Maryland Enacts Comprehensive Privacy Law and Kids Code

On May 9, 2024, Maryland’s Governor signed two privacy laws: the Maryland Online Data Privacy Act of 2024 (the “MODPA”), a comprehensive privacy law, and the Maryland Age-Appropriate Design Code Act (the “Kids Code”), a privacy law directed specifically towards businesses that offer an online product reasonably likely to be accessed by children under age 18. By enacting the MODPA, Maryland becomes the seventeenth state with a comprehensive privacy law, and, by enacting the Kids Code, Maryland joins a minority of states with laws similar to Kids Code, including California and Florida. The MODPA will take effect on October 1, 2025, and the Kids Code will take effect on October 1, 2024, just under five months after its enactment.

MODPA

Applicability

The MODPA applies to persons or entities conducting business in Maryland or providing products or services that are targeted to residents of Maryland and that during the preceding calendar year either:

  1. controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of gross revenue from the sale of personal data.

Of note, the MODPA applies to institutions of higher education and non-profit organizations, except when a non-profit organization processes or shares personal data solely for assisting law enforcement in investigating criminal or fraudulent acts relating to insurance or first responders in responding to catastrophic events. Additionally, the MODPA exempts certain types of information such as protected health information under HIPAA, personal data processed by a consumer reporting agency under the Fair Credit Reporting Act, and personal data regulated by the Family Educational Rights and Privacy Act.

As is the norm with state comprehensive privacy laws, the MODPA narrowly defines “consumer” to mean an individual who is a Maryland resident, but excluding individuals acting in a commercial or employment context. As a result, employee personal data and business-to-business personal data are not within the scope of the MODPA.

Compliance

The MODPA contains certain compliance obligations that are substantially similar to those found in the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers, enter into contracts with processors that process personal data on their behalf, and conduct and document data protection assessments for processing activities that involve personal data used in targeted advertising, the sale of personal data, the processing of sensitive data, and profiling (in certain instances).

However, the MODPA contains uniquely strict compliance obligations when it comes to sensitive data. The MODPA prohibits controllers from collecting, processing, or sharing sensitive data of a consumer except where strictly necessary to provide or maintain a product or service that the consumer requested. The MODPA also prohibits controllers from selling “sensitive data,” which is defined to mean (i) data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status; (ii) genetic or biometric data; (iii) personal data of a consumer that the controller knows or has reason to know is a child (i.e., an individual under thirteen); or (iv) precise geolocation data. Additionally, the MODPA prohibits controllers from processing personal data for targeted advertising and selling personal data if they knew or should have known that a consumer is under the age of 18.

Consumer Rights and Requests

The MODPA grants consumers rights that most closely align to those granted under Delaware’s comprehensive privacy law, namely the right to request a controller to (1) confirm whether the controller is processing the consumer’s personal data and access such personal data; (2) correct inaccuracies in their personal data (taking into account the nature of the personal data and the purposes of processing such data); (3) delete their personal data unless retention is required by law; (4) provide a copy of their personal data when the controller processes it by automatic means; (5) obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data (or any consumer’s personal data if the controller does not maintain the information in a format specific to one consumer); and (6) opt out of the processing of the consumer’s personal data for targeted advertising, the sale of personal data, or certain types of profiling. A controller must respond to a request within 45 days, which may be extended once by an additional 45 days when reasonably necessary. Additionally, if it denies a consumer’s request, a controller must allow a consumer to appeal and respond to an appeal within 60 days.

Enforcement

Like most other state comprehensive privacy laws, the MODPA has no private right of action. The Maryland Attorney General’s Office, through its Division of Consumer Protection, has the exclusive authority to enforce violations and may seek damages up to $10,000 per violation and up to $25,000 per violation for repeated violations. However, until April 1, 2027, prior to initiating an enforcement action, the Attorney General’s Office may allow a controller 60 days to cure a violation that is curable.

