WES MOORE, Governor Ch. 454
– 1 –
Chapter 454
(House Bill 567)
AN ACT concerning
Maryland Online Data Privacy Act of 2024
FOR the purpose of regulating the manner in which a controller or a processor in possession
of a consumer’s personal data may process the consumer’s personal data; authorizing
a consumer to exercise certain rights in regards to the consumer’s personal data;
requiring a controller of personal data to establish a method for a consumer to
exercise certain rights in regards to the consumer’s personal data; requiring a
controller to comply with a request by a consumer to exercise a certain right in a
certain manner, except under certain circumstances; authorizing a consumer to
designate an authorized agent to act on the consumer’s behalf to opt out of the
processing of the consumer’s personal data; requiring a controller to provide a
consumer with a certain privacy notice; requiring a controller that uses a processor
to process the personal data of consumers to enter into a contract with the processor
that governs the processor’s data processing procedures; requiring a controller to
conduct and document a data protection assessment for consumer data processing
activities that present a heightened risk of harm to a consumer; making a violation
of this Act an unfair, abusive, or deceptive trade practice that is subject to
enforcement and penalties under the Maryland Consumer Protection Act; and
generally relating to online data privacy.
BY repealing and reenacting, with amendments,
Article – Commercial Law
Section 13–301(14)(xl)
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)
BY repealing and reenacting, without amendments,
Article – Commercial Law
Section 13–301(14)(xli)
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)
BY adding to
Article – Commercial Law
Section 13–301(14)(xlii); and 14–4601 through 14–4613 14–4614 to be under the new
subtitle “Subtitle 46. Online Data Privacy Act”
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)
SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
That the Laws of Maryland read as follows: Ch. 454 2024 LAWS OF MARYLAND
– 2 –
Article – Commercial Law
13–301.
Unfair, abusive, or deceptive trade practices include any:
(14) Violation of a provision of:
(xl) Title 14, Subtitle 13 of the Public Safety Article; [or]
(xli) Title 14, Subtitle 45 of this article; or
(XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR
SUBTITLE 46. ONLINE DATA PRIVACY ACT.
14–4601.
(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
INDICATED.
(B) “AFFILIATE” MEANS A PERSON THAT , DIRECTLY OR INDIRECT LY
THROUGH ONE OR MORE INTERMED IARIES, CONTROLS, IS CONTROLLED BY , OR IS
UNDER COMMON CONTROL WITH ANOTHER PERSON , SUCH THAT THE PERSON :
(1) SHARES COMMON BRANDIN G WITH ANOTHER PERSO N; OR
(2) CONTROLS, IS CONTROLLED BY , OR IS UNDER COMMON C ONTROL
WITH ANOTHER P ERSON.
(1) OWNS OR HAS THE POWER TO VOTE MORE THAN 50 PERCENT %
OF THE OUTSTANDING S HARES OF ANY VOTING CLASS OF THE OTHER P ERSON’S
SECURITIES;
(2) HAS THE POWER TO ELEC T OR INFLUENCE THE E LECTION OF A
MAJORITY OF THE DIRE CTORS, MEMBERS, OR MANAGERS OF THE OTHER PERSON ;
(3) HAS THE POWER TO DIRE CT THE MANAGEMENT OF THE OTHER
PERSON; OR
(4) IS SUBJECT TO THE OTH ER PERSON’S EXERCISE OF THE PO WERS
DESCRIBED IN ITEM (1), (2), OR (3) OF THIS SUBSECTION .
WES MOORE, Governor Ch. 454
– 3 –
(C) “AUTHENTICATE ” MEANS TO USE REASONA BLE MEANS TO DETERMI NE
THAT A REQUEST TO EX ERCISE A CONSUMER RI GHT IN ACCORDANCE WI TH §
14–4605 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF , A CONSUMER WHO
IS ENTITLED TO EXERCISE THE CONSUMER RIGHT W ITH RESPECT TO THE PERSONAL
DATA AT ISSUE.
(D) (1) “BIOMETRIC DATA ” MEANS DATA GENERATED BY AUTOMATIC
MEASUREMENTS OF THE BIOLOGICAL CHARACTER ISTICS OF A CONSUMER THAT CAN
BE USED TO UNIQUELY AUTHENTICATE A CONSU MER’S IDENTITY.
(2) “BIOMETRIC DATA ” INCLUDES:
(I) A FINGERPRINT ;
(II) A VOICE PRINT;
(III) AN EYE RETINA OR IRIS IMAGE; AND
(IV) ANY OTHER UNIQUE BIOL OGICAL CHARACTERISTI CS THAT
CAN BE USED TO UNIQU ELY AUTHENTICATE A C ONSUMER’S IDENTITY.
(3) “BIOMETRIC DATA ” DOES NOT INCLUDE :
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH ;
(II) AN AUDIO OR VIDEO REC ORDING; OR
(III) ANY DATA GENERATED FR OM A DIGITAL OR PHYS ICAL
PHOTOGRAPH OR AN AUD IO OR VIDEO RECORDIN G, UNLESS THE DATA IS
GENERATED TO IDENTIF Y A SPECIFIC CONSUME R.
(E) “BUSINESS ASSOCI ATE” HAS THE MEANING STAT ED IN HIPAA.
(F) “CHILD” HAS THE MEANING STAT ED IN COPPA.
(G) (1) “CONSENT” MEANS A CLEAR AFFIRM ATIVE ACT SIGNIFYING A
CONSUMER ’S FREELY GIVEN , SPECIFIC, INFORMED, AND UNAMBIGUOUS
AGREEMENT TO ALLOW T HE PROCESSING OF PER SONAL DATA RELATING TO THE
CONSUMER FOR A PARTI CULAR PURPOSE .
(2) “CONSENT” INCLUDES:
(I) A WRITTEN STATEMENT ;
Ch. 454 2024 LAWS OF MARYLAND
– 4 –
(II) A WRITTEN STATEMENT BY ELECTRONIC MEANS ; OR
(III) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION .
(3) “CONSENT” DOES NOT INCLUDE :
(I) ACCEPTANCE OF A GENER AL OR BROAD TERMS OF USE OR
SIMILAR DOCUMENT THA T CONTAINS DESCRIPTI ONS OF PERSONAL DATA
PROCESSING ALONG WIT H OTHER UNRELATED IN FORMATION;
(II) HOVERING OVER , MUTING, PAUSING, OR CLOSING A PIECE
OF CONTENT; OR
(III) AGREEMENT OBTAINED THROUGH THE USE OF DARK
PATTERNS.
(H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE
STATE.
(2) “CONSUMER” DOES NOT INCLUDE :
(I) AN INDIVIDUAL ACTING IN A COMMERCIAL OR
EMPLOYMENT CONTEXT ; OR
(II) AN INDIVIDUAL ACTING AS AN EMPLOYEE , AN OWNER, A
DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP , A SOLE
PROPRIETORSHIP , A NONPROFIT ORGANIZA TION, OR A GOVERNMENTAL UN IT
WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR O NLY
WITHIN THE CONTEXT O F THE INDIVIDUAL ’S ROLE WITH THE COMP ANY,
PARTNERSHIP , SOLE PROPRIETORSHIP , NONPROFIT ORGANIZATI ON, OR
GOVERNMENTAL UNIT .
(I) (1) “CONSUMER HEALTH DATA ” MEANS PERSONAL DATA THAT A
CONTROLLER USES TO I DENTIFY A CONSUMER ’S PHYSICAL OR MENTAL HEALTH
STATUS.
(2) “CONSUMER HEALTH DATA ” INCLUDES DATA RELATE D TO:
(I) GENDER–AFFIRMING CARE TREATMENT ; OR
(II) REPRODUCTIVE OR SEXUA L HEALTH CARE .
(J) “CONTROL” MEANS:
WES MOORE, Governor Ch. 454
– 5 –
(1) OWNERSHIP OF OR THE P OWER TO VOTE MORE TH AN 50% OF THE
OUTSTANDING SHARES O F ANY CLASS OF VOTING SECU RITY OF A BUSINESS ;
(2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY
OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERC ISING SIMILAR
FUNCTIONS; OR
(3) THE POWER TO EXERCISE A CONTROLLING INFLUE NCE OVER THE
MANAGEMENT OF A BUSINESS.
(K) “CONTROLLER ” MEANS A PERSON THAT , ALONE OR JOINTLY WIT H
OTHERS, DETERMINES THE PURPO SE AND MEANS OF PROC ESSING PERSONAL DATA .
(L) (1) “COPPA” MEANS THE FEDERAL CHILDREN’S ONLINE PRIVACY
PROTECTION ACT OF 1998 AND THE REGULATIONS , RULES, GUIDANCE, AND
EXEMPTIONS ADOPTED U NDER THE ACT, AND AS THE ACT AND THE REGULATIO NS,
RULES, GUIDANCE, AND EXEMPTIONS MAY B E AMENDED.
(2) “COPPA” INCLUDES REGULATIONS ADOPTED UNDER THE
FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998.
(M) “COVERED ENTITY ” HAS THE MEANING STAT ED IN HIPAA.
(N) (1) “DARK PATTERN ” MEANS A USER INTERFA CE DESIGNED OR
MANIPULATED WITH THE SUBSTANTIAL EFFECT O F SUBVERTING USER AU TONOMY,
DECISION MAKING , OR CHOICE.
(2) “DARK PATTERN ” INCLUDES ANY PRACTIC E THE FEDERAL
TRADE COMMISSION REFERS TO AS A “DARK PATTERN ”.
(O) “DECISIONS THAT PRODUC E LEGAL OR SIMILARLY SIGNIFICANT
EFFECTS CONCERNING T HE CONSUMER ” MEANS DECISIONS THAT RESULT IN THE
PROVISION OR DENIAL OF:
(1) FINANCIAL OR LENDING SERVICES;
(2) HOUSING;
(3) INSURANCE;
(4) (3) EDUCATION ENROLLMENT OR OPPORTUNITY ;
(5) (4) CRIMINAL JUSTICE ;
Ch. 454 2024 LAWS OF MARYLAND
– 6 –
(6) (5) EMPLOYMENT OPPORTUNIT IES;
(7) (6) HEALTH CARE SERVICES ; OR
(8) (7) ACCESS TO ESSENTIAL G OODS OR SERVICES .
(P) “DE–IDENTIFIED DATA ” MEANS DATA THAT CANN OT REASONABLY BE
USED TO INFER INFORM ATION ABOUT OR OTHER WISE BE LINKED TO AN IDENTIFIED
OR IDENTIFIABLE CONS UMER, OR A DEVICE THAT MAY BE LINKED TO AN IDEN TIFIED
OR IDENTIFIABLE CONS UMER, IF THE CONTROLLER TH AT POSSESSES THAT
INFORMATION :
(1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE
INFORMATION CANNOT B E LINKED WITH A CONS UMER;
(2) COMMITS IN PUBLICLY A VAILABLE TERMS AND C ONDITIONS OR IN
A PUBLICLY AVAILABLE PRIVACY POLICY TO MA INTAIN AND USE THE I NFORMATION
IN DE–IDENTIFIED FORM; AND
(3) CONTRACTUALLY OBLIGES ANY RECIPIENTS OF TH E
INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION HAS THE
MEANING STATED IN § 14–4401 OF THIS TITLE.
(Q) “GENDER–AFFIRMING TREATMENT ” HAS THE MEANING STAT ED IN §
15–151(A) OF THE HEALTH – GENERAL ARTICLE.
