On May 9, 2024, Maryland Governor Wes Moore signed Senate Bill 541, known as the Maryland Online Data Privacy Act, making Maryland the eighteenth state in the U.S. to implement comprehensive data privacy legislation. The law will take effect on October 1, 2025, and will be enforced exclusively by the Maryland Office of the Attorney General’s Consumer Protection Division. There is no private right of action under this act.
The Maryland Online Data Privacy Act applies to individuals or legal entities that control or process personal data of at least 35,000 Maryland consumers or 10,000 Maryland consumers while deriving more than 20% of gross revenue from the sale of personal data. This threshold is notably lower than other state laws. The Act exempts certain entities, including government agencies, financial institutions, and non-profit organizations that assist law enforcement, as well as specific types of data, such as consumer credit-reporting data and health care data covered by HIPAA.
The Act grants Maryland residents rights similar to those in other state data privacy laws, such as confirming data processing, correcting inaccuracies, deleting personal data, obtaining a copy of their data, and opting out of data processing for targeted advertising. Controllers must respond to consumer requests within 45 days and provide a mechanism for consumers to appeal denials. Controllers are also required to disclose if they sell personal data and provide a method for consumers to opt out.
The Maryland Online Data Privacy Act imposes several obligations on controllers, including limiting data collection, implementing data security practices, and conducting data protection assessments. Controllers must also provide a clear privacy notice to consumers and ensure that processors comply with the Act’s requirements. The Attorney General can enforce the law by issuing notices of violation and seeking court actions, including civil penalties of up to $25,000 for repeated violations.
Reference:
