Consumer Protection - Online and Biometric Data Privacy
HB807 amends the Maryland Commercial Law to establish detailed requirements for the management of personal and biometric data. It introduces obligations for data controllers, such as conducting data protection assessments and implementing robust security measures to protect consumer data. The bill aligns state laws with emerging national standards on data privacy, with the aim of strengthening consumer trust and providing clear guidelines on data handling practices. Non-compliance with the provisions set forth in this act will be classified as an unfair, abusive, or deceptive trade practice and is therefore enforceable under the Maryland Consumer Protection Act.
House Bill 807, titled the Online and Biometric Data Privacy Act, is designed to enhance consumer protection by regulating the processing of personal data by controllers and processors. One of the primary goals of the bill is to empower consumers with specific rights concerning their data, including the ability to access, correct, delete, and opt out of the processing of their personal data. Additionally, controllers are mandated to provide a privacy notice to consumers that clearly outlines how their data is processed and the rights available to them under this act.
While the bill is largely seen as a positive step toward enhancing consumer rights, it does invite some contention regarding the balance between privacy protection and the operational flexibility of businesses. Critics argue that stringent regulations could impose significant burdens on small and medium-sized enterprises, potentially stifling innovation and complicating compliance efforts. There are also concerns regarding how the bill's requirements may impact the use of biometric data in various industries, especially in sectors that heavily rely on biometric systems for identity verification and security.
The bill includes the establishment of a Task Force to Study Online Data Privacy, which will assess data privacy issues and recommend measures for future legislation. Furthermore, it requires controllers in possession of biometric data to create and maintain policies for retention and destruction, ensuring that data is not held longer than necessary. Such provisions are aimed at minimizing the risks associated with data breaches and enhancing the overall framework of consumer data protection in Maryland.