(Q) (R) (1) “GENETIC DATA ” MEANS DATA IN ANY FO RMAT THAT
CONCERNS THE GENETIC CHARACTE RISTICS OF A CONSUME R.
(2) “GENETIC DATA” INCLUDES:
(I) RAW SEQUENCE DATA THA T RESULTS FROM SEQUE NCING
OF A CONSUMER ’S COMPLETE EXTRACTED DNA OR A PORTION OF THE CONSUMER ’S
COMPLETE EXTRACTED DNA;
(II) GENOTYPIC AND PHENOTY PIC INFORMATION THAT
RESULTS FROM ANALYZI NG RAW SEQUENCE DATA ;
(III) INFORMATION EXTRAPOLA TED, DERIVED, OR INFERRED
FROM THE ANALYSIS OF RAW SEQUENCE DA TA; AND
WES MOORE, Governor Ch. 454
– 7 –
(IV) SELF–REPORTED HEALTH INFO RMATION SUBMITTED TO A
DIRECT–TO–CONSUMER GENETIC TES TING COMPANY BY A CO NSUMER REGARDING
THE CONSUMER ’S HEALTH CONDITIONS :
1. THAT IS USED FOR SCIE NTIFIC RESEARCH OR
PRODUCT DEVELOPMENT ; AND
2. ANALYZED IN CONNECTION WITH T HE CONSUMER ’S
RAW SEQUENCE DATA HAS THE MEANING STAT ED IN § 14–4401 OF THIS TITLE.
(R) (S) (1) “GEOFENCE” MEANS TECHNOLOGY THA T ESTABLISHES A
VIRTUAL GEOGRAPHICAL BOUNDARY.
(2) “GEOFENCE” INCLUDES BOUNDARIES THAT ARE ESTABLISHED
OR MONITORED THROUGH TH E USE OF:
(I) GLOBAL POSITIONING TE CHNOLOGY;
(II) CELL TOWER CONNECTIVI TY;
(III) CELLULAR DATA ;
(IV) RADIO FREQUENCY IDENT IFICATION;
(V) WIRELESS FIDELITY TEC HNOLOGY; OR
(VI) ANY OTHER FORM OF LOC ATION DETERMINATION
TECHNOLOGY .
(S) (T) “HIPAA” MEANS THE FEDERAL HEALTH INSURANCE
PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
(T) (U) “IDENTIFIED OR IDENTIF IABLE CONSUMER ” MEANS A CONSUMER
WHO CAN READILY BE I DENTIFIED, EITHER DIRECTLY OR I NDIRECTLY.
(U) (V) “MENTAL HEALTH FACILIT Y” MEANS A HEALTH CARE FACILITY IN
WHICH NOT LESS THAN 70% OF HEALTH CARE SERVI CES OFFERED ARE MENT AL
HEALTH SERVICES .
(V) (W) (1) “PERSONAL DATA ” MEANS ANY INFORMATIO N THAT IS
LINKED OR CAN BE REA SONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE
CONSUMER .
(2) “PERSONAL DATA ” DOES NOT INCLUDE : Ch. 454 2024 LAWS OF MARYLAND
– 8 –
(I) DE–IDENTIFIED DATA ; OR
(II) PUBLICLY AVAILABLE IN FORMATION.
(W) (X) (1) “PRECISE GEOLOCATION D ATA” MEANS INFORMATION
DERIVED FROM TECHNOL OGY THAT CAN PRECISE LY AND ACCURATELY IDENTIFY
THE SPECIFIC LOCATIO N OF A CONSUMER WITH IN A RADIUS OF 1,750 FEET.
(2) “PRECISE GEOLOCATION D ATA” INCLUDES GLOBAL POSI TIONING
SYSTEM LEVEL LATITUD E AND LONGITUDE COOR DINATES OR OTHER SIM ILAR
MECHANISMS .
(3) “PRECISE GEOLOCATION D ATA” DOES NOT INCLUDE:
(I) THE CONTENT OF COMMUN ICATIONS DATA;
(II) DATA GENERATED BY OR CONN ECTED TO AN ADVANCED
UTILITY METERING INF RASTRUCTURE SYSTEM ; OR
(II) (III) EQUIPMENT DATA GENERATED BY EQU IPMENT USED
BY A UTILITY COMPANY .
(X) (Y) (1) “PROCESS” MEANS AN OPERATION O R SET OF OPERATIONS
PERFORMED BY MANUAL OR AUTOMATED MEANS O N PERSONAL DATA .
(2) “PROCESS” INCLUDES COLLECTING , USING, STORING,
DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L DATA.
(Y) (Z) “PROCESSOR” MEANS A PERSON THAT PROCESSE S PERSONAL
DATA ON BEHALF OF A CONTROLLER .
(Z) (AA) “PROFILING” MEANS ANY FORM OF AU TOMATED PROCESSING
PERFORMED ON PERSONA L DATA TO EVALUATE , ANALYZE, OR PREDICT PERSONAL
ASPECTS RELATED TO A N IDENTIFIED OR IDEN TIFIABLE CONSUMER ’S ECONOMIC
SITUATION, HEALTH, DEMOGRAPHIC CHARACTE RISTICS, PERSONAL PREFERENCES ,
INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS .
(AA) (BB) “PROTECTED HEALTH INFO RMATION” HAS THE MEANING STAT ED
IN HIPAA.
(BB) (CC) (1) “PUBLICLY AVAILABLE IN FORMATION” MEANS
INFORMATION THAT A PERSON:
WES MOORE, Governor Ch. 454
– 9 –
(I) IS LAWFULLY MADE READ ILY AVAILABLE TO THE GENERAL
PUBLIC THROUGH FEDER AL, STATE, OR LOCAL GOVERNMENT RECORDS; OR
(II) A CONTROLLER HAS A REA SONABLE BASIS TO BEL IEVE
THAT A CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GEN ERAL PUBLIC
THROUGH WIDELY DISTR IBUTED MEDIA.
(I) LAWFULLY OBTAINS FROM A RECORD OF A GOVERN MENTAL
ENTITY;
(II) REASONABLY BELIEVES A CONSUMER OR WIDELY
DISTRIBUTED MEDIA HA S LAWFULLY MADE AVAI LABLE TO THE GENERAL PUBLIC;
OR
(III) IF THE CONSUMER HAS N OT RESTRICTED THE
INFORMATION TO A SPE CIFIC AUDIENCE , OBTAINS FROM A PERSO N TO WHOM THE
CONSUMER DISCLOSED T HE INFORMATION .
(2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE
BIOMETRIC DATA COLLE CTED BY A BUSINESS A BOUT A CONSUMER WITHOUT THE
CONSUMER ’S KNOWLEDGE .
(CC) (DD) (1) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” MEANS CARE
RELATED TO A HEALTH CARE –RELATED SERVICE OR P RODUCT RENDERED OR
PROVIDED CONCERNING A CONSUMER ’S REPRODUCTIVE SYSTE M OR SEXUAL
WELL–BEING., INCLUDING:
(2) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” INCLUDES:
(I) (1) A SERVICE OR PRODUCT P ROVIDED RELATED TO A N
INDIVIDUAL HEALTH CO NDITION, STATUS, DISEASE, DIAGNOSIS, TEST, OR
TREATMENT ;
(II) (2) A SOCIAL, PSYCHOLOGICAL , BEHAVIORAL , OR
MEDICAL INTERVENTION ;
(III) (3) A SURGERY OR PROCEDURE ;
(IV) (4) THE PURCHASE OR USE O F A MEDICATION ,
INCLUDING A MEDICATI ON PURCHASED OR USED FOR THE PURPOSES OF AN
ABORTION;
(V) (5) A SERVICE OR PRODUCT R ELATED TO A BODILY
FUNCTION, VITAL SIGN, OR MEASUREMENT THEREOF SYMPTOM; Ch. 454 2024 LAWS OF MARYLAND
– 10 –
(6) A MEASUREMENT OF A BOD ILY FUNCTION , VITAL SIGN, OR
SYMPTOM; AND
(VI) (7) AN ABORTION , WHETHER SURGICAL OR MEDICAL;
AND
(VII) A SERVICE RELATED TO AN ABORTION AND MEDICAL AND
NONMEDICAL SERVICES , PRODUCTS, DIAGNOSTICS, COUNSELING , AND FOLLOW –UP
SERVICES FOR AN ABOR TION.
(DD) (EE) “REPRODUCTIVE OR SEXUA L HEALTH FACILITY ” MEANS A
HEALTH CARE FACILITY WHERE NOT LESS THAN 70% OF SERVICES OFFERED ARE
REPRODUCTIVE OR SEXUA L HEALTH CARE SERVIC ES.
(EE) (FF) (1) “SALE OF PERSONAL DATA ” MEANS THE EXCHANGE O F
PERSONAL DATA BY A C ONTROLLER , A PROCESSOR , OR AN AFFILIATE OF A
CONTROLLER OR PROCES SOR TO A THIRD PARTY FOR MONETARY OR OTHER
VALUABLE CONSIDERATION .
(2) “SALE OF PERSONAL DATA ” DOES NOT INCLUDE :
(I) THE DISCLOSURE OF PER SONAL DATA TO A PROC ESSOR
THAT PROCESSES PERSO NAL DATA ON BEHALF O F A CONTROLLER IF LI MITED TO
THE PURPOSES OF THE PROCESSING;
(II) THE DISCLOSURE OF PER SONAL DATA TO A THIRD PART Y
FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE AFFIRMATIVELY
REQUESTED BY THE CON SUMER;
(III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO AN
AFFILIATE OF THE CON TROLLER FOR THE PURPOSE OF P ROVIDING A PRODUCT O R
SERVICE AFFIRMAT IVELY REQUESTED BY T HE CONSUMER ;
(IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE
CONSUMER :
1. DIRECTS THE CONTROLLE R TO DISCLOSE THE
PERSONAL DATA ; OR
2. INTENTIONALLY USES TH E CONTROLLER TO
INTERACT WITH A THIR D PARTY;
WES MOORE, Governor Ch. 454
– 11 –
(V) THE DISCLOSURE OF PERSONAL DATA THA T THE
CONSUMER :
1. INTENTIONALLY MADE AV AILABLE TO THE GENER AL
PUBLIC THROUGH A CHA NNEL OF MASS MEDIA ; AND
2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE ; OR
(VI) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A
THIRD PARTY AS AN ASSET THAT IS PAR T OF AN ACTUAL OR PR OPOSED MERGER ,
ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION WHERE THE THIRD PART Y
ASSUMES CONTROL OF A LL OR PART OF THE CO NTROLLER’S ASSETS.
(FF) (GG) “SENSITIVE DATA” MEANS PERSONAL DATA THAT INCLUDES :
(1) DATA REVEALING:
(I) RACIAL OR ETHNIC ORIG IN;
(II) RELIGIOUS BELIEFS ;
(III) CONSUMER HEALTH DATA ;
(IV) SEX LIFE;
(V) SEXUAL ORIENTATION ;
(VI) STATUS AS TRANSGENDER OR NONBINARY ;
(VII) NATIONAL ORIGIN ; OR
(VIII) CITIZENSHIP OR IMMIGRATION STATUS ;
(2) GENETIC DATA OR BIOME TRIC DATA;
(3) PERSONAL DATA OF A CO NSUMER THAT THE CONT ROLLER KNOWS
OR HAS REASON TO KNO W IS A CHILD; OR
(4) PRECISE GEOLOCATION D ATA.
