InfoLawGroup LLP


Maryland joins the privacy party, enacts comprehensive data privacy law and child privacy law

by: Dave Radmore

On Thursday May 9, Maryland governor Wes Moore signed a pair of data privacy bills that arguably make Maryland the strictest protector of consumer data in the nation. The pair of data privacy laws, Senate Bill 541 named the Maryland Online Data Privacy Act of 2024 (“MODPA”), and Senate Bill 571, referred to as the Maryland Kids’ Code (“MKC”), are set to go into effect on October 1st, 2025, although MODPA will not apply to companies’ data processing activities until April 1st, 2026. In this blog post, we outline some of the key differences from existing privacy laws in the Maryland statutes that companies doing business in the state should be aware of.

Who does MODPA cover?

Maryland’s bill takes a marginally different approach from other state privacy laws in its coverage provisions. The law applies to any person or business[1] that conducts business in the state or provides products and services targeted to Maryland residents, and that over the previous 12 months either:

  • Controlled or processed the personal data of 35,000 or more Maryland residents (excluding data that is used solely to complete a payment transaction); or

  • Controlled or processed the personal data of 10,000 or more Maryland residents and derived more than 20% of the business’ gross annual revenue from the sale[2] of personal data.

Unlike most other comprehensive data privacy laws, nonprofits are not exempted from coverage, except in the extremely narrow scenario where a nonprofit processes personal data to assist law enforcement in investigating insurance fraud or other insurance-related crime or to assist first responders.

What kind of data does MODPA cover?

“Personal Data” is defined as “any information that is linked or can be reasonably linked to an identified or identifiable consumer.” Excluded from the definition of personal data are deidentified data and publicly available data such as government records. This is broadly in line with what appears in other states’ comprehensive data privacy laws.

As is common in other state data privacy laws, there are exemptions for certain types of data, such as data regulated under HIPAA, Gramm-Leach-Bliley, and FCRA, as well as data collected or processed in an employment or business-to-business context. However, unlike any other state law passed to date, MODPA also carves out any personal data collected or used by anyone subject to Maryland’s insurance regulations in furtherance of the business of insurance.

Notable Differences from Other State Privacy Laws

MODPA implements stricter data minimization provisions than have appeared in other state privacy laws to date. MODPA limits the collection of consumer personal data only to what is "reasonably necessary and proportionate to provide or maintain a service/product requested by consumer." This means that, whereas under other state privacy laws a business may collect personal information for essentially any purpose so long as those purposes were disclosed in a notice prior to collection, Maryland has tightened the ability of businesses to collect personal data of consumers only for purposes that can be rationally linked to the business’ actual services or products. This likely means that a business will not be able to operate a “one-size-fits-all” approach to data collected from Maryland consumers, and instead will need to carefully design its data collection practices to tie in to each specific product or service offered, potentially with different data collection practices required for each different product or service.

MODPA implements stricter restrictions on the collection and processing of sensitive personal data. “Sensitive personal data” is defined along broadly similar lines to other state privacy laws. As such, the types of data considered to be “sensitive personal data” include data about a consumer’s racial or ethnic origin, sex life or sexual orientation, status as transgender or nonbinary, religious beliefs, national origin, citizenship or immigration status, genetic data, biometric data, or precise geolocation data (defined as precisely identifying a person’s location within a radius of 1,750 feet, roughly a third of a mile). Similar to Connecticut, MODPA’s definition of sensitive personal data also includes “consumer health data”, defined as personal data used to identify a consumer’s mental or physical health status, including data related to reproductive or sexual health care or gender-affirming treatment.

Most notably, though, MODPA includes within the definition of sensitive personal data any personal data of a consumer that the business knows or has reason to know is a child. MODPA’s definition of “child” references the federal Children’s Online Privacy Protection Act (“COPPA”), which defines “child” as an individual under the age of 13.

Here we see similarly strict data minimization principles appear again, with businesses limited to collecting and processing a consumer’s sensitive personal data only for purposes that are "strictly necessary" to provide or maintain the service or product requested by the consumer. Furthermore, businesses are entirely prohibited from selling sensitive personal data under MODPA. Given the broad definition of “sale”, this means that businesses should begin planning now to assess if they engage in any transfers of data that would constitute sensitive personal data and identify if any such transfers would be prohibited once the law takes effect.

MODPA implements stricter prohibitions on the sale and sharing of consumers’ personal data, including a blanket ban on targeted advertising to anyone under 18. As noted above, MODPA prohibits the sale of any sensitive personal data, but it doesn’t stop there. Businesses are further prohibited from selling personal data of a consumer if the business knows or should have known that the consumer is under the age of 18; similarly, businesses are prohibited from processing a consumer’s personal data for targeted advertising if the consumer is known or should be known to be under 18. This is a stricter standard than in many other state privacy laws, which allow opt-in or opt-out consent to targeted advertising to minors depending on age; MODPA instead effectively bans any targeted advertising to all minors in the state of Maryland.

