What is the Maryland Online Data Privacy Act?
July 29, 2021
With the amount of information transferred via the internet now, it’s increasingly important to adopt strong data security guidelines. Consider the last time you provided your email or phone number to create an account or shared your banking information for an online purchase. Due to the frequent nature of these interactions, prioritizing digital privacy is essential.
The Maryland Online Data Privacy Act, or MODPA, is designed around the idea that consumers should have control over how their data is handled. It sounds outlandish that regulations like this would even need to be put into writing in the first place, but instances of data breaches in companies like Yahoo or data exploitation by companies like Facebook have proven that standards for data usage are necessary in a world that is driven by clicks and the giving and taking of personal information.
What businesses must adhere to SB 541?
The bill applies to “Controllers,” meaning those who, alone or jointly with others, determine the purpose and means of processing data. Not all Controllers are covered, though; only those that meet the following specifications:
- Conduct business in Maryland or provide products and services targeted to residents of Maryland
- Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.
In the context of SB 541, personal data is identified as any information that is linked or can be reasonably linked to an identified or identifiable consumer. So, with these criteria in place, the Maryland State Government has decided to follow in the footsteps of 17 other U.S. States by adopting policies that directly protect the consumers.
This bill will affect tons of companies due to its wide parameters and robust language that seems to be aimed at targeting as many businesses as possible. Thresholds of this size will most likely affect all large data-collecting entities that do business in Maryland, but it could affect smaller companies as well. Businesses like tech startups, digital marketing agencies, or social media influencers could find themselves having to comply with a brand new set of standards when the bill takes effect.
What does the act do?
MODPA affects digital consumers by giving them the direct right to know how their data is being used and to control what the companies that collect it are doing with it. Within the guidelines set by the bill, consumers have the right to:
- Confirm whether a controller is processing their personal data;
- If a controller is processing a consumer’s personal data, access their personal data;
- Correct inaccuracies in their personal data;
- Delete their personal data unless retention of the personal data is required by law;
- Obtain a copy of their personal data processed by the controller in a portable and readily usable format that allows the consumer to easily transmit the data to another controller;
- Obtain a list of the categories of third parties to which the controller has disclosed their personal data or a list of the categories of third parties to which the controller has disclosed their data in general;
- Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling.
The only stipulation to these rules is that they may never be construed to require a controller to reveal a trade secret. In the scenario that complying with these rules would reveal trade secrets, they can be overridden.
The act also requires controllers to comply with consumer requests within a reasonable time frame, which the act sets at 45 days after the request has been received. This time frame may be extended, but only under the conditions that it is reasonably necessary based on the complexity and number of the consumer’s requests or if the consumer is notified of the extension and the reason behind it within the initial 45-day response window. This process also must include the ability for a consumer to appeal any denial of their request.
Along with all of this, the act puts restraints on what Controllers can and cannot collect. Under SB 541, controllers are to limit the data they collect to what is reasonably necessary, maintain proper data security practices, provide effective means for consumers to revoke their consent for data sharing, process their data in a non-discriminatory manner, and more.
This act gives all of the power to the consumers of the world and keeps in check the companies that attempt to profit from their information. Information is the most valuable and largest industry in the world right now, meaning that tying some rules to it to prevent exploitation is a necessity.
What are the consequences?
The important part of bills such as SB 541 is what sort of repercussions they carry when violated. Otherwise, how do we expect the regulations to be enforced? For MODPA, the provisions are backed by a hefty set of legal repercussions.
Maryland’s Online Data Privacy Act, like most state data privacy laws in the U.S., does not give individuals the right to file private lawsuits. Instead, enforcement is managed exclusively by the Maryland Attorney General’s Consumer Protection Division. The Attorney General can pursue legal action in court, seeking remedies such as injunctive relief, civil penalties, and attorney’s fees. Courts have the authority to impose civil penalties of up to $10,000 for each violation and up to $25,000 for repeated offenses.
Before taking legal action, the Attorney General may issue a notice of violation to the data controller or processor, who then has 60 days to address the issue. Whether to allow this opportunity for correction depends on several factors, including the number of violations, the size of the entity involved, the severity of the violations, and the potential harm to the public.
In this world that is rapidly changing due to innovations and new inventions every day, the Maryland State Government has reminded us that our data is as precious as it is valuable to companies. With this bill, we are a step closer to having full protection over our data, securing the future of data gathering and sharing practices as something that the consumer can control.