(GG) (HH) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING
ADVERTISEMENTS TO A CONSUMER OR ON A DEV ICE IDENTIFIED BY A UNIQUE
IDENTIFIER, WHERE THE ADVERTISEM ENT IS SELECTED BASE D ON PERSONAL DATA
OBTAINED OR INFERRED FROM THE CONSUMER ’S ACTIVITIES OVER TI ME AND Ch. 454 2024 LAWS OF MARYLAND
– 12 –
ACROSS NONAFFILIATED WEBSITES OR ONLINE A PPLICATIONS THAT ARE
UNAFFILIATED WITH EA CH OTHER, IN ORDER TO PREDICT THE CONSUMER ’S
PREFERENCES OR INTER ESTS.
(2) “TARGETED ADVERTISING ” DOES NOT INCLUDE :
(I) ADVERTISEMENTS BASED ON THE CONTEXT IN WHICH THE
ADVERTISEM ENT APPEARS AND DOES NOT VARY BASED ON WH O IS VIEWING THE
ADVERTISEMENT OF A CONSUMER ’S CURRENT SEARCH QUE RY, VISIT TO A WEBSITE,
OR ONLINE APPLICATIO N;
(II) ADVERTISEMENTS BASED ON A CONSUMER ’S ACTIVITIES
WITHIN A CONTROLLER ’S WEBSITES OR ONLINE APPLICATIONS;
(III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN
RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR
(IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR
REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH.
(HH) (II) “THIRD PARTY” MEANS A PERSON OTHER THAN THE RELEVANT
CONSUMER , CONTROLLER , PROCESSOR, OR AFFILIATE OF THE CONTROLLER OR
PROCESSOR OF RELEVAN T PERSONAL DATA .
(II) (JJ) (1) “TRADE SECRET” MEANS INFORMATION TH AT:
(I) DERIVES INDEPENDENT E CONOMIC VALUE , ACTUAL OR
POTENTIAL, FROM NOT BEING GENER ALLY KNOWN TO , AND NOT BEING READIL Y
ASCERTAINABLE BY PRO PER MEANS BY , OTHER PERSONS WHO CO ULD OBTAIN
ECONOMIC VALUE FROM THE INFORMATION ’S DISCLOSURE OR USE ; AND
(II) IS THE SUBJECT OF EFF ORTS THAT ARE REASON ABLE
UNDER THE CIRCUMSTAN CES TO MAINTAIN THE SECRECY OF THE INFOR MATION.
(2) “TRADE SECRET ” INCLUDES A FORMULA , PATTERN,
COMPILATION , PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS HAS THE
MEANING STATED IN § 11–1201 OF THIS ARTICLE.
(KK) “TRANSFER” MEANS TO DISCLOSE , RELEASE, DISSEMINATE, MAKE
AVAILABLE, LICENSE, RENT, OR SHARE PERSONAL DA TA ORALLY, IN WRITING,
ELECTRONICALLY , OR BY ANY OTHER MEAN S.
14–4602. WES MOORE, Governor Ch. 454
– 13 –
THIS SUBTITLE APPLIES TO A PERSON THAT CONDUCTS BUSINESS IN THE
STATE OR PROVIDES PRO DUCTS OR SERVICES THAT A RE TARGETED TO RESID ENTS
OF THE STATE, AND THAT DURING THE PRECEDING CALENDAR Y EAR DID ANY OF
THE FOLLOWING :
(1) CONDUCTS BUSINESS IN THE STATE; OR
(2) (I) PRODUCES SERVICES OR PRODUCTS THAT ARE TA RGETED
TO RESIDENTS OF THE STATE; AND
(II) DURING THE IMMEDIATEL Y PRECEDING CALENDAR YEAR:
1. (1) CONTROLLED OR PROCESS ED THE PERSONAL DATA
OF AT LEAST 35,000 CONSUMERS , EXCLUDING PERSONAL D ATA CONTROLLED OR
PROCESSED SOLELY FOR THE PURPOSE OF COMPL ETING A PAYMENT TRAN SACTION;
OR
2. (2) CONTROLLED OR PROCESS ED THE PERSONAL DATA
OF AT LEAST 10,000 CONSUMERS AND DERIVE D MORE THAN 20% OF ITS GROSS
REVENUE FROM THE SAL E OF PERSONAL DATA .
14–4603.
(A) THIS SUBTITLE DOES NO T APPLY TO:
(1) A REGULATORY , ADMINISTRATIVE , ADVISORY, EXECUTIVE,
APPOINTIVE, LEGISLATIVE, OR JUDICIAL BODY OR INSTRUMENTALITY OF THE
STATE, INCLUDING A BOARD , BUREAU, COMMISSION, OR UNIT OF THE STATE OR A
POLITICAL SUBDIVISIO N OF THE STATE;
(2) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED
UNDER § 15 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934 OR A
REGISTERED FUTURES A SSOCIATION DESIGNATE D IN ACCORDANCE WITH § 17 OF
THE FEDERAL COMMODITY EXCHANGE ACT; OR
(3) A FINANCIAL INSTITUTIO N OR, AN AFFILIATE OF A F INANCIAL
INSTITUTION, OR DATA THAT IS SUBJECT TO TITLE V OF THE FEDERAL
GRAMM–LEACH–BLILEY ACT AND REGULATIONS A DOPTED UNDER THAT AC T; OR
(4) A NONPROFIT CONTROLLER THAT PROCESSES OR SH ARES
PERSONAL DATA SOLELY FOR THE PURPOSES OF ASSISTING:
Ch. 454 2024 LAWS OF MARYLAND
– 14 –
(I) LAW ENFORCEMENT AGENC IES IN INVESTIGATING
CRIMINAL OR FRAUDULE NT ACTS RELATING TO INSURANCE; OR
(II) FIRST RESPONDERS IN R ESPONDING TO CATASTR OPHIC
EVENTS.
(B) THE FOLLOWING INFORMA TION AND DATA ARE EX EMPT FROM THIS
SUBTITLE:
(1) PROTECTED HEALTH INFORMATION UNDER HIPAA;
(2) PATIENT–IDENTIFYING INFORMAT ION FOR PURPOSES OF 42
U.S.C. § 290DD–2;
(3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR
PURPOSES OF THE FEDE RAL POLICY FOR THE P ROTECTION OF HUMAN S UBJECTS IN
ACCORDANCE WITH 45 C.F.R. § 46;
(4) IDENTIFIABLE PRIVATE INFORMATION TO THE E XTENT THAT IT IS
COLLECTED AND USED A S PART OF HUMAN SUBJ ECTS RESEARCH IN ACC ORDANCE
WITH THE ICH 36 GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS
FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN
SUBJECTS UNDER 21 C.F.R. §§ 50 AND 56;
(5) PATIENT SAFETY WORK P RODUCT THAT IS CREAT ED AND USED
FOR PURPOSES OF PATI ENT SAFETY IMPROVEME NT IN ACCORDANCE WIT H 42
C.F.R. § 3, ESTABLISHED IN ACCORDANCE W ITH 42 U.S.C. §§ 299B–21 THROUGH
299B–26;
(6) (I) INFORMATION TO THE EX TENT IT IS USED FOR PUBLIC
HEALTH, COMMUNITY HEALTH , OR POPULATION HEALTH ACTIVITIES AND
PURPOSES, AS AUTHORIZED BY HIPAA, WHEN PROVIDED BY OR TO A COVERED
ENTITY OR WHEN PROVIDED BY OR TO A BUSINESS ASS OCIATE IN ACCORDANCE WITH
THE BUSINESS ASSOCIA TE AGREEMENT WITH A COVERED ENTITY ; AND
(II) INFORMATION COLLECTED , USED, OR DISCLOSED BY AN
ENTITY IF:
1. THE ENTITY IS A COVER ED ENTITY OR BUSINES S
ASSOCIATE UNDER HIPAA BECAUSE IT COLLECTS , USES, OR DISCLOSES
PROTECTED HEALTH INF ORMATION; AND
WES MOORE, Governor Ch. 454
– 15 –
2. THE ENTITY APPLIES TH E SAME FEDERAL AND STATE
STANDARDS FOR THE CO LLECTION, USE, AND DISCLOSURE OF IN FORMATION AS
PROVIDED TO PROTECTE D HEALTH INFORMATION UNDER HIPAA AND LEGALLY
PROTECTED HEALTH CAR E UNDER § 4–301 OF THE HEALTH – GENERAL ARTICLE
FOR INFORMATION THAT :
A. IS CONSIDERED A MEDIC AL RECORD UNDER § 4–301
OF THE HEALTH – GENERAL ARTICLE; AND
B. IS NOT CONSIDERED PRO TECTED HEALTH
INFORMATION UND ER HIPAA;
(II) INFORMATION THAT IS A MEDICAL RECORD UNDER § 4–301
OF THE HEALTH – GENERAL ARTICLE IF:
1. THE INFORMATION IS HE LD BY AN ENTITY THAT IS A
COVERED ENTITY OR BU SINESS ASSOCIATE UND ER HIPAA BECAUSE IT COLLECTS ,
USES, OR DISCLOSES PROTE CTED HEALTH INFORMAT ION; AND
2. THE ENTITY APPLIES TH E SAME STANDARDS FOR THE
COLLECTION, USE, AND DISCLOSURE OF TH E INFORMATION AS REQ UIRED FOR
PROTECTED HEALTH INF ORMATION UNDER HIPAA AND MEDICAL RECORDS UNDER
§ 4–301 OF THE HEALTH – GENERAL ARTICLE, INCLUDING SPECIFIC S TANDARDS
REGARDING LEGALLY PR OTECTED HEALTH CARE ; AND
(III) INFORMATION THAT IS D E–IDENTIFIED IN ACCORD ANCE
WITH THE REQUIREMENT S FOR DE–IDENTIFICATION SET F ORTH IN 45 C.F.R.
164.514 THAT IS DERIVED FROM INDIVIDUALLY IDENTI FIABLE HEALTH
INFORMATION AS DESCR IBED IN HIPAA OR PERSONAL INFORMAT ION CONSISTENT
WITH THE HUMAN SUBJE CT PROTECTION REQUIR EMENTS OF THE U.S. FOOD AND
DRUG ADMINISTRATION ;
(7) THE COLLECTION , MAINTENANCE , DISCLOSURE, SALE,
COMMUNICATION , OR USE OF PERS ONAL INFORMATION BEA RING ON A CONSUMER ’S
CREDITWORTHINESS , CREDIT STANDING , CREDIT CAPACITY , CHARACTER , GENERAL
REPUTATION, PERSONAL CHARACTERIS TICS, OR MODE OF LIVING BY A CONSUMER
REPORTING AGENCY , FURNISHER, OR USER THAT PROVIDE S INFORMATION FOR US E
IN A CONSUMER REPORT , AND BY A USER OF A C ONSUMER REPORT , BUT ONLY TO
THE EXTENT THAT THE ACTIVITY IS REGULATE D BY AND AUTHORIZED UNDER THE
FEDERAL FAIR CREDIT REPORTING ACT;
(8) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
IN COMPLIANCE WITH T HE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994;
Ch. 454 2024 LAWS OF MARYLAND
– 16 –
(9) PERSONAL DATA REGULAT ED BY THE FEDERAL FAMILY
EDUCATIONAL RIGHTS AND PRIVACY ACT;
(10) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
IN COMPLIANCE WITH T HE FEDERAL FARM CREDIT ACT;
(11) DATA PROCESSED OR MAI NTAINED:
(I) IN THE COURSE OF AN I NDIVIDUAL APPLYING T O,
EMPLOYED BY , OR ACTING AS AN AGEN T OR INDEPENDENT CON TRACTOR OF A
CONTROLLER , PROCESSOR, OR THIRD PARTY , TO THE EXTENT THAT T HE DATA IS
COLLECTED AND USED W ITHIN THE CONTEXT OF THE ROLE ;
(II) AS THE EMERGENCY CONT ACT INFORMATION OF A
CONSUMER IF THE DATA IS USED FOR EMERGENC Y CONTACT PURPOSES ; OR
(III) THAT IS:
1. NECESSARY TO RETAIN T O ADMINISTER BENEFIT S
FOR ANOTHER INDIVIDU AL RELATING TO THE C ONSUMER WH O IS THE SUBJECT OF
THE INFORMATION UNDE R ITEM (I) OF THIS ITEM; AND
2. USED FOR THE PURPOSES OF ADMINISTERING THE
BENEFITS; AND
(12) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
IN RELATION TO PRICE , ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO THE
FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THI S SUBTITLE IS
PREEMPTED BY THE FED ERAL AIRLINE DEREGULATION ACT; AND
(13) PERSONAL DATA COLLECT ED BY OR ON BEHALF O F A PERSON
REGULATED UNDER THE INSURANCE ARTICLE OR AN AFFILIA TE OF SUCH A PERSON,
IN FURTHERANCE OF TH E BUSINESS OF INSURA NCE.
