Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Maryland: Senate Bill establishing Online Data Privacy Act passed by Senate

On April 6, 2024, Senate Bill 0541, cross-filed with House Bill 0567, on an Act concerning the Maryland Online Data Privacy Act of 2024 was passed by the Senate and sent to the Governor for signing. This follows the passing of its third reading in the House on April 4, 2024, and its third reading in the Senate on April 6, 2024.

The bill would come into effect from October 1, 2025, and would not have any effect on any personal data processing activities before April 1, 2026.

Scope of the bill

The bill would apply to a person who conducts business in the State of Maryland or provides services or products that are targeted to residents of the State of Maryland who during the immediately preceding calendar year have:

  • controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

  • controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

The bill does not apply to:

  • regulatory, administrative, advisory, executive, appointive, legislative, or judicial bodies of the State of Maryland;

  • national securities associations that are registered under Section 15 of the Federal Securities Exchange Act of 1934 or registered futures associations designated in accordance with Section 17 of the Federal Commodity Exchange Act; or

  • financial institutions or affiliates of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (GLBA) and regulations adopted under the GLBA.

Key provisions of the bill

The bill prohibits persons from the following:

  • providing employees or contractors access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality or confidentiality is required as a condition of employment;

  • providing processors access to consumer health data unless the person providing access and the processor comply with Section 14-4608 of the bill; and

  • using a geofence to establish a virtual boundary that is within 1,750 feet of a mental health, reproductive, or sexual health facility.

Furthermore, the bill provides consumers with the rights to:

  • confirm the processing of personal data;

  • access personal data;

  • correct inaccuracies in personal data;

  • delete personal data;

  • obtain a copy of the personal data;

  • obtain a list of categories of third parties to which the controller has disclosed the consumer's data; and

  • opt-out of personal data processing for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Additionally, consumers may designate an authorized agent to opt out of the processing of personal data on their behalf.

You can read the bill here and track its progress here.