)    “Targeted advertising” means displaying advertisements to a consumer or on a device identified by a unique identifier, where the advertisement is selected based on personal data obtained or inferred from the consumer’s activities over time and across nonaffiliated websites or online applications that are unaffiliated with each other, in order to predict the consumer’s preferences or interests.

        (2)    “Targeted advertising” does not include:

            (i)    Advertisements based on the context of a consumer’s current search query, visit to a website, or online application;

            (ii)    Advertisements based on a consumer’s activities within a controller’s websites or online applications;

            (iii)    Advertisements directed to a consumer in response to the consumer’s request for information or feedback; or

            (iv)    Processing personal data solely to measure or report advertising frequency, performance, or reach.

    (ii)    “Third party” means a person other than the relevant consumer, controller, processor, or affiliate of the controller or processor of relevant personal data.

    (jj)    “Trade secret” has the meaning stated in § 11–1201 of this article.

 

§14–4702.   

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    This subtitle applies to a person that conducts business in the State or provides products or services that are targeted to residents of the State, and that during the preceding calendar year did any of the following:

        (1)    Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

        (2)    Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

 

§14–4703.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    This subtitle does not apply to:

        (1)    A regulatory, administrative, advisory, executive, appointive, legislative, judicial body or instrumentality of the State, including a board, bureau, commission, or unit of the State or a political subdivision of the State;

        (2)    A national securities association that is registered under § 15 of the federal Securities Exchange Act of 1934 or a registered futures association designated in accordance with § 17 of the federal Commodity Exchange Act;

        (3)    A financial institution, an affiliate of a financial institution, or data that is subject to Title V of the federal Gramm–Leach–Bliley Act and regulations adopted under that act; or

        (4)    A nonprofit controller that processes or shares personal data solely for the purposes of assisting:

            (i)    Law enforcement agencies in investigating criminal or fraudulent acts relating to insurance; or

            (ii)    First responders in responding to catastrophic events.

    (b)    The following information and data are exempt from this subtitle:

        (1)    Protected health information under HIPAA;

        (2)    Patient–identifying information for purposes of 42 U.S.C. § 290dd–2;

        (3)    Identifiable private information that is used for purposes of the federal policy for the protection of human subjects in accordance with 45 C.F.R. § 46;

        (4)    Identifiable private information to the extent that it is collected and used as part of human subjects research in accordance with the ICH 36 Good Clinical Practice Guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 C.F.R. §§ 50 and 56;

        (5)    Patient safety work product that is created and used for purposes of patient safety improvement in accordance with 42 C.F.R. § 3, established in accordance with 42 U.S.C. §§ 299b–21 through 299b–26;

        (6)    (i)    Information to the extent it is used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a covered entity or when provided by or to a business associate in accordance with the business associate agreement with a covered entity;

            (ii)    Information that is a medical record under § 4–301 of the Health – General Article if:

                1.    The information is held by an entity that is a covered entity or business associate under HIPAA because it collects, uses, or discloses protected health information; and

                2.    The entity applies the same standards for the collection, use, and disclosure of the information as required for protected health information under HIPAA and medical records under § 4–301 of the Health – General Article, including specific standards regarding legally protected health care; and

            (iii)    Information that is de–identified in accordance with the requirements for de–identification set forth in 45 C.F.R. 164.514 that is derived from individually identifiable health information as described in HIPAA or personal information consistent with the human subject protection requirements of the U.S. Food and Drug Administration;

        (7)    The collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the federal Fair Credit Reporting Act;

        (8)    Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994;

        (9)    Personal data regulated by the federal Family Educational Rights and Privacy Act;

        (10)    Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act;

        (11)    Data processed or maintained:

            (i)    In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of the role;

            (ii)    As the emergency contact information of a consumer if the data is used for emergency contact purposes; or

            (iii)    That is:

                1.    Necessary to retain to administer benefits for another individual relating to the consumer who is the subject of the information under item (i) of this item; and

                2.    Used for the purposes of administering the benefits;

        (12)    Personal data collected, processed, sold, or disclosed in relation to price, route, or service by an air carrier subject to the federal Airline Deregulation Act to the extent this subtitle is preempted by the federal Airline Deregulation Act; and

        (13)    Personal data collected by or on behalf of a person regulated under the Insurance Article or an affiliate of such a person, in furtherance of the business of insurance.