(C) CONTROLLERS AND PROCE SSORS THAT COMPLY WI TH THE VERIFIABLE
PARENTAL CONSENT REQ UIREMENTS OF COPPA SHALL BE CONSIDERED
COMPLIANT WITH AN OB LIGATION TO OBTAIN P ARENTAL CONSENT IN A CCORDANCE
WITH THIS SUBTITLE WITH RESP ECT TO A CONSUMER WH O IS A CHILD.
14–4604.
A PERSON MAY NOT :
WES MOORE, Governor Ch. 454
– 17 –
(1) PROVIDE AN EMPLOYEE O R CONTRACTOR ACCESS TO CONSUMER
HEALTH DATA UNLESS THE:
(I) THE EMPLOYEE OR CONTRACT OR IS SUBJECT TO A
CONTRACTUAL OR STATU TORY DUTY OF CONFIDE NTIALITY; OR
(II) CONFIDENTIALITY IS RE QUIRED AS A CONDITIO N OF
EMPLOYMENT OF THE EM PLOYEE;
(2) PROVIDE A PROCESSOR A CCESS TO CONSUMER HE ALTH DATA
UNLESS THE PERSON PR OVIDING ACCESS TO THE CONSUMER HEALTH DATA AND
THE PROCESSOR COMPLY WITH § 14–4607 14–4608 OF THIS SUBTITLE; OR
(3) USE A GEOFENCE :
(I) TO IDENTIFY, TRACK, COLLECT DATA FROM , OR SEND A
NOTIFICATION TO A CO NSUMER REGARDING THE CONSUMER ’S CONSUMER HEALTH
DATA; AND
(II) WITHIN 1,750 FEET OF A MENTAL HEA LTH FACILITY OR
REPRODUCTIVE OR SEXU AL HEALTH FACILITY ; OR
(4) SELL OR OFFER TO SELL CONSUMER HEALTH DATA WITHOUT THE
CONSENT OF THE CONSU MER WHOSE HEALTH DAT A IS TO BE SOLD OR O FFERED TO
BE SOLD TO ESTABLISH A VIRTU AL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY
MENTAL HEALTH FACILI TY OR REPRODUCTIVE O R SEXUAL HEALTH FACI LITY FOR
THE PURPOSE OF IDENT IFYING, TRACKING, COLLECTING DATA FROM , OR SENDING
ANY NOTIFICATION TO A CONSUMER REGARDING THE CONS UMER’S CONSUMER
HEALTH DATA .
14–4605.
(A) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO REQUIRE A
CONTROLLER TO REVEAL A TRADE SECRET .
(B) A CONSUMER SHALL HAVE THE RIGHT TO:
(1) CONFIRM WHETHER A CON TROLLER IS PROCESSIN G THE
CONSUMER ’S PERSONAL DATA , UNLESS THAT CONFIRMA TION WOULD REQUIRE T HE
DISCLOSURE OF A TRAD E SECRET;
(2) IF A CONTROLLER IS PR OCESSING A CONSUMER ’S PERSONAL
DATA, ACCESS THE CONSUMER ’S PERSONAL DATA UNLESS THAT ACCESS W OULD
REQUIRE THE DISCLOSU RE OF A TRADE SECRET ; Ch. 454 2024 LAWS OF MARYLAND
– 18 –
(3) CONSIDERING THE NATUR E OF THE CONSUMER ’S PERSONAL
DATA AND THE PURPOSE S OF THE PROCESSING OF THE PERSONAL DATA , CORRECT
INACCURACIES IN THE CONSUMER ’S PERSONAL DATA ;
(4) REQUIRE A CONTROLLER TO DELETE PERSONAL D ATA PROVIDED
BY, OR OBTAINED ABOUT , THE CONSUMER UNLESS RETENTION OF THE PERSONAL
DATA IS REQUIRED BY LAW;
(5) IF THE PROCESSING OF PERSONAL DATA IS DON E BY AUTOMATIC
MEANS, OBTAIN A COPY OF THE CONSUMER ’S PERSONAL DATA PROC ESSED BY THE
CONTROLLER IN A PORT ABLE AND, TO THE EXTENT TECHNI CALLY FEASIBLE,
READILY USABLE FORMA T THAT ALLOWS THE CO NSUMER TO EASILY TRA NSMIT THE
DATA TO ANOTHER CONT ROLLER WITHOUT HINDR ANCE;
(6) OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH
THE CONTROLLER HAS D ISCLOSED THE CONSUME R’S PERSONAL DATA OR A LIST OF
THE CATEGORIES OF TH IRD PARTIES TO WHICH THE CONTROLLER HAS D ISCLOSED
ANY CONSUMER ’S PERSONAL DATA IF T HE CONTROLLER DOES N OT MAINTAIN THIS
INFORMATION IN A FOR MAT SPECIFIC TO THE CONSUMER ; AND
(7) OPT OUT OF THE PROCES SING OF PERSONAL DAT A FOR PURPOSES
OF:
(I) TARGETED ADVERTISING ;
(II) THE SALE OF PERSONAL DATA; OR
(III) PROFILING IN FURTHERA NCE OF SOLELY AUTOMA TED
DECISIONS THAT PRODU CE LEGAL OR SIMILARL Y SIGNIFICANT EFFECT S
CONCERNING THE CONSU MER.
(C) (1) A CONTROLLER SHALL ESTABLISH A SECURE A ND RELIABLE
METHOD FOR A CONSUME R TO EXERCISE A CONS UMER RIGHT UNDER THI S SECTION.
(2) A CONSUMER MAY EXERCIS E A CONSUMER RIGHT U NDER THIS
SECTION BY THE METHO D ESTABLISHED BY THE CONTROLLER UNDER PAR AGRAPH
(1) OF THIS SUBSECTION .
(D) (1) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT IN
ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCE SSING
OF THE CONSUMER ’S PERSONAL DATA UNDE R SUBSECTION (B)(7) OF THIS SECTION
ON BEHALF OF A CONSU MER. WES MOORE, Governor Ch. 454
– 19 –
(2) A PARENT OR LEGAL GUAR DIAN OF A CHILD MAY EX ERCISE A
CONSUMER RIGHT LISTE D IN SUBSECTION (B) OF THIS SECTION ON T HE CHILD’S
BEHALF REGARDING THE PROCESSING OF PERSON AL DATA.
(3) A GUARDIAN OR CONSERVA TOR OF A CONSUMER SU BJECT TO A
GUARDIANSHIP , CONSERVATORSHIP , OR OTHER PROTEC TIVE ARRANGEMENT MAY
EXERCISE A CONSUMER RIGHT LISTED IN SUBS ECTION (B) OF THIS SECTION ON T HE
CONSUMER ’S BEHALF REGARDING T HE PROCESSING OF PER SONAL DATA.
(E) (1) EXCEPT AS OTHERWISE P ROVIDED IN THIS SUBT ITLE, A
CONTROLLER SHALL COM PLY WITH A REQUEST B Y A CONSUMER TO EXERCI SE A
CONSUMER RIGHT LISTE D IN THIS SECTION.
(2) (I) A CONTROLLER SHALL RES POND TO A CONSUMER R EQUEST
NOT LATER THAN 45 DAYS AFTER THE CONTR OLLER RECEIVES THE C ONSUMER
REQUEST.
(II) A CONTROLLER MAY EXTEN D THE COMPLETION PER IOD BY
AN ADDITIONAL 45 DAYS IF:
1. IT IS REASONABLY NECE SSARY TO COMPLETE TH E
REQUEST BASED ON THE COMPLEXITY AND NUMBE R OF THE CONSUMER ’S
REQUESTS; AND
2. THE CONTROLLER INFORM S THE CONSUMER OF TH E
EXTENSION AND THE RE ASON FOR THE EXTENSI ON WITHIN T HE INITIAL 45–DAY
RESPONSE PERIOD .
(III) A CONTROLLER SHALL NOT IFY THE CONSUMER WIT HIN 30
DAYS AFTER COMPLYING WITH THE CONSUMER ’S REQUEST THAT THE C ONTROLLER
HAS COMPLIED WITH TH E CONSUMER ’S REQUEST.
(3) IF A CONTROLLER DECLI NES TO ACT REGARDING A CONSUMER ’S
REQUEST, THE CONTROLLER SHALL :
(I) INFORM THE CONSUMER W ITHOUT UNDUE DELAY , BUT NOT
LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST , OF THE JUSTIFICATION FOR
DECLINING TO ACT ; AND
(II) PROVIDE INSTRUCTIONS FOR HOW TO APPEAL TH E
DECISION.
Ch. 454 2024 LAWS OF MARYLAND
– 20 –
(4) (I) A CONTROLLER SHALL PRO VIDE INFORMATION TO A
CONSUMER IN RESPONSE TO A CONSUMER ’S REQUEST TO EXERCIS E RIGHTS UNDER
THIS SUBTITLE FREE O F CHARGE ONCE DURING ANY 12–MONTH PERIOD .
(II) IF REQUESTS FROM A CO NSUMER ARE MANIFESTL Y
UNFOUNDED , EXCESSIVE, TECHNICALLY INFEASIB LE, OR REPETITIVE , A
CONTROLLER MAY :
1. CHARGE THE CONSUMER A REASONABLE FEE TO
COVER THE ADMINISTRA TIVE COSTS OF COMPLY ING WITH THE REQUEST ; OR
2. DECLINE TO ACT ON THE REQUEST.
(III) THE CONTROLLER HAS TH E BURDEN OF DEMONSTRATING
THE MANIFESTLY UNFOU NDED, EXCESSIVE, TECHNICALLY INFEASIB LE, OR
REPETITIVE NATURE OF THE REQUEST .
(5) IF A CONTROLLER IS UN ABLE TO AUTHENTICATE A REQUEST TO
EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5)
OF THIS SECTION USING COMMER CIALLY REASONABLE EF FORTS, THE
CONTROLLER :
(I) MAY NOT BE REQUIRED T O COMPLY WITH A REQU EST TO
INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION; AND
(II) SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE
CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUE ST TO EXERCISE THE R IGHT
UNTIL THE CONSUMER P ROVIDES ADDITIONAL I NFORMATION REASONABL Y
NECESSARY TO AUTHENT ICATE THE CONSUMER A ND THE CONSUMER ’S REQUEST TO
EXERCISE THE CONSUME R’S RIGHTS.
