MD
Maryland Senate Bill SB541

Maryland 2024 Regular Session

Maryland Senate Bill SB541 Compare Versions

OldNewDifferences
1- WES MOORE, Governor Ch. 455
21
3-– 1 –
4-Chapter 455
5-(Senate Bill 541)
62
7-AN ACT concerning
3+EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
4+ [Brackets] indicate matter deleted from existing law.
5+ Underlining indicates amendments to bill.
6+ Strike out indicates matter stricken from the bill by amendment or deleted from the law by
7+amendment.
8+ Italics indicate opposite chamber/conference committee amendments.
9+ *sb0541*
810
9-Maryland Online Data Privacy Act of 2024
11+SENATE BILL 541
12+I3 (4lr1200)
13+ENROLLED BILL
14+— Finance/Economic Matters —
15+Introduced by Senators Gile, Hester, Augustine, Feldman, Beidle, and Ellis
1016
11-FOR the purpose of regulating the manner in which a controller or a processor in possession
12-of a consumer’s personal data may process the consumer’s personal data; authorizing
13-a consumer to exercise certain rights in regards to the consumer’s personal data;
14-requiring a controller of personal data to establish a method for a consumer to
15-exercise certain rights in regards to the consumer’s personal data; requiring a
16-controller to comply with a request by a consumer to exercise a certain right in a
17-certain manner, except under certain circumstances; authorizing a consumer to
18-designate an authorized agent to act on the consumer’s behalf to opt out of the
19-processing of the consumer’s personal data; requiring a controller to provide a
20-consumer with a certain privacy notice; requiring a controller that uses a processor
21-to process the personal data of consumers to enter into a contract with the processor
22-that governs the processor’s data processing procedures; requiring a controller to
23-conduct and document a data protection assessment for consumer data processing
24-activities that present a heightened risk of harm to a consumer; making a violation
25-of this Act an unfair, abusive, or deceptive trade practice that is subject to
26-enforcement and penalties under the Maryland Consumer Protection Act; and
27-generally relating to online data privacy.
17+Read and Examined by Proofreaders:
2818
29-BY repealing and reenacting, with amendments,
30- Article – Commercial Law
31-Section 13–301(14)(xl)
32- Annotated Code of Maryland
33- (2013 Replacement Volume and 2023 Supplement)
19+_______________________________________________
20+Proofreader.
21+_______________________________________________
22+Proofreader.
3423
35-BY repealing and reenacting, without amendments,
36- Article – Commercial Law
37-Section 13–301(14)(xli)
38- Annotated Code of Maryland
39- (2013 Replacement Volume and 2023 Supplement)
24+Sealed with the Great Seal and presented to the Governor, for his approval this
4025
41-BY adding to
42- Article – Commercial Law
43-Section 13–301(14)(xlii); and 14–4601 through 14–4613 14–4614 to be under the new
44-subtitle “Subtitle 46. Online Data Privacy Act”
45- Annotated Code of Maryland
46- (2013 Replacement Volume and 2023 Supplement)
26+_______ day of _______________ at ________________________ o’clock, ________M.
4727
48- SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
49-That the Laws of Maryland read as follows: Ch. 455 2024 LAWS OF MARYLAND
28+______________________________________________
29+President.
5030
51-– 2 –
31+CHAPTER ______
5232
53-Article – Commercial Law
33+AN ACT concerning 1
5434
55-13–301.
35+Maryland Online Data Privacy Act of 2024 2
5636
57- Unfair, abusive, or deceptive trade practices include any:
37+FOR the purpose of regulating the manner in which a controller or a processor in possession 3
38+of a consumer’s personal data may process the consumer’s personal data; authorizing 4
39+a consumer to exercise certain rights in regards to the consumer’s personal data; 5
40+requiring a controller of personal data to establish a method for a consumer to 6
41+exercise certain rights in regards to the consumer’s personal data; requiring a 7
42+controller to comply with a request by a consumer to exercise a certain right in a 8
43+certain manner, except under certain circumstances; authorizing a consumer to 9
44+designate an authorized agent to act on the consumer’s behalf to opt out of the 10
45+processing of the consumer’s personal data; requiring a controller to provide a 11
46+consumer with a certain privacy notice; requiring a controller that uses a processor 12
47+to process the personal data of consumers to enter into a contract with the processor 13
48+that governs the processor’s data processing procedures; requiring a controller to 14
49+conduct and document a data protection assessment for consumer data processing 15 2 SENATE BILL 541
5850
59- (14) Violation of a provision of:
6051
61- (xl) Title 14, Subtitle 13 of the Public Safety Article; [or]
52+activities that present a heightened risk of harm to a consumer; making a violation 1
53+of this Act an unfair, abusive, or deceptive trade practice that is subject to 2
54+enforcement and penalties under the Maryland Consumer Protection Act; and 3
55+generally relating to online data privacy. 4
6256
63- (xli) Title 14, Subtitle 45 of this article; or
57+BY repealing and reenacting, with amendments, 5
58+ Article – Commercial Law 6
59+Section 13–301(14)(xl) 7
60+ Annotated Code of Maryland 8
61+ (2013 Replacement Volume and 2023 Supplement) 9
6462
65- (XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR
63+BY repealing and reenacting, without amendments, 10
64+ Article – Commercial Law 11
65+Section 13–301(14)(xli) 12
66+ Annotated Code of Maryland 13
67+ (2013 Replacement Volume and 2023 Supplement) 14
6668
67-SUBTITLE 46. ONLINE DATA PRIVACY ACT.