Businesses are prohibited from processing data in violation of anti-discrimination laws. MODPA includes a prohibition on processing personal data in violation of state or federal laws that prohibit unlawful discrimination. Although we have seen states beginning to pass laws or regulations that regulate against discriminatory impact in the field of AI processing, Maryland’s law appears to extend this to any form of consumer data processing. The impact here means that businesses will have to take extra care to mitigate any risks that their processing of Maryland consumers’ personal data could create discriminatory impacts.

What about the Maryland Kids’ Code?

The second data privacy law signed by Governor Wes Moore, the MKC, is officially titled the Maryland Age-Appropriate Design Code. If that title seems familiar, you’d be correct: the Maryland law is modeled on California’s Age-Appropriate Design Code law, which is currently enjoined by the federal courts following a lawsuit challenging its constitutionality.

MKC’s coverage provisions differ from MODPA. Somewhat unhelpfully, the MKC defines a “child” differently from MODPA, as any Maryland consumer under the age of 18. The MKC’s coverage requirements also differ from MODPA’s, applying only to for-profit entities doing business in Maryland that collect consumer personal data and determine the purposes and means of processing consumer personal data, and that either have gross annual revenue above $25 million, annually buy, receive, sell or share the personal data of 50,000 or more consumers, households or devices for commercial purposes, or derive at least 50% of their annual revenue from the sale of consumer personal data. Because the MKC follows a different coverage model from MODPA, companies will need to conduct two separate analyses to determine whether they fall within the remit of either, both or neither of the Maryland data privacy laws; a company could be required to comply with one but not the other.

MKC prohibits certain activities in relation to products that are “reasonably likely” to be accessed by children. “Reasonably likely” means that it is reasonable to expect that an online product will be accessed by children, based on criteria such as: the product being directed to children as defined under COPPA[3]; reliable evidence, based on audience composition, that the online product or a substantially similar online product is routinely accessed by children; or the product featuring ads marketed to children. The “reasonably likely” criteria also include the business knowing or having reason to know that a user is a child, meaning that potentially any online product where a business determines that one of its users is under the age of 18 could be pulled into coverage under the MKC.

Businesses whose products are “reasonably likely” to be accessed by children are prohibited from certain activities under MKC. Notable prohibitions include profiling child users by default, unless safeguards are put in place to ensure profiling is consistent with the best interests of children and such profiling is necessary to provide the specifically requested online product. Businesses are also prohibited from processing children’s personal data that is not reasonably necessary to provide the specific online product the child is engaging with, echoing the strict data minimization requirements of MODPA. Businesses may not process precise geolocation data of a child unless strictly necessary to provide the online product, and then only with an obvious signal to the child, shown at all times while the geolocation data is being collected, that processing is occurring. Finally, businesses may not allow anyone other than the child’s parent or guardian to monitor the child’s online activity without first notifying the child and the child’s parents or guardians.

Data protection impact assessments required for online products reasonably likely to be accessed by children. No later than April 1, 2026, any covered business that provides an online product reasonably likely to be accessed by children, that is offered to the public on or before April 1, 2026 and will continue to be offered to the public after July 1, 2026, must prepare a data protection impact assessment (“DPIA”) for the product. These DPIAs must assess the risks of whether the product’s data processing practices could lead to various types of harm, including emotional or financial harm, to children using the product, for example through exposing children to being targeted by harmful contacts within the product, signing children up to exploitative contracts, or using design features to encourage continued use of the product in a harmful way. DPIAs must include descriptions of the steps taken to ensure the product and the business have complied with a duty to act consistently with the best interests of children. DPIAs will need to be retained for as long as the respective online product is likely to be accessed by children, and must be revised within 90 days of any material changes made to the relevant online product.

Takeaways

Companies should start to consider whether they are covered by either of Maryland’s new laws and, if so, what changes to existing compliance practices they may need to make before October 2025 and April 2026. As discussed here, the Maryland laws are similar to other state privacy laws, but there are sufficient differences in what the laws require, even between the two Maryland laws, that companies cannot rely solely on their existing practices based on compliance with other state laws.

[1] For ease of reference, we use the term “business” throughout the remainder of this post.

[2] “Sale” is defined as the exchange of personal data by a controller, processor, or the affiliate of a controller or processor, to a third party for monetary or other valuable consideration.

[3] Noting that the definition of a child under COPPA sets a lower age threshold of 13 years compared to the threshold of 18 years under MKC.

Originally published by InfoLawGroup LLP.