Maryland’s New Approach to Data Minimization Creates Unique Compliance Issues

On May 9, 2024, Governor Wes Moore signed the Maryland Online Data Privacy Act (MODPA) making Maryland the seventeenth state to enact a comprehensive data privacy law. The law takes effect October 1, 2025, but it does not apply to any personal data processing activities before April 1, 2026. The full text can be found here. For more information on MODPA’s applicability thresholds, exemptions, and consumer rights, check out our client alert on the law, which you can view here.

While MODPA shares certain similarities with other “Virginia Model” state laws, it deviates substantially from the laws we’ve seen thus far in a few key ways. The law lays out new, robust data minimization requirements that may significantly alter the way personal data is collected. It also creates enhanced protections for sensitive data, health data, and children’s data.

Where MODPA differs the most from other states’ privacy laws is in its data minimization requirements. The current norm across most states’ laws requires that a business’s collection of a consumer’s personal data be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected. This standard is relatively permissive: so long as a business discloses the purposes for which it collects personal information, its ability to process that data is not otherwise restricted (apart from limitations on the processing of certain categories of data). Maryland’s data minimization requirements, however, are the first of their kind, imposing a stricter standard for evaluating what collection is permissible.

To comply with Maryland’s law, companies must limit personal data collection to what is reasonably necessary and proportionate to maintain or provide a product or service requested by the consumer. The collection of data must be connected to the product or service being provided, not merely to a disclosed, but otherwise unrelated, purpose. Based on this statutory language, this limitation applies even if a controller were to obtain a consumer’s consent for collection unrelated to a requested product or service. This may impose significant limitations on the collection of data for things like targeted advertising, marketing campaigns, and other consumer research that is not directly related to product improvements. It is worth pointing out that this limitation applies only to collection, and not to either processing or disclosure. MODPA’s purpose limitation specifies that a controller may not, “unless [it] obtains the consumer’s consent, process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed.” (Emphasis added.) Thus, while collection may not be premised on consent, processing may. Additionally, MODPA does not clearly define what it means for collection to be “connected to a product requested by the consumer,” so how strict this requirement will be in practice remains to be seen. Companies should evaluate their current data collection practices to determine whether they already adhere to MODPA’s data minimization requirements and, if not, what changes they need to implement to comply with the law.

The data minimization requirement in MODPA is even stricter for sensitive personal data, which includes, among other categories, data revealing a consumer’s race, ethnicity, or sexual orientation. Controllers may only collect, process, and share consumers’ sensitive personal data when the data is strictly necessary to provide or maintain a product or service requested by the consumer. The law also prohibits the sale of sensitive personal data. “Sale of personal data” means the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration. Note, however, that MODPA’s definition of “sale” contains several exceptions. For example, the disclosure of personal data to a third party for the purpose of providing a product or service affirmatively requested by the consumer is not a sale.

Maryland defines biometric data more broadly than other states. While the CCPA and similar laws limit biometric data to biological characteristics that are used or intended to be used to identify an individual, MODPA’s broader definition includes biological characteristics that can be used to authenticate a consumer’s identity, regardless of intent or actual use. Under this definition, a company need not actually connect the biometric data to a specific person or intend to identify a specific person. Rather, it includes any such information that can be used to identify a person, significantly widening the amount of data that can be considered biometric. The combination of stringent data minimization requirements for sensitive personal data, the prohibition on sales of sensitive personal data regardless of consumer consent, and the broad definition of biometric data can make compliance with Maryland’s law uniquely challenging.

In addition, MODPA follows a growing body of laws creating strong protections for consumer health data. It also defines consumer health data somewhat more broadly than some other states do. Connecticut’s Data Privacy Act, for example, defines the term to mean “personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis.” MODPA takes an approach closer to the one used in Washington’s My Health, My Data Act, which defines consumer health data as information that is “linked or reasonably linkable” to consumer health. Consumer health data under Maryland’s law is any personal data that a controller uses to identify a consumer’s physical or mental health status, including data related to gender-affirming care treatment or reproductive or sexual health care. Maryland’s law is broader in that it applies to data that is used to identify a consumer’s health “status,” with no requirement of a condition or diagnosis. Companies in the health space that are not governed by HIPAA should be aware of these distinctions.

The law requires employees, contractors, and data processors to sign confidentiality agreements before accessing consumer health data. It also prohibits the creation of a virtual boundary (a geofence) within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, or collecting data from, or sending any notification to, a consumer regarding the consumer’s consumer health data. This mirrors similar prohibitions found in both the Connecticut Data Privacy Act (CTDPA), as amended by Public Act No. 23-56, and the Washington My Health, My Data Act (MHMD), though MHMD uses a 2,000-foot radius. New York law contains a similar ban, but focuses more narrowly on digital advertisers.

MODPA also creates stronger protections for children’s data than other state privacy laws by prohibiting the sale of children’s data and banning targeted advertising to children. These requirements apply when a company knew or “should have known” that a consumer is under 18. This is stricter than other laws, which require actual knowledge of a consumer’s age and often allow for opt-in consent to targeted advertising directed at minors. The exceptions to the definition of sale may be useful when determining how a company will comply with MODPA’s protections for children’s data. For example, “sale” does not include the disclosure of information that a consumer made available to the general public through a channel of mass media and did not restrict to a specific audience, which could potentially include information shared on social media.

Lastly, MODPA differs from most state privacy laws by including an anti-discrimination provision. Companies may not process personal data in a way that unlawfully discriminates on the basis of race, religion, national origin, sex, sexual orientation, or disability.

As states continue to come out with their own privacy laws, companies should be vigilant in assessing the differences between them. Due to the low threshold requirements, companies should evaluate whether they will need to comply with Maryland’s law. While the law is not yet enforceable, businesses should start planning for future compliance.

This article was written with the assistance of Aline Martins, a 2024 summer associate in the firm’s New York, New York office.

Posted in Legislation, Privacy
Cozen O’Connor Blogs