Maryland

• Maryland Online Data Privacy Act of 2024
• Code: Md. Code Ann., Com. Law §§ 14-4701 to 14-4714 (2024)

Effective Date: October 1, 2025

Threshold

Conducts business in Maryland or provides products or services that are targeted to residents of the state and:

During the preceding calendar year, controlled or processed personal data of at least 35,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction; or

Controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data.

Definition of "Personal Data"

Any information that is linked or can be reasonably linked to an identified or identifiable consumer. "Personal Data" does not include de-Identified data or publicly available information.

Definition of "Sensitive Data"

As with all state general privacy laws, includes the following Personal Data:

• Race or ethnic origin;
• Religious beliefs;
• Citizenship or immigration status;
• Genetic data;
• Biometric data;
• Physical or mental health diagnosis; and
• Sexual orientation.

In addition, Maryland's definition also includes:

• National origin;
• Sex life;
• Precise geolocation data;
• Status as transgender or nonbinary; and
• Personal data collected from known child.

Definition of "Sell" or "Sale"

"Sale of personal data" means the exchange of personal data to a third party for monetary or other valuable consideration.

Data Protection Assessments

Yes

Opt-In Consent Required for Processing Sensitive Data

No, but only because processing only permitted if "strictly necessary" to provide or maintain a product or service that the consumer requested.

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads/Sharing

Yes

Consumer Right to Opt Out of Profiling

Yes

Consumer Right to Opt Out of Certain Profiling

Yes

Pseudonymous Data Exempt from Consumer Requests

No

Appeal Rights

Yes

Universal Opt-Out Mechanism Required Recognition/Date

Not required, but discretionary (on or before October 1, 2025)

Data of Minors

Process personal data of a known child in accordance with COPPA.

No sales or processing of personal data for targeted advertising if the controller "knew or should have known" the consumer was a minor. "Minor" means a person under the age of 18.

Data Minimization Requirements

Strict data minimization requirements:

• Limit personal data collection to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer, regardless of consumer consent.
• Collect, process, and share consumers' sensitive personal data only as strictly necessary to provide or maintain a specific product or service requested by the consumer, regardless of consumer consent.
• Collect, process, and share consumers' personal data only as reasonably necessary for the purposes disclosed to the consumer, or compatible with those purposes, unless the consumer consents.

GLBA Exemption

Yes, (both entity and data level)

HIPAA Exemption

Yes (only data level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply to commercial or employment context; applies in an individual or household context only.

Nonprofit Exemption

Limited to certain non-profit organizations.

Private Right of Action

No

Cure Period

60 days

Cure Period Expiration

April 1, 2027

Enforcement Authority/Damages

Attorney General through the division of the consumer protection/up to $10,000 per violation (and up to $25,000 per subsequent violation)