    (c)    Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be considered compliant with an obligation to obtain parental consent in accordance with this subtitle with respect to a consumer who is a child.

 

§14–4704.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    A person may not:

        (1)    Provide an employee or a contractor access to consumer health data unless:

            (i)    The employee or contractor is subject to a contractual or statutory duty of confidentiality; or

            (ii)    Confidentiality is required as a condition of employment of the employee;

        (2)    Provide a processor access to consumer health data unless the person providing access to the consumer health data and the processor comply with § 14–4708 of this subtitle; or

        (3)    Use a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, or collecting data from, or sending any notification to a consumer regarding the consumer’s consumer health data.

 

§14–4705.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    Nothing in this section may be construed to require a controller to reveal a trade secret.

    (b)    A consumer shall have the right to:

        (1)    Confirm whether a controller is processing the consumer’s personal data;

        (2)    If a controller is processing a consumer’s personal data, access the consumer’s personal data;

        (3)    Considering the nature of the consumer’s personal data and the purposes of the processing of the personal data, correct inaccuracies in the consumer’s personal data;

        (4)    Require a controller to delete personal data provided by, or obtained about, the consumer unless retention of the personal data is required by law;

        (5)    If the processing of personal data is done by automatic means, obtain a copy of the consumer’s personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to easily transmit the data to another controller without hindrance;

        (6)    Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data or a list of the categories of third parties to which the controller has disclosed any consumer’s personal data if the controller does not maintain this information in a format specific to the consumer; and

        (7)    Opt out of the processing of personal data for purposes of:

            (i)    Targeted advertising;

            (ii)    The sale of personal data; or

            (iii)    Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

    (c)    (1)    A controller shall establish a secure and reliable method for a consumer to exercise a consumer right under this section.

        (2)    A consumer may exercise a consumer right under this section by the method established by the controller under paragraph (1) of this subsection.

    (d)    (1)    A consumer may designate an authorized agent in accordance with § 14–4706 of this subtitle to opt out of the processing of the consumer’s personal data under subsection (b)(7) of this section on behalf of a consumer.

        (2)    A parent or legal guardian of a child may exercise a consumer right listed in subsection (b) of this section on the child’s behalf regarding the processing of personal data.

        (3)    A guardian or conservator of a consumer subject to a guardianship, conservatorship, or other protective arrangement may exercise a consumer right listed in subsection (b) of this section on the consumer’s behalf regarding the processing of personal data.

    (e)    (1)    Except as otherwise provided in this subtitle, a controller shall comply with a request by a consumer to exercise a consumer right listed in this section.

        (2)    (i)    A controller shall respond to a consumer request not later than 45 days after the controller receives the consumer request.

            (ii)    A controller may extend the completion period by an additional 45 days if:

                1.    It is reasonably necessary to complete the request based on the complexity and number of the consumer’s requests; and

                2.    The controller informs the consumer of the extension and the reason for the extension within the initial 45–day response period.

        (3)    If a controller declines to act regarding a consumer’s request, the controller shall:

            (i)    Inform the consumer without undue delay, but not later than 45 days after receiving the request, of the justification for declining to act; and

            (ii)    Provide instructions for how to appeal the decision.

        (4)    (i)    A controller shall provide information to a consumer in response to a consumer’s request to exercise rights under this subtitle free of charge once during any 12–month period.

            (ii)    If requests from a consumer are manifestly unfounded, excessive, technically infeasible, or repetitive, a controller may:

                1.    Charge the consumer a reasonable fee to cover the administrative costs of complying with the request; or

                2.    Decline to act on the request.

            (iii)    The controller has the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of the request.