69+BY adding to 15
70+ Article – Commercial Law 16
71+Section 13–301(14)(xlii); and 14–4601 through 14–4613 14–4614 to be under the new 17
72+subtitle “Subtitle 46. Online Data Privacy Act” 18
73+ Annotated Code of Maryland 19
74+ (2013 Replacement Volume and 2023 Supplement) 20
6875
69-14–4601.
76+ SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 21
77+That the Laws of Maryland read as follows: 22
7078
71- (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
72-INDICATED.
79+Article – Commercial Law 23
7380
74- (B) “AFFILIATE” MEANS A PERSON THAT , DIRECTLY OR INDIRECT LY
75-THROUGH ONE OR MORE INTERMED IARIES, CONTROLS, IS CONTROLLED BY , OR IS
76-UNDER COMMON CONTROL WITH ANOTHER PERSON , SUCH THAT THE PERSON :
81+13–301. 24
7782
78- (1) SHARES COMMON BRANDIN G WITH ANOTHER PERSO N; OR
83+ Unfair, abusive, or deceptive trade practices include any: 25
7984
80- (2) CONTROLS, IS CONTROLLED BY , OR IS UNDER COMMON C ONTROL
81-WITH ANOTHER P ERSON.
85+ (14) Violation of a provision of: 26
8286
83- (1) OWNS OR HAS THE POWER TO VOTE MORE THAN 50% OF THE
84-OUTSTANDING SHARES O F ANY VOTING CLASS O F THE OTHER PERSON ’S SECURITIES;
87+ (xl) Title 14, Subtitle 13 of the Public Safety Article; [or] 27
8588
86- (2) HAS THE POWER TO ELEC T OR INFLUENCE THE E LECTION OF A
87-MAJORITY OF THE DIRE CTORS, MEMBERS, OR MANAGERS OF THE O THER PERSON;
89+ (xli) Title 14, Subtitle 45 of this article; or 28
8890
89- (3) HAS THE POWER TO DIRE CT THE MANAGEMENT OF THE OTHER
90-PERSON; OR
91+ (XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR 29
9192
92- (4) IS SUBJECT TO THE OTH ER PERSON’S EXERCISE OF THE PO WERS
93-DESCRIBED IN ITEM (1), (2), OR (3) OF THIS SUBSECTION .
94- WES MOORE, Governor Ch. 455
93+SUBTITLE 46. ONLINE DATA PRIVACY ACT. 30
9594
96-– 3 –
97- (C) “AUTHENTICATE ” MEANS TO USE REASONA BLE MEANS TO DETERMI NE
98-THAT A REQUEST TO EX ERCISE A CONSUMER RI GHT IN ACCORDANCE WI TH §
99-14–4605 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF , A CONSUMER WHO
100-IS ENTITLED TO EXERC ISE THE CONSUMER RIG HT WITH RESPECT T O THE PERSONAL
101-DATA AT ISSUE.
95+14–4601. 31
96+ SENATE BILL 541 3
10297
103- (D) (1) “BIOMETRIC DATA ” MEANS DATA GENERATED BY AUTOMATIC
104-MEASUREMENTS OF THE BIOLOGICAL CHARACTER ISTICS OF A CONSUMER THAT CAN
105-BE USED TO UNIQUELY AUTHENTICATE A CONSU MER’S IDENTITY.
