Governor Signs New Maryland Online Data Protection Act Of 2024!
The Governor of Maryland has signed the new Maryland Online Data Protection Act of 2024 into law. The law will apply to those who conduct business in the state or provide products or services to residents of the state. The effective date is October 1, 2025. Maryland does not provide a private right of action but does allow consumers to pursue other remedies provided by law; however, that will not be an option until on or after April 1, 2027.
It covers a business that controlled or processed the personal data of at least 35,000 consumers, or of at least 10,000 consumers while deriving more than 20% of its gross revenue from the sale of personal data.
Consumers will be afforded the following rights, free of charge, once in every 12-month period:
- Right to Know
- Right to Access
- Right to Correct
- Right to Delete
- Right to Data Portability
- Right to Obtain a List of Categories of Third Parties
- Right to Opt Out of:
  - Targeted Advertising
  - Sale of Personal Data
  - Automated Decisioning
Businesses will have up to 45 days to respond and may obtain an additional 45 days if that is reasonably necessary given the complexity of the request, provided the consumer is informed of the extension within the first 45 days of the initial request. If a consumer request is declined, the business shall inform the consumer without delay, and within 45 days, of the justification for declining the request and provide instructions on how to appeal the decision. If an appeal is made, the consumer should be informed in writing within 60 days of any action taken or not taken and the reasons. If the appeal is denied, the consumer must be provided with an online option, if available, to submit a complaint to the Division.
Businesses must:
- Establish a secure and reliable method for consumers to exercise their rights
- Establish an appeal process for declined requests
- Limit collection of personal data to what is reasonably necessary to provide or maintain specific products or services requested by a consumer
- Establish and maintain reasonable data security practices
- Provide an effective option for consumers to revoke consent as easily as they provided consent
  - Revocation of consent shall take effect as soon as possible but not later than 30 days
- Include a link on the webpage that allows a consumer to opt out of targeted advertising for the sale of personal data
- By October 1, 2025, be able to receive consumers' opt-out preference signals
Businesses may not:
- Collect or share sensitive data unless strictly necessary to provide or maintain a specific product or service;
- Sell sensitive data;
- Process personal data in violation of state or federal law that prohibits unlawful discrimination;
- Process personal data of consumers for targeted advertising if they know or should have known the consumer is under the age of 18;
- Sell personal data of consumers if they know or should have known the consumer is under the age of 18;
- Discriminate against a consumer for exercising their rights;
- Process personal data for a purpose that is not reasonably necessary or compatible with the disclosed purpose unless they obtain consumer consent.
The Privacy Policy must provide the consumer with a reasonably accessible, clear, and meaningful notice that includes:
- Categories of personal and sensitive data processed;
- The purpose for processing;
- How consumers may exercise their rights;
- How to make an appeal;
- How to revoke consent;
- Categories of third parties with which personal data is shared, at a level of detail that lets consumers understand the type of business or processing each third party does;
- Categories of personal and sensitive data shared with third parties;
- An active email address or other method by which a consumer can contact the business.
There are exemptions offered. See the bill text at the link below.
Text – Enrolled – Maryland Online Data Privacy Act of 2024
HB0567

