Maryland 2024 Regular Session

Maryland House Bill HB567 Compare Versions

Old New Differences
1- WES MOORE, Governor Ch. 454
21
3-– 1 –
4-Chapter 454
5-(House Bill 567)
62
7-AN ACT concerning
3+EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4+ [Brackets] indicate matter deleted from existing law.
5+ Underlining indicates amendments to bill.
6+ Strike out indicates matter stricken from the bill by amendment or deleted from the law by
7+amendment.
8+ Italics indicate opposite chamber/conference committee amendments.
9+ *hb0567*
810
9-Maryland Online Data Privacy Act of 2024
11+HOUSE BILL 567
12+I3 (4lr1198)
13+ENROLLED BILL
14+— Economic Matters/Finance —
15+Introduced by Delegates Love, Valderrama, Boafo, Charkoudian, Feldmark,
16+Fraser–Hidalgo, Hill, Kaiser, Kaufman, Lehman, Palakovich Carr,
17+Pena–Melnyk, Shetty, Solomon, Stewart, Taveras, Watson, and Ziegler
1018
11-FOR the purpose of regulating the manner in which a controller or a processor in possession
12-of a consumer’s personal data may process the consumer’s personal data; authorizing
13-a consumer to exercise certain rights in regards to the consumer’s personal data;
14-requiring a controller of personal data to establish a method for a consumer to
15-exercise certain rights in regards to the consumer’s personal data; requiring a
16-controller to comply with a request by a consumer to exercise a certain right in a
17-certain manner, except under certain circumstances; authorizing a consumer to
18-designate an authorized agent to act on the consumer’s behalf to opt out of the
19-processing of the consumer’s personal data; requiring a controller to provide a
20-consumer with a certain privacy notice; requiring a controller that uses a processor
21-to process the personal data of consumers to enter into a contract with the processor
22-that governs the processor’s data processing procedures; requiring a controller to
23-conduct and document a data protection assessment for consumer data processing
24-activities that present a heightened risk of harm to a consumer; making a violation
25-of this Act an unfair, abusive, or deceptive trade practice that is subject to
26-enforcement and penalties under the Maryland Consumer Protection Act; and
27-generally relating to online data privacy.
19+Read and Examined by Proofreaders:
2820
29-BY repealing and reenacting, with amendments,
30- Article – Commercial Law
31-Section 13–301(14)(xl)
32- Annotated Code of Maryland
33- (2013 Replacement Volume and 2023 Supplement)
21+_______________________________________________
22+Proofreader.
23+_______________________________________________
24+Proofreader.
3425
35-BY repealing and reenacting, without amendments,
36- Article – Commercial Law
37-Section 13–301(14)(xli)
38- Annotated Code of Maryland
39- (2013 Replacement Volume and 2023 Supplement)
26+Sealed with the Great Seal and presented to the Governor, for his approval this
4027
41-BY adding to
42- Article – Commercial Law
43-Section 13–301(14)(xlii); and 14–4601 through 14–4613 14–4614 to be under the new
44-subtitle “Subtitle 46. Online Data Privacy Act”
45- Annotated Code of Maryland
46- (2013 Replacement Volume and 2023 Supplement)
28+_______ day of _______________ at ________________________ o’clock, ________M .
4729
48- SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
49-That the Laws of Maryland read as follows: Ch. 454 2024 LAWS OF MARYLAND
30+______________________________________________
31+Speaker.
5032
51-– 2 –
33+CHAPTER ______
5234
53-Article – Commercial Law
35+AN ACT concerning 1
5436
55-13–301.
37+Maryland Online Data Privacy Act of 2024 2
5638
57- Unfair, abusive, or deceptive trade practices include any:
39+FOR the purpose of regulating the manner in which a controller or a processor in possession 3
40+of a consumer’s personal data may process the consumer’s personal data; authorizing 4
41+a consumer to exercise certain rights in regards to the consumer’s personal data; 5
42+requiring a controller of personal data to establish a method for a consumer to 6
43+exercise certain rights in regards to the consumer’s personal data; requiring a 7
44+controller to comply with a request by a consumer to exercise a certain right in a 8
45+certain manner, except under certain circumstances; authorizing a consumer to 9
46+designate an authorized agent to act on the consumer’s behalf to opt out of the 10
47+processing of the consumer’s personal data; requiring a controller to provide a 11
48+consumer with a certain privacy notice; requiring a controller that uses a processor 12
49+to process the personal data of consumers to enter into a contract with the processor 13 2 HOUSE BILL 567
5850
59- (14) Violation of a provision of:
6051
61- (xl) Title 14, Subtitle 13 of the Public Safety Article; [or]
52+that governs the processor’s data processing procedures; requiring a controller to 1
53+conduct and document a data protection assessment for consumer data processing 2
54+activities that present a heightened risk of harm to a consumer; making a violation 3
55+of this Act an unfair, abusive, or deceptive trade practice that is subject to 4
56+enforcement and penalties under the Maryland Consumer Protection Act; and 5
57+generally relating to online data privacy. 6
6258
63- (xli) Title 14, Subtitle 45 of this article; or
59+BY repealing and reenacting, with amendments, 7
60+ Article – Commercial Law 8
61+Section 13–301(14)(xl) 9
62+ Annotated Code of Maryland 10
63+ (2013 Replacement Volume and 2023 Supplement) 11
6464
65- (XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR
65+BY repealing and reenacting, without amendments, 12
66+ Article – Commercial Law 13
67+Section 13–301(14)(xli) 14
68+ Annotated Code of Maryland 15
69+ (2013 Replacement Volume and 2023 Supplement) 16
6670
67-SUBTITLE 46. ONLINE DATA PRIVACY ACT.
71+BY adding to 17
72+ Article – Commercial Law 18
73+Section 13–301(14)(xlii); and 14–4601 through 14–4613 14–4614 to be under the new 19
74+subtitle “Subtitle 46. Online Data Privacy Act” 20
75+ Annotated Code of Maryland 21
76+ (2013 Replacement Volume and 2023 Supplement) 22
6877
69-14–4601.
78+ SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 23
79+That the Laws of Maryland read as follows: 24
7080
71- (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
72-INDICATED.
81+Article – Commercial Law 25
7382
74- (B) “AFFILIATE” MEANS A PERSON THAT , DIRECTLY OR INDIRECT LY
75-THROUGH ONE OR MORE INTERMED IARIES, CONTROLS, IS CONTROLLED BY , OR IS
76-UNDER COMMON CONTROL WITH ANOTHER PERSON , SUCH THAT THE PERSON :
83+13–301. 26
7784
78- (1) SHARES COMMON BRANDIN G WITH ANOTHER PERSO N; OR
85+ Unfair, abusive, or deceptive trade practices include any: 27
7986
80- (2) CONTROLS, IS CONTROLLED BY , OR IS UNDER COMMON C ONTROL
81-WITH ANOTHER P ERSON.
87+ (14) Violation of a provision of: 28
8288
83- (1) OWNS OR HAS THE POWER TO VOTE MORE THAN 50 PERCENT %
84-OF THE OUTSTANDING S HARES OF ANY VOTING CLASS OF THE OTHER P ERSON’S
85-SECURITIES;
89+ (xl) Title 14, Subtitle 13 of the Public Safety Article; [or] 29
8690
87- (2) HAS THE POWER TO ELEC T OR INFLUENCE THE E LECTION OF A
88-MAJORITY OF THE DIRE CTORS, MEMBERS, OR MANAGERS OF THE OTHER PERSON ;
91+ (xli) Title 14, Subtitle 45 of this article; or 30
8992
90- (3) HAS THE POWER TO DIRE CT THE MANAGEMENT OF THE OTHER
91-PERSON; OR
93+ (XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR 31
9294
93- (4) IS SUBJECT TO THE OTH ER PERSON’S EXERCISE OF THE PO WERS
94-DESCRIBED IN ITEM (1), (2), OR (3) OF THIS SUBSECTION .
95- WES MOORE, Governor Ch. 454
95+SUBTITLE 46. ONLINE DATA PRIVACY ACT. 32
9696
97-– 3 –
98- (C) “AUTHENTICATE ” MEANS TO USE REASONA BLE MEANS TO DETERMI NE
99-THAT A REQUEST TO EX ERCISE A CONSUMER RI GHT IN ACCORDANCE WI TH §
100-14–4605 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF , A CONSUMER WHO
101-IS ENTITLED TO EXERCISE THE CONSUMER RIGHT W ITH RESPECT TO THE PERSONAL
102-DATA AT ISSUE.
97+14–4601. 33 HOUSE BILL 567 3
10398
104- (D) (1) “BIOMETRIC DATA ” MEANS DATA GENERATED BY AUTOMATIC
105-MEASUREMENTS OF THE BIOLOGICAL CHARACTER ISTICS OF A CONSUMER THAT CAN
106-BE USED TO UNIQUELY AUTHENTICATE A CONSU MER’S IDENTITY.
10799
108- (2) “BIOMETRIC DATA ” INCLUDES:
109100
110- (I) A FINGERPRINT ;
101+ (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 1
102+INDICATED. 2
111103
112- (II) A VOICE PRINT;
104+ (B) “AFFILIATE” MEANS A PERSON THAT , DIRECTLY OR INDIRECT LY 3
105+THROUGH ONE OR MORE INTERMEDIARIES , CONTROLS, IS CONTROLLED BY , OR IS 4
106+UNDER COMMON CONTROL WITH ANOTHER PERSON , SUCH THAT THE PERSON : 5
113107
114- (III) AN EYE RETINA OR IRIS IMAGE; AND
108+ (1) SHARES COMMON BRANDIN G WITH ANOTHER PERSO N; OR 6
115109
116- (IV) ANY OTHER UNIQUE BIOL OGICAL CHARACTERISTI CS THAT
117-CAN BE USED TO UNIQU ELY AUTHENTICATE A C ONSUMER’S IDENTITY.
110+ (2) CONTROLS, IS CONTROLLED B Y, OR IS UNDER COMMON C ONTROL 7
111+WITH ANOTHER PERSON . 8
118112
119- (3) “BIOMETRIC DATA ” DOES NOT INCLUDE :
113+ (1) OWNS OR HAS THE POWER TO VOTE MORE THAN 50 PERCENT % 9
114+OF THE OUTSTANDING S HARES OF ANY VOTING CLASS OF THE OTHER P ERSON’S 10
115+SECURITIES; 11
120116
121- (I) A DIGITAL OR PHYSICAL PHOTOGRAPH ;
117+ (2) HAS THE POWER TO ELEC T OR INFLUENCE THE E LECTION OF A 12
118+MAJORITY OF THE DIRE CTORS, MEMBERS, OR MANAGERS OF THE O THER PERSON ; 13
122119
123- (II) AN AUDIO OR VIDEO REC ORDING; OR
120+ (3) HAS THE POWER TO DIRE CT THE MANAGEMENT OF THE OTHER 14
121+PERSON; OR 15
124122
125- (III) ANY DATA GENERATED FR OM A DIGITAL OR PHYS ICAL
126-PHOTOGRAPH OR AN AUD IO OR VIDEO RECORDIN G, UNLESS THE DATA IS
127-GENERATED TO IDENTIF Y A SPECIFIC CONSUME R.
123+ (4) IS SUBJECT TO THE OTH ER PERSON’S EXERCISE OF THE PO WERS 16
124+DESCRIBED IN ITEM (1), (2), OR (3) OF THIS SUBSECTION . 17
128125
129- (E) “BUSINESS ASSOCI ATE” HAS THE MEANING STAT ED IN HIPAA.
126+ (C) “AUTHENTICATE ” MEANS TO USE REASONA BLE MEANS TO DETERMI NE 18
127+THAT A REQUEST TO EX ERCISE A CONSUMER RI GHT IN ACCORDANCE WI TH § 19
128+14–4605 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF , A CONSUMER WHO 20
129+IS ENTITLED TO EXERCISE THE CONSUMER RIGHT W ITH RESPECT TO THE PERSO NAL 21
130+DATA AT ISSUE. 22
130131
131- (F) “CHILD” HAS THE MEANING STAT ED IN COPPA.
132+ (D) (1) “BIOMETRIC DATA ” MEANS DATA GENERATED BY AUTOMATIC 23
133+MEASUREMENTS OF THE BIOLOGICAL CHARACTER ISTICS OF A CONSUMER THAT CAN 24
134+BE USED TO UNIQUELY AUTHENTICATE A CONSU MER’S IDENTITY. 25
132135
133- (G) (1) “CONSENT” MEANS A CLEAR AFFIRM ATIVE ACT SIGNIFYING A
134-CONSUMER ’S FREELY GIVEN , SPECIFIC, INFORMED, AND UNAMBIGUOUS
135-AGREEMENT TO ALLOW T HE PROCESSING OF PER SONAL DATA RELATING TO THE
136-CONSUMER FOR A PARTI CULAR PURPOSE .
136+ (2) “BIOMETRIC DATA ” INCLUDES: 26
137137
138- (2) “CONSENT” INCLUDES:
138+ (I) A FINGERPRINT ; 27
139139
140- (I) A WRITTEN STATEMENT ;
141- Ch. 454 2024 LAWS OF MARYLAND
140+ (II) A VOICE PRINT; 28
142141
143-– 4 –
144- (II) A WRITTEN STATEMENT BY ELECTRONIC MEANS ; OR
142+ (III) AN EYE RETINA OR IRIS IMAGE; AND 29
143+ 4 HOUSE BILL 567
145144
146- (III) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION .
147145
148- (3) “CONSENT” DOES NOT INCLUDE :
146+ (IV) ANY OTHER UNIQUE BIOL OGICAL CHARACTERISTI CS THAT 1
147+CAN BE USED TO UNIQU ELY AUTHENTICATE A C ONSUMER’S IDENTITY. 2
149148
150- (I) ACCEPTANCE OF A GENER AL OR BROAD TERMS OF USE OR
151-SIMILAR DOCUMENT THA T CONTAINS DESCRIPTI ONS OF PERSONAL DATA
152-PROCESSING ALONG WIT H OTHER UNRELATED IN FORMATION;
149+ (3) “BIOMETRIC DATA ” DOES NOT INCLUDE : 3
153150
154- (II) HOVERING OVER , MUTING, PAUSING, OR CLOSING A PIECE
155-OF CONTENT; OR
151+ (I) A DIGITAL OR PHYSICAL PHOTOGRAPH ; 4
156152
157- (III) AGREEMENT OBTAINED THROUGH THE USE OF DARK
158-PATTERNS.
153+ (II) AN AUDIO OR VIDEO REC ORDING; OR 5
159154
160- (H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE
161-STATE.
155+ (III) ANY DATA GENERATED FR OM A DIGITAL OR PHYS ICAL 6
156+PHOTOGRAPH OR AN AUD IO OR VIDEO RECORDIN G, UNLESS THE DATA IS 7
157+GENERATED TO IDENTIF Y A SPECIFIC CONSUME R. 8
162158
163- (2) “CONSUMERDOES NOT INCLUDE :
159+ (E) “BUSINESS ASSOCIATEHAS THE MEANING STAT ED IN HIPAA. 9
164160
165- (I) AN INDIVIDUAL ACTING IN A COMMERCIAL OR
166-EMPLOYMENT CONTEXT ; OR
161+ (F) “CHILD” HAS THE MEANING STAT ED IN COPPA. 10
167162
168- (II) AN INDIVIDUAL ACTING AS AN EMPLOYEE , AN OWNER, A
169-DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP , A SOLE
170-PROPRIETORSHIP , A NONPROFIT ORGANIZA TION, OR A GOVERNMENTAL UN IT
171-WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR O NLY
172-WITHIN THE CONTEXT O F THE INDIVIDUAL ’S ROLE WITH THE COMP ANY,
173-PARTNERSHIP , SOLE PROPRIETORSHIP , NONPROFIT ORGANIZATI ON, OR
174-GOVERNMENTAL UNIT .
163+ (G) (1) “CONSENT” MEANS A CLEAR AFFIRM ATIVE ACT SIGNIFYING A 11
164+CONSUMER ’S FREELY GIVEN , SPECIFIC, INFORMED, AND UNAMBIGUOUS 12
165+AGREEMENT TO ALLOW T HE PROCESSING OF PE RSONAL DATA RELATING TO THE 13
166+CONSUMER FOR A PARTI CULAR PURPOSE . 14
175167
176- (I) (1) “CONSUMER HEALTH DATA ” MEANS PERSONAL DATA THAT A
177-CONTROLLER USES TO I DENTIFY A CONSUMER ’S PHYSICAL OR MENTAL HEALTH
178-STATUS.
168+ (2) “CONSENT” INCLUDES: 15
179169
180- (2) “CONSUMER HEALTH DATA ” INCLUDES DATA RELATE D TO:
170+ (I) A WRITTEN STATEMENT ; 16
181171
182- (I) GENDER–AFFIRMING CARE TREATMENT ; OR
172+ (II) A WRITTEN STATEMENT BY ELECTRONIC MEANS ; OR 17
183173
184- (II) REPRODUCTIVE OR SEXUA L HEALTH CARE .
174+ (III) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION . 18
185175
186- (J) “CONTROL” MEANS:
187- WES MOORE, Governor Ch. 454
176+ (3) “CONSENT” DOES NOT INCLUDE: 19
188177
189-– 5 –
190- (1) OWNERSHIP OF OR THE P OWER TO VOTE MORE TH AN 50% OF THE
191-OUTSTANDING SHARES O F ANY CLASS OF VOTING SECU RITY OF A BUSINESS ;
178+ (I) ACCEPTANCE OF A GENER AL OR BROAD TERMS OF USE OR 20
179+SIMILAR DOCUMENT THA T CONTAINS DESCRIPTI ONS OF PERSONAL DATA 21
180+PROCESSING ALONG WIT H OTHER UNRELATED IN FORMATION; 22
192181
193- (2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY
194-OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERC ISING SIMILAR
195-FUNCTIONS; OR
182+ (II) HOVERING OVER , MUTING, PAUSING, OR CLOSING A PIECE 23
183+OF CONTENT; OR 24
196184
197- (3) THE POWER TO EXERCISE A CONTROLLING INFLUE NCE OVER THE
198-MANAGEMENT OF A BUSINESS.
185+ (III) AGREEMENT OBTAINED TH ROUGH THE USE OF DAR K 25
186+PATTERNS. 26
199187
200- (K) “CONTROLLER ” MEANS A PERSON THAT , ALONE OR JOINTLY WIT H
201-OTHERS, DETERMINES THE PURPO SE AND MEANS OF PROC ESSING PERSONAL DATA .
188+ (H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE 27
189+STATE. 28 HOUSE BILL 567 5
202190
203- (L) (1) “COPPA” MEANS THE FEDERAL CHILDREN’S ONLINE PRIVACY
204-PROTECTION ACT OF 1998 AND THE REGULATIONS , RULES, GUIDANCE, AND
205-EXEMPTIONS ADOPTED U NDER THE ACT, AND AS THE ACT AND THE REGULATIO NS,
206-RULES, GUIDANCE, AND EXEMPTIONS MAY B E AMENDED.
207191
208- (2) “COPPA” INCLUDES REGULATIONS ADOPTED UNDER THE
209-FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998.
210192
211- (M) “COVERED ENTITY HAS THE MEANING STAT ED IN HIPAA.
193+ (2) “CONSUMERDOES NOT INCLUDE : 1
212194
213- (N) (1) “DARK PATTERN ” MEANS A USER INTERFA CE DESIGNED OR
214-MANIPULATED WITH THE SUBSTANTIAL EFFECT O F SUBVERTING USER AU TONOMY,
215-DECISION MAKING , OR CHOICE.
195+ (I) AN INDIVIDUAL ACTING IN A COMMERCIAL OR 2
196+EMPLOYMENT CONTEXT ; OR 3
216197
217- (2) “DARK PATTERN ” INCLUDES ANY PRACTIC E THE FEDERAL
218-TRADE COMMISSION REFERS TO AS A “DARK PATTERN ”.
198+ (II) AN INDIVIDUAL ACTING AS AN EMPLOYEE, AN OWNER, A 4
199+DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP , A SOLE 5
200+PROPRIETORSHIP , A NONPROFIT ORGANIZA TION, OR A GOVERNMENTAL UN IT 6
201+WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR O NLY 7
202+WITHIN TH E CONTEXT OF THE IND IVIDUAL’S ROLE WITH THE COMP ANY, 8
203+PARTNERSHIP , SOLE PROPRIETORSHIP , NONPROFIT ORGANIZATI ON, OR 9
204+GOVERNMENTAL UNIT . 10
219205
220- (O) “DECISIONS THAT PRODUC E LEGAL OR SIMILARLY SIGNIFICANT
221-EFFECTS CONCERNING T HE CONSUMER ” MEANS DECISIONS THAT RESULT IN THE
222-PROVISION OR DENIAL OF:
206+ (I) (1) “CONSUMER HEALTH DATA ” MEANS PERSONAL DATA THAT A 11
207+CONTROLLER USES TO I DENTIFY A CONSUMER ’S PHYSICAL OR MENTAL HEALTH 12
208+STATUS. 13
223209
224- (1) FINANCIAL OR LENDING SERVICES;
210+ (2) “CONSUMER HEALTH DATA ” INCLUDES DATA RELATE D TO: 14
225211
226- (2) HOUSING;
212+ (I) GENDER–AFFIRMING CARE TREATMENT ; OR 15
227213
228- (3) INSURANCE;
214+ (II) REPRODUCTIVE OR SEXUA L HEALTH CARE . 16
229215
230- (4) (3) EDUCATION ENROLLMENT OR OPPORTUNITY ;
216+ (J) “CONTROL” MEANS: 17
231217
232- (5) (4) CRIMINAL JUSTICE ;
233- Ch. 454 2024 LAWS OF MARYLAND
218+ (1) OWNERSHIP OF OR THE P OWER TO VOTE MORE TH AN 50% OF THE 18
219+OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY O F A BUSINESS; 19
234220
235-– 6 –
236- (6) (5) EMPLOYMENT OPPORTUNIT IES;
221+ (2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY 20
222+OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERC ISING SIMILAR 21
223+FUNCTIONS; OR 22
237224
238- (7) (6) HEALTH CARE SERVICES ; OR
225+ (3) THE POWER TO EXERCISE A CONTROLLING INFLUE NCE OVER THE 23
226+MANAGEMENT OF A BUSI NESS. 24
239227
240- (8) (7) ACCESS TO ESSENTIAL G OODS OR SERVICES .
228+ (K) “CONTROLLER ” MEANS A PERSON THAT , ALONE OR JOINTLY WIT H 25
229+OTHERS, DETERMINES THE PURPO SE AND MEANS OF PROC ESSING PERSONAL DATA . 26
241230
242- (P) “DE–IDENTIFIED DATA ” MEANS DATA THAT CANN OT REASONABLY BE
243-USED TO INFER INFORM ATION ABOUT OR OTHER WISE BE LINKED TO AN IDENTIFIED
244-OR IDENTIFIABLE CONS UMER, OR A DEVICE THAT MAY BE LINKED TO AN IDEN TIFIED
245-OR IDENTIFIABLE CONS UMER, IF THE CONTROLLER TH AT POSSESSES THAT
246-INFORMATION :
231+ (L) (1) “COPPA” MEANS THE FEDERAL CHILDREN’S ONLINE PRIVACY 27
232+PROTECTION ACT OF 1998 AND THE REGU LATIONS, RULES, GUIDANCE, AND 28
233+EXEMPTIONS ADOPTED U NDER THE ACT, AND AS THE ACT AND THE REGULATIO NS, 29
234+RULES, GUIDANCE, AND EXEMPTIONS MAY B E AMENDED. 30
235+ 6 HOUSE BILL 567
247236
248- (1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE
249-INFORMATION CANNOT B E LINKED WITH A CONS UMER;
250237
251- (2) COMMITS IN PUBLICLY A VAILABLE TERMS AND C ONDITIONS OR IN
252-A PUBLICLY AVAILABLE PRIVACY POLICY TO MA INTAIN AND USE THE I NFORMATION
253-IN DE–IDENTIFIED FORM; AND
238+ (2) “COPPA” INCLUDES REGULATIONS ADOPTED UNDER THE 1
239+FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998. 2
254240
255- (3) CONTRACTUALLY OBLIGES ANY RECIPIENTS OF TH E
256-INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION HAS THE
257-MEANING STATED IN § 14–4401 OF THIS TITLE.
241+ (M) “COVERED ENTITY ” HAS THE MEANING STAT ED IN HIPAA. 3
258242
259- (Q) “GENDER–AFFIRMING TREATMENT ” HAS THE MEANING STAT ED IN §
260-15–151(A) OF THE HEALTH – GENERAL ARTICLE.
243+ (N) (1) “DARK PATTERN ” MEANS A USER INTERFA CE DESIGNED OR 4
244+MANIPULATED WITH THE SUBSTANTIAL EFFECT O F SUBVERTING USER AU TONOMY, 5
245+DECISION MAKING , OR CHOICE. 6
261246
262- (Q) (R) (1) “GENETIC DATAMEANS DATA IN ANY FO RMAT THAT
263-CONCERNS THE GENETIC CHARACTE RISTICS OF A CONSUME R.
247+ (2) “DARK PATTERNINCLUDES ANY PR ACTICE THE FEDERAL 7
248+TRADE COMMISSION REFERS TO AS A “DARK PATTERN ”. 8
264249
265- (2) “GENETIC DATA” INCLUDES:
250+ (O) “DECISIONS THAT PRODUC E LEGAL OR SIMILARLY SIGNIFICANT 9
251+EFFECTS CONCERNING T HE CONSUMER ” MEANS DECISIONS THAT RESULT IN THE 10
252+PROVISION OR DENIAL OF: 11
266253
267- (I) RAW SEQUENCE DATA THA T RESULTS FROM SEQUE NCING
268-OF A CONSUMER ’S COMPLETE EXTRACTED DNA OR A PORTION OF THE CONSUMER ’S
269-COMPLETE EXTRACTED DNA;
254+ (1) FINANCIAL OR LENDING SERVICES; 12
270255
271- (II) GENOTYPIC AND PHENOTY PIC INFORMATION THAT
272-RESULTS FROM ANALYZI NG RAW SEQUENCE DATA ;
256+ (2) HOUSING; 13
273257
274- (III) INFORMATION EXTRAPOLA TED, DERIVED, OR INFERRED
275-FROM THE ANALYSIS OF RAW SEQUENCE DA TA; AND
276- WES MOORE, Governor Ch. 454
258+ (3) INSURANCE; 14
277259
278-– 7 –
279- (IV) SELF–REPORTED HEALTH INFO RMATION SUBMITTED TO A
280-DIRECT–TO–CONSUMER GENETIC TES TING COMPANY BY A CO NSUMER REGARDING
281-THE CONSUMER ’S HEALTH CONDITIONS :
260+ (4) (3) EDUCATION ENROLLMENT OR OPPORTUNITY ; 15
282261
283- 1. THAT IS USED FOR SCIE NTIFIC RESEARCH OR
284-PRODUCT DEVELOPMENT ; AND
262+ (5) (4) CRIMINAL JUSTICE ; 16
285263
286- 2. ANALYZED IN CONNECTION WITH T HE CONSUMER ’S
287-RAW SEQUENCE DATA HAS THE MEANING STAT ED IN § 14–4401 OF THIS TITLE.
264+ (6) (5) EMPLOYMENT OPPORTUNIT IES; 17
288265
289- (R) (S) (1) “GEOFENCE” MEANS TECHNOLOGY THA T ESTABLISHES A
290-VIRTUAL GEOGRAPHICAL BOUNDARY.
266+ (7) (6) HEALTH CARE SERVICES ; OR 18
291267
292- (2) “GEOFENCE” INCLUDES BOUNDARIES THAT ARE ESTABLISHED
293-OR MONITORED THROUGH TH E USE OF:
268+ (8) (7) ACCESS TO ESSENTIAL G OODS OR SERVICES . 19
294269
295- (I) GLOBAL POSITIONING TE CHNOLOGY;
270+ (P) “DE–IDENTIFIED DATA ” MEANS DATA THAT CANN OT REASONABLY BE 20
271+USED TO INFER INFORM ATION ABOUT OR OTHER WISE BE LINKED TO AN IDENTIFIED 21
272+OR IDENTIFIABLE CONS UMER, OR A DEVICE THAT MAY BE LINKED TO AN IDEN TIFIED 22
273+OR IDENTIFIABLE CONS UMER, IF THE CONTROLLER TH AT POSSESSES THAT 23
274+INFORMATION : 24
296275
297- (II) CELL TOWER CONNECTIVI TY;
276+ (1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE 25
277+INFORMATION CANNOT B E LINKED WITH A CONS UMER; 26
298278
299- (III) CELLULAR DATA ;
279+ (2) COMMITS IN PUBLICLY A VAILABLE TERMS AND C ONDITIONS OR IN 27
280+A PUBLICLY AVAILABLE PRIVACY POLICY TO MA INTAIN AND USE THE I NFORMATION 28
281+IN DE–IDENTIFIED FORM ; AND 29 HOUSE BILL 567 7
300282
301- (IV) RADIO FREQUENCY IDENT IFICATION;
302283
303- (V) WIRELESS FIDELITY TEC HNOLOGY; OR
304284
305- (VI) ANY OTHER FORM OF LOC ATION DETERMINATION
306-TECHNOLOGY .
285+ (3) CONTRACTUALLY OBLIGES ANY RECIPIENTS OF TH E 1
286+INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION HAS THE 2
287+MEANING STATED IN § 14–4401 OF THIS TITLE. 3
307288
308- (S) (T) “HIPAAMEANS THE FEDERAL HEALTH INSURANCE
309-PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
289+ (Q) “GENDER–AFFIRMING TREATMENT HAS THE MEANING STAT ED IN § 4
290+15–151(A) OF THE HEALTH – GENERAL ARTICLE. 5
310291
311- (T) (U) “IDENTIFIED OR IDENTIF IABLE CONSUMER ” MEANS A CONSUMER
312-WHO CAN READILY BE I DENTIFIED, EITHER DIRECTLY OR I NDIRECTLY.
292+ (Q) (R) (1) “GENETIC DATA ” MEANS DATA IN ANY FO RMAT THAT 6
293+CONCERNS THE GENETIC CHARACTE RISTICS OF A CONSUME R. 7
313294
314- (U) (V) “MENTAL HEALTH FACILIT Y” MEANS A HEALTH CARE FACILITY IN
315-WHICH NOT LESS THAN 70% OF HEALTH CARE SERVI CES OFFERED ARE MENT AL
316-HEALTH SERVICES .
295+ (2) “GENETIC DATA” INCLUDES: 8
317296
318- (V) (W) (1) “PERSONAL DATA ” MEANS ANY INFORMATIO N THAT IS
319-LINKED OR CAN BE REA SONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE
320-CONSUMER .
297+ (I) RAW SEQUENCE DATA THA T RESULTS FROM SEQUE NCING 9
298+OF A CONSUMER ’S COMPLETE EXTRACTED DNA OR A PORTION OF THE CONSUMER ’S 10
299+COMPLETE EXTRACTED DNA; 11
321300
322- (2) “PERSONAL DATA ” DOES NOT INCLUDE : Ch. 454 2024 LAWS OF MARYLAND
301+ (II) GENOTYPIC AND PHENOTY PIC INFORMATION THAT 12
302+RESULTS FROM ANALYZI NG RAW SEQUENCE DATA ; 13
323303
324-– 8 –
304+ (III) INFORMATION EXTRAPOLA TED, DERIVED, OR INFERRED 14
305+FROM THE ANALYSIS OF RAW SEQUENCE DATA ; AND 15
325306
326- (I) DE–IDENTIFIED DATA ; OR
307+ (IV) SELF–REPORTED HEALTH INFO RMATION SUBMITTED TO A 16
308+DIRECT–TO–CONSUMER GENETIC TES TING COMPANY BY A CO NSUMER REGARDING 17
309+THE CONSUMER ’S HEALTH CONDITIONS : 18
327310
328- (II) PUBLICLY AVAILABLE IN FORMATION.
311+ 1. THAT IS USED FOR SCIE NTIFIC RESEARCH OR 19
312+PRODUCT DEVELOPMENT ; AND 20
329313
330- (W) (X) (1) “PRECISE GEOLOCATION D ATA” MEANS INFORMATION
331-DERIVED FROM TECHNOL OGY THAT CAN PRECISE LY AND ACCURATELY IDENTIFY
332-THE SPECIFIC LOCATIO N OF A CONSUMER WITH IN A RADIUS OF 1,750 FEET.
314+ 2. ANALYZED IN CONNECTIO N WITH THE CONSUMER ’S 21
315+RAW SEQUENCE DATA HAS THE MEANING STAT ED IN § 14–4401 OF THIS TITLE. 22
333316
334- (2) “PRECISE GEOLOCATION D ATA” INCLUDES GLOBAL POSI TIONING
335-SYSTEM LEVEL LATITUD E AND LONGITUDE COOR DINATES OR OTHER SIM ILAR
336-MECHANISMS .
317+ (R) (S) (1) “GEOFENCE” MEANS TECHNOLOGY THA T ESTABLISHES A 23
318+VIRTUAL GEOGRAPHICAL BOUNDARY. 24
337319
338- (3) “PRECISE GEOLOCATION D ATA” DOES NOT INCLUDE:
320+ (2) “GEOFENCE” INCLUDES BOUNDARIES THAT ARE ESTABLISHED 25
321+OR MONITORED THROUGH THE USE OF: 26
339322
340- (I) THE CONTENT OF COMMUN ICATIONS DATA;
323+ (I) GLOBAL POSITIONING TE CHNOLOGY; 27
341324
342- (II) DATA GENERATED BY OR CONN ECTED TO AN ADVANCED
343-UTILITY METERING INF RASTRUCTURE SYSTEM ; OR
325+ (II) CELL TOWER CONNECTIVI TY; 28
344326
345- (II) (III) EQUIPMENT DATA GENERATED BY EQU IPMENT USED
346-BY A UTILITY COMPANY .
327+ (III) CELLULAR DATA ; 29 8 HOUSE BILL 567
347328
348- (X) (Y) (1) “PROCESS” MEANS AN OPERATION O R SET OF OPERATIONS
349-PERFORMED BY MANUAL OR AUTOMATED MEANS O N PERSONAL DATA .
350329
351- (2) “PROCESS” INCLUDES COLLECTING , USING, STORING,
352-DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L DATA.
353330
354- (Y) (Z) “PROCESSOR” MEANS A PERSON THAT PROCESSE S PERSONAL
355-DATA ON BEHALF OF A CONTROLLER .
331+ (IV) RADIO FREQUENCY IDENT IFICATION; 1
356332
357- (Z) (AA) “PROFILING” MEANS ANY FORM OF AU TOMATED PROCESSING
358-PERFORMED ON PERSONA L DATA TO EVALUATE , ANALYZE, OR PREDICT PERSONAL
359-ASPECTS RELATED TO A N IDENTIFIED OR IDEN TIFIABLE CONSUMER ’S ECONOMIC
360-SITUATION, HEALTH, DEMOGRAPHIC CHARACTE RISTICS, PERSONAL PREFERENCES ,
361-INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS .
333+ (V) WIRELESS FIDELITY TEC HNOLOGY; OR 2
362334
363- (AA) (BB) “PROTECTED HEALTH INFO RMATION” HAS THE MEANING STAT ED
364-IN HIPAA.
335+ (VI) ANY OTHER FORM OF LOCATION DET ERMINATION 3
336+TECHNOLOGY . 4
365337
366- (BB) (CC) (1) “PUBLICLY AVAILABLE IN FORMATION” MEANS
367-INFORMATION THAT A PERSON:
368- WES MOORE, Governor Ch. 454
338+ (S) (T) “HIPAA” MEANS THE FEDERAL HEALTH INSURANCE 5
339+PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 6
369340
370-– 9 –
371- (I) IS LAWFULLY MADE READ ILY AVAILABLE TO THE GENERAL
372-PUBLIC THROUGH FEDER AL, STATE, OR LOCAL GOVERNMENT RECORDS; OR
341+ (T) (U) “IDENTIFIED OR IDENTIF IABLE CONSUMER ” MEANS A CONSUMER 7
342+WHO CAN READILY BE I DENTIFIED, EITHER DIRECTLY OR I NDIRECTLY. 8
373343
374- (II) A CONTROLLER HAS A REA SONABLE BASIS TO BEL IEVE
375-THAT A CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GEN ERAL PUBLIC
376-THROUGH WIDELY DISTR IBUTED MEDIA.
344+ (U) (V) “MENTAL HEALTH FACILIT Y” MEANS A HEALTH CARE FACILITY IN 9
345+WHICH NOT LESS THAN 70% OF HEALTH CARE SERVI CES OFFERED ARE MENT AL 10
346+HEALTH SERVICES . 11
377347
378- (I) LAWFULLY OBTAINS FROM A RECORD OF A GOVERN MENTAL
379-ENTITY;
348+ (V) (W) (1) “PERSONAL DATA ” MEANS ANY INFORMATIO N THAT IS 12
349+LINKED OR CAN BE REA SONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE 13
350+CONSUMER . 14
380351
381- (II) REASONABLY BELIEVES A CONSUMER OR WIDELY
382-DISTRIBUTED MEDIA HA S LAWFULLY MADE AVAI LABLE TO THE GENERAL PUBLIC;
383-OR
352+ (2) “PERSONAL DATA ” DOES NOT INCLUDE : 15
384353
385- (III) IF THE CONSUMER HAS N OT RESTRICTED THE
386-INFORMATION TO A SPE CIFIC AUDIENCE , OBTAINS FROM A PERSO N TO WHOM THE
387-CONSUMER DISCLOSED T HE INFORMATION .
354+ (I) DE–IDENTIFIED DATA ; OR 16
388355
389- (2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE
390-BIOMETRIC DATA COLLE CTED BY A BUSINESS A BOUT A CONSUMER WITHOUT THE
391-CONSUMER ’S KNOWLEDGE .
356+ (II) PUBLICLY AVAILABLE IN FORMATION. 17
392357
393- (CC) (DD) (1) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” MEANS CARE
394-RELATED TO A HEALTH CARE –RELATED SERVICE OR P RODUCT RENDERED OR
395-PROVIDED CONCERNING A CONSUMER ’S REPRODUCTIVE SYSTE M OR SEXUAL
396-WELL–BEING., INCLUDING:
358+ (W) (X) (1) “PRECISE GEOLOCATION D ATA” MEANS INFORMATION 18
359+DERIVED FROM TECHNOL OGY THAT CAN PRECISELY AND ACCURA TELY IDENTIFY 19
360+THE SPECIFIC LOCATIO N OF A CONSUMER WITH IN A RADIUS OF 1,750 FEET. 20
397361
398- (2) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” INCLUDES:
362+ (2) “PRECISE GEOLOCATION D ATA” INCLUDES GLOBAL POSI TIONING 21
363+SYSTEM LEVEL LATITUD E AND LONGITUDE COOR DINATES OR OTHER SIM ILAR 22
364+MECHANISMS . 23
399365
400- (I) (1) A SERVICE OR PRODUCT P ROVIDED RELATED TO A N
401-INDIVIDUAL HEALTH CO NDITION, STATUS, DISEASE, DIAGNOSIS, TEST, OR
402-TREATMENT ;
366+ (3) “PRECISE GEOLOCATION DATA ” DOES NOT INCLUDE : 24
403367
404- (II) (2) A SOCIAL, PSYCHOLOGICAL , BEHAVIORAL , OR
405-MEDICAL INTERVENTION ;
368+ (I) THE CONTENT OF COMMUN ICATIONS DATA; 25
406369
407- (III) (3) A SURGERY OR PROCEDURE ;
370+ (II) DATA GENERATED BY OR CONN ECTED TO AN ADVANCED 26
371+UTILITY METERING INF RASTRUCTURE SYSTEM ; OR 27
372+ HOUSE BILL 567 9
408373
409- (IV) (4) THE PURCHASE OR USE O F A MEDICATION ,
410-INCLUDING A MEDICATI ON PURCHASED OR USED FOR THE PURPOSES OF AN
411-ABORTION;
412374
413- (V) (5) A SERVICE OR PRODUCT R ELATED TO A BODILY
414-FUNCTION, VITAL SIGN, OR MEASUREMENT THEREOF SYMPTOM; Ch. 454 2024 LAWS OF MARYLAND
375+ (II) (III) EQUIPMENT DATA GENERATED BY EQU IPMENT USED 1
376+BY A UTILITY COMPANY. 2
415377
416-– 10 –
378+ (X) (Y) (1) “PROCESS” MEANS AN OPERATION O R SET OF OPERATIONS 3
379+PERFORMED BY MANUAL OR AUTOMATED MEANS O N PERSONAL DATA . 4
417380
418- (6) A MEASUREMENT OF A BOD ILY FUNCTION , VITAL SIGN, OR
419-SYMPTOM; AND
381+ (2) “PROCESS” INCLUDES COLLECTING , USING, STORING, 5
382+DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L DATA. 6
420383
421- (VI) (7) AN ABORTION , WHETHER SURGICAL OR MEDICAL;
422-AND
384+ (Y) (Z) “PROCESSOR” MEANS A PERSON THAT PROCESSES PERSONAL 7
385+DATA ON BEHALF OF A CONTROLLER . 8
423386
424- (VII) A SERVICE RELATED TO AN ABORTION AND MEDICAL AND
425-NONMEDICAL SERVICES , PRODUCTS, DIAGNOSTICS, COUNSELING , AND FOLLOW –UP
426-SERVICES FOR AN ABOR TION.
387+ (Z) (AA) “PROFILING” MEANS ANY FORM OF AU TOMATED PROCESSING 9
388+PERFORMED ON PERSONA L DATA TO EVALUATE , ANALYZE, OR PREDICT PERSONAL 10
389+ASPECTS RELATED TO A N IDENTIFIED OR IDENTIFIABLE CONSUME R’S ECONOMIC 11
390+SITUATION, HEALTH, DEMOGRAPHIC CHARACTE RISTICS, PERSONAL PREFERENCES , 12
391+INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS . 13
427392
428- (DD) (EE) “REPRODUCTIVE OR SEXUA L HEALTH FACILITY ” MEANS A
429-HEALTH CARE FACILITY WHERE NOT LESS THAN 70% OF SERVICES OFFERED ARE
430-REPRODUCTIVE OR SEXUA L HEALTH CARE SERVIC ES.
393+ (AA) (BB) “PROTECTED HEALTH INFO RMATION” HAS THE MEANING STAT ED 14
394+IN HIPAA. 15
431395
432- (EE) (FF) (1) “SALE OF PERSONAL DATA ” MEANS THE EXCHANGE O F
433-PERSONAL DATA BY A C ONTROLLER , A PROCESSOR , OR AN AFFILIATE OF A
434-CONTROLLER OR PROCES SOR TO A THIRD PARTY FOR MONETARY OR OTHER
435-VALUABLE CONSIDERATION .
396+ (BB) (CC) (1) “PUBLICLY AVAILABLE INF ORMATION” MEANS 16
397+INFORMATION THAT A PERSON: 17
436398
437- (2) “SALE OF PERSONAL DATA ” DOES NOT INCLUDE :
399+ (I) IS LAWFULLY MADE READ ILY AVAILABLE TO THE GENERAL 18
400+PUBLIC THROUGH FEDER AL, STATE, OR LOCAL GOVERNMENT RECORDS; OR 19
438401
439- (I) THE DISCLOSURE OF PER SONAL DATA TO A PROC ESSOR
440-THAT PROCESSES PERSO NAL DATA ON BEHALF O F A CONTROLLER IF LI MITED TO
441-THE PURPOSES OF THE PROCESSING;
402+ (II) A CONTROLLER HAS A REA SONABLE BASIS TO BEL IEVE 20
403+THAT A CONSUMER HAS LAWFULLY MADE AV AILABLE TO THE GENER AL PUBLIC 21
404+THROUGH WIDELY DISTR IBUTED MEDIA. 22
442405
443- (II) THE DISCLOSURE OF PER SONAL DATA TO A THIRD PART Y
444-FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE AFFIRMATIVELY
445-REQUESTED BY THE CON SUMER;
406+ (I) LAWFULLY OBTAINS FROM A RECORD OF A GOVERN MENTAL 23
407+ENTITY; 24
446408
447- (III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO AN
448-AFFILIATE OF THE CON TROLLER FOR THE PURPOSE OF P ROVIDING A PRODUCT O R
449-SERVICE AFFIRMAT IVELY REQUESTED BY T HE CONSUMER ;
409+ (II) REASONABLY BELIEVES A CONSUMER OR WIDELY 25
410+DISTRIBUTED MEDIA HA S LAWFULLY MADE AVAI LABLE TO THE GEN ERAL PUBLIC; 26
411+OR 27
450412
451- (IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE
452-CONSUMER :
413+ (III) IF THE CONSUMER HAS N OT RESTRICTED THE 28
414+INFORMATION TO A SPE CIFIC AUDIENCE , OBTAINS FROM A PERSO N TO WHOM THE 29
415+CONSUMER DISCLOSED T HE INFORMATION . 30
416+ 10 HOUSE BILL 567
453417
454- 1. DIRECTS THE CONTROLLE R TO DISCLOSE THE
455-PERSONAL DATA ; OR
456418
457- 2. INTENTIONALLY USES TH E CONTROLLER TO
458-INTERACT WITH A THIR D PARTY;
459- WES MOORE, Governor Ch. 454
419+ (2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE 1
420+BIOMETRIC DATA COLLE CTED BY A BUSINESS ABOUT A C ONSUMER WITHOUT THE 2
421+CONSUMER ’S KNOWLEDGE . 3
460422
461-– 11 –
462- (V) THE DISCLOSURE OF PERSONAL DATA THA T THE
463-CONSUMER :
423+ (CC) (DD) (1) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” MEANS CARE 4
424+RELATED TO A HEALTH CARE –RELATED SERVICE OR P RODUCT RENDERED OR 5
425+PROVIDED CONCERNING A CONSUMER ’S REPRODUCTIVE SYSTE M OR SEXUAL 6
426+WELL–BEING., INCLUDING: 7
464427
465- 1. INTENTIONALLY MADE AV AILABLE TO THE GENER AL
466-PUBLIC THROUGH A CHA NNEL OF MASS MEDIA ; AND
428+ (2) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” INCLUDES: 8
467429
468- 2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE ; OR
430+ (I) (1) A SERVICE OR PRODUCT P ROVIDED RELATED TO A N 9
431+INDIVIDUAL HEALTH CO NDITION, STATUS, DISEASE, DIAGNOSIS, TEST, OR 10
432+TREATMENT ; 11
469433
470- (VI) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A
471-THIRD PARTY AS AN ASSET THAT IS PAR T OF AN ACTUAL OR PR OPOSED MERGER ,
472-ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION WHERE THE THIRD PART Y
473-ASSUMES CONTROL OF A LL OR PART OF THE CO NTROLLER’S ASSETS.
434+ (II) (2) A SOCIAL, PSYCHOLOGICAL , BEHAVIORAL, OR 12
435+MEDICAL INTERVENTION ; 13
474436
475- (FF) (GG) “SENSITIVE DATA” MEANS PERSONAL DATA THAT INCLUDES :
437+ (III) (3) A SURGERY OR PROCEDURE ; 14
476438
477- (1) DATA REVEALING:
439+ (IV) (4) THE PURCHASE OR USE O F A MEDICATION , 15
440+INCLUDING A MEDICATI ON PURCHASED OR USED FOR THE PURPOSES OF AN 16
441+ABORTION; 17
478442
479- (I) RACIAL OR ETHNIC ORIG IN;
443+ (V) (5) A SERVICE OR PRODUCT R ELATED TO A BODILY 18
444+FUNCTION, VITAL SIGN, OR MEASUREMENT THEREOF SYMPTOM; 19
480445
481- (II) RELIGIOUS BELIEFS ;
446+ (6) A MEASUREMENT OF A BOD ILY FUNCTION , VITAL SIGN, OR 20
447+SYMPTOM; AND 21
482448
483- (III) CONSUMER HEALTH DATA ;
449+ (VI) (7) AN ABORTION , WHETHER SURGICAL OR MEDICAL; 22
450+AND 23
484451
485- (IV) SEX LIFE;
452+ (VII) A SERVICE RELATED TO AN ABORTION AND MEDICAL AND 24
453+NONMEDICAL SERVICES , PRODUCTS, DIAGNOSTICS, COUNSELING , AND FOLLOW –UP 25
454+SERVICES FOR AN ABOR TION. 26
486455
487- (V) SEXUAL ORIENTATION ;
456+ (DD) (EE) “REPRODUCTIVE OR SEXUA L HEALTH FACILITY ” MEANS A 27
457+HEALTH CARE FACILITY WHERE NOT LESS THAN 70% OF SERVICES OFFERED ARE 28
458+REPRODUCTIVE OR SEXUA L HEALTH CARE SERVIC ES. 29
488459
489- (VI) STATUS AS TRANSGENDER OR NONBINARY ;
460+ (EE) (FF) (1) “SALE OF PERSONAL DATA ” MEANS THE EXCHANGE O F 30
461+PERSONAL DATA BY A C ONTROLLER , A PROCESSOR , OR AN AFFILIATE OF A 31 HOUSE BILL 567 11
490462
491- (VII) NATIONAL ORIGIN ; OR
492463
493- (VIII) CITIZENSHIP OR IMMIGRATION STATUS ;
464+CONTROLLER OR PROCES SOR TO A THIRD PARTY FOR MONETARY OR OTHER 1
465+VALUABLE CONSIDERATION . 2
494466
495- (2) GENETIC DATA OR BIOME TRIC DATA;
467+ (2) “SALE OF PERSONAL DATA ” DOES NOT INCLUDE : 3
496468
497- (3) PERSONAL DATA OF A CO NSUMER THAT THE CONT ROLLER KNOWS
498-OR HAS REASON TO KNO W IS A CHILD; OR
469+ (I) THE DISCLOSURE OF PER SONAL DATA TO A PROC ESSOR 4
470+THAT PROCESSES PERSO NAL DATA ON BEHALF O F A CONTROLLER IF LI MITED TO 5
471+THE PURPOSES OF THE PROCESSING; 6
499472
500- (4) PRECISE GEOLOCATION D ATA.
473+ (II) THE DISCLOSURE OF PER SONAL DATA TO A THIRD PART Y 7
474+FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE AFFIRMATIVELY 8
475+REQUESTED BY THE CON SUMER; 9
501476
502- (GG) (HH) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING
503-ADVERTISEMENTS TO A CONSUMER OR ON A DEV ICE IDENTIFIED BY A UNIQUE
504-IDENTIFIER, WHERE THE ADVERTISEM ENT IS SELECTED BASE D ON PERSONAL DATA
505-OBTAINED OR INFERRED FROM THE CONSUMER ’S ACTIVITIES OVER TI ME AND Ch. 454 2024 LAWS OF MARYLAND
477+ (III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO AN 10
478+AFFILIATE OF THE CON TROLLER FOR THE PURPOSE OF P ROVIDING A PRODUCT O R 11
479+SERVICE AFFIRMAT IVELY REQUESTED BY T HE CONSUMER ; 12
506480
507-– 12 –
508-ACROSS NONAFFILIATED WEBSITES OR ONLINE A PPLICATIONS THAT ARE
509-UNAFFILIATED WITH EA CH OTHER, IN ORDER TO PREDICT THE CONSUMER ’S
510-PREFERENCES OR INTER ESTS.
481+ (IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE 13
482+CONSUMER : 14
511483
512- (2) “TARGETED ADVERTISING ” DOES NOT INCLUDE :
484+ 1. DIRECTS THE CONTROLLE R TO DISCLOSE THE 15
485+PERSONAL DATA ; OR 16
513486
514- (I) ADVERTISEMENTS BASED ON THE CONTEXT IN WHICH THE
515-ADVERTISEM ENT APPEARS AND DOES NOT VARY BASED ON WH O IS VIEWING THE
516-ADVERTISEMENT OF A CONSUMER ’S CURRENT SEARCH QUE RY, VISIT TO A WEBSITE,
517-OR ONLINE APPLICATIO N;
487+ 2. INTENTIONALLY USES TH E CONTROLLER TO 17
488+INTERACT WITH A THIR D PARTY; 18
518489
519- (II) ADVERTISEMENTS BASED ON A CONSUMER ’S ACTIVITIES
520-WITHIN A CONTROLLER ’S WEBSITES OR ONLINE APPLICATIONS;
490+ (V) THE DISCLOSURE OF PERSONAL DATA THA T THE 19
491+CONSUMER : 20
521492
522- (III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN
523-RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR
493+ 1. INTENTIONALLY MADE AV AILABLE TO THE GENER AL 21
494+PUBLIC THROUGH A CHA NNEL OF MASS MEDIA ; AND 22
524495
525- (IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR
526-REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH.
496+ 2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE ; OR 23
527497
528- (HH) (II) “THIRD PARTY” MEANS A PERSON OTHER THAN THE RELEVANT
529-CONSUMER , CONTROLLER , PROCESSOR, OR AFFILIATE OF THE CONTROLLER OR
530-PROCESSOR OF RELEVAN T PERSONAL DATA .
498+ (VI) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A 24
499+THIRD PARTY AS AN ASSET THAT IS PAR T OF AN ACTUAL OR PR OPOSED MERGER , 25
500+ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION WHERE THE THIRD PART Y 26
501+ASSUMES CONTROL OF A LL OR PART OF THE CO NTROLLER’S ASSETS. 27
531502
532- (II) (JJ) (1) “TRADE SECRET” MEANS INFORMATION TH AT:
503+ (FF) (GG) “SENSITIVE DATA” MEANS PERSONAL DATA THAT INCLUDES : 28
533504
534- (I) DERIVES INDEPENDENT E CONOMIC VALUE , ACTUAL OR
535-POTENTIAL, FROM NOT BEING GENER ALLY KNOWN TO , AND NOT BEING READIL Y
536-ASCERTAINABLE BY PRO PER MEANS BY , OTHER PERSONS WHO CO ULD OBTAIN
537-ECONOMIC VALUE FROM THE INFORMATION ’S DISCLOSURE OR USE ; AND
505+ (1) DATA REVEALING: 29
538506
539- (II) IS THE SUBJECT OF EFF ORTS THAT ARE REASON ABLE
540-UNDER THE CIRCUMSTAN CES TO MAINTAIN THE SECRECY OF THE INFOR MATION.
507+ (I) RACIAL OR ETHNIC ORIG IN; 30 12 HOUSE BILL 567
541508
542- (2) “TRADE SECRET ” INCLUDES A FORMULA , PATTERN,
543-COMPILATION , PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS HAS THE
544-MEANING STATED IN § 11–1201 OF THIS ARTICLE.
545509
546- (KK) “TRANSFER” MEANS TO DISCLOSE , RELEASE, DISSEMINATE, MAKE
547-AVAILABLE, LICENSE, RENT, OR SHARE PERSONAL DA TA ORALLY, IN WRITING,
548-ELECTRONICALLY , OR BY ANY OTHER MEAN S.
549510
550-14–4602. WES MOORE, Governor Ch. 454
511+ (II) RELIGIOUS BELIEFS ; 1
551512
552-– 13 –
513+ (III) CONSUMER HEALTH DATA ; 2
553514
554- THIS SUBTITLE APPLIES TO A PERSON THAT CONDUCTS BUSINESS IN THE
555-STATE OR PROVIDES PRO DUCTS OR SERVICES THAT A RE TARGETED TO RESID ENTS
556-OF THE STATE, AND THAT DURING THE PRECEDING CALENDAR Y EAR DID ANY OF
557-THE FOLLOWING :
515+ (IV) SEX LIFE; 3
558516
559- (1) CONDUCTS BUSINESS IN THE STATE; OR
517+ (V) SEXUAL ORIENTATION ; 4
560518
561- (2) (I) PRODUCES SERVICES OR PRODUCTS THAT ARE TA RGETED
562-TO RESIDENTS OF THE STATE; AND
519+ (VI) STATUS AS TRANSGENDER OR NONBINARY ; 5
563520
564- (II) DURING THE IMMEDIATEL Y PRECEDING CALENDAR YEAR:
521+ (VII) NATIONAL ORIGIN ; OR 6
565522
566- 1. (1) CONTROLLED OR PROCESS ED THE PERSONAL DATA
567-OF AT LEAST 35,000 CONSUMERS , EXCLUDING PERSONAL D ATA CONTROLLED OR
568-PROCESSED SOLELY FOR THE PURPOSE OF COMPL ETING A PAYMENT TRAN SACTION;
569-OR
523+ (VIII) CITIZENSHIP OR IMMIGRATION STATUS ; 7
570524
571- 2. (2) CONTROLLED OR PROCESS ED THE PERSONAL DATA
572-OF AT LEAST 10,000 CONSUMERS AND DERIVE D MORE THAN 20% OF ITS GROSS
573-REVENUE FROM THE SAL E OF PERSONAL DATA .
525+ (2) GENETIC DATA OR BIOME TRIC DATA; 8
574526
575-14–4603.
527+ (3) PERSONAL DATA OF A CO NSUMER THAT THE CONT ROLLER KNOWS 9
528+OR HAS REASON TO KNO W IS A CHILD; OR 10
576529
577- (A) THIS SUBTITLE DOES NO T APPLY TO:
530+ (4) PRECISE GEOLOCATION D ATA. 11
578531
579- (1) A REGULATORY , ADMINISTRATIVE , ADVISORY, EXECUTIVE,
580-APPOINTIVE, LEGISLATIVE, OR JUDICIAL BODY OR INSTRUMENTALITY OF THE
581-STATE, INCLUDING A BOARD , BUREAU, COMMISSION, OR UNIT OF THE STATE OR A
582-POLITICAL SUBDIVISIO N OF THE STATE;
532+ (GG) (HH) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING 12
533+ADVERTISEMENTS TO A CONSUMER OR ON A DEV ICE IDENTIFIED BY A UNIQUE 13
534+IDENTIFIER, WHERE THE ADVERTISEM ENT IS SELECTED BASE D ON PERSONAL DATA 14
535+OBTAINED OR INFERRED FROM THE CONSUMER ’S ACTIVITIES OVER TI ME AND 15
536+ACROSS NONAFFILIATED WEBSITES OR ONLINE A PPLICATIONS THAT ARE 16
537+UNAFFILIATED WITH EA CH OTHER, IN ORDER TO PREDICT THE CONSUMER ’S 17
538+PREFERENCES OR INTER ESTS. 18
583539
584- (2) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED
585-UNDER § 15 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934 OR A
586-REGISTERED FUTURES A SSOCIATION DESIGNATE D IN ACCORDANCE WITH § 17 OF
587-THE FEDERAL COMMODITY EXCHANGE ACT; OR
540+ (2) “TARGETED ADVERTISING ” DOES NOT INCLUDE : 19
588541
589- (3) A FINANCIAL INSTITUTIO N OR, AN AFFILIATE OF A F INANCIAL
590-INSTITUTION, OR DATA THAT IS SUBJECT TO TITLE V OF THE FEDERAL
591-GRAMM–LEACH–BLILEY ACT AND REGULATIONS A DOPTED UNDER THAT AC T; OR
542+ (I) ADVERTISEMENTS BASED ON THE CONTEXT IN WHICH THE 20
543+ADVERTISEM ENT APPEARS AND DOES NOT VARY BASED ON WH O IS VIEWING THE 21
544+ADVERTISEMENT OF A CONSUMER ’S CURRENT SEARCH QUE RY, VISIT TO A WEBSITE, 22
545+OR ONLINE APPLICATIO N; 23
592546
593- (4) A NONPROFIT CONTROLLER THAT PROCESSES OR SH ARES
594-PERSONAL DATA SOLELY FOR THE PURPOSES OF ASSISTING:
595- Ch. 454 2024 LAWS OF MARYLAND
547+ (II) ADVERTISEMENTS BASED ON A CONSUMER ’S ACTIVITIES 24
548+WITHIN A CONTROLLER ’S WEBSITES OR ONLINE APPLICATIONS; 25
596549
597-– 14 –
598- (I) LAW ENFORCEMENT AGENC IES IN INVESTIGATING
599-CRIMINAL OR FRAUDULE NT ACTS RELATING TO INSURANCE; OR
550+ (III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN 26
551+RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR 27
552+ HOUSE BILL 567 13
600553
601- (II) FIRST RESPONDERS IN R ESPONDING TO CATASTR OPHIC
602-EVENTS.
603554
604- (B) THE FOLLOWING INFORMA TION AND DATA ARE EX EMPT FROM THIS
605-SUBTITLE:
555+ (IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR 1
556+REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH. 2
606557
607- (1) PROTECTED HEALTH INFORMATION UNDER HIPAA;
558+ (HH) (II) “THIRD PARTY” MEANS A PERSON OTHER THAN THE RELEVANT 3
559+CONSUMER , CONTROLLER , PROCESSOR, OR AFFILIATE OF THE CONTROLLER OR 4
560+PROCESSOR OF RELEVAN T PERSONAL DATA . 5
608561
609- (2) PATIENT–IDENTIFYING INFORMAT ION FOR PURPOSES OF 42
610-U.S.C. § 290DD–2;
562+ (II) (JJ) (1) “TRADE SECRET” MEANS INFORMATION TH AT: 6
611563
612- (3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR
613-PURPOSES OF THE FEDE RAL POLICY FOR THE P ROTECTION OF HUMAN S UBJECTS IN
614-ACCORDANCE WITH 45 C.F.R. § 46;
564+ (I) DERIVES INDEPENDENT E CONOMIC VALUE , ACTUAL OR 7
565+POTENTIAL, FROM NOT BEING GENER ALLY KNOWN TO , AND NOT BEING READIL Y 8
566+ASCERTAINABLE BY PRO PER MEANS BY , OTHER PERSONS WHO CO ULD OBTAIN 9
567+ECONOMIC VALUE FROM THE INFORMATION ’S DISCLOSURE OR USE ; AND 10
615568
616- (4) IDENTIFIABLE PRIVATE INFORMATION TO THE E XTENT THAT IT IS
617-COLLECTED AND USED A S PART OF HUMAN SUBJ ECTS RESEARCH IN ACC ORDANCE
618-WITH THE ICH 36 GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
619-INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS
620-FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN
621-SUBJECTS UNDER 21 C.F.R. §§ 50 AND 56;
569+ (II) IS THE SUBJECT OF EFF ORTS THAT ARE REASON ABLE 11
570+UNDER THE CIRCUMSTAN CES TO MAINTAIN THE SECRECY OF THE INFOR MATION. 12
622571
623- (5) PATIENT SAFETY WORK P RODUCT THAT IS CREAT ED AND USED
624-FOR PURPOSES OF PATI ENT SAFETY IMPROVEME NT IN ACCORDANCE WIT H 42
625-C.F.R. § 3, ESTABLISHED IN ACCORDANCE W ITH 42 U.S.C. §§ 299B–21 THROUGH
626-299B–26;
572+ (2) “TRADE SECRET ” INCLUDES A FORMULA , PATTERN, 13
573+COMPILATION , PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS HAS THE 14
574+MEANING STATED IN § 11–1201 OF THIS ARTICLE. 15
627575
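Review bot: paragraph (2) of the "TRADE SECRET" definition on the added side carries two predicates in one sentence, "INCLUDES A FORMULA ... OR PROCESS" and "HAS THE MEANING STATED IN § 11–1201 OF THIS ARTICLE", so it does not parse and a reader cannot tell whether the enumerated list or the cross-reference is the operative definition. The comparison should mark which wording is struck and which is inserted, or show only the operative text.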
628- (6) (I) INFORMATION TO THE EX TENT IT IS USED FOR PUBLIC
629-HEALTH, COMMUNITY HEALTH , OR POPULATION HEALTH ACTIVITIES AND
630-PURPOSES, AS AUTHORIZED BY HIPAA, WHEN PROVIDED BY OR TO A COVERED
631-ENTITY OR WHEN PROVIDED BY OR TO A BUSINESS ASS OCIATE IN ACCORDANCE WITH
632-THE BUSINESS ASSOCIA TE AGREEMENT WITH A COVERED ENTITY ; AND
576+ (KK) “TRANSFER” MEANS TO DISCLOSE , RELEASE, DISSEMINATE, MAKE 16
577+AVAILABLE, LICENSE, RENT, OR SHARE PERSONAL DA TA ORALLY, IN WRITING, 17
578+ELECTRONICALLY , OR BY ANY OTHER MEAN S. 18
633579
634- (II) INFORMATION COLLECTED , USED, OR DISCLOSED BY AN
635-ENTITY IF:
580+14–4602. 19
636581
637- 1. THE ENTITY IS A COVER ED ENTITY OR BUSINES S
638-ASSOCIATE UNDER HIPAA BECAUSE IT COLLECTS , USES, OR DISCLOSES
639-PROTECTED HEALTH INF ORMATION; AND
640- WES MOORE, Governor Ch. 454
582+ THIS SUBTITLE APPLIES TO A PERSON THAT CONDUCTS BUSINESS IN THE 20
583+STATE OR PROVIDES PRO DUCTS OR SERVICES THAT ARE TAR GETED TO RESIDENTS 21
584+OF THE STATE, AND THAT DURING THE PRECEDING CALENDAR Y EAR DID ANY OF 22
585+THE FOLLOWING : 23
641586
642-– 15 –
643- 2. THE ENTITY APPLIES TH E SAME FEDERAL AND STATE
644-STANDARDS FOR THE CO LLECTION, USE, AND DISCLOSURE OF IN FORMATION AS
645-PROVIDED TO PROTECTE D HEALTH INFORMATION UNDER HIPAA AND LEGALLY
646-PROTECTED HEALTH CAR E UNDER § 4–301 OF THE HEALTH – GENERAL ARTICLE
647-FOR INFORMATION THAT :
587+ (1) CONDUCTS BUSINESS IN THE STATE; OR 24
648588
649- A. IS CONSIDERED A MEDIC AL RECORD UNDER § 4–301
650-OF THE HEALTH – GENERAL ARTICLE; AND
589+ (2) (I) PRODUCES SERVICES OR PRODUCTS THAT ARE TA RGETED 25
590+TO RESIDENTS OF THE STATE; AND 26
651591
652- B. IS NOT CONSIDERED PRO TECTED HEALTH
653-INFORMATION UND ER HIPAA;
592+ (II) DURING THE IMMEDIATEL Y PRECEDING CALENDAR YEAR: 27
654593
655- (II) INFORMATION THAT IS A MEDICAL RECORD UNDER § 4–301
656-OF THE HEALTH – GENERAL ARTICLE IF:
594+ 1. (1) CONTROLLED OR PROCESS ED THE PERSONAL DATA 28
595+OF AT LEAST 35,000 CONSUMERS , EXCLUDING PERSONAL D ATA CONTROLLED OR 29
596+PROCESSED SOLELY FOR THE PURPOSE OF COMPL ETING A PAYMENT TRAN SACTION; 30
597+OR 31
598+ 14 HOUSE BILL 567
657599
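Review bot: the first threshold item on the added side is labelled twice, "1. (1) CONTROLLED OR PROCESSED ...", and the lead-in to 14–4602 likewise states the applicability test in two overlapping forms ("DID ANY OF THE FOLLOWING" next to a "(1) ...; OR (2) (I) ...; AND (II) ..." list). Anyone scoping systems against the 35,000-consumer threshold needs to know which structure governs, so keep one numbering scheme per item or mark the superseded one as struck.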
658- 1. THE INFORMATION IS HE LD BY AN ENTITY THAT IS A
659-COVERED ENTITY OR BU SINESS ASSOCIATE UND ER HIPAA BECAUSE IT COLLECTS ,
660-USES, OR DISCLOSES PROTE CTED HEALTH INFORMAT ION; AND
661600
662- 2. THE ENTITY APPLIES TH E SAME STANDARDS FOR THE
663-COLLECTION, USE, AND DISCLOSURE OF TH E INFORMATION AS REQ UIRED FOR
664-PROTECTED HEALTH INF ORMATION UNDER HIPAA AND MEDICAL RECORDS UNDER
665-§ 4–301 OF THE HEALTH – GENERAL ARTICLE, INCLUDING SPECIFIC S TANDARDS
666-REGARDING LEGALLY PR OTECTED HEALTH CARE ; AND
601+ 2. (2) CONTROLLED OR PROCESS ED THE PERSONAL DATA 1
602+OF AT LEAST 10,000 CONSUMERS AND DERIVE D MORE THAN 20% OF ITS GROSS 2
603+REVENUE FROM THE SAL E OF PERSONAL DATA . 3
667604
668- (III) INFORMATION THAT IS D E–IDENTIFIED IN ACCORD ANCE
669-WITH THE REQUIREMENT S FOR DE–IDENTIFICATION SET F ORTH IN 45 C.F.R.
670-164.514 THAT IS DERIVED FROM INDIVIDUALLY IDENTI FIABLE HEALTH
671-INFORMATION AS DESCR IBED IN HIPAA OR PERSONAL INFORMAT ION CONSISTENT
672-WITH THE HUMAN SUBJE CT PROTECTION REQUIR EMENTS OF THE U.S. FOOD AND
673-DRUG ADMINISTRATION ;
605+14–4603. 4
674606
675- (7) THE COLLECTION , MAINTENANCE , DISCLOSURE, SALE,
676-COMMUNICATION , OR USE OF PERS ONAL INFORMATION BEA RING ON A CONSUMER ’S
677-CREDITWORTHINESS , CREDIT STANDING , CREDIT CAPACITY , CHARACTER , GENERAL
678-REPUTATION, PERSONAL CHARACTERIS TICS, OR MODE OF LIVING BY A CONSUMER
679-REPORTING AGENCY , FURNISHER, OR USER THAT PROVIDE S INFORMATION FOR US E
680-IN A CONSUMER REPORT , AND BY A USER OF A C ONSUMER REPORT , BUT ONLY TO
681-THE EXTENT THAT THE ACTIVITY IS REGULATE D BY AND AUTHORIZED UNDER THE
682-FEDERAL FAIR CREDIT REPORTING ACT;
607+ (A) THIS SUBTITLE DOES NO T APPLY TO: 5
683608
684- (8) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
685-IN COMPLIANCE WITH T HE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994;
686- Ch. 454 2024 LAWS OF MARYLAND
609+ (1) A REGULATORY , ADMINISTRATIVE , ADVISORY, EXECUTIVE, 6
610+APPOINTIVE, LEGISLATIVE, OR JUDICIAL BODY OR INSTRUMENTALITY OF THE 7
611+STATE, INCLUDING A BOARD , BUREAU, COMMISSION, OR UNIT OF THE STATE OR A 8
612+POLITICAL SUBDIVISIO N OF THE STATE; 9
687613
688-– 16 –
689- (9) PERSONAL DATA REGULAT ED BY THE FEDERAL FAMILY
690-EDUCATIONAL RIGHTS AND PRIVACY ACT;
614+ (2) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED 10
615+UNDER § 15 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934 OR A 11
616+REGISTERED FUTURES A SSOCIATION DESIGNATE D IN ACCORDANCE WITH § 17 OF 12
617+THE FEDERAL COMMODITY EXCHANGE ACT; OR 13
691618
692- (10) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
693-IN COMPLIANCE WITH T HE FEDERAL FARM CREDIT ACT;
619+ (3) A FINANCIAL INSTITUTIO N OR, AN AFFILIATE OF A FINAN CIAL 14
620+INSTITUTION, OR DATA THAT IS SUBJECT TO TITLE V OF THE FEDERAL 15
621+GRAMM–LEACH–BLILEY ACT AND REGULATIONS A DOPTED UNDER THAT AC T; OR 16
694622
695- (11) DATA PROCESSED OR MAI NTAINED:
623+ (4) A NONPROFIT CONTROLLER THAT PROCESSES OR SH ARES 17
624+PERSONAL DATA SOLELY FOR THE PURPOSES OF ASSISTING: 18
696625
697- (I) IN THE COURSE OF AN I NDIVIDUAL APPLYING T O,
698-EMPLOYED BY , OR ACTING AS AN AGEN T OR INDEPENDENT CON TRACTOR OF A
699-CONTROLLER , PROCESSOR, OR THIRD PARTY , TO THE EXTENT THAT T HE DATA IS
700-COLLECTED AND USED W ITHIN THE CONTEXT OF THE ROLE ;
626+ (I) LAW ENFORCEMENT AGENC IES IN INVESTIGATING 19
627+CRIMINAL OR FRAUDULE NT ACTS RELATING TO INSURANCE; OR 20
701628
702- (II) AS THE EMERGENCY CONT ACT INFORMATION OF A
703-CONSUMER IF THE DATA IS USED FOR EMERGENC Y CONTACT PURPOSES ; OR
629+ (II) FIRST RESPONDERS IN R ESPONDING TO CATASTR OPHIC 21
630+EVENTS. 22
704631
705- (III) THAT IS:
632+ (B) THE FOLLOWING INFORMA TION AND DATA ARE EX EMPT FROM THIS 23
633+SUBTITLE: 24
706634
707- 1. NECESSARY TO RETAIN T O ADMINISTER BENEFIT S
708-FOR ANOTHER INDIVIDU AL RELATING TO THE C ONSUMER WH O IS THE SUBJECT OF
709-THE INFORMATION UNDE R ITEM (I) OF THIS ITEM; AND
635+ (1) PROTECTED HEALTH INFO RMATION UNDER HIPAA; 25
710636
711- 2. USED FOR THE PURPOSES OF ADMINISTERING THE
712-BENEFITS; AND
637+ (2) PATIENT–IDENTIFYING INFORMAT ION FOR PURPOSES OF 42 26
638+U.S.C. § 290DD–2; 27
713639
714- (12) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
715-IN RELATION TO PRICE , ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO THE
716-FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THI S SUBTITLE IS
717-PREEMPTED BY THE FED ERAL AIRLINE DEREGULATION ACT; AND
640+ (3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR 28
641+PURPOSES OF THE FEDE RAL POLICY FOR THE P ROTECTION OF HUMAN S UBJECTS IN 29
642+ACCORDANCE WITH 45 C.F.R. § 46; 30
643+ HOUSE BILL 567 15
718644
719- (13) PERSONAL DATA COLLECT ED BY OR ON BEHALF O F A PERSON
720-REGULATED UNDER THE INSURANCE ARTICLE OR AN AFFILIA TE OF SUCH A PERSON,
721-IN FURTHERANCE OF TH E BUSINESS OF INSURA NCE.
722645
723- (C) CONTROLLERS AND PROCE SSORS THAT COMPLY WI TH THE VERIFIABLE
724-PARENTAL CONSENT REQ UIREMENTS OF COPPA SHALL BE CONSIDERED
725-COMPLIANT WITH AN OB LIGATION TO OBTAIN P ARENTAL CONSENT IN A CCORDANCE
726-WITH THIS SUBTITLE WITH RESP ECT TO A CONSUMER WH O IS A CHILD.
646+ (4) IDENTIFIABLE PRIVATE INFORMATION TO THE E XTENT THAT IT IS 1
647+COLLECTED AND USED A S PART OF HUMAN SUBJ ECTS RESEARCH IN ACC ORDANCE 2
648+WITH THE ICH 36 GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE 3
649+INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 4
650+FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN 5
651+SUBJECTS UNDER 21 C.F.R. §§ 50 AND 56; 6
727652
728-14–4604.
653+ (5) PATIENT SAFETY WORK P RODUCT THAT IS CREAT ED AND USED 7
654+FOR PURPOSES OF PATI ENT SAFETY IMPROVEME NT IN ACCORDANCE WITH 42 8
655+C.F.R. § 3, ESTABLISHED IN ACCOR DANCE WITH 42 U.S.C. §§ 299B–21 THROUGH 9
656+299B–26; 10
729657
730- A PERSON MAY NOT :
731- WES MOORE, Governor Ch. 454
658+ (6) (I) INFORMATION TO THE EX TENT IT IS USED FOR PUBLIC 11
659+HEALTH, COMMUNITY HEALTH , OR POPULATION HEALTH ACTIVITIES AND 12
660+PURPOSES, AS AUTHORIZED BY HIPAA, WHEN PROVIDE D BY OR TO A COVERED 13
661+ENTITY OR WHEN PROVI DED BY OR TO A BUSIN ESS ASSOCIATE IN ACC ORDANCE WITH 14
662+THE BUSINESS ASSOCIA TE AGREEMENT WITH A COVERED ENTITY ; AND 15
732663
733-– 17 –
734- (1) PROVIDE AN EMPLOYEE O R CONTRACTOR ACCESS TO CONSUMER
735-HEALTH DATA UNLESS THE:
664+ (II) INFORMATION COLLECTED , USED, OR DISCLOSED BY AN 16
665+ENTITY IF: 17
736666
737- (I) THE EMPLOYEE OR CONTRACT OR IS SUBJECT TO A
738-CONTRACTUAL OR STATU TORY DUTY OF CONFIDE NTIALITY; OR
667+ 1. THE ENTITY IS A COVER ED ENTITY OR BUSINESS 18
668+ASSOCIATE UNDER HIPAA BECAUSE IT COLLECTS , USES, OR DISCLOSES 19
669+PROTECTED HEALTH INF ORMATION; AND 20
739670
740- (II) CONFIDENTIALITY IS RE QUIRED AS A CONDITIO N OF
741-EMPLOYMENT OF THE EM PLOYEE;
671+ 2. THE ENTITY APPLIES TH E SAME FEDERAL AND STATE 21
672+STANDARDS FOR THE CO LLECTION, USE, AND DISCLOSURE OF IN FORMATION AS 22
673+PROVIDED TO PROTECTE D HEALTH INFORMATION U NDER HIPAA AND LEGALLY 23
674+PROTECTED HEALTH CAR E UNDER § 4–301 OF THE HEALTH – GENERAL ARTICLE 24
675+FOR INFORMATION THAT : 25
742676
743- (2) PROVIDE A PROCESSOR A CCESS TO CONSUMER HE ALTH DATA
744-UNLESS THE PERSON PR OVIDING ACCESS TO THE CONSUMER HEALTH DATA AND
745-THE PROCESSOR COMPLY WITH § 14–4607 14–4608 OF THIS SUBTITLE; OR
677+ A. IS CONSIDERED A MEDIC AL RECORD UNDER § 4–301 26
678+OF THE HEALTH – GENERAL ARTICLE; AND 27
746679
747- (3) USE A GEOFENCE :
680+ B. IS NOT CONSIDERED PRO TECTED HEALTH 28
681+INFORMATION UNDER HIPAA; 29
748682
749- (I) TO IDENTIFY, TRACK, COLLECT DATA FROM , OR SEND A
750-NOTIFICATION TO A CO NSUMER REGARDING THE CONSUMER ’S CONSUMER HEALTH
751-DATA; AND
683+ (II) INFORMATION THAT IS A MEDICAL RECORD UNDER § 4–301 30
684+OF THE HEALTH – GENERAL ARTICLE IF: 31
752685
753- (II) WITHIN 1,750 FEET OF A MENTAL HEA LTH FACILITY OR
754-REPRODUCTIVE OR SEXU AL HEALTH FACILITY ; OR
686+ 1. THE INFORMATION IS HE LD BY AN ENTITY THAT IS A 32
687+COVERED ENTITY OR BU SINESS ASSOCIATE UND ER HIPAA BECAUSE IT COLLECTS , 33
688+USES, OR DISCLOSES PROTECT ED HEALTH INFORMATIO N; AND 34
689+ 16 HOUSE BILL 567
755690
756- (4) SELL OR OFFER TO SELL CONSUMER HEALTH DATA WITHOUT THE
757-CONSENT OF THE CONSU MER WHOSE HEALTH DAT A IS TO BE SOLD OR O FFERED TO
758-BE SOLD TO ESTABLISH A VIRTU AL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY
759-MENTAL HEALTH FACILI TY OR REPRODUCTIVE O R SEXUAL HEALTH FACI LITY FOR
760-THE PURPOSE OF IDENT IFYING, TRACKING, COLLECTING DATA FROM , OR SENDING
761-ANY NOTIFICATION TO A CONSUMER REGARDING THE CONS UMER’S CONSUMER
762-HEALTH DATA .
763691
764-14–4605.
692+ 2. THE ENTITY APPLIES TH E SAME STANDARDS FOR THE 1
693+COLLECTION, USE, AND DISCLOSURE OF TH E INFORMATION AS REQ UIRED FOR 2
694+PROTECTED HEALTH INF ORMATION UNDER HIPAA AND MEDICAL RECORDS UNDER 3
695+§ 4–301 OF THE HEALTH – GENERAL ARTICLE, INCLUDING SPECIFIC S TANDARDS 4
696+REGARDING LEGALLY PR OTECTED HEALTH CARE ; AND 5
765697
766- (A) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO REQUIRE A
767-CONTROLLER TO REVEAL A TRADE SECRET .
698+ (III) INFORMATION THAT IS D E–IDENTIFIED IN ACCORD ANCE 6
699+WITH THE REQUIREMENT S FOR DE–IDENTIFICATION SET F ORTH IN 45 C.F.R. 7
700+164.514 THAT IS DERIVED FRO M INDIVIDUALLY IDENT IFIABLE HEALTH 8
701+INFORMATION AS DESCR IBED IN HIPAA OR PERSONAL INFORMAT ION CONSISTENT 9
702+WITH THE HUMAN SUBJE CT PROTECTION REQUIR EMENTS OF THE U.S. FOOD AND 10
703+DRUG ADMINISTRATION ; 11
768704
769- (B) A CONSUMER SHALL HAVE THE RIGHT TO:
705+ (7) THE COLLECTION , MAINTENANCE , DISCLOSURE, SALE, 12
706+COMMUNIC ATION, OR USE OF PERSONAL I NFORMATION BEARING O N A CONSUMER ’S 13
707+CREDITWORTHINESS , CREDIT STANDING , CREDIT CAPACITY , CHARACTER , GENERAL 14
708+REPUTATION, PERSONAL CHARACTERIS TICS, OR MODE OF LIVING BY A CONSUMER 15
709+REPORTING AGENCY , FURNISHER, OR USER THAT PROVIDE S INFORMATION FOR USE 16
710+IN A CONSUMER REPORT , AND BY A USER OF A C ONSUMER REPORT , BUT ONLY TO 17
711+THE EXTENT THAT THE ACTIVITY IS REGULATE D BY AND AUTHORIZED UNDER THE 18
712+FEDERAL FAIR CREDIT REPORTING ACT; 19
770713
771- (1) CONFIRM WHETHER A CON TROLLER IS PROCESSIN G THE
772-CONSUMER ’S PERSONAL DATA , UNLESS THAT CONFIRMA TION WOULD REQUIRE T HE
773-DISCLOSURE OF A TRAD E SECRET;
714+ (8) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 20
715+IN COMPLIANCE WITH TH E FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994; 21
774716
775- (2) IF A CONTROLLER IS PR OCESSING A CONSUMER ’S PERSONAL
776-DATA, ACCESS THE CONSUMER ’S PERSONAL DATA UNLESS THAT ACCESS W OULD
777-REQUIRE THE DISCLOSU RE OF A TRADE SECRET ; Ch. 454 2024 LAWS OF MARYLAND
717+ (9) PERSONAL DATA REGULAT ED BY THE FEDERAL FAMILY 22
718+EDUCATIONAL RIGHTS AND PRIVACY ACT; 23
778719
779-– 18 –
720+ (10) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 24
721+IN COMPLIANCE WITH T HE FEDERAL FARM CREDIT ACT; 25
780722
781- (3) CONSIDERING THE NATUR E OF THE CONSUMER ’S PERSONAL
782-DATA AND THE PURPOSE S OF THE PROCESSING OF THE PERSONAL DATA , CORRECT
783-INACCURACIES IN THE CONSUMER ’S PERSONAL DATA ;
723+ (11) DATA PROCESSED OR MAI NTAINED: 26
784724
785- (4) REQUIRE A CONTROLLER TO DELETE PERSONAL D ATA PROVIDED
786-BY, OR OBTAINED ABOUT , THE CONSUMER UNLESS RETENTION OF THE PERSONAL
787-DATA IS REQUIRED BY LAW;
725+ (I) IN THE COURSE OF AN I NDIVIDUAL APPLYING T O, 27
726+EMPLOYED BY , OR ACTING AS AN AGEN T OR INDEPENDENT CON TRACTOR OF A 28
727+CONTROLLER , PROCESSOR, OR THIRD PARTY , TO THE EXTENT THAT T HE DATA IS 29
728+COLLECTED AND USED WITHIN THE CONT EXT OF THE ROLE ; 30
788729
789- (5) IF THE PROCESSING OF PERSONAL DATA IS DON E BY AUTOMATIC
790-MEANS, OBTAIN A COPY OF THE CONSUMER ’S PERSONAL DATA PROC ESSED BY THE
791-CONTROLLER IN A PORT ABLE AND, TO THE EXTENT TECHNI CALLY FEASIBLE,
792-READILY USABLE FORMA T THAT ALLOWS THE CO NSUMER TO EASILY TRA NSMIT THE
793-DATA TO ANOTHER CONT ROLLER WITHOUT HINDR ANCE;
730+ (II) AS THE EMERGENCY CONT ACT INFORMATION OF A 31
731+CONSUMER IF THE DATA IS USED FOR EMERGENC Y CONTACT PURPOSES ; OR 32
794732
795- (6) OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH
796-THE CONTROLLER HAS D ISCLOSED THE CONSUME R’S PERSONAL DATA OR A LIST OF
797-THE CATEGORIES OF TH IRD PARTIES TO WHICH THE CONTROLLER HAS D ISCLOSED
798-ANY CONSUMER ’S PERSONAL DATA IF T HE CONTROLLER DOES N OT MAINTAIN THIS
799-INFORMATION IN A FOR MAT SPECIFIC TO THE CONSUMER ; AND
733+ (III) THAT IS: 33
734+ HOUSE BILL 567 17
800735
801- (7) OPT OUT OF THE PROCES SING OF PERSONAL DAT A FOR PURPOSES
802-OF:
803736
804- (I) TARGETED ADVERTISING ;
737+ 1. NECESSARY TO RETAIN T O ADMINISTER BENEFIT S 1
738+FOR ANOTHER INDIVIDU AL RELATING TO THE CONSUMER WHO IS THE SUBJECT OF 2
739+THE INFORMATION UNDE R ITEM (I) OF THIS ITEM; AND 3
805740
806- (II) THE SALE OF PERSONAL DATA; OR
741+ 2. USED FOR THE PURPOSES OF ADMINISTERING THE 4
742+BENEFITS; AND 5
807743
808- (III) PROFILING IN FURTHERA NCE OF SOLELY AUTOMA TED
809-DECISIONS THAT PRODU CE LEGAL OR SIMILARL Y SIGNIFICANT EFFECT S
810-CONCERNING THE CONSU MER.
744+ (12) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 6
745+IN RELATION TO PRICE , ROUTE, OR SERVICE BY AN AIR CARRIER SUBJE CT TO THE 7
746+FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THI S SUBTITLE IS 8
747+PREEMPTED BY THE FED ERAL AIRLINE DEREGULATION ACT; AND 9
811748
812- (C) (1) A CONTROLLER SHALL ESTABLISH A SECURE A ND RELIABLE
813-METHOD FOR A CONSUME R TO EXERCISE A CONS UMER RIGHT UNDER THI S SECTION.
749+ (13) PERSONAL DATA COLLECT ED BY OR ON BEHALF O F A PERSON 10
750+REGULATED UNDER THE INSURANCE ARTICLE OR AN AFFILIATE OF SUCH A PERSON, 11
751+IN FURTHERANCE OF TH E BUSINESS OF INSURA NCE. 12
814752
815- (2) A CONSUMER MAY EXERCIS E A CONSUMER RIGHT U NDER THIS
816-SECTION BY THE METHO D ESTABLISHED BY THE CONTROLLER UNDER PAR AGRAPH
817-(1) OF THIS SUBSECTION .
753+ (C) CONTROLLERS AND PROCE SSORS THAT COMPLY WI TH THE VERIFIABLE 13
754+PARENTAL CONSENT REQ UIREMENTS OF COPPA SHALL BE CONSIDERED 14
755+COMPLIANT WITH AN OB LIGATION TO OBTAIN P ARENTAL CONSENT IN ACCORDANCE 15
756+WITH THIS SUBTITLE W ITH RESPECT TO A CON SUMER WHO IS A CHILD . 16
818757
819- (D) (1) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT IN
820-ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCE SSING
821-OF THE CONSUMER ’S PERSONAL DATA UNDE R SUBSECTION (B)(7) OF THIS SECTION
822-ON BEHALF OF A CONSU MER. WES MOORE, Governor Ch. 454
758+14–4604. 17
823759
824-– 19 –
760+ A PERSON MAY NOT : 18
825761
826- (2) A PARENT OR LEGAL GUAR DIAN OF A CHILD MAY EX ERCISE A
827-CONSUMER RIGHT LISTE D IN SUBSECTION (B) OF THIS SECTION ON T HE CHILD’S
828-BEHALF REGARDING THE PROCESSING OF PERSON AL DATA.
762+ (1) PROVIDE AN EMPLOYEE O R CONTRACTOR ACCESS TO CONSUMER 19
763+HEALTH DATA UNLESS THE: 20
829764
830- (3) A GUARDIAN OR CONSERVA TOR OF A CONSUMER SU BJECT TO A
831-GUARDIANSHIP , CONSERVATORSHIP , OR OTHER PROTEC TIVE ARRANGEMENT MAY
832-EXERCISE A CONSUMER RIGHT LISTED IN SUBS ECTION (B) OF THIS SECTION ON T HE
833-CONSUMER ’S BEHALF REGARDING T HE PROCESSING OF PER SONAL DATA.
765+ (I) THE EMPLOYEE OR CONTRACT OR IS SUBJECT TO A 21
766+CONTRACTUAL OR STATU TORY DUTY OF CONFIDE NTIALITY; OR 22
834767
835- (E) (1) EXCEPT AS OTHERWISE P ROVIDED IN THIS SUBT ITLE, A
836-CONTROLLER SHALL COM PLY WITH A REQUEST B Y A CONSUMER TO EXERCI SE A
837-CONSUMER RIGHT LISTE D IN THIS SECTION.
768+ (II) CONFIDENTIALITY IS RE QUIRED AS A CONDITIO N OF 23
769+EMPLOYMENT OF THE EM PLOYEE; 24
838770
839- (2) (I) A CONTROLLER SHALL RES POND TO A CONSUMER R EQUEST
840-NOT LATER THAN 45 DAYS AFTER THE CONTR OLLER RECEIVES THE C ONSUMER
841-REQUEST.
771+ (2) PROVIDE A PROCESSOR A CCESS TO CONSUMER HE ALTH DATA 25
772+UNLESS THE PERSON PR OVIDING ACCESS TO THE CONSUMER HEALTH DATA AND 26
773+THE PROCESSOR COMPLY WITH § 14–4607 14–4608 OF THIS SUBTITLE; OR 27
842774
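Review bot: the cross-reference in item (2) on the added side reads "§ 14–4607 14–4608 OF THIS SUBTITLE", two section numbers back to back with nothing to show which one applies. Since this is the condition under which a processor may be given access to consumer health data, the line should show a single section number, or mark the replaced one as struck.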
843- (II) A CONTROLLER MAY EXTEN D THE COMPLETION PER IOD BY
844-AN ADDITIONAL 45 DAYS IF:
775+ (3) USE A GEOFENCE : 28
845776
846- 1. IT IS REASONABLY NECE SSARY TO COMPLETE TH E
847-REQUEST BASED ON THE COMPLEXITY AND NUMBE R OF THE CONSUMER ’S
848-REQUESTS; AND
777+ (I) TO IDENTIFY, TRACK, COLLECT DATA FROM , OR SEND A 29
778+NOTIFICATION TO A CO NSUMER REGARDING THE CONSUMER ’S CONSUMER HEALTH 30
779+DATA; AND 31
780+ 18 HOUSE BILL 567
849781
850- 2. THE CONTROLLER INFORM S THE CONSUMER OF TH E
851-EXTENSION AND THE RE ASON FOR THE EXTENSI ON WITHIN T HE INITIAL 45–DAY
852-RESPONSE PERIOD .
853782
854- (III) A CONTROLLER SHALL NOT IFY THE CONSUMER WIT HIN 30
855-DAYS AFTER COMPLYING WITH THE CONSUMER ’S REQUEST THAT THE C ONTROLLER
856-HAS COMPLIED WITH TH E CONSUMER ’S REQUEST.
783+ (II) WITHIN 1,750 FEET OF A MENTAL HEA LTH FACILITY OR 1
784+REPRODUCTIVE OR SEXU AL HEALTH FACILITY ; OR 2
857785
858- (3) IF A CONTROLLER DECLI NES TO ACT REGARDING A CONSUMER ’S
859-REQUEST, THE CONTROLLER SHALL :
786+ (4) SELL OR OFFER TO SELL CONSUMER HEALTH DATA WITHOUT THE 3
787+CONSENT OF THE CONSU MER WHOSE HEALTH DAT A IS TO BE SOLD OR O FFERED TO 4
788+BE SOLD TO ESTABLISH A VIRTU AL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY 5
789+MENTAL HEALTH FACILI TY OR REPRODUCTIVE O R SEXUAL HEALTH FACI LITY FOR 6
790+THE PURPOSE OF IDENT IFYING, TRACKING, COLLECTING DATA FROM , OR SENDING 7
791+ANY NOTIFICATION TO A CONSUMER REGARDING THE CONS UMER’S CONSUMER 8
792+HEALTH DATA . 9
860793
861- (I) INFORM THE CONSUMER W ITHOUT UNDUE DELAY , BUT NOT
862-LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST , OF THE JUSTIFICATION FOR
863-DECLINING TO ACT ; AND
794+14–4605. 10
864795
865- (II) PROVIDE INSTRUCTIONS FOR HOW TO APPEAL TH E
866-DECISION.
867- Ch. 454 2024 LAWS OF MARYLAND
796+ (A) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO REQUIRE A 11
797+CONTROLLER TO REVEAL A TRADE SECRET . 12
868798
869-– 20 –
870- (4) (I) A CONTROLLER SHALL PRO VIDE INFORMATION TO A
871-CONSUMER IN RESPONSE TO A CONSUMER ’S REQUEST TO EXERCIS E RIGHTS UNDER
872-THIS SUBTITLE FREE O F CHARGE ONCE DURING ANY 12–MONTH PERIOD .
799+ (B) A CONSUMER SHALL HAVE THE RIGHT TO: 13
873800
874- (II) IF REQUESTS FROM A CO NSUMER ARE MANIFESTL Y
875-UNFOUNDED , EXCESSIVE, TECHNICALLY INFEASIB LE, OR REPETITIVE , A
876-CONTROLLER MAY :
801+ (1) CONFIRM WHETHER A CON TROLLER IS PROCESSIN G THE 14
802+CONSUMER ’S PERSONAL DATA , UNLESS THAT CONFIRMA TION WOULD REQUIRE T HE 15
803+DISCLOSURE OF A TRAD E SECRET; 16
877804
878- 1. CHARGE THE CONSUMER A REASONABLE FEE TO
879-COVER THE ADMINISTRA TIVE COSTS OF COMPLY ING WITH THE REQUEST ; OR
805+ (2) IF A CONTROLLER IS PR OCESSING A CONSUMER ’S PERSONAL 17
806+DATA, ACCESS THE CONSUMER ’S PERSONAL DATA UNLESS THAT ACCESS W OULD 18
807+REQUIRE THE DISCLOSU RE OF A TRADE SECRET ; 19
880808
881- 2. DECLINE TO ACT ON THE REQUEST.
809+ (3) CONSIDERING THE NATUR E OF THE CONSUMER ’S PERSONAL 20
810+DATA AND THE PURPOSE S OF THE PROCESSING OF THE PERSONAL DATA , CORRECT 21
811+INACCURACIES IN THE CONSUMER ’S PERSONAL DATA ; 22
882812
883- (III) THE CONTROLLER HAS TH E BURDEN OF DEMONSTRATING
884-THE MANIFESTLY UNFOU NDED, EXCESSIVE, TECHNICALLY INFEASIB LE, OR
885-REPETITIVE NATURE OF THE REQUEST .
813+ (4) REQUIRE A CONTROLLER TO DELETE PERSONAL D ATA PROVIDED 23
814+BY, OR OBTAINED ABOUT , THE CONSUMER UNLESS RETENTION OF THE PERSONAL 24
815+DATA IS REQUIRED BY LAW; 25
886816
887- (5) IF A CONTROLLER IS UN ABLE TO AUTHENTICATE A REQUEST TO
888-EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5)
889-OF THIS SECTION USING COMMER CIALLY REASONABLE EF FORTS, THE
890-CONTROLLER :
817+ (5) IF THE PROCESSING OF PERSONAL DATA IS DON E BY AUTOMATIC 26
818+MEANS, OBTAIN A COPY OF THE CONSUMER ’S PERSONAL DATA PROC ESSED BY THE 27
819+CONTROLLER IN A PORT ABLE AND, TO THE EXTENT TECHNI CALLY FEASIBLE, 28
820+READILY USABLE FORMA T THAT ALLOWS THE CO NSUMER TO EASILY TRA NSMIT THE 29
821+DATA TO ANOTHER CONT ROLLER WITHOUT HINDR ANCE; 30
891822
892- (I) MAY NOT BE REQUIRED T O COMPLY WITH A REQU EST TO
893-INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION; AND
823+ (6) OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH 31
824+THE CONTROLLER HAS D ISCLOSED THE CONSUME R’S PERSONAL DATA OR A LIST OF 32
825+THE CATEGORIES OF TH IRD PARTIES TO WHICH THE CONTROLLER HAS D ISCLOSED 33 HOUSE BILL 567 19
894826
895- (II) SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE
896-CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUE ST TO EXERCISE THE R IGHT
897-UNTIL THE CONSUMER P ROVIDES ADDITIONAL I NFORMATION REASONABL Y
898-NECESSARY TO AUTHENT ICATE THE CONSUMER A ND THE CONSUMER ’S REQUEST TO
899-EXERCISE THE CONSUME R’S RIGHTS.
900827
901- (6) A CONTROLLER MAY NOT B E REQUIRED TO AUTHENTICATE AN
902-OPT–OUT REQUEST .
828+ANY CONSUMER ’S PERSONAL DATA IF T HE CONTROLLER DOES N OT MAINTAIN THIS 1
829+INFORMATION IN A FOR MAT SPECIFIC TO THE CONSUMER ; AND 2
903830
904- (7) A CONTROLLER THAT HAS OBTAINED PERSONAL DA TA ABOUT A
905-CONSUMER FROM A SOUR CE OTHER THAN THE CO NSUMER SHALL BE CONS IDERED
906-COMPLIANT WITH THE C ONSUMER’S REQUEST TO DELETE THE CONSUMER ’S DATA IN
907-ACCORDANCE WITH SUBS ECTION (B)(4) OF THIS SECTION BY R ETAINING A RECORD
908-OF THE DELETION REQU EST AND THE MINIMUM DATA NECESSARY FOR T HE
909-PURPOSE OF ENSURING THAT THE CONSUMER ’S PERSONAL DATA :
831+ (7) OPT OUT OF THE PROCES SING OF PERSONAL DAT A FOR PURPOSES 3
832+OF: 4
910833
911- (I) REMAINS DELETED FROM THE CONTROLLER ’S RECORDS;
912-AND WES MOORE, Governor Ch. 454
834+ (I) TARGETED ADVERTISING ; 5
913835
914-– 21 –
836+ (II) THE SALE OF PERSONAL DATA; OR 6
915837
916- (II) IS NOT BEING USED FOR ANY OTHER PURPOSE .
838+ (III) PROFILING IN FURTHERA NCE OF SOLELY AUTOMA TED 7
839+DECISIONS THAT PRODU CE LEGAL OR SIMILARL Y SIGNIFICANT EFFECT S 8
840+CONCERNING THE CONSU MER. 9
917841
918- (F) (1) A CONTROLLER SHALL EST ABLISH A PROCESS FOR A CONSUMER
919-TO APPEAL THE CONTRO LLER’S REFUSAL TO ACT ON A CONSUMER RIGHTS RE QUEST
920-WITHIN A REASONABLE PERIOD AFTER THE CON SUMER RECEIVES THE D ECISION.
842+ (C) (1) A CONTROLLER SHALL ESTABLISH A SECURE A ND RELIABLE 10
843+METHOD FOR A CONSUME R TO EXERCISE A CONS UMER RIGHT UNDER THI S SECTION. 11
921844
922- (2) THE APPEAL PROCESS SH ALL BE:
845+ (2) A CONSUMER MAY EXERCIS E A CONSUMER RIGHT U NDER THIS 12
846+SECTION BY THE METHO D ESTABLISHED BY THE CONTROLLER UNDER PAR AGRAPH 13
847+(1) OF THIS SUBSECTION . 14
923848
924- (I) CONSPICUOUSLY AVAILAB LE; AND
849+ (D) (1) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT IN 15
850+ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCE SSING 16
851+OF THE CONSUMER ’S PERSONAL DATA UNDE R SUBSECTION (B)(7) OF THIS SECTION 17
852+ON BEHALF OF A CONSU MER. 18
925853
926- (II) SIMILAR TO THE PROCES S FOR SUBMITTING REQ UESTS TO
927-INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION.
854+ (2) A PARENT OR LEGAL GUAR DIAN OF A CHILD MAY EX ERCISE A 19
855+CONSUMER RIGHT LISTE D IN SUBSECTION (B) OF THIS SECTION ON T HE CHILD’S 20
856+BEHALF REGARDING THE PROCESSING OF PERSON AL DATA. 21
928857
929- (3) NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A
930-CONTROLLER SHALL INF ORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR
931-NOT TAKEN IN RESPONS E TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF
932-THE REASONS FOR THE DECISIONS.
858+ (3) A GUARDIAN OR CONSERVA TOR OF A CONSUMER SU BJECT TO A 22
859+GUARDIANSHIP , CONSERVATORSHIP , OR OTHER PROTEC TIVE ARRANGEMENT MAY 23
860+EXERCISE A CONSUMER RIGHT LISTED IN SUBS ECTION (B) OF THIS SECTION ON T HE 24
861+CONSUMER ’S BEHALF REGARDING T HE PROCESSING OF PER SONAL DATA. 25
933862
934- (4) IF A CONTROLLER DENIE S AN APPEAL, THE CONTROLLER SHALL
935-PROVIDE THE CONSUMER WITH AN ONLINE MECHA NISM, IF AVAILABLE, THROUGH
936-WHICH THE CONSUMER M AY CONTACT THE DIVISION TO SUBMIT A COMPLAINT.
863+ (E) (1) EXCEPT AS OTHERWISE P ROVIDED IN THIS SUBT ITLE, A 26
864+CONTROLLER SHALL COM PLY WITH A REQUEST B Y A CONSUMER TO EXERCI SE A 27
865+CONSUMER RIGHT LISTE D IN THIS SECTION. 28
937866
938-14–4606.
867+ (2) (I) A CONTROLLER SHALL RES POND TO A CONSUMER R EQUEST 29
868+NOT LATER THAN 45 DAYS AFTER THE CONTR OLLER RECEIVES THE C ONSUMER 30
869+REQUEST. 31
870+ 20 HOUSE BILL 567
939871
940- (A) (1) A CONSUMER MAY DESIGNA TE AN INDIVIDUAL TO SERVE AS THE
941-CONSUMER ’S AUTHORIZED AGENT A ND ACT ON THE CONSUM ER’S BEHALF TO OPT
942-OUT OF THE PROCESSIN G OF THE CONSUMER ’S PERSONAL DATA FOR ON E OR MORE
943-OF THE PURPOSES SPEC IFIED IN § 14–4605(B)(7) OF THIS SUBTITLE.
944872
945- (2) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT BY AN
946-INTERNET LINK OR A BR OWSER SETTING , BROWSER EXTENSION , GLOBAL DEVICE
947-SETTING, OR OTHER SIMILAR TEC HNOLOGY, INDICATING A CONSUME R’S INTENT TO
948-OPT OUT OF THE PROCE SSING OF THE CONSUME R’S PERSONAL DATA .
873+ (II) A CONTROLLER MAY EXTEN D THE COMPLETION PER IOD BY 1
874+AN ADDITIONAL 45 DAYS IF: 2
949875
950- (B) A CONTROLLER SHALL COM PLY WITH AN OPT–OUT REQUEST RECEIVED
951-FROM AN AUTHORIZED A GENT IF, USING COMMERCIALLY R EASONABLE EFFORTS ,
952-THE CONTROLLER IS AB LE TO AUTHENTICATE THE :
876+ 1. IT IS REASONABLY NECE SSARY TO COMPLETE TH E 3
877+REQUEST BASED ON THE COMPLEXITY AND NUMBE R OF THE CONSUMER ’S 4
878+REQUESTS; AND 5
953879
954- (1) IDENTITY OF THE CONSU MER; AND
880+ 2. THE CONTROLLER INFORM S THE CONSUMER OF TH E 6
881+EXTENSION AND THE RE ASON FOR THE EXTENSI ON WITHIN T HE INITIAL 45–DAY 7
882+RESPONSE PERIOD . 8
955883
956- (2) AUTHORIZED AGENT ’S AUTHORITY TO ACT O N THE CONSUMER ’S
957-BEHALF.
958- Ch. 454 2024 LAWS OF MARYLAND
884+ (III) A CONTROLLER SHALL NOT IFY THE CONSUMER WIT HIN 30 9
885+DAYS AFTER COMPLYING WITH THE CONSUMER ’S REQUEST THAT THE C ONTROLLER 10
886+HAS COMPLIED WITH TH E CONSUMER ’S REQUEST. 11
959887
960-– 22 –
961-14–4607.
888+ (3) IF A CONTROLLER DECLI NES TO ACT REGARDING A CONSUMER ’S 12
889+REQUEST, THE CONTROLLER SHALL : 13
962890
963- (A) A CONTROLLER OR PROCESSOR MAY NOT:
891+ (I) INFORM THE CONSUMER W ITHOUT UNDUE DELAY , BUT NOT 14
892+LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST , OF THE JUSTIFICATION FOR 15
893+DECLINING TO ACT ; AND 16
964894
965- (1) COLLECT PERSONAL DATA FOR THE SOLE PURPOSE OF CONTENT
966-PERSONALIZATION OR MARKETING WITHOUT TH E CONSENT OF THE CON SUMER
967-WHOSE PERSONAL DATA IS COLLECTED;
895+ (II) PROVIDE INSTRUCTIONS FOR HOW TO APPEAL TH E 17
896+DECISION. 18
968897
969- (2) (1) EXCEPT WHERE THE COLL ECTION OR PROCESSING IS
970-STRICTLY NECESSARY T O PROVIDE OR MAINTAI N A SPECIFIC PRODUCT OR SERVICE
971-REQUESTED BY THE CON SUMER TO WHOM THE PE RSONAL DATA PERTAINS AND
972-UNLESS THE CONTROLLE R OBTAINS THE CONSUM ER’S CONSENT , COLLECT,
973-PROCESS, OR SHARE SENSITIVE DATA CONCERNING A CONSUME R;
898+ (4) (I) A CONTROLLER SHALL PRO VIDE INFORMATION TO A 19
899+CONSUMER IN RESPONSE TO A CONSUMER ’S REQUEST TO EXERCIS E RIGHTS UNDER 20
900+THIS SUBTITLE FREE O F CHARGE ONCE DURING ANY 12–MONTH PERIOD . 21
974901
975- (3) (2) SELL SENSITIVE DATA ;
902+ (II) IF REQUESTS FROM A CO NSUMER ARE MANIFESTL Y 22
903+UNFOUNDED , EXCESSIVE, TECHNICALLY INFEASIB LE, OR REPETITIVE , A 23
904+CONTROLLER MAY : 24
976905
977- (4) (3) PROCESS PERSONAL DATA IN VIOLATION OF STATE OR
978-FEDERAL LAWS THAT PR OHIBIT UNLAWFUL DISC RIMINATION;
906+ 1. CHARGE THE CONSUMER A REASONABLE FEE TO 25
907+COVER THE ADMINISTRA TIVE COSTS OF COMPLY ING WITH THE REQUEST ; OR 26
979908
980- (5) (4) PROCESS THE PERSONAL DATA OF A CONSUMER F OR THE
981-PURPOSES O F TARGETED ADVERTISI NG IF THE CONTROLLER KNEW OR SHOULD
982-HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE
983-OF 18 YEARS;
909+ 2. DECLINE TO ACT ON THE REQUEST. 27
984910
985- (6) (5) SELL THE PERSONAL DAT A OF A CONSUMER WITHOUT THE
986-CONSUMER ’S CONSENT IF THE CONTROLLER KN EW OR SHOULD HAVE KN OWN THAT
987-THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS;
911+ (III) THE CONTROLLER HAS TH E BURDEN OF DEMONSTRATING 28
912+THE MANIFESTLY UNFOU NDED, EXCESSIVE, TECHNICALLY INFEASIB LE, OR 29
913+REPETITIVE NATURE OF THE REQUEST . 30
988914
989- (7) (6) DISCRIMINATE AGAINST A CONSUMER FOR EXERC ISING A
990-CONSUMER RIGHT CONTA INED IN THIS SUBTITL E, INCLUDING DENYING GO ODS OR
991-SERVICES, CHARGING DIFFERENT P RICES OR RATES FOR G OODS OR SERVICES , OR
992-PROVIDING A DIFFEREN T LEVEL OF QUALITY O F GOODS OR SERVICES TO THE
993-CONSUMER ;
915+ (5) IF A CONTROLLER IS UN ABLE TO AUTHENTICATE A REQUEST TO 31
916+EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) 32 HOUSE BILL 567 21
994917
995- (8) (7) COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR
996-PUBLICLY AVAILABLE D ATA IN A MANNER THAT UNLAWFULL Y DISCRIMINATES IN O R
997-OTHERWISE UNLAWFULLY MAKES UNAVAILABLE TH E EQUAL ENJOYMENT OF GOODS
998-OR SERVICES ON THE B ASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN , SEX,
999-SEXUAL ORIENTATION , GENDER IDENTITY , OR DISABILITY , UNLESS THE
1000-COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DA TA IS FOR:
1001918
1002- (I) THE CONTROLLER ’S SELF–TESTING TO PREVENT O R
1003-MITIGATE UNLAWFUL DI SCRIMINATION ; WES MOORE, Governor Ch. 454
919+OF THIS SE CTION USING COMMERCI ALLY REASONABLE EFFO RTS, THE 1
920+CONTROLLER : 2
1004921
1005-– 23 –
922+ (I) MAY NOT BE REQUIRED T O COMPLY WITH A REQU EST TO 3
923+INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION; AND 4
1006924
1007- (II) THE CONTROLLER ’S DIVERSIFYING OF AN APPLICANT,
1008-PARTICIPANT, OR CUSTOMER POOL ; OR
925+ (II) SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE 5
926+CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGH T 6
927+UNTIL THE CONSUMER P ROVIDES ADDITIONAL I NFORMATION REASONABL Y 7
928+NECESSARY TO AUTHENT ICATE THE CONSUMER A ND THE CONSUMER ’S REQUEST TO 8
929+EXERCISE THE CONSUME R’S RIGHTS. 9
1009930
1010- (III) A PRIVATE CLUB OR GROU P NOT OPEN TO THE PUBLIC, AS
1011-DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR
931+ (6) A CONTROLLER MAY NOT B E REQUIRED TO AUTHENTICATE AN 10
932+OPT–OUT REQUEST . 11
1012933
1013- (9) (8) UNLESS THE CONTROLLER OBTAINS THE CONSUMER ’S
1014-CONSENT, PROCESS PERSONAL DAT A FOR A PURPOSE THAT IS NEITHER
1015-REASONABLY NECESSARY TO, NOR COMPATIBLE WITH , THE DISCLOSED PURPOS ES
1016-FOR WHICH THE PERSON AL DATA IS PROCESSED , AS DISCLOSED TO THE CONSUMER .
934+ (7) A CONTROLLER THAT HAS OBTAINED PERSONAL DA TA ABOUT A 12
935+CONSUMER FROM A SOUR CE OTHER THAN THE CO NSUMER SHALL BE CONS IDERED 13
936+COMPLIANT WITH THE C ONSUMER’S REQUEST TO DELETE THE CONSUMER ’S DATA IN 14
937+ACCORDANCE WITH SUBS ECTION (B)(4) OF THIS SECTION BY R ETAINING A RECORD 15
938+OF THE DELETION REQU EST AND THE MINIMUM DATA NECESSARY FOR T HE 16
939+PURPOSE OF ENSURING THAT THE CONSUMER ’S PERSONAL DATA : 17
1017940
1018- (B) (1) A CONTROLLER OR PROCESSOR SHALL:
941+ (I) REMAINS DELETED FROM THE CONTROLLER ’S RECORDS; 18
942+AND 19
1019943
1020- (I) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS
1021-REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A
1022-SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE
1023-DATA PERTAINS ;
944+ (II) IS NOT BEING USED FOR ANY OTHER PURPOSE . 20
1024945
1025- (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE
1026-ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO
1027-PROTECT THE CONFIDEN TIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL
1028-DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT
1029-ISSUE; AND
946+ (F) (1) A CONTROLLER SHALL EST ABLISH A PROCESS FOR A CONSUMER 21
947+TO APPEAL THE CONTRO LLER’S REFUSAL TO ACT ON A CONSUMER RIGHTS RE QUEST 22
948+WITHIN A REASONABLE PERIOD AFTER THE CON SUMER RECEIVES THE D ECISION. 23
1030949
1031- (III) PROVIDE AN EFFECTIVE MECHANISM FOR A CONS UMER TO
1032-REVOKE THE CONSUMER ’S CONSENT UNDER THIS SECTION THAT IS AT L EAST AS
1033-EASY AS THE MECHANIS M BY WHICH THE CONSU MER PROVIDED T HE CONSUMER ’S
1034-CONSENT.
950+ (2) THE APPEAL PROCESS SH ALL BE: 24
1035951
1036- (2) IF A CONSUMER REVOKES CONSENT UNDER THIS S ECTION, THE
1037-CONTROLLER SHALL STO P PROCESSING THE CON SUMER’S PERSONAL DATA AS S OON
1038-AS PRACTICABLE , BUT NOT LATER THAN 15 30 DAYS AFTER RECEIVING THE
1039-REQUEST.
952+ (I) CONSPICUOUSLY AVAILAB LE; AND 25
1040953
1041- (C) NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE
1042-CONSTRUED TO :
954+ (II) SIMILAR TO THE PROCES S FOR SUBMITTING REQ UESTS TO 26
955+INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION. 27
1043956
1044- (1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE
1045-THAT REQUIRES THE PE RSONAL DATA OF A CON SUMER THAT THE CONTR OLLER
1046-DOES NOT COLLECT OR MAINTAIN; OR
957+ (3) NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A 28
958+CONTROLLER SHALL INF ORM THE CONSUMER IN WRITING OF ANY ACTION TAKE N OR 29
959+NOT TAKEN IN RESPONS E TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF 30
960+THE REASONS FOR THE DECISIONS. 31
961+ 22 HOUSE BILL 567
1047962
1048- (2) PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE ,
1049-RATE, LEVEL, QUALITY, OR SELECTION OF GOOD S OR SERVICES TO A C ONSUMER, Ch. 454 2024 LAWS OF MARYLAND
1050963
1051-– 24 –
1052-INCLUDING OFFERING G OODS OR SERVICES FOR NO FEE, IF THE OFFERING IS I N
1053-CONNECTION WITH A CO NSUMER’S VOLUNTARY PARTICIP ATION IN A BONA FIDE
1054-LOYALTY, REWARDS, PREMIUM FEA TURES, DISCOUNTS, OR CLUB CARD PROGRAM
1055-THAT DOES NOT :
964+ (4) IF A CONTROLLER DENIE S AN APPEAL, THE CONTROLLER SHALL 1
965+PROVIDE THE CONSUMER WITH AN ONLINE MECHA NISM, IF AVAILABLE, THROUGH 2
966+WHICH THE CONSUMER M AY CONTACT THE DIVISION TO SUBMIT A COMPLAINT. 3
1056967
1057- (I) PROVIDE FOR THE TRANS FER OF PERSONAL DATA TO A
1058-THIRD PARTY AS PART OF THE PROGRAM UNLES S:
968+14–4606. 4
1059969
1060- 1. THE TRANSFER IS FUNCT IONALLY NECESSARY TO
1061-ENABLE THE THIRD PAR TY TO PROVIDE A BENE FIT TO WHICH T HE CONSUMER IS
1062-ENTITLED;
970+ (A) (1) A CONSUMER MAY DESIGNA TE AN INDIVIDUAL TO SERVE AS THE 5
971+CONSUMER ’S AUTHORIZED AGENT A ND ACT ON THE CONSUM ER’S BEHALF TO OPT 6
972+OUT OF THE PROCESSIN G OF THE CONSUMER ’S PERSONAL DATA FOR ONE O R MORE 7
973+OF THE PURPOSES SPEC IFIED IN § 14–4605(B)(7) OF THIS SUBTITLE. 8
1063974
1064- 2. THE TRANSFER OF PERSO NAL DATA TO THE THIR D
1065-PARTY IS CLEARLY DIS CLOSED IN THE TERMS OF THE PROGRAM ; AND
975+ (2) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT BY AN 9
976+INTERNET LINK OR A BR OWSER SETTING , BROWSER EXTENSION , GLOBAL DEVICE 10
977+SETTING, OR OTHER SIMILAR TEC HNOLOGY, INDICATING A CONSUMER ’S INTENT TO 11
978+OPT OUT OF THE PROCE SSING OF THE CONSUME R’S PERSONAL DATA . 12
1066979
1067- 3. THE THIRD PARTY USES THE PERSONAL DATA ON LY
1068-FOR PURPOSES OF FACI LITATING A BENEFIT T O WHICH THE CONSUMER IS ENTITLED
1069-AND DOES NOT PROCESS OR TRANSFER THE PERS ONAL DATA FOR ANY OT HER
1070-PURPOSE; OR
980+ (B) A CONTROLLER SHALL COM PLY WITH AN OPT–OUT REQUEST RECEIVED 13
981+FROM AN AUTHORIZED A GENT IF, USING COMMERCIALLY R EASONABLE EFFORTS , 14
982+THE CONTROLLER IS AB LE TO AUTHE NTICATE THE: 15
1071983
1072- (II) USE FINANCIAL INCENTI VE PRACTICES THAT AR E UNJUST,
1073-UNREASONABLE , COERCIVE, OR USURIOUS IN NATUR E.
984+ (1) IDENTITY OF THE CONSU MER; AND 16
1074985
1075- (3) A SALE OF PERSONAL DAT A MAY NOT BE CONSIDE RED
1076-FUNCTIONALLY N ECESSARY TO PROVIDE A PROGRAM THAT MEETS THE
1077-DESCRIPTION UNDER PA RAGRAPH (2)(I) OF THIS SUBSECTION , PROVIDED THAT THE
1078-SELLING OF PERSONAL DATA IS NOT A CONDIT ION OF PARTICIPATION IN THE
1079-PROGRAM.
986+ (2) AUTHORIZED AGENT ’S AUTHORITY TO ACT O N THE CONSUMER ’S 17
987+BEHALF. 18
1080988
1081- (D) A CONTROLLER SHALL PRO VIDE A CONSUMER WITH A REASONABLY
1082-ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVA CY NOTICE THAT INCLU DES:
989+14–4607. 19
1083990
1084- (1) THE CATEGORIES OF PER SONAL DATA PROCESSED BY THE
1085-CONTROLLER , INCLUDING SENSITIVE DATA;
991+ (A) A CONTROLLER OR PROCESSOR MAY NOT: 20
1086992
1087- (2) THE CONTROLLER ’S PURPOSE FOR PROCES SING PERSONAL DATA ;
993+ (1) COLLECT PERSONAL DATA FOR THE SOLE PURPOSE OF CONTENT 21
994+PERSONALIZATION OR MARKETING WITHOUT TH E CONSENT OF THE CON SUMER 22
995+WHOSE PERSONAL DATA IS COLLECTED; 23
1088996
1089- (3) HOW A CONSUMER MAY EX ERCISE THE CONSUMER ’S RIGHTS
1090-UNDER THIS SUBTITLE , INCLUDING HOW A CONS UMER MAY APPEAL A
1091-CONTROLLER ’S DECISION REGARDING THE CONSUMER ’S REQUEST OR MAY REV OKE
1092-CONSENT;
1093- WES MOORE, Governor Ch. 454
997+ (2) (1) EXCEPT WHERE THE COLL ECTION OR PROCESSING IS 24
998+STRICTLY NECESSARY T O PROVIDE OR MAINTAI N A SPECIFIC PRODUCT OR SERVICE 25
999+REQUESTED BY THE CON SUMER TO WHOM THE PE RSONAL DATA PERTAINS AND 26
1000+UNLESS THE CONTROLLE R OBTAINS THE CONSUM ER’S CONSENT , COLLECT, 27
1001+PROCESS, OR SHARE SENSITIVE DATA CONCERNING A CONSUME R; 28
10941002
1095-– 25 –
1096- (4) THE CATEGORIES OF THI RD PARTIES WITH WHIC H THE
1097-CONTROLLER SHARES PE RSONAL DATA WITH A L EVEL OF DETAIL THAT ENA BLES A
1098-CONSUMER TO UNDERSTA ND WHAT TYPE OF ENTITY EACH THIRD PARTY IS AND, TO
1099-THE EXTENT POSSIBLE , HOW EACH THIRD PARTY MAY PROCESS THE PERS ONAL
1100-DATA THE TYPE OF, BUSINESS MODEL OF, OR PROCESSING CONDUC TED BY THE
1101-EACH THIRD PARTY;
1003+ (3) (2) SELL SENSITIVE DATA ; 29
11021004
1103- (5) THE CATEGORIES OF PER SONAL DATA , INCLUDING SENSITIVE
1104-DATA, THAT THE CONTROLLER SHARES WITH THIRD PA RTIES; AND
1005+ (4) (3) PROCESS PERSONAL DATA IN VIOLATION OF STATE OR 30
1006+FEDERAL LAWS THAT PR OHIBIT UNLAWFUL DISC RIMINATION; 31
1007+ HOUSE BILL 567 23
11051008
1106- (6) AN ACTIVE E–MAIL ADDRESS OR OTHE R ONLINE MECHANISM
1107-THAT A CONSUMER MAY USE TO CONTACT THE C ONTROLLER .
11081009
1109- (E) (1) IF A CONTROLLER SELLS PERSONAL DATA TO THI RD PARTIES OR
1110-PROCESSES PERSONAL D ATA FOR TARGETED ADV ERTISING OR FOR THE PURPOSES
1111-OF PROFILING THE CON SUMER IN FURTHERANCE OF DECISIONS THAT PR ODUCE
1112-LEGAL OR SIMILARLY S IGNIFICANT EFFECTS , THE CONTROLLER SHALL CLEARLY
1113-AND CONSPICUOUSLY DI SCLOSE THE SALE OR PROCESSING, AS WELL AS THE
1114-MANNER IN WHICH A CO NSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE
1115-SALE OR PROCESSING.
1010+ (5) (4) PROCESS THE PERSONAL DATA OF A CONSUMER F OR THE 1
1011+PURPOSES O F TARGETED ADVERTISI NG IF THE CONTROLLER KNEW OR SHOULD 2
1012+HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE 3
1013+OF 18 YEARS; 4
11161014
1117- (2) THE DISCLOSURE REQUIR ED UNDER PARAGRAPH (1) OF THIS
1118-SUBSECTION SHALL BE PROMINENTLY DISPLA YED, AND USE CLEAR , EASY TO
1119-UNDERSTAND , AND UNAMBIGUOUS LANG UAGE, TO STATE WHETHER THE
1120-CONSUMER’S PERSONAL DATA WILL BE SOLD OR SHARED WI TH A THIRD PARTY .
1015+ (6) (5) SELL THE PERSONAL DAT A OF A CONSUMER WITHOUT THE 5
1016+CONSUMER ’S CONSENT IF THE CONTROLLER KN EW OR SHOULD HAVE KN OWN THAT 6
1017+THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS; 7
11211018
1122- (F) (1) THE PRIVACY NOTICE UN DER SUBSECTION (D) OF THIS SECTION
1123-SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A
1124-CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN
1125-ACCORDANCE WITH THIS SUBTITLE THAT TAKE I NTO ACCOUNT :
1019+ (7) (6) DISCRIMINATE AGAINST A CONSUMER FOR EXERC ISING A 8
1020+CONSUMER RIGHT CONTA INED IN THIS SUBTITL E, INCLUDING DENYING GO ODS OR 9
1021+SERVICES, CHARGING DIFFERENT P RICES OR RATES FOR G OODS OR SERVICES , OR 10
1022+PROVIDING A DIFFEREN T LEVEL OF QUALITY O F GOODS OR SERVICES TO THE 11
1023+CONSUMER ; 12
11261024
1127- (I) THE WAYS IN WHICH CON SUMERS NORMALLY INTE RACT
1128-WITH THE CONTROLLER ;
1025+ (8) (7) COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR 13
1026+PUBLICLY AVAILABLE D ATA IN A MANNER THAT UNLAWFULLY DISCR IMINATES IN OR 14
1027+OTHERWISE UNLAWFULLY MAKES UNAVAILABLE TH E EQUAL ENJOYMENT OF GOODS 15
1028+OR SERVICES ON THE B ASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN , SEX, 16
1029+SEXUAL ORIENTATION , GENDER IDENTITY , OR DISABILITY , UNLESS THE 17
1030+COLLECTION, PROCESSING, OR TRANSFER O F PERSONAL DATA IS F OR: 18
11291031
1130- (II) THE NEED FOR SECURE A ND RELIABLE COMMUNICATION
1131-OF CONSUMER REQUESTS ; AND
1032+ (I) THE CONTROLLER ’S SELF–TESTING TO PREVENT O R 19
1033+MITIGATE UNLAWFUL DI SCRIMINATION ; 20
11321034
1133- (III) THE ABILITY OF THE CO NTROLLER TO VERIFY T HE
1134-IDENTITY OF A CONSUM ER MAKING THE REQUES T.
1035+ (II) THE CONTROLLER ’S DIVERSIFYING OF AN APPLICANT, 21
1036+PARTICIPANT, OR CUSTOMER POOL ; OR 22
11351037
1136- (2) (I) A CONTROLLER MAY NOT R EQUIRE A CONSUMER TO
1137-CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT .
1138- Ch. 454 2024 LAWS OF MARYLAND
1038+ (III) A PRIVATE CLUB OR GROU P NOT OPEN TO THE PUBLIC, AS 23
1039+DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR 24
11391040
1140-– 26 –
1141- (II) A CONTROLLER MAY REQUI RE A CONSUMER TO USE AN
1142-EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT.
1041+ (9) (8) UNLESS THE CONTROLLER OBTAINS THE CONSUMER ’S 25
1042+CONSENT, PROCESS PERSONAL DAT A FOR A PURPOSE THAT IS NEITHER 26
1043+REASONABLY NECESSARY TO, NOR COMPATIBLE WITH , THE DISCLOSED PURPOS ES 27
1044+FOR WHICH THE PERSON AL DATA IS PROCESSED , AS DISCLOSED TO THE CONSUMER . 28
11431045
1144- (3) A CONTROLLER MAY UTILI ZE THE FOLLOWING MET HODS TO
1145-SATISFY PARAGRAPH (1) OF THIS SUBSECTION :
1046+ (B) (1) A CONTROLLER OR PROCESSOR SHALL: 29
11461047
1147- (I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE
1148-CONTROLLER’S WEBSITE TO A WEBPA GE THAT ALLOWS A CON SUMER, OR AN
1149-AUTHORIZED AGENT OF THE CONSUMER , TO OPT OUT OF THE TA RGETED
1150-ADVERTISING OR THE S ALE OF THE CONSUMER ’S PERSONAL DATA ; OR
1048+ (I) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS 30
1049+REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A 31
1050+SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE 32
1051+DATA PERTAINS ; 33
1052+ 24 HOUSE BILL 567
11511053
1152- (II) ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER
1153-TO OPT OUT OF ANY PROCESSING OF TH E CONSUMER ’S PERSONAL DATA FOR THE
1154-PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSO NAL DATA,
1155-THROUGH AN OPT –OUT PREFERENCE SIGNA L SENT, WITH THE CONSUMER ’S
1156-CONSENT, BY A PLATFORM , TECHNOLOGY , OR MECHANISM TO THE CONTROLLER
1157-INDICATING THE CONSUMER ’S INTENT TO OPT OUT OF THE PROCESSING OR SALE.
11581054
1159- (4) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN
1160-ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION S HALL:
1055+ (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE 1
1056+ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO 2
1057+PROTECT THE CONFIDEN TIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL 3
1058+DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT 4
1059+ISSUE; AND 5
11611060
1162- (I) BE CONSUMER –FRIENDLY AND EASY TO USE BY THE
1163-AVERAGE CONSUMER ;
1061+ (III) PROVIDE AN EFFECTIVE MECHANISM FOR A CONS UMER TO 6
1062+REVOKE THE CONSUMER ’S CONSENT UNDER THIS SECTION THAT IS AT L EAST AS 7
1063+EASY AS THE MECHANIS M BY WHICH THE CONSU MER PROVIDED T HE CONSUMER ’S 8
1064+CONSENT. 9
11641065
1165- (II) USE CLEAR, EASY TO UNDERSTAND , AND UNAMBIGUOUS
1166-LANGUAGE;
1066+ (2) IF A CONSUMER REVOKES CONSENT UNDER THIS S ECTION, THE 10
1067+CONTROLLER SHALL STO P PROCESSING THE CON SUMER’S PERSONAL DATA AS S OON 11
1068+AS PRACTICABLE , BUT NOT LATER THAN 15 30 DAYS AFTER RECEIVING THE 12
1069+REQUEST. 13
11671070
1168- (III) BE AS CONSISTENT AS P OSSIBLE WITH ANY OTH ER SIMILAR
1169-PLATFORM, TECHNOLOGY , OR MECHANISM REQUIRE D BY ANY FEDERAL OR STATE
1170-LAW OR REGULATION ;
1071+ (C) NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE 14
1072+CONSTRUED TO : 15
11711073
1172- (IV) ENABLE THE CONTROLLER TO REASONABLY DETERM INE
1173-WHETHER THE CONSUMER :
1074+ (1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE 16
1075+THAT REQUIRES THE PE RSONAL DATA OF A CON SUMER THAT THE CONTR OLLER 17
1076+DOES NOT COLLECT OR MAINTAIN; OR 18
11741077
1175- 1. IS A RESIDENT OF THE STATE; AND
1078+ (2) PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE , 19
1079+RATE, LEVEL, QUALITY, OR SELECTION OF GOOD S OR SERVICES TO A C ONSUMER, 20
1080+INCLUDING OFFERING G OODS OR SERVICES FOR NO FEE, IF THE OFFERING IS I N 21
1081+CONNECTION WITH A CO NSUMER’S VOLUNTARY PARTICIP ATION IN A BONA FIDE 22
1082+LOYALTY, REWARDS, PREMIUM FEA TURES, DISCOUNTS, OR CLUB CARD PROGRAM 23
1083+THAT DOES NOT : 24
11761084
1177- 2. HAS MADE A LEGITIMATE REQUEST TO OPT OUT O F
1178-ANY SALE OF THE CONS UMER’S PERSONAL DATA OR T ARGETED ADVERTISING ; AND
1085+ (I) PROVIDE FOR THE TRANS FER OF PERSONAL DATA TO A 25
1086+THIRD PARTY AS PART OF THE PROGRAM UNLES S: 26
11791087
1180- (V) REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE ,
1181-UNAMBIGUOUS , AND VOL UNTARY CHOICE IN ORD ER TO OPT OUT OF ANY
1182-PROCESSING OF THE CO NSUMER’S PERSONAL DATA .
1183- WES MOORE, Governor Ch. 454
1088+ 1. THE TRANSFER IS FUNCT IONALLY NECESSARY TO 27
1089+ENABLE THE THIRD PAR TY TO PROVIDE A BENE FIT TO WHICH T HE CONSUMER IS 28
1090+ENTITLED; 29
11841091
1185-– 27 –
1186- (5) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN
1187-ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION M AY NOT:
1092+ 2. THE TRANSFER OF PERSO NAL DATA TO THE THIR D 30
1093+PARTY IS CLEARLY DIS CLOSED IN THE TERMS OF THE PROGRAM ; AND 31
11881094
1189- (I) UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER ; OR
1095+ 3. THE THIRD PARTY USES THE PERSONAL DATA ON LY 32
1096+FOR PURPOSES OF FACI LITATING A BENEFIT T O WHICH THE CONSUMER IS ENTITLED 33
1097+AND DOES NOT PROCESS OR TRANSFER THE PERS ONAL DATA FOR ANY OT HER 34
1098+PURPOSE; OR 35 HOUSE BILL 567 25
11901099
1191- (II) USE A DEFAULT SETTING TO OPT A CONSUMER OU T OF ANY
1192-PROCESSING OF THE CO NSUMER’S PERSONAL DATA .
11931100
1194- (G) (1) IF A CONSUMER ’S DECISION TO OPT OU T OF THE PROCESSING OF
1195-THE CONSUMER ’S PERSONAL DATA FOR THE PURPOSES OF TARG ETED
1196-ADVERTISING, OR THE SALE OF PERSO NAL DATA THROUGH AN OP T–OUT
1197-PREFERENCE SIGNAL SE NT IN ACCORDANCE WIT H SUBSECTION (F)(3) OF THIS
1198-SECTION CONFLICTS WI TH THE CONSUMER ’S EXISTING CONTROLLE R–SPECIFIC
1199-PRIVACY SETTING OR T HE CONSUMER ’S VOLUNTARY PARTICIP ATION IN A
1200-CONTROLLER ’S BONA FIDE LOYALTY , REWARDS, PREMIUM FEATURES , DISCOUNTS,
1201-OR CLUB CARD PROGRAM , THE CONTROLLER MAY N OTIFY THE CONSUMER O F A
1202-CONFLICT AND PROVIDE THE CHOICE TO CONFIR M CONTROLLER –SPECIFIC
1203-PRIVACY SETTINGS OR PARTICIPATION IN A P ROGRAM LISTED IN THI S PARAGRAPH .
12041101
1205- (2) A CONTROL LER THAT RECOGNIZES SIGNALS APPROVED BY
1206-OTHER STATES SHALL B E CONSIDERED IN COMP LIANCE WITH THIS SEC TION.
1102+ (II) USE FINANCIAL INCENTI VE PRACTICES THAT AR E UNJUST, 1
1103+UNREASONABLE , COERCIVE, OR USURIOUS IN NATUR E. 2
12071104
1208-14–4608.
1105+ (3) A SALE OF PERSONAL DAT A MAY NOT BE CONSIDE RED 3
1106+FUNCTIONALLY NECESSARY TO PROVIDE A PROGRAM THAT MEETS THE 4
1107+DESCRIPTION UNDER PA RAGRAPH (2)(I) OF THIS SUBSECTION , PROVIDED THAT THE 5
1108+SELLING OF PERSONAL DATA IS NOT A CONDIT ION OF PARTICIPATION IN THE 6
1109+PROGRAM. 7
12091110
1210- (A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE
1211-PERSONAL DATA OF CON SUMERS, THE CONTROLLER AND T HE PROCESSOR SHALL
1212-ENTER INTO A C ONTRACT THAT GOVERNS THE PROCESSOR ’S DATA PROCESSING
1213-PROCEDURES WITH RESP ECT TO PROCESSING PE RFORMED ON BEHALF OF THE
1214-CONTROLLER .
1111+ (D) A CONTROLLER SHALL PRO VIDE A CONSUMER WITH A REASONABLY 8
1112+ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVA CY NOTICE THAT INCLU DES: 9
12151113
1216- (2) THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH
1217-INSTRUCTIONS FOR :
1114+ (1) THE CATEGORIES OF PER SONAL DATA PROCESSED BY THE 10
1115+CONTROLLER , INCLUDING SENSITIVE DATA; 11
12181116
1219- (I) PROCESSING INSTRUCTIONS FOR PROC ESSING DATA;
1117+ (2) THE CONTROLLER ’S PURPOSE FOR PROCES SING PERSONAL DATA ; 12
12201118
1221- (II) THE NATURE AND PURPOS E OF PROCESSING ;
1119+ (3) HOW A CONSUMER MAY EXERCISE THE CONSUME R’S RIGHTS 13
1120+UNDER THIS SUBTITLE , INCLUDING HOW A CONS UMER MAY APPEAL A 14
1121+CONTROLLER ’S DECISION REGARDING THE CONSUMER ’S REQUEST OR MAY REV OKE 15
1122+CONSENT; 16
12221123
1223- (III) THE TYPE OF DATA SUBJ ECT TO PROCESSING ;
1124+ (4) THE CATEGORIES OF THI RD PARTIES WITH WHIC H THE 17
1125+CONTROLLER SHARES PE RSONAL DATA W ITH A LEVEL OF DETAI L THAT ENABLES A 18
1126+CONSUMER TO UNDERSTA ND WHAT TYPE OF ENTITY EACH THIRD PARTY IS AND, TO 19
1127+THE EXTENT POSSIBLE , HOW EACH THIRD PARTY MAY PROCESS THE PERS ONAL 20
1128+DATA THE TYPE OF, BUSINESS MODEL OF, OR PROCESSING CONDUC TED BY THE 21
1129+EACH THIRD PARTY; 22
12241130
1225- (IV) THE DURATION OF PROCE SSING; AND
1131+ (5) THE CATEGORIES OF PER SONAL DATA , INCLUDING SENSITIVE 23
1132+DATA, THAT THE CONTROLLER SHARES WITH THIRD PA RTIES; AND 24
12261133
1227- (V) THE RIGHTS AND OBLIGA TIONS OF BOTH PARTIE S.
1134+ (6) AN ACTIVE E–MAIL ADDRESS OR OTHE R ONLINE MECHANISM 25
1135+THAT A CONSUMER MAY USE TO CONTACT THE C ONTROLLER . 26
12281136
1229- (3) THE CONTRACT SHALL RE QUIRE THAT THE PROCE SSOR: Ch. 454 2024 LAWS OF MARYLAND
1137+ (E) (1) IF A CONTROLLER SELLS PERSONAL DATA TO THI RD PARTIES OR 27
1138+PROCESSES PERSONAL D ATA FOR TARGETED ADV ERTISING OR FOR THE PURPOSES 28
1139+OF PROFILING THE CON SUMER IN FURTHERANCE OF DECISIONS THAT PR ODUCE 29
1140+LEGAL OR SIMILARLY S IGNIFICANT EFFECTS , THE CONTROLLER SHALL CLEARLY 30
1141+AND CONSPICUOUSLY DI SCLOSE THE SALE OR PROCESSING, AS WELL AS THE 31
1142+MANNER IN WHICH A CO NSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE 32
1143+SALE OR PROCESSING. 33
1144+ 26 HOUSE BILL 567
12301145
1231-– 28 –
12321146
1233- (I) ENSURE THAT EACH PERS ON PROCESSING PERSON AL DATA
1234-IS SUBJECT TO A DUTY OF CONFIDENTIALITY W ITH RESPECT TO THE P ERSONAL
1235-DATA;
1147+ (2) THE DISCLOSURE REQUIR ED UNDER PARAGRAPH (1) OF THIS 1
1148+SUBSECTION SHALL BE PROMINENTLY DISPLA YED, AND USE CLEAR , EASY TO 2
1149+UNDERSTAND , AND UNAMBIGUOUS LANG UAGE, TO STATE WHETHER THE 3
1150+CONSUMER’S PERSONAL DATA WILL BE SOLD OR SHARED WI TH A THIRD PARTY . 4
12361151
1237- (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE
1238-ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO
1239-PROTECT THE CONFIDENTIALITY , INTEGRITY, AND ACCESSIBILITY OF PERSONAL
1240-DATA, CONSIDERING THE VOLU ME AND NATURE OF THE PERSONAL DATA ;
1152+ (F) (1) THE PRIVACY NOTICE UN DER SUBSECTION (D) OF THIS SECTION 5
1153+SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A 6
1154+CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN 7
1155+ACCORDANCE WITH THIS SUBTITLE THAT TAKE I NTO ACCOUNT : 8
12411156
1242- (III) STOP PROCESSING DATA ON REQUEST BY THE CO NTROLLER
1243-MADE IN ACCORDANCE W ITH A CONSUMER ’S AUTHENTICATED REQU EST;
1157+ (I) THE WAYS IN WHICH CON SUMERS NORMALLY INTE RACT 9
1158+WITH THE CONTROLLER ; 10
12441159
1245- (IV) AT THE CONTROLLER ’S DIRECTION, DELETE OR RETURN
1246-ALL PERSONAL DATA TO THE CONTROLLER AS RE QUESTED AT THE END O F THE
1247-PROVISION OF SERVICE , UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED
1248-BY LAW;
1160+ (II) THE NEED FOR SECURE A ND RELIABLE COMMUNICATION 11
1161+OF CONSUMER REQUESTS ; AND 12
12491162
1250- (V) ON THE REASONABLE REQ UEST OF THE CONTROLL ER,
1251-MAKE AVAILABLE TO THE CON TROLLER ALL INFORMAT ION IN THE PROCESSOR ’S
1252-POSSESSION NECESSARY TO DEMONSTRATE THE P ROCESSOR’S COMPLIANCE WITH
1253-THE OBLIGATIONS IN T HIS SUBTITLE;
1163+ (III) THE ABILITY OF THE CO NTROLLER TO VERIFY T HE 13
1164+IDENTITY OF A CONSUM ER MAKING THE REQUES T. 14
12541165
1255- (VI) AFTER PROVIDING THE C ONTROLLER AN OPPORTU NITY TO
1256-OBJECT, ENGAGE A SUBCONTRACT OR TO ASSIST WITH PROCESSI NG PERSONAL DATA
1257-ON THE CONTROLLER ’S BEHALF ONLY IN ACC ORDANCE WITH A WRITT EN CONTRACT
1258-THAT REQUIRES THE SU BCONTRACTOR TO MEET THE PROCESSOR ’S OBLIGATIONS
1259-REGARDING THE PERSON AL DATA UNDER THE PR OCESSOR’S CONTRACT WITH THE
1260-CONTROLLER ; AND
1166+ (2) (I) A CONTROLLER MAY NOT R EQUIRE A CONSUMER TO 15
1167+CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT . 16
12611168
1262- (VII) ALLOW AND COOPERATE W ITH REASONABLE ASSES SMENTS
1263-BY THE CONTROLLER , THE CONTROLLER ’S DESIGNATED ASSESSO R, OR A QUALIFIED
1264-AND INDEPENDENT ASSE SSOR ARRANGED FOR BY THE PROCESSOR TO ASS ESS THE
1265-PROCESSOR’S POLICIES AND TECHN ICAL AND ORGANIZATIO NAL MEASURES IN
1266-SUPPORT OF THE OBLIG ATIONS UNDER THIS SU BTITLE.
1169+ (II) A CONTROLLER MAY REQUI RE A CONSUMER TO USE AN 17
1170+EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT. 18
12671171
1268- (4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT
1269-OF AN ASSESSMENT REQ UIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION T O THE
1270-CONTROLLER .
1172+ (3) A CONTROLLER MAY UTILI ZE THE FOLLOWING MET HODS TO 19
1173+SATISFY PARAGRAPH (1) OF THIS SUBSECTION : 20
12711174
1272- (II) AN ASSESSMENT CONDUCT ED IN ACCORDANCE WIT H
1273-PARAGRAPH (3)(V) OF THIS SUBSECTION S HALL BE CONDUCTED US ING AN WES MOORE, Governor Ch. 454
1175+ (I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE 21
1176+CONTROLLER’S WEBSITE TO A WEBPA GE THAT ALLOWS A CON SUMER, OR AN 22
1177+AUTHORIZED AGENT OF THE CONSUMER , TO OPT OUT OF THE TA RGETED 23
1178+ADVERTISING OR THE S ALE OF THE CONSUMER ’S PERSONAL DATA ; OR 24
12741179
1275-– 29 –
1276-APPROPRIATE AND ACCE PTED CONTROL STANDAR D OR FRAMEWORK AND
1277-ASSESSMENT PROCEDURE FOR THE ASSESSMENTS .
1180+ (II) ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER 25
1181+TO OPT OUT OF ANY PROCESSING OF TH E CONSUMER ’S PERSONAL DATA FOR THE 26
1182+PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSO NAL DATA, 27
1183+THROUGH AN OPT –OUT PREFERENCE SIGNA L SENT, WITH THE CONSUMER ’S 28
1184+CONSENT, BY A PLATFORM , TECHNOLOGY , OR MECHANISM TO THE CONTROLLER 29
1185+INDICATING THE CONSUMER ’S INTENT TO OPT OUT OF THE PROCESSING OR SALE. 30
12781186
1279- (B) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE
1280-PERSONAL DATA OF CON SUMERS, THE CONTROLLER SHALL PRO VIDE THE
1281-PROCESSOR WITH INSTR UCTIONS ON HOW TO PR OCESS PERSONAL DATA .
1187+ (4) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN 31
1188+ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION S HALL: 32
1189+ HOUSE BILL 567 27
12821190
1283- (2) A PROCESSOR SHALL :
12841191
1285- (I) (1) ADHERE TO THE CONTRAC T AND INSTRUCTIONS O F A
1286-CONTROLLER ;
1192+ (I) BE CONSUMER –FRIENDLY AND EASY TO USE BY THE 1
1193+AVERAGE CONSUMER ; 2
12871194
1288- (II) (2) ASSIST THE CONTROLLER IN MEETING THE
1289-CONTROLLER ’S OBLIGATIONS UNDER TH IS SUBTITLE, INCLUDING, CONSIDERING
1290-THE NATURE OF PROCESSING AND THE I NFORMATION AVAILABLE TO THE
1291-PROCESSOR:
1195+ (II) USE CLEAR, EASY TO UNDERSTAND , AND UNAMBIGUOUS 3
1196+LANGUAGE; 4
12921197
1293- 1. (I) BY APPROPRIATE TECHNI CAL AND ORGANIZATION AL
1294-MEASURES AS MUCH AS REASONABLY PRACTICAB LE TO FULFILL THE
1295-CONTROLLER ’S OBLIGATION TO RESPON D TO CONSUMER RIGHTS REQUESTS,
1296-CONSIDERING THE NATU RE OF PROCESSING AND THE INFORMATION AVAI LABLE TO
1297-THE PROCESSOR ; AND
1198+ (III) BE AS CONSISTENT AS P OSSIBLE WITH ANY OTH ER SIMILAR 5
1199+PLATFORM, TECHNOLOGY , OR MECHANISM REQUIRE D BY ANY FEDERAL OR STATE 6
1200+LAW OR REGULATION ; 7
12981201
1299- 2. (II) BY ASSISTING THE CONT ROLLER IN MEETING TH E
1300-CONTROLLER ’S OBLIGATIONS IN REL ATION TO THE SECURIT Y OF PROCESSING THE
1301-PERSONAL DATA AND IN RELATION TO THE NOTI FICATION OF A BREACH OF THE
1302-SECURITY OF A SYSTEM , AS DEFINED IN § 14–3504 OF THIS TITLE; AND
1202+ (IV) ENABLE THE CONTROLLER TO REASONABLY DETERM INE 8
1203+WHETHER THE CONSUMER : 9
13031204
1304- (III) (3) PROVIDE NECESSARY INF ORMATION TO ENABLE T HE
1305-CONTROLLER TO CONDUC T AND DOCUMENT DATA PROTECTION AS SESSMENTS.
1205+ 1. IS A RESIDENT OF THE STATE; AND 10
13061206
1307- (C) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO RELIEVE A
1308-CONTROLLER OR A PROC ESSOR FROM THE LIABI LITIES IMPOSED ON TH E
1309-CONTROLLER OR PROCES SOR BY VIRTUE OF THE CONTROLLER ’S OR PROCESSOR ’S
1310-ROLE IN THE PROCESSI NG RELATIONSHIP IN A CCORDANCE WITH THIS SECTION.
1207+ 2. HAS MADE A LEGITIMATE REQUEST TO OPT OUT O F 11
1208+ANY SALE OF THE CONS UMER’S PERSONAL DATA OR T ARGETED ADVERTISING ; AND 12
13111209
1312- (D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A
1313-CONTROLLER OR A PROC ESSOR WITH RESPECT T O A SPECIFIC PROCESS ING OF DATA
1314-IS A FACT–BASED DETERMINATION THAT DEPENDS ON THE CONTEXT IN WHICH
1315-PERSONAL DATA IS BEI NG PROCESSED .
1210+ (V) REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE , 13
1211+UNAMBIGUOUS , AND VOLU NTARY CHOICE IN ORDE R TO OPT OUT OF ANY 14
1212+PROCESSING OF THE CO NSUMER’S PERSONAL DATA . 15
13161213
1317- (2) A PERSON IS CONSIDERED TO BE A CONTROLLER I F THE PERSON:
1318- Ch. 454 2024 LAWS OF MARYLAND
1214+ (5) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN 16
1215+ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION M AY NOT: 17
13191216
1320-– 30 –
1321- (I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPEC IFIC
1322-PERSONAL DATA IN ACC ORDANCE WITH A CONTR OLLER’S INSTRUCTIONS ; OR
1217+ (I) UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER ; OR 18
13231218
1324- (II) FAILS TO ADHERE TO A CONTROLLER ’S INSTRUCTIONS
1325-WITH RESPECT TO A SPECIFIC PROCES SING OF PERSONAL DAT A.
1219+ (II) USE A DEFAULT SETTING TO OPT A CONSUMER OU T OF ANY 19
1220+PROCESSING OF THE CO NSUMER’S PERSONAL DATA . 20
13261221
1327- (3) A PROCESSOR THAT CONTI NUES TO ADHERE TO A CONTROLLER ’S
1328-INSTRUCTIONS WITH RE SPECT TO A SPECIFIC PROCESSING OF PERSON AL DATA
1329-REMAINS A PROCESSOR .
1222+ (G) (1) IF A CONSUMER ’S DECISION TO OPT OU T OF THE PROCESSING OF 21
1223+THE CONSUMER ’S PERSONAL DATA FOR THE PURPOSES OF TARG ETED 22
1224+ADVERTISING, OR THE SALE OF PERSO NAL DATA THROUGH AN OPT –OUT 23
1225+PREFERENCE SIGNAL SE NT IN ACCORDANCE WIT H SUBSECTION (F)(3) OF THIS 24
1226+SECTION CONFLICTS WI TH THE CONSUMER ’S EXISTING CONTROLLE R–SPECIFIC 25
1227+PRIVACY SETTING OR T HE CONSUMER ’S VOLUNTARY PARTICIP ATION IN A 26
1228+CONTROLLER ’S BONA FIDE LOYALTY , REWARDS, PREMIUM FEATURES , DISCOUNTS, 27
1229+OR CLUB CARD PROGRAM , THE CONTROLLER MAY N OTIFY THE CONSUMER O F A 28
1230+CONFLICT AND PROVIDE THE CHOICE TO CONFIR M CONTROLLER –SPECIFIC 29
1231+PRIVACY SETTINGS OR PARTICIPATION IN A P ROGRAM LISTED IN THI S PARAGRAPH . 30
13301232
1331- (4) IF A PROCESSOR OR THI RD PARTY BEGINS , ALONE OR JOINTLY
1332-WITH OTHERS , DETERMINING THE PURP OSES AND MEANS OF TH E PROCESSING OF
1333-PERSONAL DATA , THE PROCESSOR :
1233+ (2) A CONTROLL ER THAT RECOGNIZES S IGNALS APPROVED BY 31
1234+OTHER STATES SHALL B E CONSIDERED IN COMP LIANCE WITH THIS SEC TION. 32
1235+ 28 HOUSE BILL 567
13341236
1335- (I) IS A CONTROLLER WITH RESPECT TO THE PROCE SSING; AND
13361237
1337- (II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION U NDER
1338-THIS SUBTITLE.
1238+14–4608. 1
13391239
1340- (E) NOTHING IN THIS SECT ION MAY BE CONSTRUED TO ALTER A
1341-CONTROLLER ’S OBLIGATION TO LIMI T A PERSON’S PROCESSING OF PERS ONAL DATA
1342-OR TO TAKE STEPS TO ENSURE THAT A PROCES SOR ADHERES TO THE C ONTROLLER ’S
1343-INSTRUCTIONS .
1240+ (A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE 2
1241+PERSONAL DATA OF CON SUMERS, THE CONTROLLER AND T HE PROCESSOR SHALL 3
1242+ENTER INTO A CO NTRACT THAT GOVERNS THE PROCESSOR ’S DATA PROCESSING 4
1243+PROCEDURES WITH RESP ECT TO PROCESSING PE RFORMED ON BEHALF OF THE 5
1244+CONTROLLER . 6
13441245
1345-14–4609.
1246+ (2) THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH 7
1247+INSTRUCTIONS FOR : 8
13461248
1347- (A) IF A THIRD PARTY USES OR SHARES A CONSUMER ’S INFORMATION IN A
1348-MANNER INCONSISTENT WITH PROMISES MADE T O THE CONSUMER AT TH E TIME OF
1349-COLLECTION OF THE IN FORMATION, THE THIRD PARTY SHAL L PROVIDE AN
1350-AFFECTED CONSUMER WI TH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE
1351-IMPLEMENTING THE NEW OR CHANGED PRACTICE .
1249+ (I) PROCESSING INSTRUCTIONS FOR PROC ESSING DATA; 9
13521250
1353- (B) THE NOTICE PROVIDED U NDER SUBSECTION (A) OF THIS SECTION
1354-SHALL BE PROVIDED IN A MANNER AND AT A TI ME REASONABLY CALCUL ATED TO
1355-ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE.
1251+ (II) THE NATURE AND PURPOS E OF PROCESSING ; 10
13561252
1357-14–4610.
1253+ (III) THE TYPE OF DATA SUBJ ECT TO PROCESSING ; 11
13581254
1359- (A) IN THIS SECTION , “PROCESSING ACTIVITIE S THAT PRESENT A
1360-HEIGHTENED RISK OF H ARM TO A CONSUMER ” MEANS:
1255+ (IV) THE DURATION OF PROCE SSING; AND 12
13611256
1362- (1) THE PROCESSING OF PER SONAL DATA FOR THE P URPOSES OF
1363-TARGETED ADVERTISING ; WES MOORE, Governor Ch. 454
1257+ (V) THE RIGHTS AND OBLIGA TIONS OF BOTH PARTIE S. 13
13641258
1365-– 31 –
1259+ (3) THE CONTRACT SHALL RE QUIRE THAT THE PROCE SSOR: 14
13661260
1367- (2) THE SALE OF PERSONAL DATA;
1261+ (I) ENSURE THAT EACH PERS ON PROCESSING PERSON AL DATA 15
1262+IS SUBJECT TO A DUTY OF CONFIDENTIALITY W ITH RESPECT TO THE P ERSONAL 16
1263+DATA; 17
13681264
1369- (3) THE PROCESSING OF SEN SITIVE DATA; AND
1265+ (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE 18
1266+ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO 19
1267+PROTECT THE CONFIDENTIALIT Y, INTEGRITY, AND ACCESSIBILITY OF PERSONAL 20
1268+DATA, CONSIDERING THE VOLU ME AND NATURE OF THE PERSONAL DATA ; 21
13701269
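Review bot: item (II) of the processor contract terms lists "CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY" of personal data, where security control frameworks usually name availability as the third property, and the lines shown here do not define "accessibility". A processor contract drafted from this item should quote the bill's word and state which availability or access controls are meant to satisfy it, so that an assessment under item (VII) has something concrete to test.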
1371- (4) THE PROCESSING OF PER SONAL DATA FOR THE PURPOSE S OF
1372-PROFILING, IN WHICH THE PROFILI NG PRESENTS A REASON ABLY FORESEEABLE
1373-RISK OF:
1270+ (III) STOP PROCESSING DATA ON REQUEST BY THE CO NTROLLER 22
1271+MADE IN ACCORDANCE W ITH A CONSUMER ’S AUTHENTICATED REQU EST; 23
13741272
1375- (I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATME NT OF A
1376-CONSUMER ;
1273+ (IV) AT THE CONTROLLER ’S DIRECTION, DELETE OR RETURN 24
1274+ALL PERSONAL DATA TO THE CONTROLLER AS RE QUESTED AT THE END O F THE 25
1275+PROVISION OF SERVICE , UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED 26
1276+BY LAW; 27
13771277
1378- (II) HAVING AN UNLAWFUL DI SPARATE IMPACT ON A
1379-CONSUMER ;
1278+ (V) ON THE REASONABLE REQ UEST OF THE CONTROLL ER, 28
1279+MAKE AVAILABLE TO THE CON TROLLER ALL INFORMAT ION IN THE PROCESSOR ’S 29
1280+POSSESSION NECESSARY TO DEMONSTRATE THE P ROCESSOR’S COMPLIANCE WITH 30
1281+THE OBLIGATIONS IN T HIS SUBTITLE; 31 HOUSE BILL 567 29
13801282
1381- (III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJU RY TO A
1382-CONSUMER ;
13831283
1384- (IV) A PHYSICAL OR OTHER IN TRUSION ON THE SOLIT UDE OR
1385-SECLUSION OR THE PRI VATE AFFAIRS OR CONC ERNS OF A CONSUMER I N WHICH THE
1386-INTRUSION WOULD BE O FFENSIVE TO A REASON ABLE PERSON; OR
13871284
1388- (V) OTHER SUBSTANTIAL INJ URY TO A CONSUMER .
1285+ (VI) AFTER PROVIDING THE C ONTROLLER AN OPPORTU NITY TO 1
1286+OBJECT, ENGAGE A SUBCONTRACT OR TO ASSIST WITH PROCESSI NG PERSONAL DATA 2
1287+ON THE CONTROLLER ’S BEHALF ONLY IN ACC ORDANCE WITH A WRITT EN CONTRACT 3
1288+THAT REQUIRES THE SU BCONTRACTOR TO MEET THE PROCESSOR ’S OBLIGATIONS 4
1289+REGARDING THE PERSON AL DATA UNDER THE PR OCESSOR’S CONTRACT WITH THE 5
1290+CONTROLLER ; AND 6
13891291
1390- (B) A CONTROLLER SHALL CON DUCT AND DOCUMENT , ON A REGULAR
1391-BASIS, A DATA PROTECTION AS SESSMENT FOR EACH OF THE CONTROLLER ’S
1392-PROCESSING ACTIVITIE S THAT PRESENT A HEI GHTENED RISK OF HARM TO A
1393-CONSUMER , INCLUDING AN ASSESSM ENT FOR EACH ALGOR ITHM THAT IS USED .
1292+ (VII) ALLOW AND COOPERATE W ITH REASONABLE ASSES SMENTS 7
1293+BY THE CONTROLLER , THE CONTROLLER ’S DESIGNATED ASSESSO R, OR A QUALIFIED 8
1294+AND INDEPENDENT ASSE SSOR ARRANGED FOR BY THE PROCESSOR TO ASS ESS THE 9
1295+PROCESSOR’S POLICIES AND TECHN ICAL AND ORGANIZATIO NAL MEASURES IN 10
1296+SUPPORT OF THE OBLIG ATIONS UNDER THIS SU BTITLE. 11
13941297
1395- (C) (1) A DATA PROTECTION ASSE SSMENT CONDUCTED IN ACCORDANCE
1396-WITH THIS SECTION SH ALL IDENTIFY AND WEI GH THE BENEFITS THAT MAY FLOW
1397-DIRECTLY AND INDIREC TLY FROM THE PROCESS ING TO THE CONTROLLE R, THE
1398-CONSUMER , OTHER INTERESTED PAR TIES, AND THE PUBLIC AGAINS T:
1298+ (4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT 12
1299+OF AN ASSESSMENT REQ UIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION T O THE 13
1300+CONTROLLER . 14
13991301
1400- (I) THE POTENTIAL RISKS T O THE RIGHTS OF THE CONSUMER
1401-ASSOCIATED WITH THE PROCESSING AS MITIGA TED BY SAFEGUARDS TH AT MAY BE
1402-EMPLOYED BY THE CONT ROLLER TO REDUCE THE SE RISKS; AND
1302+ (II) AN ASSESSMENT CONDUCT ED IN ACCORDANCE WIT H 15
1303+PARAGRAPH (3)(V) OF THIS SUBSECTION S HALL BE CONDUCTED US ING AN 16
1304+APPROPRIATE AND ACCE PTED CONTROL STANDAR D OR FRAMEWORK AND 17
1305+ASSESSMENT PROCEDURE FOR THE ASSESSMENTS . 18
14031306
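Review bot: the cross-reference "PARAGRAPH (3)(V)" in (4)(II), and the same reference in (4)(I) above, points at the item on making compliance information available on the controller's request, while the assessments these paragraphs describe are the subject of item (3)(VII). Check whether (3)(VII) was intended; as written, the report and control-framework requirements attach to an item that does not mention an assessment.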
1404- (II) THE NECESSITY AND PRO PORTIONALITY OF PROC ESSING IN
1405-RELATION TO THE STAT ED PURPOSE OF THE PR OCESSING.
1307+ (B) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE 19
1308+PERSONAL DATA OF CON SUMERS, THE CONTROLLER SHALL PRO VIDE THE 20
1309+PROCESSOR WITH INSTR UCTIONS ON HOW TO PR OCESS PERSONAL DATA . 21
14061310
1407- (2) THE CONTROLLER SHALL FACTOR INTO A DATA P ROTECTION
1408-ASSESSMENT :
1409- Ch. 454 2024 LAWS OF MARYLAND
1311+ (2) A PROCESSOR SHALL : 22
14101312
1411-– 32 –
1412- (I) THE USE OF DE–IDENTIFIED DATA ;
1313+ (I) (1) ADHERE TO THE CONTRAC T AND INSTRUCTIONS O F A 23
1314+CONTROLLER ; 24
14131315
1414- (II) THE REASONABLE EXPECT ATIONS OF CONSUMERS ;
1316+ (II) (2) ASSIST THE CONTROLLER IN MEETING THE 25
1317+CONTROLLER ’S OBLIGATIONS UNDER TH IS SUBTITLE, INCLUDING, CONSIDERING 26
1318+THE NATURE OF PROCESSING AND THE I NFORMATION AVAILABLE TO THE 27
1319+PROCESSOR: 28
14151320
1416- (III) THE CONTEXT OF THE PR OCESSING; AND
1321+ 1. (I) BY APPROPRIATE TECHNI CAL AND ORGANIZATION AL 29
1322+MEASURES AS MUCH AS REASONABLY PRACTICAB LE TO FULFILL THE 30
1323+CONTROLLER ’S OBLIGATION TO RESPON D TO CONSUMER RIGHTS REQUESTS, 31
1324+CONSIDERING THE NATU RE OF PROCESSING AND THE INFORMATION AVAI LABLE TO 32
1325+THE PROCESSOR ; AND 33
1326+ 30 HOUSE BILL 567
14171327
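Review bot: sub-item 1. (I) repeats the qualifier "CONSIDERING THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR" that already closes the lead-in of (II) (2), and each item in this list carries two enumerators, such as "(I) (1)" and "1. (I)". Both look like old and new amendment text shown side by side; show which enumerator and which copy of the qualifier survives, since any cross-reference to these items depends on it.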
1418- (IV) THE RELATIONSHIP BETW EEN THE CONTROLLER A ND THE
1419-CONSUMER WHOSE PERSO NAL DATA WILL BE PRO CESSED.
14201328
1421- (D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MA KE
1422-AVAILABLE TO THE DIVISION A DATA PROTE CTION ASSESSMENT THA T IS RELEVANT
1423-TO AN INVESTIGATION CONDUC TED BY THE DIVISION.
1329+ 2. (II) BY ASSISTING THE CONT ROLLER IN MEETING TH E 1
1330+CONTROLLER ’S OBLIGATIONS IN REL ATION TO THE SECURIT Y OF PROCESSING THE 2
1331+PERSONAL DATA AND IN RELATION TO THE NOTI FICATION OF A BREACH OF THE 3
1332+SECURITY OF A SYSTEM , AS DEFINED IN § 14–3504 OF THIS TITLE; AND 4
14241333
1425- (2) (I) THE DIVISION MAY EVALUATE A DATA PROTECTION
1426-ASSESSMENT FOR COMPL IANCE WITH THE RESPO NSIBILITIES ESTABLIS HED IN THIS
1427-SUBTITLE.
1334+ (III) (3) PROVIDE NECESSARY INF ORMATION TO ENABLE T HE 5
1335+CONTROLLER TO CONDUC T AND DOCUMENT DATA PROTECTION AS SESSMENTS. 6
14281336
1429- (II) A CONTROLLER ’S DATA PROTECTION AS SESSMENT MAY BE
1430-USED IN AN ACTION TO ENFORCE THIS SUBTITL E.
1337+ (C) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO RELIEVE A 7
1338+CONTROLLER OR A PROC ESSOR FROM THE LIABI LITIES IMPOSED ON TH E 8
1339+CONTROLLER OR PROCES SOR BY VIRTUE OF THE CONTROLLER ’S OR PROCESSOR ’S 9
1340+ROLE IN THE PROCESSI NG RELATIONSHIP IN A CCORDANCE WITH THIS SECTION. 10
14311341
1432- (3) A DATA PROTECTION ASSE SSMENT IS CONFIDENTI AL AND IS
1433-EXEMPT FROM DISCLOSU RE UNDER THE FEDERAL FREEDOM OF INFORMATION ACT
1434-OR THE PUBLIC INFORMATION ACT.
1342+ (D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A 11
1343+CONTROLLER OR A PROC ESSOR WITH RESPECT T O A SPECIFIC PROCESS ING OF DATA 12
1344+IS A FACT–BASED DETERMINATION THAT DEPENDS ON THE CONTEXT IN WHICH 13
1345+PERSONAL DATA IS BEI NG PROCESSED . 14
14351346
1436- (E) A SINGLE DATA PROTECTI ON ASSESSMENT MAY AD DRESS A
1437-COMPARABLE SET OF PROCESSING OPERATION S THAT INCLUDE SIMIL AR
1438-ACTIVITIES.
1347+ (2) A PERSON IS CONSIDERED TO BE A CONTROLLER I F THE PERSON: 15
14391348
1440- (F) IF A CONTROLLER CONDU CTS A DATA PROTECTIO N ASSESSMENT FOR
1441-THE PURPOSE OF COMPL YING WITH ANOTHER AP PLICABLE LAW OR REGU LATION,
1442-THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISF Y THE
1443-REQUIREMENTS ESTABLISHE D IN THIS SECTION IF THE DATA PROTECTION
1444-ASSESSMENT IS REASON ABLY SIMILAR IN SCOP E AND EFFECT TO THE DATA
1445-PROTECTION ASSESSMEN T THAT WOULD OTHERWI SE BE CONDUCTED IN
1446-ACCORDANCE WITH THIS SECTION.
1349+ (I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPEC IFIC 16
1350+PERSONAL DATA IN ACC ORDANCE WITH A CONTR OLLER’S INSTRUCTIONS ; OR 17
14471351
1448- (G) TO THE EXTENT THAT AN Y INFORMATION CONTAINED IN A DATA
1449-PROTECTION ASSESSMEN T DISCLOSED TO THE DIVISION INCLUDES INF ORMATION
1450-SUBJECT TO ATTORNEY –CLIENT PRIVILEGE OR WORK PRODUCT PROTECT ION, THE
1451-DISCLOSURE MAY NOT C ONSTITUTE A WAIVER O F THAT PRIVILEGE OR PROTECTION.
1352+ (II) FAILS TO ADHERE TO A CONTROLLER ’S INSTRUCTIONS 18
1353+WITH RESPECT TO A SPECIFIC PROCES SING OF PERSONAL DAT A. 19
14521354
1453- (H) A DATA PROTECTION AS SESSMENT CONDUCTED U NDER THIS SECTION :
1454- WES MOORE, Governor Ch. 454
1355+ (3) A PROCESSOR THAT CONTI NUES TO ADHERE TO A CONTROLLER ’S 20
1356+INSTRUCTIONS WITH RE SPECT TO A SPECIFIC PROCESSING OF PERSON AL DATA 21
1357+REMAINS A PROCESSOR . 22
14551358
1456-– 33 –
1457- (1) SHALL APPLY TO PROCES SING ACTIVITIES THAT OCCUR ON OR
1458-AFTER OCTOBER 1, 2025; AND
1359+ (4) IF A PROCESSOR OR THI RD PARTY BEGINS , ALONE OR JOINTLY 23
1360+WITH OTHERS , DETERMINING THE PURP OSES AND MEANS OF TH E PROCESSING OF 24
1361+PERSONAL DATA , THE PROCESSOR : 25
14591362
1460- (2) IS NOT REQUIRED FOR P ROCESSING ACTIVITIES THAT OCCUR
1461-BEFORE OCTOBER 1, 2025.
1363+ (I) IS A CONTROLLER WITH RESPECT TO THE PROCE SSING; AND 26
14621364
1463-14–4611.
1365+ (II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION U NDER 27
1366+THIS SUBTITLE. 28
14641367
1465- (A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQU IRE A
1466-CONTROLLER OR A PROC ESSOR TO:
1368+ (E) NOTHING IN THIS SECT ION MAY BE CONSTRUED TO ALTER A 29
1369+CONTROLLER ’S OBLIGATION TO LIMI T A PERSON’S PROCESSING OF PERS ONAL DATA 30
1370+OR TO TAKE STEPS TO ENSURE THAT A PROCES SOR ADHERES TO THE C ONTROLLER ’S 31
1371+INSTRUCTIONS . 32
1372+ HOUSE BILL 567 31
14671373
1468- (1) RE–IDENTIFY DE–IDENTIFIED DATA ;
14691374
1470- (2) MAINTAIN DATA IN AN I DENTIFIABLE FORM ; OR
1375+14–4609. 1
14711376
1472- (3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA O R
1473-TECHNOLOGY IN ORDER TO BE CAPABLE OF ASS OCIATING AN AUTHENTICATED
1474-CONSUMER REQUEST WIT H PERSONAL DATA .
1377+ (A) IF A THIRD PARTY USES OR SHARES A CONSUMER ’S INFORMATION IN A 2
1378+MANNER INCONSISTENT WITH PROMISES MADE T O THE CONSUMER AT TH E TIME OF 3
1379+COLLECTION OF THE IN FORMATION, THE THIRD PARTY SHAL L PROVIDE AN 4
1380+AFFECTED CONSUMER WI TH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE 5
1381+IMPLEMENTING THE NEW OR CHANGED PRACT ICE. 6
14751382
1476- (B) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQUIRE A
1477-CONTROLLER OR PROCES SOR TO COMPLY WITH A N AUTHENTICATED CONS UMER
1478-RIGHTS REQUEST IF TH E CONTROLLER :
1383+ (B) THE NOTICE PROVIDED U NDER SUBSECTION (A) OF THIS SECTION 7
1384+SHALL BE PROVIDED IN A MANNER AND AT A TI ME REASONABLY CALCUL ATED TO 8
1385+ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE. 9
14791386
1480- (1) IS NOT REASONABLY CAP ABLE OF ASSOCIATING THE REQU EST
1481-WITH THE PERSONAL DA TA OR IT WOULD BE UN REASONABLY BURDENSOM E FOR THE
1482-CONTROLLER TO ASSOCI ATE THE REQUEST WITH THE PERSONAL DATA ;
1387+14–4610. 10
14831388
1484- (2) DOES NOT USE THE PERS ONAL DATA TO RECOGNI ZE OR RESPOND
1485-TO THE SPECIFIC CONS UMER WHO IS THE SUBJ ECT OF THE PERSONAL DATA OR
1486-ASSOCIATE THE PERSON AL DATA WITH OTHER P ERSONAL DATA ABOUT T HE SAME
1487-SPECIFIC CONSUMER ; AND
1389+ (A) IN THIS SECTION , “PROCESSING ACTI VITIES THAT PRESENT A 11
1390+HEIGHTENED RISK OF H ARM TO A CONSUMER ” MEANS: 12
14881391
1489- (3) DOES NOT SELL THE PER SONAL DATA TO A THIR D PARTY OR
1490-OTHERWISE VOLUNTARIL Y DISCLOSE THE PERSO NAL DATA TO A THIRD PARTY
1491-OTHER THAN A PROCESSOR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBT ITLE.
1392+ (1) THE PROCESSING OF PER SONAL DATA FOR THE P URPOSES OF 13
1393+TARGETED ADVERTISING ; 14
14921394
1493- (C) (1) A CONTROLLER THAT DISC LOSES DE–IDENTIFIED DATA SHAL L:
1395+ (2) THE SALE OF PERSONAL DATA; 15
14941396
1495- (I) EXERCISE REASONABLE O VERSIGHT TO MONITOR
1496-COMPLIANCE WITH ANY CONTRACTUAL COMMITME NTS TO WHICH THE
1497-DE–IDENTIFIED DATA IS S UBJECT; AND
1397+ (3) THE PROCESSING OF SEN SITIVE DATA; AND 16
14981398
1499- (II) TAKE APPROPRIATE STEP S TO ADDRESS ANY BRE ACHES OF
1500-ANY CONTRACTUAL COMM ITMENTS. Ch. 454 2024 LAWS OF MARYLAND
1399+ (4) THE PROCESSING OF PERSONAL DATA FOR TH E PURPOSES OF 17
1400+PROFILING, IN WHICH THE PROFILI NG PRESENTS A REASON ABLY FORESEEABLE 18
1401+RISK OF: 19
15011402
1502-– 34 –
1403+ (I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATME NT OF A 20
1404+CONSUMER ; 21
15031405
1504- (2) THE DETERMINATION OF WHETHER OVERSIGHT IS REASONABLE
1505-AND WHETHER APPROPRI ATE STEPS WERE TAKEN IN ACCORDANCE WITH
1506-PARAGRAPH (1) OF THIS SUBSECTION S HALL TAKE INTO ACCOUNT WHE THER THE
1507-DISCLOSED DATA INCLU DES DATA THAT WOULD BE CONSIDERED SENSIT IVE DATA IF
1508-THE DATA WERE RE –IDENTIFIED.
1406+ (II) HAVING AN UNLAWFUL DI SPARATE IMPACT ON A 22
1407+CONSUMER ; 23
15091408
1510-14–4612.
1409+ (III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJU RY TO A 24
1410+CONSUMER ; 25
15111411
1512- (A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO RESTRICT A
1513-CONTROLLER ’S OR PROCESSOR ’S ABILITY TO:
1412+ (IV) A PHYSICAL OR OTHER IN TRUSION ON THE SOLIT UDE OR 26
1413+SECLUSION OR THE PRI VATE AFFAIRS OR CONC ERNS OF A CONSUMER I N WHICH THE 27
1414+INTRUSION WOULD BE O FFENSIVE TO A REASON ABLE PERSON; OR 28
15141415
1515- (1) COMPLY WITH FEDERAL , STATE, OR LOCAL LAWS OR
1516-REGULATIONS ;
1416+ (V) OTHER SUBSTANTI AL INJURY TO A CONSU MER. 29
1417+ 32 HOUSE BILL 567
15171418
1518- (2) COMPLY WITH A CIVIL , CRIMINAL, OR REGULATORY INQUIR Y,
1519-INVESTIGATION , SUBPOENA, OR SUMMONS BY A FEDE RAL, STATE, LOCAL, OR OTHER
1520-GOVERNMENTAL AUTHORI TY;
15211419
1522- (3) COOPERATE WITH LAW EN FORCEMENT AGENCIES CONCERNING
1523-CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONA BLY AND
1524-IN GOOD FAITH BELIEV ES MAY VIOLATE FEDER AL, STATE, OR LOCAL LAWS OR
1525-REGULATIONS ;
1420+ (B) A CONTROLLER SHALL CON DUCT AND DOCUMENT , ON A REGULAR 1
1421+BASIS, A DATA PROTECTION AS SESSMENT FOR EACH OF THE CONTROLLER ’S 2
1422+PROCESSING ACTIVITIE S THAT PRESENT A HEI GHTENED RISK OF HARM TO A 3
1423+CONSUMER , INCLUDING AN ASSESSM ENT FOR EACH ALGORITHM THAT IS USED. 4
15261424
1527- (4) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR , OR DEFEND
1528-A LEGAL CLAIM;
1425+ (C) (1) A DATA PROTECTION ASSE SSMENT CONDUCTED IN ACCORDANCE 5
1426+WITH THIS SECTION SH ALL IDENTIFY AND WEI GH THE BENEFITS THAT MAY FLOW 6
1427+DIRECTLY AND INDIREC TLY FROM THE PROCESS ING TO THE CONTROLLE R, THE 7
1428+CONSUMER , OTHER INTERESTED PARTIES, AND THE PUBLIC AGAIN ST: 8
15291429
1530- (5) PROVIDE A PRODUCT OR SERVICE S PECIFICALLY REQUESTE D BY
1531-A CONSUMER ;
1430+ (I) THE POTENTIAL RISKS T O THE RIGHTS OF THE CONSUMER 9
1431+ASSOCIATED WITH THE PROCESSING AS MITIGA TED BY SAFEGUARDS TH AT MAY BE 10
1432+EMPLOYED BY THE CONT ROLLER TO REDUCE THE SE RISKS; AND 11
15321433
1533- (6) PERFORM UNDER A CONTR ACT TO WHICH A CONSU MER IS A
1534-PARTY, INCLUDING FULFILLING THE TERMS OF A WRITT EN WARRANTY ;
1434+ (II) THE NECESSITY AND PRO PORTIONALIT Y OF PROCESSING IN 12
1435+RELATION TO THE STAT ED PURPOSE OF THE PR OCESSING. 13
15351436
1536- (7) TAKE STEPS AT THE REQ UEST OF A CONSUMER B EFORE
1537-ENTERING INTO A CONT RACT;
1437+ (2) THE CONTROLLER SHALL FACTOR INTO A DATA P ROTECTION 14
1438+ASSESSMENT : 15
15381439
1539- (8) TAKE IMMEDIATE STEPS TO PROTECT AN INTERE ST THAT IS
1540-ESSENTIAL FOR THE LI FE OR PHYSICAL SAFET Y OF A CONSUMER OR A NOTHER
1541-INDIVIDUAL AND WHEN THE PROCESSING CANNO T BE MANIFESTLY BASE D ON
1542-ANOTHER LEGAL BASIS ;
1440+ (I) THE USE OF DE–IDENTIFIED DATA ; 16
15431441
1544- (9) PREVENT, DETECT, PROTECT AGAINST , INVESTIGATE,
1545-PROSECUTE THOSE RESP ONSIBLE, OR OTHERWISE RESPOND TO A SECURITY WES MOORE, Governor Ch. 454
1442+ (II) THE REASONABLE EXPECT ATIONS OF CONSUMERS ; 17
15461443
1547-– 35 –
1548-INCIDENT, IDENTITY THEFT , FRAUD, HARASSMENT , MALICIOUS OR DECEPTI VE
1549-ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY ;
1444+ (III) THE CONTEXT OF TH E PROCESSING; AND 18
15501445
1551- (10) PRESERVE THE INTEGR ITY OR SECURITY OF S YSTEMS; OR
1446+ (IV) THE RELATIONSHIP BETW EEN THE CONTROLLER A ND THE 19
1447+CONSUMER WHOSE PERSO NAL DATA WILL BE PRO CESSED. 20
15521448
1553- (11) ASSIST ANOTHER CONTRO LLER, PROCESSOR, OR THIRD PARTY
1554-WITH AN OBLIGATION U NDER THIS SUBTITLE .
1449+ (D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MA KE 21
1450+AVAILABLE TO THE DIVISION A DATA PROTE CTION ASSESSMENT THA T IS RELEVANT 22
1451+TO AN INVESTIGATION CON DUCTED BY THE DIVISION. 23
15551452
1556- (B) (1) THIS SUBSECTION DOES NOT APPLY TO AN OBLI GATION
1557-REQUIRED UNDER § 14–4611 OF THIS SUBTITLE.
1453+ (2) (I) THE DIVISION MAY EVALUATE A DATA PROTECTION 24
1454+ASSESSMENT FOR COMPL IANCE WITH THE RESPO NSIBILITIES ESTABLIS HED IN THIS 25
1455+SUBTITLE. 26
15581456
1559- (2) AN OBLIGATION IM POSED ON A CONTROLLE R OR PROCESSOR
1560-UNDER THIS SUBTITLE MAY NOT RESTRICT A C ONTROLLER ’S OR PROCESSOR ’S
1561-ABILITY TO COLLECT , USE, OR RETAIN PERSONAL D ATA FOR INTERNAL USE TO:
1457+ (II) A CONTROLLER ’S DATA PROTECTION AS SESSMENT MAY BE 27
1458+USED IN AN ACTION TO ENFORCE THIS SUBT ITLE. 28
15621459
1563- (I) EFFECTUATE A PRODUCT RECALL;
1460+ (3) A DATA PROTECTION ASSE SSMENT IS CONFIDENTI AL AND IS 29
1461+EXEMPT FROM DISCLOSU RE UNDER THE FEDERAL FREEDOM OF INFORMATION ACT 30
1462+OR THE PUBLIC INFORMATION ACT. 31
1463+ HOUSE BILL 567 33
15641464
1565- (II) IDENTIFY AND REPAIR T ECHNICAL ERRORS THAT IMPAIR
1566-EXISTING OR INTENDED FUNCTIONALITY ; OR
15671465
1568- (III) PERFORM INTERNAL OPER ATIONS THAT ARE :
1466+ (E) A SINGLE DATA PROTECTI ON ASSESSMENT MAY AD DRESS A 1
1467+COMPARABLE SET OF PROCESSING OPERAT IONS THAT INCLUDE SI MILAR 2
1468+ACTIVITIES. 3
15691469
1570- 1. REASONABLY ALIGNED WI TH THE EXPECTATIONS OF
1571-THE CONSUMER OR CAN BE REASONABLY ANTICI PATED BASED ON THE C ONSUMER’S
1572-EXISTING RELATIONSHI P WITH THE CONT ROLLER; OR
1470+ (F) IF A CONTROLLER CONDU CTS A DATA PROTECTIO N ASSESSMENT FOR 4
1471+THE PURPOSE OF COMPL YING WITH ANOTHER AP PLICABLE LAW OR REGU LATION, 5
1472+THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISF Y THE 6
1473+REQUIREMENTS ESTABLI SHED IN THIS SECTION IF THE DATA PROTECTI ON 7
1474+ASSESSMENT IS REASON ABLY SIMILAR IN SCOP E AND EFFECT TO THE DATA 8
1475+PROTECTION ASSESSMEN T THAT WOULD OTHERWI SE BE CONDUCTED IN 9
1476+ACCORDANCE WITH THIS SECTION. 10
15731477
1574- 2. OTHERWISE COMPATIBLE WITH PROCESSING DATA IN
1575-FURTHERANCE OF :
1478+ (G) TO THE EXTENT THAT AN Y INFORMATI ON CONTAINED IN A DA TA 11
1479+PROTECTION ASSESSMEN T DISCLOSED TO THE DIVISION INCLUDES INF ORMATION 12
1480+SUBJECT TO ATTORNEY –CLIENT PRIVILEGE OR WORK PRODUCT PROTECT ION, THE 13
1481+DISCLOSURE MAY NOT C ONSTITUTE A WAIVER O F THAT PRIVILEGE OR PROTECTION. 14
15761482
1577- A. THE PROVISION OF A PR ODUCT OR SERVICE
1578-SPECIFICALLY REQUEST ED BY A CONSUMER ; OR
1483+ (H) A DATA PROTECTION ASSESSMENT CONDUCTED UNDER THIS SECTION : 15
15791484
1580- B. THE PERFORMANCE OF A CONTRACT TO WHICH TH E
1581-CONSUMER IS A PARTY .
1485+ (1) SHALL APPLY TO PROCES SING ACTIVITIES THAT OCCUR ON OR 16
1486+AFTER OCTOBER 1, 2025; AND 17
15821487
1583- (C) (1) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROC ESSOR
1584-UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CO NTROLLER
1585-OR PROCESSOR WITH TH E SUBTITLE WOULD VIO LATE AN EVIDENTIARY PRIVILEGE
1586-UNDER STATE LAW.
1488+ (2) IS NOT REQUIRED FOR P ROCESSING ACTIVITIES THAT OCCUR 18
1489+BEFORE OCTOBER 1, 2025. 19
15871490
1588- (2) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO PREVENT A
1589-CONTROLLER OR PROCES SOR FROM PROVIDING P ERSONAL DATA CONCERN ING A
1590-CONSUMER TO A PERSON COVERED BY AN EVIDEN TIARY PRIVILEGE UNDE R STATE
1591-LAW AS PART OF A PRI VILEGED COMMUNICATIO N. Ch. 454 2024 LAWS OF MARYLAND
1491+14–4611. 20
15921492
1593-– 36 –
1493+ (A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQUIRE A 21
1494+CONTROLLER OR A PROC ESSOR TO: 22
15941495
1595- (D) (1) A CONTROLLER OR PROCES SOR THAT DISCLOSES P ERSONAL DATA
1596-TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS
1597-SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE IF THE PROCESS OR OR
1598-THIRD–PARTY CONTROLLER THA T RECEIVES THE PERSO NAL DATA VIOLATES TH IS
1599-SUBTITLE AND:
1496+ (1) RE–IDENTIFY DE–IDENTIFIED DATA ; 23
16001497
1601- (I) AT THE TIME THE DISCLOS ING CONTROLLER OR
1602-PROCESSOR DISCLOSED THE PERSONAL DATA , THE DISCLOSING CONTR OLLER OR
1603-PROCESSOR DID NOT HA VE ACTUAL KNOWLEDGE THAT THE RECEIVING P ROCESSOR
1604-OR THIRD–PARTY CONTROLLER WOU LD VIOLATE THIS SUBT ITLE; AND
1498+ (2) MAINTAIN DATA IN AN I DENTIFIABLE FORM ; OR 24
16051499
1606- (II) THE DISCLOSING CONTROLLE R WAS, AND REMAINED , IN
1607-COMPLIANCE WITH ITS OBLIGATIONS AS THE D ISCLOSER OF THE PERS ONAL DATA.
1500+ (3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA O R 25
1501+TECHNOLOGY IN ORDER TO BE CAPABLE OF ASS OCIATING AN AU THENTICATED 26
1502+CONSUMER REQUEST WIT H PERSONAL DATA . 27
16081503
1609- (2) A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEI VES
1610-PERSONAL DATA FROM A CONTROLLER OR PROCES SOR IN COMPLIANCE WI TH THIS
1611-SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE FOR THE INDEPE NDENT
1612-MISCONDUCT OF THE CO NTROLLER OR PROCESSO R FROM WHICH THE
1613-THIRD–PARTY CONTROLLER OR PROCES SOR RECEIVED THE PER SONAL DATA.
1504+ (B) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQUIRE A 28
1505+CONTROLLER OR PROCES SOR TO COMPLY WITH A N AUTHENTICATED CONS UMER 29
1506+RIGHTS REQUEST IF TH E CONTROLLER : 30
1507+ 34 HOUSE BILL 567
16141508
1615- (E) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO:
16161509
1617- (1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR
1618-THAT ADVERSELY AFFEC TS THE RIGHTS OR FRE EDOMS OF ANY PERSON , INCLUDING
1619-THE RIGHTS OF A PERS ON TO FREEDOM OF SPEE CH OR FREEDOM OF THE PRESS AS
1620-GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR
1510+ (1) IS NOT REASONABLY CAP ABLE OF ASSOCIATING THE REQUEST 1
1511+WITH THE PERSONAL DA TA OR IT WOULD BE UN REASONABLY BURDENSOM E FOR THE 2
1512+CONTROLLER TO ASSOCI ATE THE REQUEST WITH THE PERSONAL DATA ; 3
16211513
1622- (2) APPLY TO A PERSON ’S PROCESSING OF PERS ONAL DATA DURING
1623-THE PERSON’S PERSONAL OR HOUSEH OLD ACTIVITIES.
1514+ (2) DOES NOT USE THE PERS ONAL DATA TO RECOGNI ZE OR RESPOND 4
1515+TO THE SPECIFIC CONS UMER WHO IS THE SUBJ ECT OF THE PERSONAL DATA OR 5
1516+ASSOCIATE THE PERSON AL DATA WITH OTHER P ERSONAL DATA ABOUT T HE SAME 6
1517+SPECIFIC CONSUMER ; AND 7
16241518
1625- (F) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL D ATA IN
1626-ACCORDANCE WITH AN E XEMPTION UNDER THIS SECTION, THE CONTROLLER OR
1627-PROCESSOR SHALL DEMONSTRATE TH AT THE PROCESSING :
1519+ (3) DOES NOT SELL THE PER SONAL DATA TO A THIR D PARTY OR 8
1520+OTHERWISE VOLUNTARIL Y DISCLOSE THE PERSO NAL DATA TO A THIRD PARTY 9
1521+OTHER THAN A PROCESS OR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBT ITLE. 10
16281522
1629- (1) QUALIFIES FOR AN EXEM PTION; AND
1523+ (C) (1) A CONTROLLER THAT DISC LOSES DE–IDENTIFIED DATA SHAL L: 11
16301524
1631- (2) COMPLIES WITH THE REQ UIREMENTS OF SUBSECT ION (G) OF THIS
1632-SECTION.
1525+ (I) EXERCISE REASONABLE O VERSIGHT TO MONITOR 12
1526+COMPLIANCE WITH ANY CONTRACTUAL COMMITME NTS TO WHICH THE 13
1527+DE–IDENTIFIED DATA IS S UBJECT; AND 14
16331528
1634- (G) PERSONAL DATA PROCESS ED BY A CONTROLLER OR PROCESSOR IN
1635-ACCORDANCE WITH THIS SECTION:
1636- WES MOORE, Governor Ch. 454
1529+ (II) TAKE APPROPRIATE STEP S TO ADDRESS ANY BRE ACHES OF 15
1530+ANY CONTRACTUAL COMM ITMENTS. 16
16371531
1638-– 37 –
1639- (1) SHALL BE SUBJECT TO R EASONABLE ADMINISTRA TIVE,
1640-TECHNICAL, AND PHYSICAL MEASURE S TO:
1532+ (2) THE DETERMINATION OF WHETHER OVERSIGHT IS REASONABLE 17
1533+AND WHETHER APPROPRI ATE STEPS WERE TAKEN IN ACCORDANCE WITH 18
1534+PARAGRAPH (1) OF THIS SUBSECTION S HALL TAKE INTO AC COUNT WHETHER THE 19
1535+DISCLOSED DATA INCLU DES DATA THAT WOULD BE CONSIDERED SENSIT IVE DATA IF 20
1536+THE DATA WERE RE –IDENTIFIED. 21
16411537
1642- (I) PROTECT THE CONFIDENT IALITY, INTEGRITY, AND
1643-ACCESSIBILITY OF THE PERSONAL DATA ; AND
1538+14–4612. 22
16441539
1645- (II) REDUCE REASONABLY FOR ESEEABLE RISKS OF HA RM TO
1646-CONSUMERS RELATING T O THE COLLECTION , USE, OR RETENTION OF PERS ONAL
1647-DATA; AND
1540+ (A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO RESTRICT A 23
1541+CONTROLLER ’S OR PROCESSOR ’S ABILITY TO: 24
16481542
1649- (2) MAY BE PROCESSED TO T HE EXTENT THAT THE P ROCESSING IS:
1543+ (1) COMPLY WITH FEDERA L, STATE, OR LOCAL LAWS OR 25
1544+REGULATIONS ; 26
16501545
1651- (I) REASONABLY NECESSARY AND PROPORTI ONATE TO THE
1652-PURPOSES LISTED IN T HIS SECTION; AND
1546+ (2) COMPLY WITH A CIVIL , CRIMINAL, OR REGULATORY INQUIR Y, 27
1547+INVESTIGATION , SUBPOENA, OR SUMMONS BY A FEDE RAL, STATE, LOCAL, OR OTHER 28
1548+GOVERNMENTAL AUTHORI TY; 29
16531549
1654- (II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS
1655-NECESSARY IN RELATIO N TO THE SPECIFIC PU RPOSES LISTED IN THI S SECTION.
1550+ (3) COOPERATE WITH LAW EN FORCEMENT AGENCIES C ONCERNING 30
1551+CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONA BLY AND 31
1552+IN GOOD FAITH BELIEV ES MAY VIOLATE FEDER AL, STATE, OR LOCAL LAWS OR 32
1553+REGULATIONS ; 33 HOUSE BILL 567 35
16561554
1657- (H) A PERSON THAT PROCESSE S PERSONAL DATA FOR A PURPOSE
1658-EXPRESSLY IDENTIFIED IN THIS SECTION MAY NOT BE CONSIDERED A CONT ROLLER
1659-SOLELY BASED ON THE PROCESSING OF PERSON AL DATA.
16601555
1661-14–4613.
16621556
1663- (A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION , A
1664-VIOLATION OF THIS SU BTITLE IS:
1557+ (4) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR , OR DEFEND 1
1558+A LEGAL CLAIM; 2
16651559
1666- (1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE WITHIN
1667-THE MEANING OF TITLE 13 OF THIS ARTICLE; AND
1560+ (5) PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY 3
1561+A CONSUMER ; 4
16681562
1669- (2) SUBJECT TO THE ENFORC EMENT AND PENALTY PR OVISIONS
1670-CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE.
1563+ (6) PERFORM UNDER A CONTR ACT TO WHICH A CONSU MER IS A 5
1564+PARTY, INCLUDING FULFILLING THE TERMS OF A WRITT EN WARRANTY ; 6
16711565
1672- (B) THIS SECTION DOES NOT PREVENT A CONSUMER F ROM PURSUING ANY
1673-OTHER REMEDY PROVIDED BY L AW.
1566+ (7) TAKE STEPS AT THE REQ UEST OF A CONSUMER B EFORE 7
1567+ENTERING INTO A CONT RACT; 8
16741568
1675-14–4614.
1569+ (8) TAKE IMMEDIATE STEPS TO P ROTECT AN INTEREST T HAT IS 9
1570+ESSENTIAL FOR THE LI FE OR PHYSICAL SAFET Y OF A CONSUMER OR A NOTHER 10
1571+INDIVIDUAL AND WHEN THE PROCESSING CANNO T BE MANIFESTLY BASE D ON 11
1572+ANOTHER LEGAL BASIS ; 12
16761573
1677- (A) THIS SECTION APPLIES TO AN ENFORCEMENT AC TION UNDER § 14–4613
1678-OF THIS SUBTITLE FOR AN ALLEGED VIOLATION THAT OCCURS ON OR BE FORE APRIL
1679-1, 2027.
1680- Ch. 454 2024 LAWS OF MARYLAND
1574+ (9) PREVENT, DETECT, PROTECT AGAINST , INVESTIGATE, 13
1575+PROSECUTE THOSE RESPON SIBLE, OR OTHERWISE RESPOND TO A SECURITY 14
1576+INCIDENT, IDENTITY THEFT , FRAUD, HARASSMENT , MALICIOUS OR DECEPTI VE 15
1577+ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY ; 16
16811578
1682-– 38 –
1683- (B) BEFORE INITIATING ANY ACTION UNDER § 14–4613 OF THIS SUBTITLE ,
1684-THE DIVISION MAY ISSUE A NOTICE OF VIOLATION TO THE CONTROLLER OR
1685-PROCESSOR IF THE DIVISION DETERMINES T HAT A CURE IS POSSIB LE.
1579+ (10) PRESERVE THE INTEGRIT Y OR SECURITY OF SYS TEMS; OR 17
16861580
1687- (C) (1) IF THE DIVISION ISSUES A NOT ICE OF VIOLATION UND ER
1688-SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PR OCESSOR SHALL HAVE
1689-AT LEAST 60 DAYS TO CURE THE VIO LATION AFTER RECEIPT OF THE NOTICE.
1581+ (11) ASSIST ANOTHER CONTROLLER , PROCESSOR, OR THIRD PARTY 18
1582+WITH AN OBLIGATION U NDER THIS SUBTITLE . 19
16901583
1691- (2) IF THE CONTROLLER OR PROCESSOR FAILS TO C URE THE
1692-VIOLATION WITHIN THE TIME PERIOD SPECIFIE D BY THE DIVISION, THE DIVISION
1693-MAY BRING AN ENFORCE MENT ACTION UNDER § 14–4613 OF THIS SUBTITLE.
1584+ (B) (1) THIS SUBSECTION DOES NOT APPLY TO AN OBLI GATION 20
1585+REQUIRED UNDER § 14–4611 OF THIS SUBTITLE. 21
16941586
1695- (D) IN DETERMINING WHETHE R TO GRANT A CONTROL LER OR PROCESSOR
1696-AN OPPORTUNITY TO CU RE AN ALLEGED VIOLAT ION, THE DIVISION MAY CONSIDER
1697-THE FOLLOWING FACTOR S:
1587+ (2) AN OBLIGATION IMPOSED ON A CONTROLLER OR P ROCESSOR 22
1588+UNDER THIS SUB TITLE MAY NOT RESTRI CT A CONTROLLER ’S OR PROCESSOR ’S 23
1589+ABILITY TO COLLECT , USE, OR RETAIN PERSONAL D ATA FOR INTERNAL USE TO: 24
16981590
1699- (1) THE NUMBER OF VIOLATI ONS;
1591+ (I) EFFECTUATE A PRODUCT RECALL; 25
17001592
1701- (2) THE SIZE AND COMPLEXI TY OF THE CONTROLLER OR PROCESSOR;
1593+ (II) IDENTIFY AND REPAIR T ECHNICAL ERRORS THAT IMPAIR 26
1594+EXISTING OR INTENDED FUNCTIONALITY ; OR 27
17021595
1703- (3) THE NATURE AND EXTENT OF THE CONTROLLER ’S OR
1704-PROCESSOR’S PROCESSING ACTIVIT IES;
1596+ (III) PERFORM INTERNAL OPER ATIONS THAT ARE : 28
1597+ 36 HOUSE BILL 567
17051598
1706- (4) THE LIKELIHOOD OF INJ URY TO THE PUBLIC ;
17071599
1708- (5) THE SAFETY OF PERSONS OR PROPERTY ;
1600+ 1. REASONABLY ALIGNED WI TH THE EXPECTATIONS OF 1
1601+THE CONSUMER OR CAN BE REASONABLY ANTICI PATED BASED ON THE C ONSUMER’S 2
1602+EXISTING RELATIONSHI P WITH THE CONTROLLE R; OR 3
17091603
1710- (6) WHETHER THE ALLEGED V IOLATION WAS LIKELY CAUSED BY
1711-HUMAN OR TECHNICAL ERROR ; AND
1604+ 2. OTHERWISE COMPATIBLE WITH PROCE SSING DATA IN 4
1605+FURTHERANCE OF : 5
17121606
1713- (7) THE EXTENT TO WHICH T HE CONTROLLER OR PRO CESSOR HAS
1714-VIOLATED THIS SUBTIT LE OR SIMILAR LAWS I N THE PAST.
1607+ A. THE PROVISION OF A PR ODUCT OR SERVICE 6
1608+SPECIFICALLY REQUEST ED BY A CONSUMER ; OR 7
17151609
1716- SECTION 2. AND BE IT FURTHER ENACTED, That § 14 –4612 of the Commercial
1717-Law Article, as enacted by Section 1 of this Act, shall be construed to apply only
1718-prospectively and may not be applied or interpreted to have any effect on or application to
1719-any personal data processing activities before April 1, 2025 2026.
1610+ B. THE PERFORMANCE OF A CONTRACT TO WHICH TH E 8
1611+CONSUMER IS A PARTY . 9
17201612
1721- SECTION 3. AND BE IT FURTHER ENACTED, That, if any provision of this Act or
1722-the application thereof to any person or circumstance is held invalid for any reason in a
1723-court of competent jurisdiction, the invalidity does not affect other provisions or any other
1724-application of this Act that can be given effect without the invalid provision or application,
1725-and for this purpose the provisions of this Act are declared severable.
1726- WES MOORE, Governor Ch. 454
1613+ (C) (1) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR 10
1614+UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CO NTROLLER 11
1615+OR PROCESSOR WITH TH E SUBTITLE WOULD VIO LATE AN EVIDENTIARY PRIVILEGE 12
1616+UNDER STATE LAW. 13
17271617
1728-– 39 –
1729- SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect
1730-October 1, 2024 2025.
1618+ (2) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO PREVENT A 14
1619+CONTROLLER OR PROCES SOR FROM PROVIDING PERSONAL DATA CONCER NING A 15
1620+CONSUMER TO A PERSON COVERED BY AN EVIDEN TIARY PRIVILEGE UNDE R STATE 16
1621+LAW AS PART OF A PRI VILEGED COMMUNICATIO N. 17
17311622
1732-Approved by the Governor, May 9, 2024.
1623+ (D) (1) A CONTROLLER OR PROCES SOR THAT DISCLOSES P ERSONAL DATA 18
1624+TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS 19
1625+SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE IF THE PROCESS OR OR 20
1626+THIRD–PARTY CONTROLLER THA T RECEIVES THE PERSO NAL DATA VIOLATES TH IS 21
1627+SUBTITLE AND: 22
1628+
1629+ (I) AT THE TIME THE DISCLOS ING CONTROLLER OR 23
1630+PROCESSOR DISCLOSED THE PERSONAL DATA , THE DISCLOSING CONTR OLLER OR 24
1631+PROCESSOR DID NOT HA VE ACTUAL KNOWLEDGE THAT THE RECEIVING P ROCESSOR 25
1632+OR THIRD–PARTY CONTROLLER WOU LD VIOLATE THIS SUBT ITLE; AND 26
1633+
1634+ (II) THE DISCLOSING CONTROLLE R WAS, AND REMAINED , IN 27
1635+COMPLIANCE WITH ITS OBLIGATIONS AS THE D ISCLOSER OF THE PERS ONAL DATA. 28
1636+
1637+ (2) A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEI VES 29
1638+PERSONAL DATA FROM A CONTROLLER OR PROCES SOR IN COMPLIANCE WI TH THIS 30
1639+SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE FOR THE INDEPE NDENT 31
1640+MISCONDUCT OF THE CO NTROLLER OR PROCESSO R FROM WHICH THE 32
1641+THIRD–PARTY CONTROLLER OR PROCES SOR RECEIVED THE PER SONAL DATA. 33
1642+
1643+ (E) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO: 34 HOUSE BILL 567 37
1644+
1645+
1646+
1647+ (1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR 1
1648+THAT ADVERSELY AFFEC TS THE RIGHTS OR FRE EDOMS OF ANY PERSON , INCLUDING 2
1649+THE RIGHTS OF A PERS ON TO FREEDOM OF SPEE CH OR FREEDOM OF THE PRESS AS 3
1650+GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR 4
1651+
1652+ (2) APPLY TO A PERSON ’S PROCESSING OF PERS ONAL DATA DURING 5
1653+THE PERSON’S PERSONAL OR HOUSEH OLD ACTIVITIES. 6
1654+
1655+ (F) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL D ATA IN 7
1656+ACCORDANCE WITH AN E XEMPTION UNDER THIS SECTION, THE CONTROLLER OR 8
1657+PROCESSOR SHALL DEMONSTRATE TH AT THE PROCESSING : 9
1658+
1659+ (1) QUALIFIES FOR AN EXEM PTION; AND 10
1660+
1661+ (2) COMPLIES WITH THE REQ UIREMENTS OF SUBSECT ION (G) OF THIS 11
1662+SECTION. 12
1663+
1664+ (G) PERSONAL DATA PROCESS ED BY A CONTROLLER OR PROCESSOR IN 13
1665+ACCORDANCE WITH THIS SECTION: 14
1666+
1667+ (1) SHALL BE SUBJECT TO R EASONABLE ADMINISTRA TIVE, 15
1668+TECHNICAL, AND PHYSICAL MEASURE S TO: 16
1669+
1670+ (I) PROTECT THE CONFIDENT IALITY, INTEGRITY, AND 17
1671+ACCESSIBILITY OF THE PERSONAL DATA ; AND 18
1672+
1673+ (II) REDUCE REASONABLY FOR ESEEABLE RISKS OF HA RM TO 19
1674+CONSUMERS RELATING T O THE COLLECTION , USE, OR RETENTION OF PERS ONAL 20
1675+DATA; AND 21
1676+
1677+ (2) MAY BE PROCESSED TO T HE EXTENT THAT THE P ROCESSING IS: 22
1678+
1679+ (I) REASONABLY NECESSARY AND PROPORTI ONATE TO THE 23
1680+PURPOSES LISTED IN T HIS SECTION; AND 24
1681+
1682+ (II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS 25
1683+NECESSARY IN RELATIO N TO THE SPECIFIC PU RPOSES LISTED IN THI S SECTION. 26
1684+
1685+ (H) A PERSON THAT PROCESSE S PERSONAL DATA FOR A PURPOSE 27
1686+EXPRESSLY IDENTIFIED IN THIS SECTION MAY NOT BE CONSIDERED A CONT ROLLER 28
1687+SOLELY BASED ON THE PROCESSING OF PERSON AL DATA. 29
1688+
1689+14–4613. 30 38 HOUSE BILL 567
1690+
1691+
1692+
1693+ (A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION , A 1
1694+VIOLATION OF THIS SU BTITLE IS: 2
1695+
1696+ (1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE WITHIN 3
1697+THE MEANING OF TITLE 13 OF THIS ARTICLE; AND 4
1698+
1699+ (2) SUBJECT TO THE ENFORC EMENT AND PENALTY PR OVISIONS 5
1700+CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE. 6
1701+
1702+ (B) THIS SECTION DOES NOT PREVENT A CONSUMER F ROM PURSUING ANY 7
1703+OTHER REMEDY PROVIDED BY L AW. 8
1704+
1705+14–4614. 9
1706+
1707+ (A) THIS SECTION APPLIES TO AN ENFORCEMENT AC TION UNDER § 14–4613 10
1708+OF THIS SUBTITLE FOR AN ALLEGED VIOLATION THAT OCCURS ON OR BE FORE APRIL 11
1709+1, 2027. 12
1710+
1711+ (B) BEFORE INITIATING ANY ACTION UNDER § 14–4613 OF THIS SUBTITLE , 13
1712+THE DIVISION MAY ISSUE A NOTICE OF VIOLATION TO THE CONTROLLER OR 14
1713+PROCESSOR IF THE DIVISION DETERMINES T HAT A CURE IS POSSIB LE. 15
1714+
1715+ (C) (1) IF THE DIVISION ISSUES A NOT ICE OF VIOLATION UND ER 16
1716+SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PR OCESSOR SHALL HAVE 17
1717+AT LEAST 60 DAYS TO CURE THE VIO LATION AFTER RECEIPT OF THE NOTICE. 18
1718+
1719+ (2) IF THE CONTROLLER OR PROCESSOR FAILS TO C URE THE 19
1720+VIOLATION WITHIN THE TIME PERIOD SPECIFIE D BY THE DIVISION, THE DIVISION 20
1721+MAY BRING AN ENFORCE MENT ACTION UNDER § 14–4613 OF THIS SUBTITLE. 21
1722+
1723+ (D) IN DETERMINING WHETHE R TO GRANT A CONTROL LER OR PROCESSOR 22
1724+AN OPPORTUNITY TO CU RE AN ALLEGED VIOLAT ION, THE DIVISION MAY CONSIDER 23
1725+THE FOLLOWING FACTOR S: 24
1726+
1727+ (1) THE NUMBER OF VIOLATI ONS; 25
1728+
1729+ (2) THE SIZE AND COMPLEXI TY OF THE CONTROLLER OR PROCESSOR; 26
1730+
1731+ (3) THE NATURE AND EXTENT OF THE CONTROLLER ’S OR 27
1732+PROCESSOR’S PROCESSING ACTIVIT IES; 28
1733+
1734+ (4) THE LIKELIHOOD OF INJ URY TO THE PUBLIC ; 29
1735+ HOUSE BILL 567 39
1736+
1737+
1738+ (5) THE SAFETY OF PERSONS OR PROPERTY ; 1
1739+
1740+ (6) WHETHER THE ALLEGED V IOLATION WAS LIKELY CAUSED BY 2
1741+HUMAN OR TECHN ICAL ERROR; AND 3
1742+
1743+ (7) THE EXTENT TO WHICH T HE CONTROLLER OR PRO CESSOR HAS 4
1744+VIOLATED THIS SUBTIT LE OR SIMILAR LAWS I N THE PAST. 5
1745+
1746+ SECTION 2. AND BE IT FURTHER ENACTED, That § 14 –4612 of the Commercial 6
1747+Law Article, as enacted by Section 1 of this Act, shall be construed to apply only 7
1748+prospectively and may not be applied or interpreted to have any effect on or application to 8
1749+any personal data processing activities before April 1, 2025 2026. 9
1750+
1751+ SECTION 3. AND BE IT FURTHER ENACTED, That, if any provision of this Act or 10
1752+the application thereof to any person or circumstance is held invalid for any reason in a 11
1753+court of competent jurisdiction, the invalidity does not affect other provisions or any other 12
1754+application of this Act that can be given effect without the invalid provision or application, 13
1755+and for this purpose the provisions of this Act are declared severable. 14
1756+
1757+ SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect 15
1758+October 1, 2024 2025. 16
1759+
1760+
1761+
1762+Approved:
1763+________________________________________________________________________________
1764+ Governor.
1765+________________________________________________________________________________
1766+ Speaker of the House of Delegates.
1767+________________________________________________________________________________
1768+ President of the Senate.
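Review bot: the Old and New sides of this comparison appear to be in reverse order of the bill's history. The removed side ends with "Approved by the Governor, May 9, 2024." under "Ch. 454 2024 LAWS OF MARYLAND" page headers, while the added side ends with an unsigned "Approved:" signature block under "HOUSE BILL 567" page headers. The provisions visible here, such as § 14–4613 and § 14–4614, read the same on both sides apart from margin line numbers, running page headers and word spacing, so nearly every +/- pair in this region is repagination rather than a change to the text; the comparison would be clearer if it ignored margin numbers and page headers. Separately, Sections 2 and 4 show "April 1, 2025 2026" and "October 1, 2024 2025" on both sides: the strike-out and underlining that the bill's explanation says mark amendments did not survive, so these lines alone do not show which year stands, and the struck year should be rendered distinctly.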