        (5)    If a controller is unable to authenticate a request to exercise a consumer right afforded under subsection (b)(1) through (5) of this section using commercially reasonable efforts, the controller:

            (i)    May not be required to comply with a request to initiate an action in accordance with this section; and

            (ii)    Shall provide notice to the consumer that the controller is unable to authenticate the request to exercise the right until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise the consumer’s rights.

        (6)    A controller may not be required to authenticate an opt–out request.

        (7)    A controller that has obtained personal data about a consumer from a source other than the consumer shall be considered compliant with the consumer’s request to delete the consumer’s data in accordance with subsection (b)(4) of this section by retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring that the consumer’s personal data:

            (i)    Remains deleted from the controller’s records; and

            (ii)    Is not being used for any other purpose.

    (f)    (1)    A controller shall establish a process for a consumer to appeal the controller’s refusal to act on a consumer rights request within a reasonable period after the consumer receives the decision.

        (2)    The appeal process shall be:

            (i)    Conspicuously available; and

            (ii)    Similar to the process for submitting requests to initiate an action in accordance with this section.

        (3)    Not later than 60 days after receiving an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

        (4)    If a controller denies an appeal, the controller shall provide the consumer with an online mechanism, if available, through which the consumer may contact the Division to submit a complaint.

 

§14–4706.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    (1)    A consumer may designate an individual to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data for one or more of the purposes specified in § 14–4705(b)(7) of this subtitle.

        (2)    A consumer may designate an authorized agent by an Internet link or a browser setting, browser extension, global device setting, or other similar technology, indicating a consumer’s intent to opt out of the processing of the consumer’s personal data.

    (b)    A controller shall comply with an opt–out request received from an authorized agent if, using commercially reasonable efforts, the controller is able to authenticate:

        (1)    The identity of the consumer; and

        (2)    The authorized agent’s authority to act on the consumer’s behalf.

 

§14–4707.   

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    A controller may not:

        (1)    Except where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains, collect, process, or share sensitive data concerning a consumer;

        (2)    Sell sensitive data;

        (3)    Process personal data in violation of State or federal laws that prohibit unlawful discrimination;

        (4)    Process the personal data of a consumer for the purposes of targeted advertising if the controller knew or should have known that the consumer is under the age of 18 years;

        (5)    Sell the personal data of a consumer if the controller knew or should have known that the consumer is under the age of 18 years;

        (6)    Discriminate against a consumer for exercising a consumer right contained in this subtitle, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer;

        (7)    Collect, process, or transfer personal data or publicly available data in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability, unless the collection, processing, or transfer of personal data is for:

            (i)    The controller’s self–testing to prevent or mitigate unlawful discrimination;

            (ii)    The controller’s diversifying of an applicant, participant, or customer pool; or

            (iii)    A private club or group not open to the public, as described in § 201(e) of the Civil Rights Act of 1964; or

        (8)    Unless the controller obtains the consumer’s consent, process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer.

    (b)    (1)    A controller shall:

            (i)    Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains;

            (ii)    Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue; and

            (iii)    Provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent.

        (2)    If a consumer revokes consent under this section, the controller shall stop processing the consumer’s personal data as soon as practicable, but not later than 30 days after receiving the request.

    (c)    Nothing in subsection (a) or (b) of this section may be construed to:

        (1)    Require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain; or

        (2)    Prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program, provided that the selling of personal data is not a condition of participation in the program.

    (d)    A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:

        (1)    The categories of personal data processed by the controller, including sensitive data;

        (2)    The controller’s purpose for processing personal data;

        (3)    How a consumer may exercise the consumer’s rights under this subtitle, including how a consumer may appeal a controller’s decision regarding the consumer’s request or may revoke consent;

        (4)    The categories of third parties with which the controller shares personal data with a level of detail that enables a consumer to understand the type of, business model of, or processing conducted by each third party;

        (5)    The categories of personal data, including sensitive data, that the controller shares with third parties; and

        (6)    An active e–mail address or other online mechanism that a consumer may use to contact the controller.

