
Maryland Enacts Expansive Comprehensive Consumer Data Privacy Law

Maryland Gov. Wes Moore on May 9 signed into law House Bill 567/Senate Bill 541, the Maryland Online Data Privacy Act of 2024, making Maryland the 17th state to enact a comprehensive consumer data privacy law.

The Act will go into effect Oct. 1, 2025, but “may not be applied or interpreted to have any effect on or application to any personal data processing activities before April 1, 2026.”

The other states to have enacted comprehensive data privacy laws are California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, and Nebraska.


The Act applies to persons that conduct business in Maryland or produce services or products that are targeted to Maryland residents and that during the immediately preceding calendar year:

  1. Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data.

Exemptions include, but are not limited to:

  1. Financial institutions, their affiliates, or data subject to Title V of the Gramm-Leach-Bliley Act and regulations adopted thereunder;
  2. Protected health information under the Health Insurance Portability and Accountability Act of 1996;
  3. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;
  4. Data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party.

Consumers have the right to:

  1. Confirm whether a controller is processing their personal data;
  2. Access their personal data being processed;
  3. Correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing;
  4. Delete personal data provided by or obtained about the consumer unless retention is required by law;
  5. Obtain a portable copy of their personal data being processed if the processing is done by automatic means;
  6. Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data, or a list of categories to which the controller has disclosed any consumer’s personal data if the controller does not maintain the information in a customer-specific format;
  7. Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

A controller may not collect, process, or share sensitive data unless necessary to provide or maintain a specific product or service requested by the consumer. Additionally, a controller may not, among other things, sell sensitive data or, if the consumer is under the age of 18, sell personal data or process personal data for the purpose of targeted advertising.

“Sensitive data” means personal data that includes:

  1. Data revealing:
    1. Racial or ethnic origin;
    2. Religious beliefs;
    3. Consumer health data;
    4. Sex life;
    5. Sexual orientation;
    6. Status as transgender or nonbinary;
    7. National origin; or
    8. Citizenship or immigration status;
  2. Genetic data or biometric data;
  3. Personal data of a consumer that the controller knows or has reason to know is a child; or
  4. Precise geolocation data.

A contract between a controller and a processor must govern the processor’s data processing procedures and state:

  1. Instructions for processing;
  2. The nature and purpose of processing;
  3. The type of data to be processed;
  4. The rights and obligations of the controller and processor.

Additionally, the contract must require that the processor:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality;
  2. Establish, implement, and maintain reasonable data security practices;
  3. Stop processing if requested by the controller in accordance with a consumer’s authenticated request;
  4. At the controller’s direction, delete or return all personal data;
  5. On reasonable request of the controller, make available all information necessary to demonstrate the processor’s compliance;
  6. Only engage a subcontractor to assist with processing pursuant to a written contract, and after providing the controller the opportunity to object;
  7. Allow and cooperate with the controller’s reasonable assessments.

A controller must conduct and document a data protection assessment on a regular basis for processing activities that present a heightened risk of harm, which means:

  1. The processing of personal data for the purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of sensitive data;
  4. The processing of personal data for the purposes of profiling that presents a reasonably foreseeable risk of:
    1. Unfair, abusive, or deceptive treatment of a consumer;
    2. Having an unlawful disparate impact;
    3. Financial, physical, or reputational injury;
    4. Physical or other intrusion on a consumer’s solitude or seclusion, or private affairs;
    5. Other substantial injury.

A violation is an unfair, abusive, or deceptive trade practice and subject to the penalty provisions of the Consumer Protection Act, Md. Code Ann., Com. Law § 13-101, et seq., enforceable only by the Attorney General. However, the Act states it does not prevent a private right of action under any other remedy provided by law. The Act provides a 60-day cure provision which expires April 1, 2027.


While similar in many respects to some of the post-California comprehensive data privacy laws, the Act ventures farther with its approach to collection and sale of personal information, the processing of sensitive data and the data of minors, and the triggers that mandate data protection assessments, among other things. For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
