Maryland enacts comprehensive state privacy law

Introduction

The Maryland privacy law, known as the Maryland Online Data Privacy Act (MODPA), applies to a wide range of personal data, including biometric data, genetic data, and data related to racial or ethnic origin, national origin, religious beliefs, sexual orientation, and immigration status. This comprehensive approach ensures that all aspects of personal data are protected, providing high security for sensitive information.

Under this law, any identified or identifiable consumer’s data falls under its protection. The law also addresses data processed in various commercial or employment-related contexts. This extensive coverage ensures that individuals’ personal data is adequately protected regardless of how it is used or collected.

Key provisions and consumer rights

Maryland’s new comprehensive state privacy law, known as the Maryland Online Data Privacy Act (MODPA), introduces several key provisions and consumer rights to enhance data privacy and protection for Maryland residents.

Key provisions

1. Data protection assessments: Businesses must conduct regular data protection assessments to identify and mitigate risks associated with personal data processing activities. These assessments must be documented and made available to regulatory authorities upon request.

2. Prohibition on the sale of sensitive data: The law prohibits the sale of sensitive data, including biometric data, genetic data, and health information, unless explicit consent is obtained from the consumer.

3. Strict data processing requirements: Businesses are restricted from collecting and processing personal data unless it is strictly necessary to provide a product or service requested by the consumer.

4. Employee data protection: The law prevents companies from accessing the consumer health data of their employees unless a confidentiality agreement is in place.

Consumer rights

1. Right to access: Consumers have the right to access their personal data and obtain information about how their data is being processed.

2. Right to correct: Consumers can request corrections to inaccuracies in their personal data.

3. Right to delete: Consumers have the right to request the deletion of their personal data under certain conditions.

4. Right to opt-out: Consumers can opt-out of the sale of their personal data and the use of their data for targeted advertising.

5. Right to data portability: Consumers have the right to receive their personal data in a commonly used, machine-readable format and transfer it to another service provider.

Data protection assessments and compliance obligations

Businesses that process personal data must conduct data protection assessments to identify and mitigate risks associated with their data processing activities. These assessments are crucial for ensuring that data protection measures are in place and that personal data is processed in compliance with the law.

The law mandates businesses to document data protection assessments and maintain reasonable administrative, physical, and technical safeguards to protect personal data. Compliance obligations also include training employees on data privacy practices and ensuring that third-party service providers adhere to the same data protection standards.

Handling consumer health data

Under Maryland’s privacy law, consumer health data, including data related to mental health status and services requested from mental health facilities, is given special attention. The law recognizes the sensitive nature of health data and imposes stringent requirements on its processing and protection.

Protected health information (PHI) collected by covered entities under HIPAA is also subject to this law, ensuring that health data is handled with the highest level of security. This includes traditional health data and data collected through consumer health applications and devices.

Regulation of biometric and genetic data

Maryland privacy law includes specific provisions for protecting biometric and genetic data. Biometric data, such as fingerprints, facial recognition data, iris scans, and genetic data, are classified as sensitive data and are subject to strict processing and protection standards.

Businesses that collect or process such data must obtain explicit consumer consent before doing so. Additionally, they are required to implement robust security measures to prevent unauthorized access to and use of biometric and genetic data.

Excluding personal data controlled by financial institutions

Financial institutions are subject to specific regulations under the Fair Credit Reporting Act (FCRA) and other existing state laws. The Maryland privacy law excludes personal data controlled by financial institutions from its scope, recognizing that these entities are already heavily regulated.

However, financial institutions must still adhere to the general principles of data protection and ensure that personal data is processed in a manner that respects consumer rights and privacy. This includes implementing measures to secure personal data and prevent breaches.

Addressing data related to national securities associations

Data related to national securities associations registered under federal law is also excluded from the scope of the Maryland privacy law. These associations are governed by specific federal regulations that address data privacy and protection, ensuring that personal data is handled appropriately.

Nevertheless, these associations are encouraged to align with the broader principles of data protection outlined in the Maryland privacy law to ensure comprehensive privacy protections for all personal data processed.

Impact on targeted advertising and data sales

The Maryland privacy law places significant restrictions on targeted advertising and the sale of sensitive data. Businesses are prohibited from selling sensitive data without obtaining explicit consumer consent. This includes data related to race, ethnicity, religious beliefs, sexual orientation, health, and biometric information.

Consumers have the right to opt-out of targeted advertising, ensuring that their personal data is not used for profiling or advertising purposes without their consent. This provision aims to protect consumers from invasive marketing practices and enhance their control over their personal data.

Requirements for data controllers and processors

Under Maryland privacy law, data controllers and processors must adhere to stringent data protection standards and implement measures to ensure that personal data is processed lawfully, transparently, and securely. This includes conducting data protection impact assessments and maintaining detailed records of data processing activities.

Controllers and processors must also ensure they have appropriate contractual or statutory obligations with third-party service providers to safeguard personal data. This ensures that data protection extends beyond the primary controller and includes all parties involved in the data processing.

Safeguarding sensitive data and physical data security practices

The Maryland privacy law emphasizes the importance of safeguarding sensitive data and implementing physical data security practices. This includes protecting data from unauthorized access, breaches, and other security threats. Businesses must ensure that they have robust security protocols to protect personal data from physical and cyber threats.

Regular audits and assessments of data security practices are required to identify vulnerabilities and implement corrective actions. This proactive approach ensures that personal data remains secure and businesses are prepared to respond to potential security incidents.

The role of the Consumer Protection Division

The Consumer Protection Division (CPD) of Maryland plays a vital role in safeguarding consumers’ rights and interests. The CPD offers various services and performs multiple functions to ensure consumer protection and fair business practices.

Key functions

1. Investigating complaints: The CPD investigates consumer complaints about unfair, abusive, and deceptive trade practices. This includes handling issues with businesses, health insurance carriers, and other service providers.

2. Mediating disputes: The division also mediates disputes between consumers and businesses to reach amicable resolutions. This can include landlord-tenant disputes and other consumer-related conflicts.

3. Enforcing consumer laws: The CPD enforces state and federal consumer protection laws, bringing actions against entities that violate these regulations to protect Maryland consumers from fraudulent and deceptive practices.

Services provided

1. Consumer education: The division provides educational resources to inform consumers about their rights and responsibilities, helping them make informed decisions and avoid scams.

2. Identity theft assistance: CPD offers assistance to consumers who have been victims of identity theft, helping them recover and protect their personal information.

3. Complaint filing: Consumers can file complaints through the CPD, which become matters of public record. This transparency helps in the broader effort to monitor and improve consumer protection efforts.

4. Home builder information: The division provides information on home builders, including a guaranty fund and sales representative information, ensuring that consumers can access reliable information before making significant purchases.

By fulfilling these roles, the Consumer Protection Division of Maryland ensures that consumer rights are upheld and that there is a fair and just marketplace for all residents.

Compliance and penalties for violations

Businesses that fail to comply with the Maryland privacy law face significant penalties. The law provides for both civil and criminal penalties for violations, depending on the severity and nature of the breach. This includes fines, sanctions, and potential imprisonment for egregious violations.

Penalties for violations

• Civil penalties: The Maryland Attorney General’s Office enforces the MODPA and can impose civil penalties for non-compliance. For first-time offenses, fines can be up to $10,000 per violation.

• Repeat violations: The penalties for repeat violations are more severe, with fines reaching up to $25,000 per violation. This escalation aims to deter businesses from recurring non-compliance and ensure adherence to the law.

• Enforcement actions: The Attorney General can bring actions in court to seek injunctive relief and other remedies to enforce compliance. This includes the authority to investigate potential violations and take appropriate legal action.

The law also includes provisions for consumers to seek redress for violating their data privacy rights. This includes the right to file complaints with the CPD and pursue legal action for damages resulting from data breaches or other law violations.

Conclusion

Maryland’s comprehensive state privacy law significantly advances data protection and privacy rights. By addressing the full spectrum of personal data, from consumer health data to biometric and genetic data, the law ensures that individuals’ personal information is safeguarded against unauthorized access and misuse.

The law empowers consumers with robust rights to control their personal data and places stringent obligations on businesses to protect this data. Maryland’s lead in state-level privacy protections sets a high standard for other states to follow, promoting a culture of transparency, accountability, and respect for privacy in the digital age.