    (e)    (1)    If a controller sells personal data to third parties or processes personal data for targeted advertising or for the purposes of profiling the consumer in furtherance of decisions that produce legal or similarly significant effects, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

        (2)    The disclosure required under paragraph (1) of this subsection shall be prominently displayed, and use clear, easy to understand, and unambiguous language, to state whether the consumer’s information will be sold or shared with a third party.

    (f)    (1)    The privacy notice under subsection (d) of this section shall establish one or more secure and reliable methods for a consumer to submit a request to exercise a consumer right in accordance with this subtitle that take into account:

            (i)    The ways in which consumers normally interact with the controller;

            (ii)    The need for secure and reliable communication of consumer requests; and

            (iii)    The ability of the controller to verify the identity of a consumer making the request.

        (2)    (i)    A controller may not require a consumer to create a new account in order to exercise a consumer right.

            (ii)    A controller may require a consumer to use an existing account to exercise a consumer right.

        (3)    A controller may utilize the following methods to satisfy paragraph (1) of this subsection:

            (i)    Providing a clear and conspicuous link on the controller’s website to a webpage that allows a consumer, or an authorized agent of the consumer, to opt out of the targeted advertising or the sale of the consumer’s personal data; or

            (ii)    On or before October 1, 2025, allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of personal data, through an opt–out preference signal sent, with the consumer’s consent, by a platform, technology, or mechanism to the controller indicating the consumer’s intent to opt out of the processing or sale.

        (4)    A platform, technology, or mechanism used in accordance with paragraph (3) of this subsection shall:

            (i)    Be consumer–friendly and easy to use by the average consumer;

            (ii)    Use clear, easy to understand, and unambiguous language;

            (iii)    Be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or State law or regulation;

            (iv)    Enable the controller to reasonably determine whether the consumer:

                1.    Is a resident of the State; and

                2.    Has made a legitimate request to opt out of any sale of the consumer’s personal data or targeted advertising; and

            (v)    Require a consumer to make an affirmative, unambiguous, and voluntary choice in order to opt out of any processing of the consumer’s personal data.

        (5)    A platform, technology, or mechanism used in accordance with paragraph (3) of this subsection may not:

            (i)    Unfairly disadvantage another controller; or

            (ii)    Use a default setting to opt a consumer out of any processing of the consumer’s personal data.

    (g)    (1)    If a consumer’s decision to opt out of the processing of the consumer’s personal data for the purposes of targeted advertising, or the sale of personal data through an opt–out preference signal sent in accordance with subsection (f)(3) of this section conflicts with the consumer’s existing controller–specific privacy setting or the consumer’s voluntary participation in a controller’s bona fide loyalty, rewards, premium features, discounts, or club card program, the controller may notify the consumer of a conflict and provide the choice to confirm controller–specific privacy settings or participation in a program listed in this paragraph.

        (2)    A controller that recognizes signals approved by other states shall be considered in compliance with this section.

 

§14–4708.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    (1)    If a controller uses a processor to process the personal data of consumers, the controller and the processor shall enter into a contract that governs the processor’s data processing procedures with respect to processing performed on behalf of the controller.

        (2)    The contract shall be binding and shall clearly set forth:

            (i)    Instructions for processing data;

            (ii)    The nature and purpose of processing;

            (iii)    The type of data subject to processing;

            (iv)    The duration of processing; and

            (v)    The rights and obligations of both parties.

        (3)    The contract shall require that the processor:

            (i)    Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data;

            (ii)    Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, considering the volume and nature of the personal data;

            (iii)    Stop processing data on request by the controller made in accordance with a consumer’s authenticated request;

            (iv)    At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of service, unless retention of the personal data is required by law;

            (v)    On the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance with the obligations in this subtitle;

            (vi)    After providing the controller an opportunity to object, engage a subcontractor to assist with processing personal data on the controller’s behalf only in accordance with a written contract that requires the subcontractor to meet the processor’s obligations regarding the personal data under the processor’s contract with the controller; and

            (vii)    Allow and cooperate with reasonable assessments by the controller, the controller’s designated assessor, or a qualified and independent assessor arranged for by the processor to assess the processor’s policies and technical and organizational measures in support of the obligations under this subtitle.

