Maryland: Senate Bill establishing Online Data Privacy Act referred to Committee on Finance

On March 7, 2024, Senate Bill 0541, cross-filed with House Bill 0567, for an Act concerning the Maryland Online Data Privacy Act of 2024, was referred to the Committee on Finance after passing its first reading on January 24, 2024.

In particular, the bill aims to generally establish the manner in which a controller or processor may process a consumer's personal data, authorize a consumer to exercise certain rights in regard to their personal data, and require a controller of personal data to establish a method for a consumer to exercise certain rights in regard to the consumer's personal data.

Scope of the bill

The bill would apply to a person who conducts business in the State of Maryland or produces services or products that are targeted to residents of the State of Maryland and who, during the immediately preceding calendar year:

  • controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

The bill does not apply to:

  • regulatory, administrative, advisory, executive, appointive, legislative, or judicial bodies of the State of Maryland;
  • national securities associations that are registered under Section 15 of the Federal Securities Exchange Act of 1934 or registered futures associations designated in accordance with Section 17 of the Federal Commodity Exchange Act; or
  • financial institutions or affiliates of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act (GLBA) and regulations adopted under the GLBA.

Key provisions of the bill

The bill prohibits persons from the following:

  • providing employees or contractors access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
  • providing processors access to consumer health data unless the person providing access and the processor comply with Section 14-4607 of the bill;
  • using a geofence to identify, track, collect data from, or send a notification to a consumer regarding the consumer's health data and within 1,750 feet of a mental health or reproductive or sexual health facility; or
  • selling or offering to sell consumer health data without the consent of the consumer.

Furthermore, the bill provides consumers with the rights to:

  • confirm the processing of personal data;
  • access personal data;
  • correct inaccuracies in personal data;
  • delete personal data;
  • obtain a copy of the personal data;
  • obtain a list of categories of third parties to which the controller has disclosed the consumer's data; and
  • opt out of personal data processing for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Additionally, consumers may designate an authorized agent to opt out of the processing of personal data on their behalf.

Lastly, the bill provides definitions for terms such as 'unfair, abusive, or deceptive trade practices,' 'biometric data,' 'child,' 'consent,' 'identified or identifiable consumer,' 'controller,' 'processor,' 'dark pattern,' 'decisions that produce legal or similarly significant effects concerning the consumer,' 'personal information,' 'sale of personal data,' 'sensitive data,' and 'targeted advertising.'

If enacted, the bill would come into effect from October 1, 2024, and not have any effect on any personal data processing activities before April 1, 2025.

You can read the bill here and track its progress here.

Update: March 14, 2024

Bill passes second reading

On March 11, 2024, the bill passed its second reading with amendments.

You can read the bill here and track its progress here.

Update: March 26, 2024

Bill referred to Committee on Economic Matters

On March 15, 2024, the bill was referred to the House Committee on Economic Matters, after having passed its third reading in the Senate on March 14, 2024.

You can read the bill here and track its progress here.

Update: April 8, 2024

Bill passed by Senate

On April 6, 2024, the bill was passed by the Senate and sent to the Governor, after having passed its third reading in the House on April 4, 2024.

You can read the bill here and track its progress here.

Update: May 10, 2024

Bill signed by Governor

On May 9, 2024, the bill was signed by the Governor and shall take effect on October 1, 2025.

You can read the bill here and its legislative history here.