(6) A CONTROLLER MAY NOT B E REQUIRED TO AUTHENTICATE AN
OPT–OUT REQUEST .
(7) A CONTROLLER THAT HAS OBTAINED PERSONAL DA TA ABOUT A
CONSUMER FROM A SOUR CE OTHER THAN THE CO NSUMER SHALL BE CONS IDERED
COMPLIANT WITH THE C ONSUMER’S REQUEST TO DELETE THE CONSUMER ’S DATA IN
ACCORDANCE WITH SUBS ECTION (B)(4) OF THIS SECTION BY R ETAINING A RECORD
OF THE DELETION REQU EST AND THE MINIMUM DATA NECESSARY FOR T HE
PURPOSE OF ENSURING THAT THE CONSUMER ’S PERSONAL DATA :
(I) REMAINS DELETED FROM THE CONTROLLER ’S RECORDS;
AND WES MOORE, Governor Ch. 454
– 21 –
(II) IS NOT BEING USED FOR ANY OTHER PURPOSE .
(F) (1) A CONTROLLER SHALL EST ABLISH A PROCESS FOR A CONSUMER
TO APPEAL THE CONTRO LLER’S REFUSAL TO ACT ON A CONSUMER RIGHTS RE QUEST
WITHIN A REASONABLE PERIOD AFTER THE CON SUMER RECEIVES THE D ECISION.
(2) THE APPEAL PROCESS SH ALL BE:
(I) CONSPICUOUSLY AVAILAB LE; AND
(II) SIMILAR TO THE PROCES S FOR SUBMITTING REQ UESTS TO
INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION.
(3) NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A
CONTROLLER SHALL INF ORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR
NOT TAKEN IN RESPONS E TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF
THE REASONS FOR THE DECISIONS.
(4) IF A CONTROLLER DENIE S AN APPEAL, THE CONTROLLER SHALL
PROVIDE THE CONSUMER WITH AN ONLINE MECHA NISM, IF AVAILABLE, THROUGH
WHICH THE CONSUMER M AY CONTACT THE DIVISION TO SUBMIT A COMPLAINT.
14–4606.
(A) (1) A CONSUMER MAY DESIGNA TE AN INDIVIDUAL TO SERVE AS THE
CONSUMER ’S AUTHORIZED AGENT A ND ACT ON THE CONSUM ER’S BEHALF TO OPT
OUT OF THE PROCESSIN G OF THE CONSUMER ’S PERSONAL DATA FOR ON E OR MORE
OF THE PURPOSES SPEC IFIED IN § 14–4605(B)(7) OF THIS SUBTITLE.
(2) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT BY AN
INTERNET LINK OR A BR OWSER SETTING , BROWSER EXTENSION , GLOBAL DEVICE
SETTING, OR OTHER SIMILAR TEC HNOLOGY, INDICATING A CONSUME R’S INTENT TO
OPT OUT OF THE PROCE SSING OF THE CONSUME R’S PERSONAL DATA .
(B) A CONTROLLER SHALL COM PLY WITH AN OPT–OUT REQUEST RECEIVED
FROM AN AUTHORIZED A GENT IF, USING COMMERCIALLY R EASONABLE EFFORTS ,
THE CONTROLLER IS AB LE TO AUTHENTICATE THE :
(1) IDENTITY OF THE CONSU MER; AND
(2) AUTHORIZED AGENT ’S AUTHORITY TO ACT O N THE CONSUMER ’S
BEHALF.
Ch. 454 2024 LAWS OF MARYLAND
– 22 –
14–4607.
(A) A CONTROLLER OR PROCESSOR MAY NOT:
(1) COLLECT PERSONAL DATA FOR THE SOLE PURPOSE OF CONTENT
PERSONALIZATION OR MARKETING WITHOUT TH E CONSENT OF THE CON SUMER
WHOSE PERSONAL DATA IS COLLECTED;
(2) (1) EXCEPT WHERE THE COLL ECTION OR PROCESSING IS
STRICTLY NECESSARY T O PROVIDE OR MAINTAI N A SPECIFIC PRODUCT OR SERVICE
REQUESTED BY THE CON SUMER TO WHOM THE PE RSONAL DATA PERTAINS AND
UNLESS THE CONTROLLE R OBTAINS THE CONSUM ER’S CONSENT , COLLECT,
PROCESS, OR SHARE SENSITIVE DATA CONCERNING A CONSUME R;
(3) (2) SELL SENSITIVE DATA ;
(4) (3) PROCESS PERSONAL DATA IN VIOLATION OF STATE OR
FEDERAL LAWS THAT PR OHIBIT UNLAWFUL DISC RIMINATION;
(5) (4) PROCESS THE PERSONAL DATA OF A CONSUMER F OR THE
PURPOSES O F TARGETED ADVERTISI NG IF THE CONTROLLER KNEW OR SHOULD
HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE
OF 18 YEARS;
(6) (5) SELL THE PERSONAL DAT A OF A CONSUMER WITHOUT THE
CONSUMER ’S CONSENT IF THE CONTROLLER KN EW OR SHOULD HAVE KN OWN THAT
THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS;
(7) (6) DISCRIMINATE AGAINST A CONSUMER FOR EXERC ISING A
CONSUMER RIGHT CONTA INED IN THIS SUBTITL E, INCLUDING DENYING GO ODS OR
SERVICES, CHARGING DIFFERENT P RICES OR RATES FOR G OODS OR SERVICES , OR
PROVIDING A DIFFEREN T LEVEL OF QUALITY O F GOODS OR SERVICES TO THE
CONSUMER ;
(8) (7) COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR
PUBLICLY AVAILABLE D ATA IN A MANNER THAT UNLAWFULL Y DISCRIMINATES IN O R
OTHERWISE UNLAWFULLY MAKES UNAVAILABLE TH E EQUAL ENJOYMENT OF GOODS
OR SERVICES ON THE B ASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN , SEX,
SEXUAL ORIENTATION , GENDER IDENTITY , OR DISABILITY , UNLESS THE
COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DA TA IS FOR:
(I) THE CONTROLLER ’S SELF–TESTING TO PREVENT O R
MITIGATE UNLAWFUL DI SCRIMINATION ; WES MOORE, Governor Ch. 454
– 23 –
(II) THE CONTROLLER ’S DIVERSIFYING OF AN APPLICANT,
PARTICIPANT, OR CUSTOMER POOL ; OR
(III) A PRIVATE CLUB OR GROU P NOT OPEN TO THE PUBLIC, AS
DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR
(9) (8) UNLESS THE CONTROLLER OBTAINS THE CONSUMER ’S
CONSENT, PROCESS PERSONAL DAT A FOR A PURPOSE THAT IS NEITHER
REASONABLY NECESSARY TO, NOR COMPATIBLE WITH , THE DISCLOSED PURPOS ES
FOR WHICH THE PERSON AL DATA IS PROCESSED , AS DISCLOSED TO THE CONSUMER .
(B) (1) A CONTROLLER OR PROCESSOR SHALL:
(I) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS
REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A
SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE
DATA PERTAINS ;
(II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE
ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO
PROTECT THE CONFIDEN TIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL
DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT
ISSUE; AND
(III) PROVIDE AN EFFECTIVE MECHANISM FOR A CONS UMER TO
REVOKE THE CONSUMER ’S CONSENT UNDER THIS SECTION THAT IS AT L EAST AS
EASY AS THE MECHANIS M BY WHICH THE CONSU MER PROVIDED T HE CONSUMER ’S
CONSENT.
(2) IF A CONSUMER REVOKES CONSENT UNDER THIS S ECTION, THE
CONTROLLER SHALL STO P PROCESSING THE CON SUMER’S PERSONAL DATA AS S OON
AS PRACTICABLE , BUT NOT LATER THAN 15 30 DAYS AFTER RECEIVING THE
REQUEST.
(C) NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE
CONSTRUED TO :
(1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE
THAT REQUIRES THE PE RSONAL DATA OF A CON SUMER THAT THE CONTR OLLER
DOES NOT COLLECT OR MAINTAIN; OR
(2) PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE ,
RATE, LEVEL, QUALITY, OR SELECTION OF GOOD S OR SERVICES TO A C ONSUMER, Ch. 454 2024 LAWS OF MARYLAND
– 24 –
INCLUDING OFFERING G OODS OR SERVICES FOR NO FEE, IF THE OFFERING IS I N
CONNECTION WITH A CO NSUMER’S VOLUNTARY PARTICIP ATION IN A BONA FIDE
LOYALTY, REWARDS, PREMIUM FEA TURES, DISCOUNTS, OR CLUB CARD PROGRAM
THAT DOES NOT :
(I) PROVIDE FOR THE TRANS FER OF PERSONAL DATA TO A
THIRD PARTY AS PART OF THE PROGRAM UNLES S:
1. THE TRANSFER IS FUNCT IONALLY NECESSARY TO
ENABLE THE THIRD PAR TY TO PROVIDE A BENE FIT TO WHICH T HE CONSUMER IS
ENTITLED;
2. THE TRANSFER OF PERSO NAL DATA TO THE THIR D
PARTY IS CLEARLY DIS CLOSED IN THE TERMS OF THE PROGRAM ; AND
3. THE THIRD PARTY USES THE PERSONAL DATA ON LY
FOR PURPOSES OF FACI LITATING A BENEFIT T O WHICH THE CONSUMER IS ENTITLED
AND DOES NOT PROCESS OR TRANSFER THE PERS ONAL DATA FOR ANY OT HER
PURPOSE; OR
(II) USE FINANCIAL INCENTI VE PRACTICES THAT AR E UNJUST,
UNREASONABLE , COERCIVE, OR USURIOUS IN NATUR E.
(3) A SALE OF PERSONAL DAT A MAY NOT BE CONSIDE RED
FUNCTIONALLY N ECESSARY TO PROVIDE A PROGRAM THAT MEETS THE
DESCRIPTION UNDER PA RAGRAPH (2)(I) OF THIS SUBSECTION , PROVIDED THAT THE
SELLING OF PERSONAL DATA IS NOT A CONDIT ION OF PARTICIPATION IN THE
PROGRAM.
(D) A CONTROLLER SHALL PRO VIDE A CONSUMER WITH A REASONABLY
ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVA CY NOTICE THAT INCLU DES:
(1) THE CATEGORIES OF PER SONAL DATA PROCESSED BY THE
CONTROLLER , INCLUDING SENSITIVE DATA;
(2) THE CONTROLLER ’S PURPOSE FOR PROCES SING PERSONAL DATA ;
(3) HOW A CONSUMER MAY EX ERCISE THE CONSUMER ’S RIGHTS
UNDER THIS SUBTITLE , INCLUDING HOW A CONS UMER MAY APPEAL A
CONTROLLER ’S DECISION REGARDING THE CONSUMER ’S REQUEST OR MAY REV OKE
CONSENT;
WES MOORE, Governor Ch. 454
– 25 –
(4) THE CATEGORIES OF THI RD PARTIES WITH WHIC H THE
CONTROLLER SHARES PE RSONAL DATA WITH A L EVEL OF DETAIL THAT ENA BLES A
CONSUMER TO UNDERSTA ND WHAT TYPE OF ENTITY EACH THIRD PARTY IS AND, TO
THE EXTENT POSSIBLE , HOW EACH THIRD PARTY MAY PROCESS THE PERS ONAL
DATA THE TYPE OF, BUSINESS MODEL OF, OR PROCESSING CONDUC TED BY THE
EACH THIRD PARTY;
(5) THE CATEGORIES OF PER SONAL DATA , INCLUDING SENSITIVE
DATA, THAT THE CONTROLLER SHARES WITH THIRD PA RTIES; AND
(6) AN ACTIVE E–MAIL ADDRESS OR OTHE R ONLINE MECHANISM
THAT A CONSUMER MAY USE TO CONTACT THE C ONTROLLER .
