
Maryland - Data Protection Overview

June 2024

1. Governing Texts

On May 9, 2024, the Governor of Maryland signed the Maryland Online Data Privacy Act of 2024 (the MODPA). MODPA will take effect from October 1, 2025, but does not have any effect on or application to any personal data processing activities before April 1, 2026.

1.1. Key acts, regulations, directives, bills

  • the MODPA

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

MODPA applies to a person that conducts business in Maryland or provides products or services that are targeted to Maryland residents, and that during the preceding calendar year did any of the following (§14-4602 of the MODPA):

  • controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

  • controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

MODPA does not apply to (§14-4603 of the MODPA):

  • a regulatory, administrative, advisory, executive, appointive, legislative, or judicial body, or an instrumentality of Maryland;

  • a national securities association that is registered under §15 of the Federal Securities Exchange Act of 1934 or a registered futures association designated in accordance with §17 of the Federal Commodity Exchange Act of 1936;

  • a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act of 1999 (the GLBA) and Regulations adopted thereunder; or

  • a nonprofit controller that processes or shares personal data solely for the purposes of assisting:

    • law enforcement agencies in investigating criminal or fraudulent acts relating to insurance; or

    • first responders in responding to catastrophic events.

2.2. Territorial scope

MODPA applies to a person that conducts business in Maryland or provides products or services that are targeted to Maryland residents (§14-4602 of the MODPA).

2.3. Material scope

MODPA does not apply to the following:

  • data that is subject to Title V of the GLBA and regulations adopted thereunder (§14-4603(A)(3) of the MODPA);

  • protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (§14-4603(B)(1) of the MODPA);

  • patient-identifying information for the purposes of §290dd-2 of Part D Subchapter III-A of Chapter 6A of 42 U.S. Code (U.S.C.) (§14-4603(B)(2) of the MODPA);

  • information that is a medical record under §4-301 of the Code of Maryland Health-General Article (the Health-General Article) if (§14-4603(B)(6)(II) of the MODPA):

    • the information is held by an entity that is a covered entity or business associate under HIPAA because it collects, uses, or discloses protected health information; and

    • the entity applies the same standards for the collection, use, and disclosure of the information as required for protected health information under HIPAA and medical records under §4-301 of the Health-General Article;

  • information that is de-identified in accordance with the requirements for de-identification set forth in Part 164.514 of Title 45 of the Code of Federal Regulations (C.F.R.) that is derived from individually identifiable health information as described in HIPAA or personal information consistent with the human subject protection requirements of the U.S. Food and Drug Administration (§14-4603(B)(6)(III) of the MODPA);

  • the collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Federal Fair Credit Reporting Act (§14-4603(B)(7) of the MODPA);

  • personal data collected, processed, sold, or disclosed in compliance with the Federal Driver's Privacy Protection Act of 1994 (§14-4603(B)(8) of the MODPA);

  • personal data regulated by the Federal Family Educational Rights and Privacy Act (§14-4603(B)(9) of the MODPA);

  • personal data collected, processed, sold, or disclosed in compliance with the Federal Farm Credit Act (§14-4603(B)(10) of the MODPA);

  • data processed or maintained (§14-4603(B)(11) of the MODPA):

    • in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;

    • as the emergency contact information of a consumer, if the data is used for emergency contact purposes; or

    • that is necessary to retain in order to administer benefits;

  • personal data collected, processed, sold, or disclosed in relation to price, route, or service by an air carrier subject to the Federal Airline Deregulation Act, to the extent that the MODPA is preempted by that Act (§14-4603(B)(12) of the MODPA); and

  • personal data collected by or on behalf of a person regulated under the Code of Maryland Insurance Article or an affiliate of such a person, in furtherance of the business of insurance (§14-4603(B)(13) of the MODPA).

Furthermore, the MODPA confirms that it does not apply to the processing of personal data in the course of purely personal or household activities (§14-4612(E)(2) of the MODPA).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Division of Consumer Protection in the Attorney General's office in Maryland (the Division) is responsible for the enforcement of the MODPA.

3.2. Main powers, duties and responsibilities

The Division has exclusive authority to enforce violations under the MODPA.

4. Key Definitions

Data controller: A person that, alone or jointly with others, determines the purpose and means of processing personal data (§14-4601(K) of the MODPA).

Data processor: A person that processes personal data on behalf of a controller (§14-4601(Z) of the MODPA).

Personal data: Any information that is linked or can be reasonably linked to an identified or identifiable consumer. This does not include de-identified data or publicly available information (§14-4601(W) of the MODPA).

Sensitive data: Personal data that includes data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status, genetic data or biometric data, personal data of a consumer that the controller knows or has reason to know is a child, or precise geolocation data (§14-4601(GG) of the MODPA).

Health data: MODPA adopts the term 'consumer health data', which is personal data that a controller uses to identify a consumer's physical or mental health status. This includes data relating to gender-affirming treatment or reproductive or sexual health care (§14-4601(I) of the MODPA).

Biometric data: Data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer's identity. This includes fingerprints, voice print, eye retina or iris image, and any other unique biological characteristics that can be used to uniquely authenticate a consumer's identity (§14-4601(D)(1) and (2) of the MODPA).

Biometric data does not include (§14-4601(D)(3) of the MODPA):

  • digital or physical photographs;

  • audio or video recordings; or

  • any data generated from a digital or physical photograph or an audio or video recording, unless the data is generated to identify a specific consumer.

Pseudonymization: The MODPA does not have a definition for the term 'pseudonymization' but MODPA adopts the definition of 'de-identified data' from §14-4401 of the Code of Maryland (§14-4601(P) of the MODPA).

5. Legal Bases

If a controller or processor processes personal data in accordance with an exemption as outlined below, the controller or processor must demonstrate that the processing qualifies for the exemption, and the personal data (§14-4612(F)-(G) of the MODPA):

  • must be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of the personal data; and

  • may be processed only to the extent that the processing is reasonably necessary and proportionate to the purposes listed, and adequate, relevant, and limited to what is necessary in relation to the specific purposes.

5.1. Consent

Under the MODPA, consent is defined as a 'clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose' (§14-4601(G)(1) of the MODPA). Consent can include a written statement (which can also be given by electronic means) or any other unambiguous affirmative action (§14-4601(G)(2) of the MODPA).

The following is not considered as consent (§14-4601(G)(3) of the MODPA):

  • acceptance of general or broad terms of use or similar document that contains descriptions of personal data processing along with unrelated information;

  • hovering over, muting, pausing, or closing a piece of content; or

  • agreement obtained through the use of dark patterns.

Controllers may not process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent (§14-4607(8) of the MODPA).

Lastly, under §14-4607(B)(1)(III) of the MODPA, controllers must provide an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent.

5.2. Contract with the data subject

The MODPA does not specifically provide that personal data can be processed for the performance of a contract with a consumer. However, the MODPA provides that nothing in it restricts a controller's or processor's ability to provide a product or service requested by a consumer or to perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty (§14-4612(A)(5)-(6) of the MODPA). The MODPA also provides that nothing in it restricts a controller's or processor's ability to take steps at the request of a consumer before entering into a contract (§14-4612(A)(7) of the MODPA).

Additionally, controllers or processors can collect, use, or retain personal data for internal operations that are (§14-4612(B)(2)(iii) of the MODPA):

  • reasonably aligned with the expectations of the consumer or can reasonably be anticipated based on the consumer's existing relationship with the controller; or

  • otherwise compatible with data processing in furtherance of:

    • the provision of a product or service specifically requested by a consumer; or

    • the performance of a contract to which the consumer is a party.

5.3. Legal obligations

The MODPA does not specifically provide that personal data can be processed on the basis of legal obligations. However, the MODPA provides that nothing in it restricts a controller's or processor's ability to (§14-4612(A)(1)-(4) of the MODPA):

  • comply with federal, state, or local laws or regulations;

  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental authority;

  • cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws or regulations; and

  • investigate, establish, exercise, prepare for, or defend a legal claim.

5.4. Interests of the data subject

The MODPA does not specifically provide that personal data can be processed based on the interest of consumers.

However, the MODPA provides that nothing in it restricts a controller's or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of a consumer or another individual, where the processing cannot be manifestly based on another legal basis (§14-4612(A)(8) of the MODPA).

5.5. Public interest

The MODPA does not specifically provide that personal data can be processed based on public interest.

5.6. Legitimate interests of the data controller

The MODPA does not specifically provide that personal data can be processed based on the legitimate interests of a data controller. However, the MODPA provides that controllers and processors can preserve the integrity or security of systems (§14-4612(A)(10) of the MODPA).

Furthermore, the MODPA provides that obligations imposed on controllers or processors shall not restrict a controller's or processor's ability to collect, use, or retain personal data for internal use to (§14-4612(B)(2) of the MODPA):

  • effectuate a product recall;

  • identify and repair technical errors that impair existing or intended functionality; or

  • perform internal operations that are:

    • reasonably aligned with the expectations of the consumer or can be reasonably anticipated based on the consumer's existing relationship with the controller; or

    • otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Furthermore, the MODPA does not restrict a controller's or processor's ability to prevent, detect, protect against, investigate, or otherwise respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any other type of illegal activity, or to prosecute those responsible for such activity (§14-4612(A)(9) of the MODPA).

5.7. Legal bases in other instances

The MODPA provides that its requirements do not restrict a controller's or processor's ability to assist another controller, processor, or third party with an obligation under the MODPA (§14-4612(A)(11) of the MODPA).

Additionally, the MODPA outlines that it does not apply in cases when compliance would violate an evidentiary privilege under Maryland state laws. In these cases, controllers and processors are not prevented from providing personal data concerning a consumer to a person covered by evidentiary privilege under Maryland state law as part of privileged communication (§14-4612(C) of the MODPA).

6. Principles

The following principles apply to personal data processing by controllers (§14-4607(B) of the MODPA):

Data minimization: Controllers must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.

Confidentiality and integrity: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

7. Controller and Processor Obligations

Under the MODPA, controllers and processors have specific obligations with regard to de-identified data. Controllers that disclose de-identified data must do the following (§14-4611(C) of the MODPA):

  • exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject; and

  • take appropriate steps to address any breaches of any contractual commitments.

Furthermore, nothing in the MODPA shall be construed to require a controller or processor to re-identify de-identified data, maintain data in an identifiable form, or collect, obtain, retain, or access any data or technology in order to be capable of associating an authenticated consumer request with personal data (§14-4611(A) of the MODPA).

Additionally, controllers may not collect, process, or transfer personal data or publicly available data in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability, unless the collection, processing, or transfer of personal data is for the following (§14-4607(A)(7) of the MODPA):

  • the controller's self-testing to prevent or mitigate unlawful discrimination;

  • the controller's diversifying of an applicant, participant, or customer pool; or

  • a private club or group not open to the public as described in §201(E) of the Civil Rights Act of 1964.

7.1. Data processing notification

The MODPA does not specifically provide for data processing notification.

7.2. Data transfers

The MODPA does not specifically address cross-border data transfers but defines 'sale of personal data' as 'the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration' (§14-4601(FF) of the MODPA). The sale of personal data does not include:

  • disclosure to a processor that processes personal data on behalf of a controller if limited to the purposes of the processing;

  • disclosure to a third party for purposes of providing a product or service affirmatively requested by the consumer;

  • disclosure to an affiliate of the controller;

  • disclosure where the consumer:

    • directs the controller to disclose the personal data; or

    • intentionally uses the controller to interact with a third party;

  • personal data that the consumer intentionally made available to the general public through a channel of mass media and did not restrict to a specific audience; or

  • disclosure or transfer to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction where the third party assumes control of all or part of the controller's assets.

Additionally, §14-4612(D) of the MODPA provides that a controller or processor that discloses personal data to a processor or third-party controller in compliance with the MODPA is not in violation of the MODPA if the processor or third-party controller that receives the personal data violates its provisions, provided that:

  • at the time the disclosing controller or processor disclosed the personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate the MODPA; and

  • the disclosing controller or processor was, and remains, in compliance with its obligations as the discloser of the personal data.

7.3. Data processing records

The MODPA does not specifically oblige controllers or processors to create and maintain data processing records.

7.4. Data protection impact assessment

Controllers shall conduct and document, on a regular basis, a data protection assessment (DPA) for each processing activity that presents a heightened risk of harm to a consumer, including a DPA of each algorithm that is used (§14-4610(B) of the MODPA).

In this context, 'processing activities that present a heightened risk of harm to a consumer' means the processing of personal data for the purposes of:

  • targeted advertising or the sale of personal data;

  • the processing of sensitive data; and

  • the processing of personal data for the purposes of profiling, in which the profiling presents a reasonably foreseeable risk of:

    • unfair, abusive, or deceptive treatment of a consumer;

    • having an unlawful disparate impact on a consumer;

    • financial, physical, or reputational injury to a consumer;

    • a physical or other intrusion on the solitude or seclusion or the private affairs or concerns of a consumer in which the intrusion would be offensive to a reasonable person; or

    • other substantial injury to a consumer.

DPAs shall identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, the consumer, other interested parties, and the public against (§14-4610(C)(1) of the MODPA):

  • the potential risks to the rights of the consumer associated with the processing as mitigated by safeguards that may be employed by the controller to reduce these risks; and

  • the necessity and proportionality of processing in relation to the stated purpose of the processing.

Additionally, the following should be factors in a DPA (§14-4610(C)(2) of the MODPA):

  • the use of de-identified data;

  • the reasonable expectations of consumers;

  • the context of the processing; and

  • the relationship between the controller and the consumer whose personal data will be processed.

According to §14-4610(E) of the MODPA, a single DPA may address a comparable set of processing operations that include similar activities. If a DPA is conducted for the purpose of complying with another applicable law or regulation, the DPA shall be considered to satisfy the requirements under the MODPA if the DPA is reasonably similar in scope and effect to the DPA that would otherwise be conducted in accordance with the MODPA (§14-4610(F) of the MODPA).

Please note that DPAs conducted under the MODPA apply to processing activities that occur on or after October 1, 2025, and are not required for processing activities that occur before October 1, 2025 (§14-4610(H) of the MODPA).

7.5. Data protection officer appointment

The MODPA does not specifically address data protection officer appointments.

7.6. Data breach notification

The MODPA does not specifically provide for breach notification requirements, but it does specify that processors must assist controllers in meeting the controller's obligations in relation to the notification of a breach of the security of the processor's system (§14-4608(B)(2)(II) of the MODPA).

For further information, see Maryland – Data Breach.

7.7. Data retention

The MODPA does not specifically address data retention.

7.8. Children's data

The MODPA adopts the same definition of the term 'child' as provided under the Children's Online Privacy Protection Act (COPPA) (§14-4601(F) of the MODPA). Controllers may not process the personal data of a consumer for the purposes of targeted advertising, or sell the personal data of a consumer, if the controller knew or should have known that the consumer is under the age of 18 years (§14-4607(A)(4)-(5) of the MODPA).

The personal data of a consumer that a controller knows or has reason to know is a child is considered as 'sensitive data' under MODPA (§14-4601(GG)(3) of the MODPA). Additionally, the MODPA provides that a parent or legal guardian of a child may exercise a consumer right on a child's behalf (§14-4605(D)(2) of the MODPA).

Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be considered compliant with an obligation to obtain parental consent in MODPA with respect to a consumer who is a child (§14-4603(C) of the MODPA).

7.9. Special categories of personal data

Under the MODPA, controllers may not collect, process, or share sensitive data concerning a consumer except in cases where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer (§14-4607(A)(1) of the MODPA). Additionally, controllers may not sell sensitive data (§14-4607(A)(2) of the MODPA).

According to §14-4604 of the MODPA, persons may not:

  • provide an employee or contractor access to consumer health data unless:

    • the employee or contractor is subject to a contractual or statutory duty of confidentiality; or

    • confidentiality is required as a condition of employment of the employee;

  • provide a processor access to consumer health data unless the person providing access to the consumer health data and the processor comply with §14-4608 of the MODPA; or

  • use a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer's consumer health data.

7.10. Controller and processor contracts

Under §14-4608(B) of the MODPA, processor obligations include:

  • adhering to the contract and instructions of a controller;

  • assisting the controller in meeting the controller's MODPA obligations by:

    • taking appropriate technical and organizational measures, as far as reasonably practicable, to fulfil the controller's obligation to respond to consumer rights requests, considering the nature of the processing and the information available to the processor; and

    • assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of a system; and

  • providing necessary information to enable the controller to conduct and document DPAs.

A contract is required where a controller uses a processor to process the personal data of consumers, and that contract must govern the processor's data processing procedures with respect to processing carried out on behalf of the controller. The contract must be binding and must clearly set forth the following (§14-4608(A)(2) of the MODPA):

  • instructions for processing data;

  • the nature and purpose of processing;

  • the type of data subject to processing;

  • the duration of processing; and

  • the rights and obligations of both parties.

Contracts should require that processors (§14-4608(A)(3) of the MODPA):

  • are subject to a duty of confidentiality with respect to the personal data;

  • establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, considering the volume and nature of the personal data;

  • stop processing data on request by the controller made in accordance with a consumer's authenticated request;

  • delete or return all personal data to the controller as requested at the end of the provision of service, unless retention is required by law;

  • make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations under MODPA;

  • after providing the controller an opportunity to object, engage a subcontractor to assist with processing personal data on the controller's behalf only in accordance with a written contract that requires the subcontractor to meet the processor's obligations regarding the personal data under the processor's contract with the controller; and

  • allow and cooperate with reasonable assessments by the controller, the controller's designated assessor, or a qualified and independent assessor arranged for by the processor to assess the processor's policies and technical and organizational measures in support of the obligations under MODPA.

On the request of a controller, the processor must provide a report of an assessment when making available to the controller all information in their possession to demonstrate compliance with the MODPA (§14-4608(A)(4)(I) MODPA).

Under §14-4608(C) of the MODPA, controllers or processors are not relieved from the liabilities imposed on them by virtue of the controller's or processor's role in the processing relationship, as described by the MODPA.

The determination of whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is being processed. A person that is not limited in the person's processing of specific personal data in accordance with a controller's instructions or fails to adhere to a controller's instructions with respect to a specific processing of personal data, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action (§14-4608(D) of the MODPA).

Nothing in the MODPA may be construed to alter a controller's obligation to limit a person's processing of personal data or to take steps to ensure that a processor adheres to the controller's instructions (§14-4608(E) of the MODPA).

8. Data Subject Rights

Under the MODPA, consumers have a series of rights that they may exercise and controllers must establish a secure and reliable method for a consumer to exercise a consumer right (§14-4605(C) of the MODPA).

Parents or legal guardians of a child may exercise a consumer right on the child's behalf, and a guardian or conservator of a consumer subject to a guardianship, conservatorship, or other protective arrangement may exercise a consumer right on the consumer's behalf (§14-4605(D)(2)-(3) of the MODPA).

Lastly, controllers may not require a consumer to create a new account to exercise a consumer right (§14-4607(F)(2) of the MODPA) and must not discriminate against a consumer for exercising a consumer right, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer (§14-4607(A)(6) of the MODPA).

Response time

Controllers must respond to a consumer request not later than 45 days after the controller receives the request. This may be extended by an additional 45 days if it is reasonably necessary to complete the request based on the complexity and number of requests, and where the controller informs the consumer of the extension and the reason for such within the initial 45-day response period (§14-4605(E)(2) of the MODPA).

Authentication

Where a controller is unable to authenticate a request to exercise a consumer right using commercially reasonable efforts, the controller is not required to comply with the request to initiate an action and must notify the consumer that it is unable to authenticate the request unless the consumer provides additional information reasonably necessary to authenticate the consumer and the request (§14-4605(E)(5) of the MODPA).

In addition, nothing in the MODPA shall be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller (§14-4611(B) of the MODPA):

  • is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

  • does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

  • does not sell the personal data to a third party or otherwise voluntarily disclose the personal data to a third party other than a processor, except as otherwise allowed.

Declining requests and appeals

Where a controller declines to act regarding a consumer request, they must inform the consumer without undue delay, but not later than 45 days after receiving the request, of the justification for declining and provide instructions for how to appeal (§14-4605(E)(3) of the MODPA).

Information provided in response to a consumer's request must be provided free of charge once during any 12-month period (§14-4605(E)(4)(I) of the MODPA). Where a consumer's requests are manifestly unfounded, excessive, technically infeasible, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request (§14-4605(E)(4)(II) of the MODPA).

Appeals

Controllers must establish a process for a consumer to appeal the controller's refusal to act on a consumer rights request within a reasonable time after the consumer receives the decision. The appeals process must be conspicuously available and similar to the process for submitting requests to initiate an action under the MODPA. Not later than 60 days after receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. Where a controller denies an appeal, it must provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Division to submit a complaint (§14-4605(F)(4) of the MODPA).

8.1. Right to be informed

Under §14-4605(B)(1)-(2) of the MODPA, consumers have a right to confirm whether a controller is processing their personal data.

Controllers must provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes (§14-4607(D) of the MODPA):

  • the categories of personal data processed by the controller, including sensitive data;

  • the controller's purpose for processing personal data;

  • how a consumer may exercise their consumer rights, including how a consumer may appeal a controller's decision regarding a consumer request or may revoke consent;

  • the categories of third parties with which the controller shares personal data with a level of detail that enables a consumer to understand the type of business model of or processing conducted by each third party;

  • the categories of personal data, including sensitive data, that the controller shares with third parties; and

  • an active e-mail address or other online mechanism that a consumer may use to contact the controller. 

Additionally, consumers have the right to obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data or, if the controller does not maintain this information in a format specific to the consumer, a list of the categories of third parties to which the controller has disclosed any consumer's personal data (§14-4605(B)(6) of the MODPA). If a third party uses or shares a consumer's personal information in a manner inconsistent with promises made to the consumer at the time the information was collected, the third party must give affected consumers notice of the new or changed practice before implementing it, and the notice must be provided in a manner and at a time reasonably calculated to allow the consumer to exercise the rights provided under the MODPA (§14-4609 of the MODPA).

Where a controller sells personal data to third parties or processes personal data for targeted advertising or for profiling the consumer in furtherance of decisions that produce legal or similarly significant effects, the controller must clearly and conspicuously disclose such sale or processing, as well as the manner in which the consumer may exercise their right to opt out (§14-4607(E)(1) of the MODPA). Disclosures must be prominently displayed and use clear, easy to understand, and unambiguous language, to state whether the consumer's personal data will be sold or shared with a third party (§14-4607(E)(2) of the MODPA).

Additionally, controllers must establish and describe one or more secure and reliable means for consumers to submit a request to exercise their consumer rights in the privacy notice that take into account (§14-4607(F)(1) of the MODPA):

  • the ways in which consumers normally interact with the controller (§14-4607(F)(3) of the MODPA);

  • the need for secure and reliable communication of consumer requests; and

  • the ability of the controller to verify the identity of a consumer making the request.

8.2. Right to access

Consumers have the right to access the personal data that a controller is processing about them (§14-4605(B)(1)-(2) of the MODPA).

8.3. Right to rectification

Consumers have the right to correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing (§14-4605(B)(3) of the MODPA).

8.4. Right to erasure

Consumers have the right to require a controller to delete personal data provided by or obtained about them unless retention of personal data is required by law (§14-4605(B)(4) of the MODPA).

Furthermore, a controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data by retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and is not being used for any other purpose (§14-4605(E)(7) of the MODPA).

8.5. Right to object/opt-out

Consumers have the right to opt out of the processing of their personal data for the following purposes (§14-4605(B)(7) of the MODPA):

  • targeted advertising;

  • the sale of personal data; or

  • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Consumers may designate an authorized agent to opt out of the processing of their personal data on their behalf (§§14-4605(D)(1) and 14-4606(A)(1) of the MODPA). Consumers may also designate an authorized agent by means of an internet link or a browser setting, browser extension, global device setting, or other similar technology that indicates the consumer's intent to opt out of the processing of their personal data (§14-4606(A)(2) of the MODPA).

Controllers must comply with an opt-out request received from an authorized agent if, using commercially reasonable efforts, the controller is able to authenticate the identity of the consumer and the authorized agent's authority to act on the consumer's behalf (§14-4606(B) of the MODPA).

Where a consumer's decision, sent through an opt-out preference signal, to opt out of the processing of their personal data for targeted advertising or the sale of personal data conflicts with the consumer's existing controller-specific privacy setting or with the consumer's voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller may notify the consumer of the conflict and provide the consumer with the choice to confirm the controller-specific privacy setting or participation in the program (§14-4607(G)(1) of the MODPA).

Lastly, a controller that recognizes opt-out preference signals approved under the laws or regulations of other states is considered to be in compliance with this requirement (§14-4607(G)(2) of the MODPA).
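The conflict rule above (a browser-sent opt-out signal versus a consumer's existing site-specific setting or loyalty-program participation) is easy to get wrong in an implementation that simply overwrites one with the other. The following is an added example, not code from DataGuidance or from the statute. It assumes the signal arrives as the Global Privacy Control request header `Sec-GPC: 1` (the MODPA does not name a specific signal, so this is an assumption), that the controller stores a per-consumer account setting and loyalty-program flag, and that, pending the consumer's confirmation, the controller honours the signal. The record shape, function names and the "honour the signal until confirmed" default are all choices made for illustration.

```python
"""Resolve a consumer's opt-out status for targeted advertising and sale.

Added example; not part of the DataGuidance overview or of the MODPA text.
Assumptions (hypothetical): the opt-out preference signal is the GPC header
"Sec-GPC: 1"; ConsumerRecord mirrors what a controller might store; when a
signal conflicts with an account setting or loyalty enrolment the controller
honours the signal until the consumer confirms otherwise.
"""
from dataclasses import dataclass, replace
from typing import Dict, Mapping, Optional

# Purposes covered by the conflict rule in §14-4607(G)(1).
PURPOSES = ("targeted_advertising", "sale")


@dataclass(frozen=True)
class ConsumerRecord:
    consumer_id: str
    # None: the consumer never set a controller-specific preference.
    # True: opted out at the account level. False: explicitly opted in.
    account_opt_out: Optional[bool]
    loyalty_member: bool          # enrolled in a bona fide loyalty programme
    conflict_confirmed: bool = False  # consumer already resolved a conflict


@dataclass(frozen=True)
class Decision:
    opt_out: Dict[str, bool]  # purpose -> whether processing must stop
    conflict: bool            # True: controller may notify and offer a choice
    reason: str


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True if the request carries a GPC opt-out signal.

    HTTP header names are case-insensitive; the GPC draft defines the
    header value as the single character "1".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: Mapping[str, str], record: ConsumerRecord) -> Decision:
    """Combine the request-level signal with the stored consumer record."""
    if not gpc_signal_present(headers):
        # No signal: the account-level setting governs; unset means not opted out.
        status = bool(record.account_opt_out)
        return Decision({p: status for p in PURPOSES}, False,
                        "no signal; account setting applied")

    # A signal is present. It conflicts with an explicit opt-in or with
    # loyalty-programme participation, unless the consumer already resolved it.
    conflicting = (record.account_opt_out is False or record.loyalty_member)
    if conflicting and not record.conflict_confirmed:
        # Honour the signal while the consumer is given the choice to confirm
        # the account setting or programme participation (design choice).
        return Decision({p: True for p in PURPOSES}, True,
                        "signal honoured pending consumer confirmation")
    if conflicting and record.conflict_confirmed:
        # Consumer confirmed the account setting / participation: it stands.
        status = bool(record.account_opt_out)
        return Decision({p: status for p in PURPOSES}, False,
                        "consumer confirmed controller-specific setting")
    return Decision({p: True for p in PURPOSES}, False, "signal honoured")


def confirm_choice(record: ConsumerRecord, keep_account_setting: bool) -> ConsumerRecord:
    """Apply the consumer's answer to the conflict notice.

    keep_account_setting=True keeps the existing setting / participation and
    marks the conflict as resolved; False converts the signal into an
    account-level opt-out so the choice persists across devices and browsers.
    """
    if keep_account_setting:
        return replace(record, conflict_confirmed=True)
    return replace(record, account_opt_out=True, conflict_confirmed=True)


if __name__ == "__main__":
    # Constructed sample request and record, for a stand-alone run.
    req = {"Sec-GPC": "1", "User-Agent": "example"}
    member = ConsumerRecord("c-42", account_opt_out=False, loyalty_member=True)
    print(resolve_opt_out(req, member))
    print(resolve_opt_out(req, confirm_choice(member, keep_account_setting=True)))
```

The point of the record's `conflict_confirmed` flag is that a consumer who has already answered the conflict notice should not be asked again on every request that carries the signal; without it, the notice degenerates into the kind of repeated prompt that undermines the opt-out right the statute is protecting.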

8.6. Right to data portability

Where processing is carried out by automated means, consumers have the right to obtain a copy of the personal data the controller processes about them in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance (§14-4605(B)(5) of the MODPA).

8.7. Right not to be subject to automated decision-making

Profiling means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable consumer's economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements (§14-4601(AA) of the MODPA).

As mentioned above in the section on the right to object/opt-out, consumers have the right to opt-out of processing of personal data for the purposes of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer (§14-4605(B)(7)(III) of the MODPA).

8.8. Other rights

Not applicable.

9. Penalties

A violation of the MODPA is an unfair, abusive, or deceptive trade practice and is subject to the enforcement and penalty provisions of Title 13 of the Commercial Law Article of the Maryland Code (§14-4613(A) of the MODPA). The MODPA does not prevent consumers from pursuing any other remedies provided by law (§14-4613(B) of the MODPA).

Before initiating an enforcement action, the Division may issue a notice of violation to the controller or processor if the Division determines that a cure is possible. The controller or processor then has at least 60 days from receipt of the notice to cure the violation. If it fails to cure the violation within the period specified by the Division, the Division may bring an enforcement action as described above (§14-4614 of the MODPA). This cure mechanism applies only to enforcement actions for alleged violations that occur on or before April 1, 2027.

The Division may consider the following when determining whether to grant a controller or processor an opportunity to cure an alleged violation (§14-4614(D) of the MODPA):

  • the number of violations;

  • the size and complexity of the controller or processor;

  • the nature and extent of the controller's or processor's processing activities;

  • the likelihood of injury to the public;

  • the safety of persons or property;

  • whether the alleged violation was likely caused by a human or technical error; and

  • the extent to which the controller or processor has violated the MODPA or similar laws in the past.

9.1. Enforcement decisions

Not applicable.