Maryland: Bill establishing Online Data Privacy Act signed by Governor

On May 9, 2024, Senate Bill 0541 on an Act concerning the Maryland Online Data Privacy Act of 2024 (MODPA) was signed by Governor Wes Moore and shall take effect on October 1, 2025. The bill would establish the manner in which a controller or processor may process a consumer's personal data, authorizing a consumer to exercise certain rights regarding their personal data and requiring a controller to establish a method for a consumer to exercise certain rights regarding a consumer's personal data.

Scope

MODPA would apply to a person who conducts business in the State of Maryland or produces services or products that are targeted to residents of the State of Maryland and who, during the immediately preceding calendar year, controlled or processed the personal data of:

  • at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

  • at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

MODPA excludes:

  • regulatory, administrative, advisory, executive, appointive, legislative, or judicial bodies of the State of Maryland;

  • national securities associations that are registered under Section 15 of the Federal Securities Exchange Act of 1934 or registered future associations designated in accordance with Section 17 of the Federal Commodity Exchange Act; or

  • financial institutions or affiliates of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (GLBA) and regulations adopted under the GLBA.

Key provisions

MODPA prohibits persons from the following:

  • providing employees or contractors access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;

  • providing processors access to consumer health data unless the person providing access and the processor comply with Section 14-4607 of MODPA; or

  • selling or offering to sell consumer health data without the consent of the consumer.

Furthermore, MODPA provides consumers with the rights to:

  • confirm the processing of personal data;

  • access personal data;

  • correct inaccuracies in personal data;

  • delete personal data;

  • obtain a copy of the personal data;

  • obtain a list of categories of third parties to which the controller has disclosed the consumer's data; and

  • opt out of personal data processing for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Additionally, consumers may designate an authorized agent to opt out of the processing of personal data on their behalf.

You can read the bill here and its legislative history here.