(E) (1) IF A CONTROLLER SELLS PERSONAL DATA TO THI RD PARTIES OR
PROCESSES PERSONAL D ATA FOR TARGETED ADV ERTISING OR FOR THE PURPOSES
OF PROFILING THE CON SUMER IN FURTHERANCE OF DECISIONS THAT PR ODUCE
LEGAL OR SIMILARLY S IGNIFICANT EFFECTS , THE CONTROLLER SHALL CLEARLY
AND CONSPICUOUSLY DI SCLOSE THE SALE OR PROCESSING, AS WELL AS THE
MANNER IN WHICH A CO NSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE
SALE OR PROCESSING.
(2) THE DISCLOSURE REQUIR ED UNDER PARAGRAPH (1) OF THIS
SUBSECTION SHALL BE PROMINENTLY DISPLA YED, AND USE CLEAR , EASY TO
UNDERSTAND , AND UNAMBIGUOUS LANG UAGE, TO STATE WHETHER THE
CONSUMER’S PERSONAL DATA WILL BE SOLD OR SHARED WI TH A THIRD PARTY .
(F) (1) THE PRIVACY NOTICE UN DER SUBSECTION (D) OF THIS SECTION
SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A
CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN
ACCORDANCE WITH THIS SUBTITLE THAT TAKE I NTO ACCOUNT :
(I) THE WAYS IN WHICH CON SUMERS NORMALLY INTE RACT
WITH THE CONTROLLER ;
(II) THE NEED FOR SECURE A ND RELIABLE COMMUNICATION
OF CONSUMER REQUESTS ; AND
(III) THE ABILITY OF THE CO NTROLLER TO VERIFY T HE
IDENTITY OF A CONSUM ER MAKING THE REQUES T.
(2) (I) A CONTROLLER MAY NOT R EQUIRE A CONSUMER TO
CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT .
Ch. 454 2024 LAWS OF MARYLAND
– 26 –
(II) A CONTROLLER MAY REQUI RE A CONSUMER TO USE AN
EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT.
(3) A CONTROLLER MAY UTILI ZE THE FOLLOWING MET HODS TO
SATISFY PARAGRAPH (1) OF THIS SUBSECTION :
(I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE
CONTROLLER’S WEBSITE TO A WEBPA GE THAT ALLOWS A CON SUMER, OR AN
AUTHORIZED AGENT OF THE CONSUMER , TO OPT OUT OF THE TA RGETED
ADVERTISING OR THE S ALE OF THE CONSUMER ’S PERSONAL DATA ; OR
(II) ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER
TO OPT OUT OF ANY PROCESSING OF TH E CONSUMER ’S PERSONAL DATA FOR THE
PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSO NAL DATA,
THROUGH AN OPT –OUT PREFERENCE SIGNA L SENT, WITH THE CONSUMER ’S
CONSENT, BY A PLATFORM , TECHNOLOGY , OR MECHANISM TO THE CONTROLLER
INDICATING THE CONSUMER ’S INTENT TO OPT OUT OF THE PROCESSING OR SALE.
(4) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN
ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION S HALL:
(I) BE CONSUMER –FRIENDLY AND EASY TO USE BY THE
AVERAGE CONSUMER ;
(II) USE CLEAR, EASY TO UNDERSTAND , AND UNAMBIGUOUS
LANGUAGE;
(III) BE AS CONSISTENT AS P OSSIBLE WITH ANY OTH ER SIMILAR
PLATFORM, TECHNOLOGY , OR MECHANISM REQUIRE D BY ANY FEDERAL OR STATE
LAW OR REGULATION ;
(IV) ENABLE THE CONTROLLER TO REASONABLY DETERM INE
WHETHER THE CONSUMER :
1. IS A RESIDENT OF THE STATE; AND
2. HAS MADE A LEGITIMATE REQUEST TO OPT OUT O F
ANY SALE OF THE CONS UMER’S PERSONAL DATA OR T ARGETED ADVERTISING ; AND
(V) REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE ,
UNAMBIGUOUS , AND VOL UNTARY CHOICE IN ORD ER TO OPT OUT OF ANY
PROCESSING OF THE CO NSUMER’S PERSONAL DATA .
WES MOORE, Governor Ch. 454
– 27 –
(5) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN
ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION M AY NOT:
(I) UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER ; OR
(II) USE A DEFAULT SETTING TO OPT A CONSUMER OU T OF ANY
PROCESSING OF THE CO NSUMER’S PERSONAL DATA .
(G) (1) IF A CONSUMER ’S DECISION TO OPT OU T OF THE PROCESSING OF
THE CONSUMER ’S PERSONAL DATA FOR THE PURPOSES OF TARG ETED
ADVERTISING, OR THE SALE OF PERSO NAL DATA THROUGH AN OP T–OUT
PREFERENCE SIGNAL SE NT IN ACCORDANCE WIT H SUBSECTION (F)(3) OF THIS
SECTION CONFLICTS WI TH THE CONSUMER ’S EXISTING CONTROLLE R–SPECIFIC
PRIVACY SETTING OR T HE CONSUMER ’S VOLUNTARY PARTICIP ATION IN A
CONTROLLER ’S BONA FIDE LOYALTY , REWARDS, PREMIUM FEATURES , DISCOUNTS,
OR CLUB CARD PROGRAM , THE CONTROLLER MAY N OTIFY THE CONSUMER O F A
CONFLICT AND PROVIDE THE CHOICE TO CONFIR M CONTROLLER –SPECIFIC
PRIVACY SETTINGS OR PARTICIPATION IN A P ROGRAM LISTED IN THI S PARAGRAPH .
(2) A CONTROL LER THAT RECOGNIZES SIGNALS APPROVED BY
OTHER STATES SHALL B E CONSIDERED IN COMP LIANCE WITH THIS SEC TION.
14–4608.
(A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE
PERSONAL DATA OF CON SUMERS, THE CONTROLLER AND T HE PROCESSOR SHALL
ENTER INTO A C ONTRACT THAT GOVERNS THE PROCESSOR ’S DATA PROCESSING
PROCEDURES WITH RESP ECT TO PROCESSING PE RFORMED ON BEHALF OF THE
CONTROLLER .
(2) THE CONTRACT SHALL BE BINDING AND CLEARLY SET FORTH
INSTRUCTIONS FOR :
(I) PROCESSING INSTRUCTIONS FOR PROC ESSING DATA;
(II) THE NATURE AND PURPOS E OF PROCESSING ;
(III) THE TYPE OF DATA SUBJ ECT TO PROCESSING ;
(IV) THE DURATION OF PROCE SSING; AND
(V) THE RIGHTS AND OBLIGA TIONS OF BOTH PARTIE S.
(3) THE CONTRACT SHALL RE QUIRE THAT THE PROCE SSOR: Ch. 454 2024 LAWS OF MARYLAND
– 28 –
(I) ENSURE THAT EACH PERS ON PROCESSING PERSON AL DATA
IS SUBJECT TO A DUTY OF CONFIDENTIALITY W ITH RESPECT TO THE P ERSONAL
DATA;
(II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE
ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO
PROTECT THE CONFIDENTIALITY , INTEGRITY, AND ACCESSIBILITY OF PERSONAL
DATA, CONSIDERING THE VOLU ME AND NATURE OF THE PERSONAL DATA ;
(III) STOP PROCESSING DATA ON REQUEST BY THE CO NTROLLER
MADE IN ACCORDANCE W ITH A CONSUMER ’S AUTHENTICATED REQU EST;
(IV) AT THE CONTROLLER ’S DIRECTION, DELETE OR RETURN
ALL PERSONAL DATA TO THE CONTROLLER AS RE QUESTED AT THE END O F THE
PROVISION OF SERVICE , UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED
BY LAW;
(V) ON THE REASONABLE REQ UEST OF THE CONTROLL ER,
MAKE AVAILABLE TO THE CON TROLLER ALL INFORMAT ION IN THE PROCESSOR ’S
POSSESSION NECESSARY TO DEMONSTRATE THE P ROCESSOR’S COMPLIANCE WITH
THE OBLIGATIONS IN T HIS SUBTITLE;
(VI) AFTER PROVIDING THE C ONTROLLER AN OPPORTU NITY TO
OBJECT, ENGAGE A SUBCONTRACT OR TO ASSIST WITH PROCESSI NG PERSONAL DATA
ON THE CONTROLLER ’S BEHALF ONLY IN ACC ORDANCE WITH A WRITT EN CONTRACT
THAT REQUIRES THE SU BCONTRACTOR TO MEET THE PROCESSOR ’S OBLIGATIONS
REGARDING THE PERSON AL DATA UNDER THE PR OCESSOR’S CONTRACT WITH THE
CONTROLLER ; AND
(VII) ALLOW AND COOPERATE W ITH REASONABLE ASSES SMENTS
BY THE CONTROLLER , THE CONTROLLER ’S DESIGNATED ASSESSO R, OR A QUALIFIED
AND INDEPENDENT ASSE SSOR ARRANGED FOR BY THE PROCESSOR TO ASS ESS THE
PROCESSOR’S POLICIES AND TECHN ICAL AND ORGANIZATIO NAL MEASURES IN
SUPPORT OF THE OBLIG ATIONS UNDER THIS SU BTITLE.
(4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT
OF AN ASSESSMENT REQ UIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION T O THE
CONTROLLER .
(II) AN ASSESSMENT CONDUCT ED IN ACCORDANCE WIT H
PARAGRAPH (3)(V) OF THIS SUBSECTION S HALL BE CONDUCTED US ING AN WES MOORE, Governor Ch. 454
– 29 –
APPROPRIATE AND ACCE PTED CONTROL STANDAR D OR FRAMEWORK AND
ASSESSMENT PROCEDURE FOR THE ASSESSMENTS .
(B) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE
PERSONAL DATA OF CON SUMERS, THE CONTROLLER SHALL PRO VIDE THE
PROCESSOR WITH INSTR UCTIONS ON HOW TO PR OCESS PERSONAL DATA .
(2) A PROCESSOR SHALL :
(I) (1) ADHERE TO THE CONTRAC T AND INSTRUCTIONS O F A
CONTROLLER ;
(II) (2) ASSIST THE CONTROLLER IN MEETING THE
CONTROLLER ’S OBLIGATIONS UNDER TH IS SUBTITLE, INCLUDING, CONSIDERING
THE NATURE OF PROCESSING AND THE I NFORMATION AVAILABLE TO THE
PROCESSOR:
1. (I) BY APPROPRIATE TECHNI CAL AND ORGANIZATION AL
MEASURES AS MUCH AS REASONABLY PRACTICAB LE TO FULFILL THE
CONTROLLER ’S OBLIGATION TO RESPON D TO CONSUMER RIGHTS REQUESTS,
CONSIDERING THE NATU RE OF PROCESSING AND THE INFORMATION AVAI LABLE TO
THE PROCESSOR ; AND
2. (II) BY ASSISTING THE CONT ROLLER IN MEETING TH E
CONTROLLER ’S OBLIGATIONS IN REL ATION TO THE SECURIT Y OF PROCESSING THE
PERSONAL DATA AND IN RELATION TO THE NOTI FICATION OF A BREACH OF THE
SECURITY OF A SYSTEM , AS DEFINED IN § 14–3504 OF THIS TITLE; AND
(III) (3) PROVIDE NECESSARY INF ORMATION TO ENABLE T HE
CONTROLLER TO CONDUC T AND DOCUMENT DATA PROTECTION AS SESSMENTS.
(C) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO RELIEVE A
CONTROLLER OR A PROC ESSOR FROM THE LIABI LITIES IMPOSED ON TH E
CONTROLLER OR PROCES SOR BY VIRTUE OF THE CONTROLLER ’S OR PROCESSOR ’S
ROLE IN THE PROCESSI NG RELATIONSHIP IN A CCORDANCE WITH THIS SECTION.
(D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A
CONTROLLER OR A PROC ESSOR WITH RESPECT T O A SPECIFIC PROCESS ING OF DATA
IS A FACT–BASED DETERMINATION THAT DEPENDS ON THE CONTEXT IN WHICH
PERSONAL DATA IS BEI NG PROCESSED .
(2) A PERSON IS CONSIDERED TO BE A CONTROLLER I F THE PERSON:
Ch. 454 2024 LAWS OF MARYLAND
– 30 –
(I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPEC IFIC
PERSONAL DATA IN ACC ORDANCE WITH A CONTR OLLER’S INSTRUCTIONS ; OR
(II) FAILS TO ADHERE TO A CONTROLLER ’S INSTRUCTIONS
WITH RESPECT TO A SPECIFIC PROCES SING OF PERSONAL DAT A.
(3) A PROCESSOR THAT CONTI NUES TO ADHERE TO A CONTROLLER ’S
INSTRUCTIONS WITH RE SPECT TO A SPECIFIC PROCESSING OF PERSON AL DATA
REMAINS A PROCESSOR .
(4) IF A PROCESSOR OR THI RD PARTY BEGINS , ALONE OR JOINTLY
WITH OTHERS , DETERMINING THE PURP OSES AND MEANS OF TH E PROCESSING OF
PERSONAL DATA , THE PROCESSOR :
(I) IS A CONTROLLER WITH RESPECT TO THE PROCE SSING; AND
(II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION U NDER
THIS SUBTITLE.
(E) NOTHING IN THIS SECT ION MAY BE CONSTRUED TO ALTER A
CONTROLLER ’S OBLIGATION TO LIMI T A PERSON’S PROCESSING OF PERS ONAL DATA
OR TO TAKE STEPS TO ENSURE THAT A PROCES SOR ADHERES TO THE C ONTROLLER ’S
INSTRUCTIONS .
14–4609.
(A) IF A THIRD PARTY USES OR SHARES A CONSUMER ’S INFORMATION IN A
MANNER INCONSISTENT WITH PROMISES MADE T O THE CONSUMER AT TH E TIME OF
COLLECTION OF THE IN FORMATION, THE THIRD PARTY SHAL L PROVIDE AN
AFFECTED CONSUMER WI TH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE
IMPLEMENTING THE NEW OR CHANGED PRACTICE .
(B) THE NOTICE PROVIDED U NDER SUBSECTION (A) OF THIS SECTION
SHALL BE PROVIDED IN A MANNER AND AT A TI ME REASONABLY CALCUL ATED TO
ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE.
14–4610.
(A) IN THIS SECTION , “PROCESSING ACTIVITIE S THAT PRESENT A
HEIGHTENED RISK OF H ARM TO A CONSUMER ” MEANS:
(1) THE PROCESSING OF PER SONAL DATA FOR THE P URPOSES OF
TARGETED ADVERTISING ; WES MOORE, Governor Ch. 454
– 31 –
(2) THE SALE OF PERSONAL DATA;
(3) THE PROCESSING OF SEN SITIVE DATA; AND
(4) THE PROCESSING OF PER SONAL DATA FOR THE PURPOSE S OF
PROFILING, IN WHICH THE PROFILI NG PRESENTS A REASON ABLY FORESEEABLE
RISK OF:
(I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATME NT OF A
CONSUMER ;
(II) HAVING AN UNLAWFUL DI SPARATE IMPACT ON A
CONSUMER ;
(III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJU RY TO A
CONSUMER ;
(IV) A PHYSICAL OR OTHER IN TRUSION ON THE SOLIT UDE OR
SECLUSION OR THE PRI VATE AFFAIRS OR CONC ERNS OF A CONSUMER I N WHICH THE
INTRUSION WOULD BE O FFENSIVE TO A REASON ABLE PERSON; OR
(V) OTHER SUBSTANTIAL INJ URY TO A CONSUMER .
(B) A CONTROLLER SHALL CON DUCT AND DOCUMENT , ON A REGULAR
BASIS, A DATA PROTECTION AS SESSMENT FOR EACH OF THE CONTROLLER ’S
PROCESSING ACTIVITIE S THAT PRESENT A HEI GHTENED RISK OF HARM TO A
CONSUMER , INCLUDING AN ASSESSM ENT FOR EACH ALGOR ITHM THAT IS USED .
(C) (1) A DATA PROTECTION ASSE SSMENT CONDUCTED IN ACCORDANCE
WITH THIS SECTION SH ALL IDENTIFY AND WEI GH THE BENEFITS THAT MAY FLOW
DIRECTLY AND INDIREC TLY FROM THE PROCESS ING TO THE CONTROLLE R, THE
CONSUMER , OTHER INTERESTED PAR TIES, AND THE PUBLIC AGAINS T:
(I) THE POTENTIAL RISKS T O THE RIGHTS OF THE CONSUMER
ASSOCIATED WITH THE PROCESSING AS MITIGA TED BY SAFEGUARDS TH AT MAY BE
EMPLOYED BY THE CONT ROLLER TO REDUCE THE SE RISKS; AND
(II) THE NECESSITY AND PRO PORTIONALITY OF PROC ESSING IN
RELATION TO THE STAT ED PURPOSE OF THE PR OCESSING.
(2) THE CONTROLLER SHALL FACTOR INTO A DATA P ROTECTION
ASSESSMENT :
Ch. 454 2024 LAWS OF MARYLAND
– 32 –
(I) THE USE OF DE–IDENTIFIED DATA ;
(II) THE REASONABLE EXPECT ATIONS OF CONSUMERS ;
(III) THE CONTEXT OF THE PR OCESSING; AND
(IV) THE RELATIONSHIP BETW EEN THE CONTROLLER A ND THE
CONSUMER WHOSE PERSO NAL DATA WILL BE PRO CESSED.
(D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MA KE
AVAILABLE TO THE DIVISION A DATA PROTE CTION ASSESSMENT THA T IS RELEVANT
TO AN INVESTIGATION CONDUC TED BY THE DIVISION.
(2) (I) THE DIVISION MAY EVALUATE A DATA PROTECTION
ASSESSMENT FOR COMPL IANCE WITH THE RESPO NSIBILITIES ESTABLIS HED IN THIS
SUBTITLE.
(II) A CONTROLLER ’S DATA PROTECTION AS SESSMENT MAY BE
USED IN AN ACTION TO ENFORCE THIS SUBTITL E.
(3) A DATA PROTECTION ASSE SSMENT IS CONFIDENTI AL AND IS
EXEMPT FROM DISCLOSU RE UNDER THE FEDERAL FREEDOM OF INFORMATION ACT
OR THE PUBLIC INFORMATION ACT.
(E) A SINGLE DATA PROTECTI ON ASSESSMENT MAY AD DRESS A
COMPARABLE SET OF PROCESSING OPERATION S THAT INCLUDE SIMIL AR
ACTIVITIES.
(F) IF A CONTROLLER CONDU CTS A DATA PROTECTIO N ASSESSMENT FOR
THE PURPOSE OF COMPL YING WITH ANOTHER AP PLICABLE LAW OR REGU LATION,
THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISF Y THE
REQUIREMENTS ESTABLISHE D IN THIS SECTION IF THE DATA PROTECTION
ASSESSMENT IS REASON ABLY SIMILAR IN SCOP E AND EFFECT TO THE DATA
PROTECTION ASSESSMEN T THAT WOULD OTHERWI SE BE CONDUCTED IN
ACCORDANCE WITH THIS SECTION.
(G) TO THE EXTENT THAT AN Y INFORMATION CONTAINED IN A DATA
PROTECTION ASSESSMEN T DISCLOSED TO THE DIVISION INCLUDES INF ORMATION
SUBJECT TO ATTORNEY –CLIENT PRIVILEGE OR WORK PRODUCT PROTECT ION, THE
DISCLOSURE MAY NOT C ONSTITUTE A WAIVER O F THAT PRIVILEGE OR PROTECTION.
(H) A DATA PROTECTION AS SESSMENT CONDUCTED U NDER THIS SECTION :
WES MOORE, Governor Ch. 454
– 33 –
(1) SHALL APPLY TO PROCES SING ACTIVITIES THAT OCCUR ON OR
AFTER OCTOBER 1, 2025; AND
(2) IS NOT REQUIRED FOR P ROCESSING ACTIVITIES THAT OCCUR
BEFORE OCTOBER 1, 2025.
14–4611.
(A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQU IRE A
CONTROLLER OR A PROC ESSOR TO:
(1) RE–IDENTIFY DE–IDENTIFIED DATA ;
(2) MAINTAIN DATA IN AN I DENTIFIABLE FORM ; OR
(3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA O R
TECHNOLOGY IN ORDER TO BE CAPABLE OF ASS OCIATING AN AUTHENTICATED
CONSUMER REQUEST WIT H PERSONAL DATA .
(B) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQUIRE A
CONTROLLER OR PROCES SOR TO COMPLY WITH A N AUTHENTICATED CONS UMER
RIGHTS REQUEST IF TH E CONTROLLER :
(1) IS NOT REASONABLY CAP ABLE OF ASSOCIATING THE REQU EST
WITH THE PERSONAL DA TA OR IT WOULD BE UN REASONABLY BURDENSOM E FOR THE
CONTROLLER TO ASSOCI ATE THE REQUEST WITH THE PERSONAL DATA ;
(2) DOES NOT USE THE PERS ONAL DATA TO RECOGNI ZE OR RESPOND
TO THE SPECIFIC CONS UMER WHO IS THE SUBJ ECT OF THE PERSONAL DATA OR
ASSOCIATE THE PERSON AL DATA WITH OTHER P ERSONAL DATA ABOUT T HE SAME
SPECIFIC CONSUMER ; AND
(3) DOES NOT SELL THE PER SONAL DATA TO A THIR D PARTY OR
OTHERWISE VOLUNTARIL Y DISCLOSE THE PERSO NAL DATA TO A THIRD PARTY
OTHER THAN A PROCESSOR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBT ITLE.
(C) (1) A CONTROLLER THAT DISC LOSES DE–IDENTIFIED DATA SHAL L:
(I) EXERCISE REASONABLE O VERSIGHT TO MONITOR
COMPLIANCE WITH ANY CONTRACTUAL COMMITME NTS TO WHICH THE
DE–IDENTIFIED DATA IS S UBJECT; AND
(II) TAKE APPROPRIATE STEP S TO ADDRESS ANY BRE ACHES OF
ANY CONTRACTUAL COMM ITMENTS. Ch. 454 2024 LAWS OF MARYLAND
– 34 –
(2) THE DETERMINATION OF WHETHER OVERSIGHT IS REASONABLE
AND WHETHER APPROPRI ATE STEPS WERE TAKEN IN ACCORDANCE WITH
PARAGRAPH (1) OF THIS SUBSECTION S HALL TAKE INTO ACCOUNT WHE THER THE
DISCLOSED DATA INCLU DES DATA THAT WOULD BE CONSIDERED SENSIT IVE DATA IF
THE DATA WERE RE –IDENTIFIED.
14–4612.
(A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO RESTRICT A
CONTROLLER ’S OR PROCESSOR ’S ABILITY TO:
(1) COMPLY WITH FEDERAL , STATE, OR LOCAL LAWS OR
REGULATIONS ;
(2) COMPLY WITH A CIVIL , CRIMINAL, OR REGULATORY INQUIR Y,
INVESTIGATION , SUBPOENA, OR SUMMONS BY A FEDE RAL, STATE, LOCAL, OR OTHER
GOVERNMENTAL AUTHORI TY;
(3) COOPERATE WITH LAW EN FORCEMENT AGENCIES CONCERNING
CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONA BLY AND
IN GOOD FAITH BELIEV ES MAY VIOLATE FEDER AL, STATE, OR LOCAL LAWS OR
REGULATIONS ;
(4) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR , OR DEFEND
A LEGAL CLAIM;
(5) PROVIDE A PRODUCT OR SERVICE S PECIFICALLY REQUESTE D BY
A CONSUMER ;
(6) PERFORM UNDER A CONTR ACT TO WHICH A CONSU MER IS A
PARTY, INCLUDING FULFILLING THE TERMS OF A WRITT EN WARRANTY ;
(7) TAKE STEPS AT THE REQ UEST OF A CONSUMER B EFORE
ENTERING INTO A CONT RACT;
(8) TAKE IMMEDIATE STEPS TO PROTECT AN INTERE ST THAT IS
ESSENTIAL FOR THE LI FE OR PHYSICAL SAFET Y OF A CONSUMER OR A NOTHER
INDIVIDUAL AND WHEN THE PROCESSING CANNO T BE MANIFESTLY BASE D ON
ANOTHER LEGAL BASIS ;
(9) PREVENT, DETECT, PROTECT AGAINST , INVESTIGATE,
PROSECUTE THOSE RESP ONSIBLE, OR OTHERWISE RESPOND TO A SECURITY WES MOORE, Governor Ch. 454
– 35 –
INCIDENT, IDENTITY THEFT , FRAUD, HARASSMENT , MALICIOUS OR DECEPTI VE
ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY ;
(10) PRESERVE THE INTEGR ITY OR SECURITY OF S YSTEMS; OR
(11) ASSIST ANOTHER CONTRO LLER, PROCESSOR, OR THIRD PARTY
WITH AN OBLIGATION U NDER THIS SUBTITLE .
(B) (1) THIS SUBSECTION DOES NOT APPLY TO AN OBLI GATION
REQUIRED UNDER § 14–4611 OF THIS SUBTITLE.
(2) AN OBLIGATION IM POSED ON A CONTROLLE R OR PROCESSOR
UNDER THIS SUBTITLE MAY NOT RESTRICT A C ONTROLLER ’S OR PROCESSOR ’S
ABILITY TO COLLECT , USE, OR RETAIN PERSONAL D ATA FOR INTERNAL USE TO:
(I) EFFECTUATE A PRODUCT RECALL;
(II) IDENTIFY AND REPAIR T ECHNICAL ERRORS THAT IMPAIR
EXISTING OR INTENDED FUNCTIONALITY ; OR
(III) PERFORM INTERNAL OPER ATIONS THAT ARE :
1. REASONABLY ALIGNED WI TH THE EXPECTATIONS OF
THE CONSUMER OR CAN BE REASONABLY ANTICI PATED BASED ON THE C ONSUMER’S
EXISTING RELATIONSHI P WITH THE CONT ROLLER; OR
2. OTHERWISE COMPATIBLE WITH PROCESSING DATA IN
FURTHERANCE OF :
A. THE PROVISION OF A PR ODUCT OR SERVICE
SPECIFICALLY REQUEST ED BY A CONSUMER ; OR
B. THE PERFORMANCE OF A CONTRACT TO WHICH TH E
CONSUMER IS A PARTY .
(C) (1) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROC ESSOR
UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CO NTROLLER
OR PROCESSOR WITH TH E SUBTITLE WOULD VIO LATE AN EVIDENTIARY PRIVILEGE
UNDER STATE LAW.
(2) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO PREVENT A
CONTROLLER OR PROCES SOR FROM PROVIDING P ERSONAL DATA CONCERN ING A
CONSUMER TO A PERSON COVERED BY AN EVIDEN TIARY PRIVILEGE UNDE R STATE
LAW AS PART OF A PRI VILEGED COMMUNICATIO N. Ch. 454 2024 LAWS OF MARYLAND
– 36 –
(D) (1) A CONTROLLER OR PROCES SOR THAT DISCLOSES P ERSONAL DATA
TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS
SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE IF THE PROCESS OR OR
THIRD–PARTY CONTROLLER THA T RECEIVES THE PERSO NAL DATA VIOLATES TH IS
SUBTITLE AND:
(I) AT THE TIME THE DISCLOS ING CONTROLLER OR
PROCESSOR DISCLOSED THE PERSONAL DATA , THE DISCLOSING CONTR OLLER OR
PROCESSOR DID NOT HA VE ACTUAL KNOWLEDGE THAT THE RECEIVING P ROCESSOR
OR THIRD–PARTY CONTROLLER WOU LD VIOLATE THIS SUBT ITLE; AND
(II) THE DISCLOSING CONTROLLE R WAS, AND REMAINED , IN
COMPLIANCE WITH ITS OBLIGATIONS AS THE D ISCLOSER OF THE PERS ONAL DATA.
(2) A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEI VES
PERSONAL DATA FROM A CONTROLLER OR PROCES SOR IN COMPLIANCE WI TH THIS
SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE FOR THE INDEPE NDENT
MISCONDUCT OF THE CO NTROLLER OR PROCESSO R FROM WHICH THE
THIRD–PARTY CONTROLLER OR PROCES SOR RECEIVED THE PER SONAL DATA.
(E) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO:
(1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR
THAT ADVERSELY AFFEC TS THE RIGHTS OR FRE EDOMS OF ANY PERSON , INCLUDING
THE RIGHTS OF A PERS ON TO FREEDOM OF SPEE CH OR FREEDOM OF THE PRESS AS
GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR
(2) APPLY TO A PERSON ’S PROCESSING OF PERS ONAL DATA DURING
THE PERSON’S PERSONAL OR HOUSEH OLD ACTIVITIES.
(F) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL D ATA IN
ACCORDANCE WITH AN E XEMPTION UNDER THIS SECTION, THE CONTROLLER OR
PROCESSOR SHALL DEMONSTRATE TH AT THE PROCESSING :
(1) QUALIFIES FOR AN EXEM PTION; AND
(2) COMPLIES WITH THE REQ UIREMENTS OF SUBSECT ION (G) OF THIS
SECTION.
(G) PERSONAL DATA PROCESS ED BY A CONTROLLER OR PROCESSOR IN
ACCORDANCE WITH THIS SECTION:
WES MOORE, Governor Ch. 454
– 37 –
(1) SHALL BE SUBJECT TO R EASONABLE ADMINISTRA TIVE,
TECHNICAL, AND PHYSICAL MEASURE S TO:
(I) PROTECT THE CONFIDENT IALITY, INTEGRITY, AND
ACCESSIBILITY OF THE PERSONAL DATA ; AND
(II) REDUCE REASONABLY FOR ESEEABLE RISKS OF HA RM TO
CONSUMERS RELATING T O THE COLLECTION , USE, OR RETENTION OF PERS ONAL
DATA; AND
(2) MAY BE PROCESSED TO T HE EXTENT THAT THE P ROCESSING IS:
(I) REASONABLY NECESSARY AND PROPORTI ONATE TO THE
PURPOSES LISTED IN T HIS SECTION; AND
(II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS
NECESSARY IN RELATIO N TO THE SPECIFIC PU RPOSES LISTED IN THI S SECTION.
(H) A PERSON THAT PROCESSE S PERSONAL DATA FOR A PURPOSE
EXPRESSLY IDENTIFIED IN THIS SECTION MAY NOT BE CONSIDERED A CONT ROLLER
SOLELY BASED ON THE PROCESSING OF PERSON AL DATA.
14–4613.
(A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION , A
VIOLATION OF THIS SU BTITLE IS:
(1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE WITHIN
THE MEANING OF TITLE 13 OF THIS ARTICLE; AND
(2) SUBJECT TO THE ENFORC EMENT AND PENALTY PR OVISIONS
CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE.
(B) THIS SECTION DOES NOT PREVENT A CONSUMER F ROM PURSUING ANY
OTHER REMEDY PROVIDED BY L AW.
14–4614.
(A) THIS SECTION APPLIES TO AN ENFORCEMENT AC TION UNDER § 14–4613
OF THIS SUBTITLE FOR AN ALLEGED VIOLATION THAT OCCURS ON OR BE FORE APRIL
1, 2027.
Ch. 454 2024 LAWS OF MARYLAND
– 38 –
(B) BEFORE INITIATING ANY ACTION UNDER § 14–4613 OF THIS SUBTITLE ,
THE DIVISION MAY ISSUE A NOTICE OF VIOLATION TO THE CONTROLLER OR
PROCESSOR IF THE DIVISION DETERMINES T HAT A CURE IS POSSIB LE.
(C) (1) IF THE DIVISION ISSUES A NOT ICE OF VIOLATION UND ER
SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PR OCESSOR SHALL HAVE
AT LEAST 60 DAYS TO CURE THE VIO LATION AFTER RECEIPT OF THE NOTICE.
(2) IF THE CONTROLLER OR PROCESSOR FAILS TO C URE THE
VIOLATION WITHIN THE TIME PERIOD SPECIFIE D BY THE DIVISION, THE DIVISION
MAY BRING AN ENFORCE MENT ACTION UNDER § 14–4613 OF THIS SUBTITLE.
(D) IN DETERMINING WHETHE R TO GRANT A CONTROL LER OR PROCESSOR
AN OPPORTUNITY TO CU RE AN ALLEGED VIOLAT ION, THE DIVISION MAY CONSIDER
THE FOLLOWING FACTOR S:
(1) THE NUMBER OF VIOLATI ONS;
(2) THE SIZE AND COMPLEXI TY OF THE CONTROLLER OR PROCESSOR;
(3) THE NATURE AND EXTENT OF THE CONTROLLER ’S OR
PROCESSOR’S PROCESSING ACTIVIT IES;
(4) THE LIKELIHOOD OF INJ URY TO THE PUBLIC ;
(5) THE SAFETY OF PERSONS OR PROPERTY ;
(6) WHETHER THE ALLEGED V IOLATION WAS LIKELY CAUSED BY
HUMAN OR TECHNICAL ERROR ; AND
(7) THE EXTENT TO WHICH T HE CONTROLLER OR PRO CESSOR HAS
VIOLATED THIS SUBTIT LE OR SIMILAR LAWS I N THE PAST.
SECTION 2. AND BE IT FURTHER ENACTED, That § 14 –4612 of the Commercial
Law Article, as enacted by Section 1 of this Act, shall be construed to apply only
prospectively and may not be applied or interpreted to have any effect on or application to
any personal data processing activities before April 1, 2025 2026.
SECTION 3. AND BE IT FURTHER ENACTED, That, if any provision of this Act or
the application thereof to any person or circumstance is held invalid for any reason in a
court of competent jurisdiction, the invalidity does not affect other provisions or any other
application of this Act that can be given effect without the invalid provision or application,
and for this purpose the provisions of this Act are declared severable.
WES MOORE, Governor Ch. 454
– 39 –
SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect
October 1, 2024 2025.
Approved by the Governor, May 9, 2024.