        (4)    (i)    On request, the processor shall provide a report of an assessment required by paragraph (3)(v) of this subsection to the controller.

            (ii)    An assessment conducted in accordance with paragraph (3)(v) of this subsection shall be conducted using an appropriate and accepted control standard or framework and assessment procedure for the assessments.

    (b)    A processor shall:

        (1)    Adhere to the contract and instructions of a controller;

        (2)    Assist the controller in meeting the controller’s obligations under this subtitle, including:

            (i)    By appropriate technical and organizational measures as much as reasonably practicable to fulfill the controller’s obligation to respond to consumer rights requests, considering the nature of processing and the information available to the processor; and

            (ii)    By assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of a system, as defined in § 14–3504 of this title; and

        (3)    Provide necessary information to enable the controller to conduct and document data protection assessments.

    (c)    Nothing in this section may be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of the controller’s or processor’s role in the processing relationship in accordance with this section.

    (d)    (1)    The determination of whether a person is acting as a controller or a processor with respect to a specific processing of data is a fact–based determination that depends on the context in which personal data is being processed.

        (2)    A person is considered to be a controller if the person:

            (i)    Is not limited in the person’s processing of specific personal data in accordance with a controller’s instructions; or

            (ii)    Fails to adhere to a controller’s instructions with respect to a specific processing of personal data.

        (3)    A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor.

        (4)    If a processor or third party begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor:

            (i)    Is a controller with respect to the processing; and

            (ii)    May be subject to an enforcement action under this subtitle.

    (e)    Nothing in this section may be construed to alter a controller’s obligation to limit a person’s processing of personal data or to take steps to ensure that a processor adheres to the controller’s instructions.

 

§14–4709.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    If a third party uses or shares a consumer’s information in a manner inconsistent with promises made to the consumer at the time of collection of the information, the third party shall provide an affected consumer with notice of the new or changed practice before implementing the new or changed practice.

    (b)    The notice provided under subsection (a) of this section shall be provided in a manner and at a time reasonably calculated to allow a consumer to exercise the rights provided under this subtitle.

 

§14–4710.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    In this section, “processing activities that present a heightened risk of harm to a consumer” means:

        (1)    The processing of personal data for the purposes of targeted advertising;

        (2)    The sale of personal data;

        (3)    The processing of sensitive data; and

        (4)    The processing of personal data for the purposes of profiling, in which the profiling presents a reasonably foreseeable risk of:

            (i)    Unfair, abusive, or deceptive treatment of a consumer;

            (ii)    Having an unlawful disparate impact on a consumer;

            (iii)    Financial, physical, or reputational injury to a consumer;

            (iv)    A physical or other intrusion on the solitude or seclusion or the private affairs or concerns of a consumer in which the intrusion would be offensive to a reasonable person; or

            (v)    Other substantial injury to a consumer.

    (b)    A controller shall conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that present a heightened risk of harm to a consumer, including an assessment for each algorithm that is used.

    (c)    (1)    A data protection assessment conducted in accordance with this section shall identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, the consumer, other interested parties, and the public against:

            (i)    The potential risks to the rights of the consumer associated with the processing as mitigated by safeguards that may be employed by the controller to reduce these risks; and

            (ii)    The necessity and proportionality of processing in relation to the stated purpose of the processing.

        (2)    The controller shall factor into a data protection assessment:

            (i)    The use of de–identified data;

            (ii)    The reasonable expectations of consumers;

            (iii)    The context of the processing; and

            (iv)    The relationship between the controller and the consumer whose personal data will be processed.

