What happened?

On April 6, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024, sending the bill to the state’s governor for signing. In short, the Act is broader, stricter, and more easily triggered than its peers. Thus, it warrants scrutiny from covered businesses. 

What are the details?

Maryland decided to part ways with other states’ privacy laws.

Key Bites

• Covered entities: any business that:
  • (1) controls or processes the personal data of at least 35,000 consumers or
  • (2) controls or processes the personal data of at least 10,000 consumers and derives more than 20 percent of its gross revenue from the sale o personal data.

• Other items to consider:
  • Ban on sale of personal data
  • Consumer health data
  • Children’s data
  • Universal Opt-out Mechanisms (UOOM)
  • Data Minimization
  • Rulemaking

• As defined in the law, the consumer definition does not include anyone in the employment context (employee, employer, or contractor) and it expressly contemplates employment information as an exception, which means, employment information is not considered part of the potential bill.

• As defined in the law, the consumer definition does not include anyone in the employment context (employee, employer, or contractor) and it expressly contemplates employment information as an exception, which means, employment information is not considered part of the potential bill.
  • (2) “Consumer” does not include:
  • (ii) an individual acting as an employee…of a company, a partnership, a sole proprietorship, a nonprofit organization, or a governmental unit whose communications or transactions with a controller occur only within the context of the individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.
  • (A) this subtitle does not apply to:
  • (11) Data processed or maintained
  • (i) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of the role;
• According to Hush Blackwell Partner David Stauss, the Maryland Data Privacy Act is different and very consequential. For more information click here

Business Considerations

• Complying with Maryland will take more than the standard compliance framework applied to most existing data privacy laws, so employers are encouraged to seek counsel to comply.
• Employers should review and update their privacy policies to ensure they are accurate and up to date. The policies should comply with the new law’s requirements.
• Employers should train their employees on the new law and the company’s privacy policy. This will help ensure that all staff understand the importance of data privacy and the company’s obligations under the new law.
• Employers should be aware of the penalties for non-compliance, in which case, they could be subject to MCPA’s civil and criminal penalty provisions.
• Employers are encouraged to take their time to review and implement accordingly the MODPA

Source References

• Maryland Online Data Privacy Act is broader, stricter, and more easily triggered than many state privacy laws (CONSTANGY, BROOKS, SMITH & PROPHETE, LLP)
• Maryland adds new dimensions to US comprehensive state privacy law patchwork (iapp)
• Maryland Legislature Passes Consumer Data Privacy Bill (Husch Blackwell LLP)
• MARYLAND JOINS GROWING RANKS AND PASSES ITS OWN CONSUMER DATA PRIVACY LAW (McDermott Will & Emery)

Resources

• SB 541

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.