Last month, the Maryland legislature passed the Maryland Online Data Privacy Act (“MODPA”). Pending the Governor’s signature, Maryland will become the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Nebraska.

MODPA contains unique provisions that will require careful analysis to ensure compliance, including: data minimization requirements; restrictions on the collection, sale, or transfer of sensitive data; and consumer health data-related obligations.  These unique provisions have the potential to create additional work streams even for companies that have come into compliance with existing state laws.  This blog post summarizes the statute’s key takeaways.

  • Scope: The MODPA applies to processors whose business targets Maryland residents and who, during the preceding year, controlled or processed the data of at least 35,000 Maryland consumers or of at least 10,000 Maryland consumers while deriving more than 20% of gross revenue from the sale of personal data.  The MODPA includes many exemptions present in other state comprehensive privacy laws, including exemptions for certain nonprofits, state government entities, financial institutions, and protected health information under HIPAA, among others.
  • Consumer Rights:  The MODPA provides consumers with rights found in many other state comprehensive privacy laws.  These rights include access, correction, deletion, and portability, and rights to opt out of processing for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions.  The MODPA also will require controllers to honor opt-out preference signals.
  • Data Minimization Requirements:  The MODPA restricts the collection of personal data to what is reasonably necessary to maintain or provide the requested product or service, with even more stringent data minimization expectations for sensitive data, as discussed below.  Additionally, the Act would require controllers to obtain consent prior to processing personal data for a purpose that is not reasonably necessary to or compatible with the disclosed purpose for which the personal data is processed.  Helpfully, the MODPA provides that controllers and processors are not restricted from their ability to engage in an enumerated list of processing activities (e.g., protecting against and investigating fraud and security incidents and for internal use to perform certain internal operations reasonably anticipated by consumers), although only to the extent such processing is reasonably necessary and proportionate to the enumerated purposes.
  • Sensitive Personal Data Restrictions:  The MODPA would broadly prohibit the sale of sensitive personal data, and restrict the collection, processing, or sharing of sensitive personal data except when “strictly necessary to provide or maintain a specific product or service requested by the consumer.”  The MODPA defines sensitive personal data to include:  racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status; genetic or biometric data; personal data collected from a consumer under 13 years old; precise geolocation data; and certain consumer health data.
  • Consumer Health Data:  The MODPA’s definition of consumer health data encompasses personal data that the controller uses to identify a consumer’s physical or mental health status, including data related to gender-affirming treatment or reproductive or sexual healthcare.  A person may not grant an employee or contractor access to consumer health data unless the recipient is subject to a contractual or statutory duty of confidentiality, or confidentiality is required as a condition of employment.  Consumer health data is considered sensitive personal data under the MODPA.  As such, the MODPA’s restrictions on sensitive personal data would similarly apply to consumer health data.  Like Connecticut, Maryland’s privacy law would also prohibit the use of geofence technology to establish a virtual boundary around certain health facilities for the purpose of identifying, tracking, or collecting data from, or sending notifications to consumers regarding the consumers’ consumer health data.
  • Consumers Under 18 Years Old:  The MODPA would prohibit the sale, or processing for purposes of targeted advertising, of personal data of consumers under the age of 18 years. 
  • Anti-discrimination:  The MODPA would prohibit, with limited exceptions, the collection, processing, or transferring of personal data or publicly available data “in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability.” 
  • Data Protection Assessments:  The Act would require data protection assessments for processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), and the processing of sensitive data, among others.
  • Loyalty Program Conditions:  Under the MODPA, controllers would be prohibited from conditioning consumer participation in loyalty programs on the sale of consumer personal data. 
  • Enforcement: MODPA grants exclusive enforcement power to the Maryland Attorney General and provides for a 60-day cure period that sunsets April 1, 2027. 

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Hensey A. Fenton III

Hensey Fenton specializes in providing advice and guidance to clients on legislative and regulatory strategies. Hensey counsels clients on a myriad of issues in the policy and regulatory space, including issues involving cybersecurity, financial services, artificial intelligence, digital assets, international trade and development, and tax.

Another facet of Hensey’s practice involves cutting-edge legal issues in the cybersecurity space. Having published scholarly work in the areas of cybersecurity and cyberwarfare, Hensey keeps his finger on the pulse of this fast-developing legal field. His Duke Journal of Comparative & International Law article, “Proportionality and its Applicability in the Realm of Cyber Attacks,” was highlighted by the Rutgers Computer and Technology Law Journal as one of the most important and timely articles on cyber, technology and the law. Hensey counsels clients on preparing for and responding to cyber-based attacks. He regularly engages with government and military leaders to develop national and global strategies for complex cyber issues and policy challenges.

Hensey’s practice also includes advising international clients on various policy, legal and regulatory challenges, especially those challenges facing developing nations in the Middle East. Armed with a distinct expertise in Middle Eastern foreign policy and the Arabic language, Hensey brings a multi-faceted approach to his practice, recognizing the specific policy and regulatory concerns facing clients in the region.

Hensey is also at the forefront of important issues involving Diversity, Equity and Inclusion (DEI). He assists companies in developing inclusive and sustainable DEI strategies that align with and incorporate core company values and business goals.

Prior to joining Covington, Hensey served as a Judicial Law Clerk for the Honorable Judge Johnnie B. Rawlinson, United States Court of Appeals for the Ninth Circuit. He also served as a Diplomatic Fellow in the Kurdistan Regional Government’s Representation (i.e. Embassy) in Washington, DC.

Jorge Ortiz

Jorge Ortiz is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Technology and Communications Regulation Practice Groups.

Jorge advises clients on a broad range of privacy and cybersecurity issues, including topics related to privacy policies and compliance obligations under U.S. state privacy regulations like the California Consumer Privacy Act.

Priya Leeds

Priya Sundaresan Leeds is an associate in the firm’s San Francisco office. She is a member of the Privacy and Cybersecurity Practice Group. She also maintains an active pro bono practice with a focus on gun control and criminal justice.

Jess Gonzalez Valenzuela

Jess (they/them & she/her) is an associate in the firm’s Palo Alto office and is a member of the Privacy and Cybersecurity and Corporate practice groups.

Jess helps clients address complex, cutting-edge challenges to manage data privacy and cybersecurity risk, including by providing regulatory compliance advice in connection with specific business practices and assisting in responding to cybersecurity incidents. Jess also maintains an active pro bono practice.

Jess is committed to DEI efforts in the legal profession, is a member of Covington’s LGBTQ+ and Latino Affinity Groups, and is working to develop a first generation professionals network and a disability advocacy network at Covington.