The Kids Code

Applicability

The Kids Code applies to “covered entities” who provide online services, products, or features “reasonably likely to be accessed by children.” A “covered entity” is a for-profit business that is a data controller doing business in Maryland and meets at least one of the following criteria:

  1. has annual gross revenue in excess of $25 million (adjusted every odd-numbered year to reflect adjustments in the Consumer Price Index);
  2. annually buys, receives, sells, or shares personal data of 50,000 or more consumers, households, or devices for the covered entity’s commercial purposes (alone or in combination with its affiliates or subsidiaries); or
  3. derives at least 50% of its annual revenues from the sale of consumers’ personal data.

An online service, product, or feature is “reasonably likely to be accessed by children” when it is reasonable to expect, based on the indicators below, that such service, product, or feature would be accessed by children. Indicators of such access include that a covered entity knows or should have known a user is a child (i.e., a Maryland resident under age 18) or that the online service, product, or feature is at least one of the following:

  1. directed to children as defined by the Children’s Online Privacy Protection Act;
  2. determined to be routinely accessed by a significant number of children based on competent and reliable evidence regarding audience composition or is substantially similar to an online service, product, or feature determined as such;
  3. marketed to children; or
  4. determined, based on internal company research, to have a significant amount of the audience be children.

Like the MODPA, the Kids Code narrowly defines “consumer” to mean an individual who is a Maryland resident, but excluding individuals acting in a commercial or employment context. Of note, the Kids Code does not apply to broadband internet access services, telecommunications services, or the delivery or use of physical products.

Compliance

The Kids Code requires covered entities that provide an online service, product, or feature reasonably likely to be accessed by children to complete a data protection impact assessment, which is a systematic survey that assesses the covered entity’s compliance with its duty to act in the best interests of children. A covered entity must complete such an assessment before offering any new online services, products, or features to the public that are reasonably likely to be accessed by children and, for such online services, products, or features offered to the public before April 1, 2026 and that will continue to be offered to the public after July 1, 2026, the covered entity must complete an assessment prior to April 1, 2026. The covered entity must provide copies of the assessments within seven business days upon request from the Maryland Attorney General.

Additionally, covered entities subject to the Kids Code must configure all default privacy settings provided to children to offer a high level of privacy, unless there is a demonstrable, compelling reason that a different setting is in the best interests of the children. Further, such covered entities must provide privacy policies, terms of service, and community standards concisely, prominently, and using clear language suited to the age of the children likely to access the online service, product, or feature.

The Kids Code also subjects covered entities that provide an online service, product, or feature reasonably likely to be accessed by children to many data processing restrictions, such as prohibitions on (i) processing personal data of a child that is inconsistent with the best interests of the children reasonably likely to access the service, product, or feature, (ii) processing more personal data than is reasonably necessary or for any purposes other than the reason it was collected, (iii) processing precise geolocation data of a child unless strictly necessary and displaying an obvious sign to the child whenever collecting that information, and (iv) processing personal data for the purposes of estimating a child’s age unless reasonably necessary to provide the online service, product, or feature.

Enforcement

The Maryland Attorney General’s Office, through its Division of Consumer Protection, has exclusive enforcement authority under the Kids Code; there is no private right of action. Negligent violations of the Act carry civil penalties of up to $2,500 per affected child, while intentional violations carry civil penalties up to $7,500 per affected child. There is also a limited right to cure violations of the Kids Code. Specifically, if a business is in substantial compliance with the material requirements of the Kids Code, then the Attorney General must provide written notice of any violations and 90 days to cure such violations prior to bringing an enforcement action.

Conclusion

The number and scope of state privacy laws continue to increase in the United States. Further, the status of privacy law in the United States overall is ever-changing, with proposed federal laws gaining traction in Congress and existing state laws, such as California’s Age-Appropriate Design Code, facing challenges in court. As this continues to develop, businesses should remain cognizant of both ongoing and forthcoming compliance efforts. Developing and maintaining adaptable compliance efforts designed to align with current legal standards and industry best practices will be important for businesses as laws continue to evolve.

If you would like assistance with, or have any questions about, complying with the MODPA, the Kids Code, or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.