The final weeks for many state legislatures have witnessed significant movements in the U.S. data privacy landscape. Last month, Nebraska Governor Jim Pillen signed the Data Privacy Act, LB1074, into law. This month, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act (MODPA), SB541/HB567, and the Maryland Age-Appropriate Design Code Act, HB 603, into law. Finally, Vermont and Minnesota stand ready with the Vermont Data Privacy Act, H.121, and the Minnesota Consumer Data Privacy Act, SF4942/HF4975, which were passed by both chambers in their respective states and currently await the governor’s signature.
In this post, we discuss the first two updates listed above, with a specific focus on Maryland’s new privacy law because it meaningfully deviates from the state privacy models that have previously passed. As we elaborate upon below, the law has strict data minimization and sensitive data requirements, both of which may require companies to update their compliance programs. Companies should also pay attention to the discussions Congress is having about the American Privacy Rights Act, which, if passed, has the potential to preempt the entire patchwork of state comprehensive privacy laws.
To keep up-to-date on the latest patchwork of US data privacy laws, be sure to subscribe to the WilmerHale Cybersecurity and Privacy Law Blog.
The Maryland Online Data Privacy Act
The MODPA is modeled after the Washington Privacy Act and includes new and significant obligations that differentiate it from the current cohort of comprehensive state privacy laws. MODPA contains stricter sensitive data provisions and asserts an anti-discrimination provision that prohibits controllers from collecting, processing, or transferring personal data or publicly available data “in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services” on the basis of protected characteristics. A violation of the MODPA constitutes an unfair, abusive, or deceptive trade practice, which subjects the violator to the enforcement authority of Maryland’s Consumer Protection Act (CPA). The CPA authorizes the Division of Consumer Protection in the Office of the Maryland Attorney General (the Division) to seek restitution, injunctive relief, and fines for violations.
Notable Takeaways
- Broad scope of applicability. Businesses that might have previously been exempt because they did not fall within the scope of other enacted comprehensive state laws may find themselves subject to the MODPA. The Act applies to entities that conduct business in Maryland or target products to Maryland residents and that either controlled or processed the data of at least 35,000 consumers, or controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. The 35,000-consumer threshold will oblige many small and mid-size companies to abide by the law’s requirements, as there is also no small business exemption.
- Stricter treatment of sensitive data. The Act prohibits the selling of sensitive data, which deviates from other laws that create an opt-in or opt-out requirement for the processing of such data. The Act also mandates that sensitive data may only be collected or processed if “strictly necessary to provide or maintain a specific product or service requested by the consumer,” which establishes a high standard for any use of sensitive data by controllers.
- Potentially expansive definition for “consumer health data.” The Act includes “consumer health data” within the scope of sensitive data and defines consumer health data as “personal data that a controller uses to identify a consumer’s physical or mental health status”. The law also includes data relating to gender-affirming treatment and reproductive or sexual health care as part of this definition. If the data is considered consumer health data, all the elevated requirements for sensitive data (highlighted above) would apply.
- Two-tier compliance date. The Act takes effect on October 1, 2025, with the caveat that no actions will be taken on processing activities until April 1, 2026. This establishes a longer window for businesses to update their privacy practices, if needed.
- Privacy violations as unfair or deceptive trade practices. The MODPA states that any violation of the Act constitutes a violation of the state’s consumer protection act for unfair or deceptive trade practices. This folds the Act’s new requirements into the Division’s existing, ready-made enforcement structure.
Key Provisions
- Applies to entities that conduct business in Maryland or provide products or services targeted to Maryland residents and that in the preceding calendar year: (1) Controlled or processed the data of at least 35,000 consumers (excluding payment transactions) or (2) controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.
- Exempts various entities and information types, including: state and local government entities; financial institutions or data subject to the GLBA; personal data collected by insurance companies; protected health information governed by HIPAA; nonprofit entities that assist insurance fraud investigations and first responders; information governed by FCRA, the Driver’s Privacy Protection Act (DPPA), FERPA, and the Farm Credit Act; and certain employment-related information.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Defines “sale of personal information” to include exchanges of personal information by a controller, a processor, or an affiliate of a controller or processor “for monetary or other valuable consideration.”
- Creates rights for consumers, including: the right to confirm whether a controller is processing a consumer’s personal information; the right to access said personal information; the right to correct inaccurate personal information; the right to delete personal information; the right to obtain a copy of personal data processed by the controller if it is processed automatically; and the right to opt out of the processing of personal information for purposes of sale of personal information, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- The bill instructs a controller to establish a “secure and reliable method” for consumers to exercise their rights.
- Controllers can either (1) provide a “clear and conspicuous link on [its website]” to allow a consumer to opt out of targeted advertising or their personal data being sold or (2) recognize opt-out preference signals by the time the bill goes into effect (October 25, 2025).
- Unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer,” the bill prohibits controllers from collecting, processing, sharing, or selling sensitive data.
- A controller is also prohibited from processing the personal data or selling the personal data of a consumer if it “knew or should have known” the consumer was under 18 years old.
- A controller must get a consumer’s consent to process personal data for a purpose beyond what is reasonably necessary or compatible with the initial disclosed purpose.
- Requires that controllers provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that includes: categories of personal information processed; purposes for said processing; description of how consumers may exercise their data rights; categories of personal information the controller sells to third parties; and categories of third parties to which controller sells personal information.
- Prohibits controllers from collecting, processing, or transferring personal data or publicly available data “in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability.”
- Requires that the controller conduct a data protection assessment for each activity that presents a heightened risk of harm to a consumer. This assessment must include an assessment of each algorithm that is used. It will only apply to processing activities that occurred after October 1, 2025.
- Processing activities that “present a heightened risk of harm to a consumer” include targeted advertising, the processing of sensitive data, and profiling if it presents a “reasonably foreseeable risk” of injury (i.e., unfair, abusive, or deceptive treatment; disparate impact; financial, physical, or reputational injury; intrusion on seclusion; or other substantial injury to a consumer).
- A controller that discloses deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments for the deidentified data, including addressing breaches.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Does not establish a private right of action; rather, the Division of Consumer Protection in the Office of the Maryland Attorney General enforces against violations and can seek restitution, injunctive relief, and fines.
- Fines can be up to $10,000 per violation. However, in the instances of repeat violations, fines can increase up to $25,000 for each violation.
- Grants the Division the option to provide notice and a cure period of at least 60 days for a violation before initiating an action. The bill lists multiple factors that the Division may consider when determining whether to grant a cure period. These factors include the size and complexity of the controller or processor, and whether the alleged violation was caused by human or technical error on the part of the entity.
- Likely permits rulemaking through another section of Maryland code (Maryland Code § 13-205) that authorizes the AG’s Division of Consumer Protection to engage in permissive rulemaking to clarify and define “specific unfair or deceptive trade practices.”
- Takes effect on October 1, 2025, but no actions will be taken on processing activities until April 1, 2026.
The Nebraska Data Privacy Act
The Nebraska Data Privacy Act (NDPA), which goes into effect on January 1, 2025, generally follows the model adopted by other states, though it is most similar to Texas’s privacy law. Controllers must post privacy policies, minimize data collection, obtain consent for sensitive data processing, recognize universal opt-out mechanisms, and conduct data protection assessments for high-risk processing activities. The law also grants the common set of consumer data privacy rights found in other state laws. One notable provision is the mandate that even small businesses must obtain opt-in consumer consent to sell sensitive personal data. Enforcement is exclusive to the Nebraska attorney general, with penalties up to $7,500 per violation. Finally, the NDPA allows a 30-day cure period before enforcement action can be taken.