    (d)    (1)    The Division may require that a controller make available to the Division a data protection assessment that is relevant to an investigation conducted by the Division.

        (2)    (i)    The Division may evaluate a data protection assessment for compliance with the responsibilities established in this subtitle.

            (ii)    A controller’s data protection assessment may be used in an action to enforce this subtitle.

        (3)    A data protection assessment is confidential and is exempt from disclosure under the federal Freedom of Information Act or the Public Information Act.

    (e)    A single data protection assessment may address a comparable set of processing operations that include similar activities.

    (f)    If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be considered to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted in accordance with this section.

    (g)    To the extent that any information contained in a data protection assessment disclosed to the Division includes information subject to attorney–client privilege or work product protection, the disclosure may not constitute a waiver of that privilege or protection.

    (h)    A data protection assessment conducted under this section:

        (1)    Shall apply to processing activities that occur on or after October 1, 2025; and

        (2)    Is not required for processing activities that occur before October 1, 2025.

 

§14–4711.   

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    Nothing in this subtitle may be construed to require a controller or a processor to:

        (1)    Re–identify de–identified data;

        (2)    Maintain data in an identifiable form; or

        (3)    Collect, obtain, retain, or access any data or technology in order to be capable of associating an authenticated consumer request with personal data.

    (b)    Nothing in this subtitle may be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller:

        (1)    Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

        (2)    Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

        (3)    Does not sell the personal data to a third party or otherwise voluntarily disclose the personal data to a third party other than a processor, except as otherwise allowed in this subtitle.

    (c)    (1)    A controller that discloses de–identified data shall:

            (i)    Exercise reasonable oversight to monitor compliance with any contractual commitments to which the de–identified data is subject; and

            (ii)    Take appropriate steps to address any breaches of any contractual commitments.

        (2)    The determination of whether oversight is reasonable and whether appropriate steps were taken in accordance with paragraph (1) of this subsection shall take into account whether the disclosed data includes data that would be considered sensitive data if the data were re–identified.

 

§14–4712.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    Nothing in this subtitle may be construed to restrict a controller’s or processor’s ability to:

        (1)    Comply with federal, State, or local laws or regulations;

        (2)    Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, State, local, or other governmental authority;

        (3)    Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, State, or local laws or regulations;

        (4)    Investigate, establish, exercise, prepare for, or defend a legal claim;

        (5)    Provide a product or service specifically requested by a consumer;

        (6)    Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;

        (7)    Take steps at the request of a consumer before entering into a contract;

        (8)    Take immediate steps to protect an interest that is essential for the life or physical safety of a consumer or another individual and when the processing cannot be manifestly based on another legal basis;

        (9)    Prevent, detect, protect against, investigate, prosecute those responsible, or otherwise respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any other type of illegal activity;

        (10)    Preserve the integrity or security of systems; or

        (11)    Assist another controller, processor, or third party with an obligation under this subtitle.

    (b)    (1)    This subsection does not apply to an obligation required under § 14–4711 of this subtitle.

        (2)    An obligation imposed on a controller or processor under this subtitle may not restrict a controller’s or processor’s ability to collect, use, or retain personal data for internal use to:

            (i)    Effectuate a product recall;

            (ii)    Identify and repair technical errors that impair existing or intended functionality; or

            (iii)    Perform internal operations that are:

                1.    Reasonably aligned with the expectations of the consumer or can be reasonably anticipated based on the consumer’s existing relationship with the controller; or

                2.    Otherwise compatible with processing data in furtherance of:

                A.    The provision of a product or service specifically requested by a consumer; or

                B.    The performance of a contract to which the consumer is a party.

    (c)    (1)    An obligation imposed on a controller or a processor under this subtitle does not apply when compliance by the controller or processor with the subtitle would violate an evidentiary privilege under State law.

        (2)    Nothing in this subtitle may be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under State law as part of a privileged communication.

    (d)    (1)    A controller or processor that discloses personal data to a processor or a third–party controller in compliance with this subtitle is not in violation of this subtitle if the processor or third–party controller that receives the personal data violates this subtitle and:

            (i)    at the time the disclosing controller or processor disclosed the personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third–party controller would violate this subtitle; and

            (ii)    the disclosing controller was, and remained, in compliance with its obligations as the discloser of the personal data.

        (2)    A third–party controller or processor that receives personal data from a controller or processor in compliance with this subtitle is not in violation of this subtitle for the independent misconduct of the controller or processor from which the third–party controller or processor received the personal data.

    (e)    Nothing in this subtitle may be construed to:

        (1)    Impose an obligation on a controller or a processor that adversely affects the rights or freedoms of any person, including the rights of a person to freedom of speech or freedom of the press as guaranteed in the First Amendment to the U.S. Constitution; or

        (2)    Apply to a person’s processing of personal data during the person’s personal or household activities.

    (f)    If a controller or processor processes personal data in accordance with an exemption under this section, the controller or processor shall demonstrate that the processing:

        (1)    Qualifies for an exemption; and

        (2)    Complies with the requirements of subsection (g) of this section.

    (g)    Personal data processed by a controller or processor in accordance with this section:

        (1)    Shall be subject to reasonable administrative, technical, and physical measures to:

            (i)    Protect the confidentiality, integrity, and accessibility of the personal data; and

            (ii)    Reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data; and

        (2)    May be processed to the extent that the processing is:

            (i)    Reasonably necessary and proportionate to the purposes listed in this section; and

            (ii)    Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.

    (h)    A person that processes personal data for a purpose expressly identified in this section may not be considered a controller solely based on the processing of personal data.

 

§14–4713.   

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    Except as provided in subsection (b) of this section, a violation of this subtitle is:

        (1)    An unfair, abusive, or deceptive trade practice within the meaning of Title 13 of this article; and

        (2)    Subject to the enforcement and penalty provisions contained in Title 13 of this article, except for § 13–408 of this article.

    (b)    This section does not prevent a consumer from pursuing any other remedy provided by law.

 

§14–4714.    

    ** TAKES EFFECT OCTOBER 1, 2025 PER CHAPTERS 454 AND 455 OF 2024 **

    (a)    This section applies to an enforcement action under § 14–4713 of this subtitle for an alleged violation that occurs on or before April 1, 2027.

    (b)    Before initiating any action under § 14–4713 of this subtitle, the Division may issue a notice of violation to the controller or processor if the Division determines that a cure is possible.

    (c)    (1)    If the Division issues a notice of violation under subsection (b) of this section, the controller or processor shall have at least 60 days to cure the violation after receipt of the notice.

        (2)    If the controller or processor fails to cure the violation within the time period specified by the Division, the Division may bring an enforcement action under § 14–4713 of this subtitle.

    (d)    In determining whether to grant a controller or processor an opportunity to cure an alleged violation, the Division may consider the following factors:

        (1)    The number of violations;

        (2)    The size and complexity of the controller or processor;

        (3)    The nature and extent of the controller’s or processor’s processing activities;

        (4)    The likelihood of injury to the public;

        (5)    The safety of persons or property;

        (6)    Whether the alleged violation was likely caused by a human or technical error; and

        (7)    The extent to which the controller or processor has violated this subtitle or similar laws in the past.

 

Stay Ahead of the Curve! Explore our comprehensive CLIClaw Maryland Privacy Compliance Library for in-depth resources and insights.

 

For more information, see here:  https://mgaleg.maryland.gov/mgawebsite/Laws/StatuteText?article=gcl&section=14-4701&enactments=True&archived=False

 

These materials were obtained directly from the State Government public websites and are posted here for your review and reference only.  No Claim to Original State Government Works.  This may not be the most recent version.  The State may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.

These materials were obtained directly from the U.S. Federal Government public websites, U.S. State Government public websites, or the International Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works, Original U.S. State Government Works, or Original International Government Works. This information may not be the most recent version. The U.S. Government, U.S. States, or International Governments may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.