10698
107- (2) “BIOMETRIC DATA ” INCLUDES:
99+ (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 1
100+INDICATED. 2
108101
109- (I) A FINGERPRINT ;
102+ (B) “AFFILIATE” MEANS A PERSON THAT , DIRECTLY OR INDIRECT LY 3
103+THROUGH ONE OR MORE INTERMEDIARIES , CONTROLS, IS CONTROLLED BY , OR IS 4
104+UNDER COMMON CONTROL WITH ANOTHER PERSON , SUCH THAT THE PERSON : 5
110105
111- (II) A VOICE PRINT;
106+ (1) SHARES COMMON BRANDIN G WITH ANOTHER PERSO N; OR 6
112107
113- (III) AN EYE RETINA OR IRIS IMAGE; AND
108+ (2) CONTROLS, IS CONTROLLED B Y, OR IS UNDER COMMON C ONTROL 7
109+WITH ANOTHER PERSON . 8
114110
115- (IV) ANY OTHER UNIQUE BIOL OGICAL CHARACTERISTI CS THAT
116-CAN BE ARE CAN BE USED TO UNIQUELY AUT HENTICATE A CONSUMER ’S IDENTITY.
111+ (1) OWNS OR HAS THE POWER TO VOTE MORE THAN 50% OF THE 9
112+OUTSTANDING SHARES O F ANY VOTING CLASS O F THE OTHER PERSON ’S SECURITIES; 10
117113
118- (3) “BIOMETRIC DATA ” DOES NOT INCLUDE :
114+ (2) HAS THE POWER TO ELEC T OR INFLUENCE THE E LECTION OF A 11
115+MAJORITY OF THE DIRECTORS , MEMBERS, OR MANAGERS OF THE O THER PERSON ; 12
119116
120- (I) A DIGITAL OR PHYSICAL PHOTOGRAPH ;
117+ (3) HAS THE POWER TO DIRE CT THE MANAGEMENT OF THE OTHER 13
118+PERSON; OR 14
121119
122- (II) AN AUDIO OR VIDEO REC ORDING; OR
120+ (4) IS SUBJECT TO THE OTH ER PERSON’S EXERCISE OF THE PO WERS 15
121+DESCRIBED IN ITEM (1), (2), OR (3) OF THIS SUBSECTION . 16
123122
124- (III) ANY DATA GENERATED FR OM A DIGITAL OR PHYS ICAL
125-PHOTOGRAPH OR AN AUD IO OR VIDEO RECORDIN G, UNLESS THE DATA IS
126-GENERATED TO IDENTIF Y A SPECIFIC CONSUME R.
123+ (C) “AUTHENTICATE” MEANS TO USE REASONA BLE MEANS TO DETERMI NE 17
124+THAT A REQUEST TO EX ERCISE A CONSUMER RI GHT IN ACCORDANCE WI TH § 18
125+14–4605 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF , A CONSUMER WHO 19
126+IS ENTITLED TO EXERC ISE THE CONSUMER RIG HT WITH RESPECT TO T HE PERSONAL 20
127+DATA AT ISSUE. 21
127128
128- (E) “BUSINESS ASSOCIATE” HAS THE MEANING STAT ED IN HIPAA.
129+ (D) (1) “BIOMETRIC DATA ” MEANS DATA GENERATED BY AUTOMATIC 22
130+MEASUREMENTS OF THE BIOLOGICAL CHARACTER ISTICS OF A CONSUMER THAT CAN 23
131+BE USED TO UNIQUELY AUTHENTICATE A CONSU MER’S IDENTITY. 24
129132
130- (F) “CHILDHAS THE MEANING STAT ED IN COPPA.
133+ (2) “BIOMETRIC DATA INCLUDES: 25
131134
132- (G) (1) “CONSENT” MEANS A CLEAR AFFIRM ATIVE ACT SIGNIFYING A
133-CONSUMER ’S FREELY GIVEN , SPECIFIC, INFORMED, AND UNAMBIGUOUS
134-AGREEMENT TO ALLOW T HE PROCESSING OF PERSONAL DATA RELATI NG TO THE
135-CONSUMER FOR A PARTI CULAR PURPOSE .
135+ (I) A FINGERPRINT ; 26
136136
137- (2) “CONSENT” INCLUDES:
137+ (II) A VOICE PRINT; 27
138138
139- (I) A WRITTEN STATEMENT ;
140- Ch. 455 2024 LAWS OF MARYLAND
139+ (III) AN EYE RETINA OR IRIS IMAGE; AND 28
141140
142-– 4 –
143- (II) A WRITTEN STATEMENT BY ELECTRONIC MEANS ; OR
141+ (IV) ANY OTHER UNIQUE BIOL OGICAL CHARACTERISTI CS THAT 29
142+CAN BE ARE CAN BE USED TO UNIQUELY AUT HENTICATE A CONSUMER ’S IDENTITY. 30 4 SENATE BILL 541
144143
145- (III) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION .
146144
147- (3) “CONSENT” DOES NOT INCLUDE:
148145
149- (I) ACCEPTANCE OF A GENER AL OR BROAD TERMS OF USE OR
150-SIMILAR DOCUMENT THA T CONTAINS DESCRIPTI ONS OF PERSONAL DATA
151-PROCESSING ALONG WIT H OTHER UNRELATED IN FORMATION;
146+ (3) “BIOMETRIC DATA ” DOES NOT INCLUDE : 1
152147
153- (II) HOVERING OVER , MUTING, PAUSING, OR CLOSING A PIECE
154-OF CONTENT; OR
148+ (I) A DIGITAL OR PHYSICAL PHOTOGRAPH ; 2
155149
156- (III) AGREEMENT OBTAINED TH ROUGH THE USE OF DAR K
157-PATTERNS.
150+ (II) AN AUDIO OR VIDEO REC ORDING; OR 3
158151
159- (H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE
160-STATE.
152+ (III) ANY DATA GENERATED FR OM A DIGITAL OR PHYS ICAL 4
153+PHOTOGRAPH OR AN AUD IO OR VIDEO RECORDIN G, UNLESS THE DATA IS 5
154+GENERATED TO IDENTIF Y A SPECIFIC CONSUME R. 6
161155
162- (2) “CONSUMERDOES NOT INCLUDE :
156+ (E) “BUSINESS ASSOCIATEHAS THE MEANING STAT ED IN HIPAA. 7
163157
164- (I) AN INDIVIDUAL ACTING IN A COMMERCIAL OR
165-EMPLOYMENT CONTEXT ; OR
158+ (F) “CHILD” HAS THE MEANING STAT ED IN COPPA. 8
166159
167- (II) AN INDIVIDUAL ACTING AS AN EMPLOYEE, AN OWNER, A
168-DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP , A SOLE
169-PROPRIETORSHIP , A NONPROFIT ORGANIZA TION, OR A GOVERNMENTAL UN IT
170-WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR O NLY
171-WITHIN TH E CONTEXT OF THE IND IVIDUAL’S ROLE WITH THE COMP ANY,
172-PARTNERSHIP , SOLE PROPRIETORSHIP , NONPROFIT ORGANIZATI ON, OR
173-GOVERNMENTAL UNIT .
160+ (G) (1) “CONSENT” MEANS A CLEAR AFFIRM ATIVE ACT SIGNIFYING A 9
161+CONSUMER ’S FREELY GIVEN , SPECIFIC, INFORMED, AND UNAMBIGUOUS 10
162+AGREEMENT TO ALLOW T HE PROCESSING OF PER SONAL DATA RELATING T O THE 11
163+CONSUMER FOR A PARTI CULAR PURPOSE . 12
174164
175- (I) (1) “CONSUMER HEALTH DATA ” MEANS PERSONAL DATA THAT A
176-CONTROLLER USES TO I DENTIFY A CONSUMER ’S PHYSICAL OR MENTAL HEALTH
177-STATUS.
165+ (2) “CONSENT” INCLUDES: 13
178166
179- (2) “CONSUMER HEALTH DATA ” INCLUDES DATA RELATE D TO:
167+ (I) A WRITTEN STATEMENT ; 14
180168
181- (I) GENDER–AFFIRMING CARE TREATMENT ; OR
169+ (II) A WRITTEN STATEMENT BY ELECTRONIC MEANS ; OR 15
182170
183- (II) REPRODUCTIVE OR SEXUA L HEALTH CARE .
171+ (III) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION . 16
184172
185- (J) “CONTROL” MEANS:
186- WES MOORE, Governor Ch. 455
173+ (3) “CONSENT” DOES NOT INCLUDE : 17
187174
188-– 5 –
189- (1) OWNERSHIP OF OR THE P OWER TO VOTE MORE TH AN 50% OF THE
190-OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY O F A BUSINESS;
175+ (I) ACCEPTANCE OF A GENER AL OR BROAD TERMS OF USE OR 18
176+SIMILAR DOCUMENT THA T CONTAINS DESCRIPTI ONS OF PERSONAL DATA 19
177+PROCESSING ALONG WIT H OTHER UNRELATED IN FORMATION; 20
191178
192- (2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY
193-OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERC ISING SIMILAR
194-FUNCTIONS; OR
179+ (II) HOVERING OVER , MUTING, PAUSING, OR CLOSING A PIECE 21
180+OF CONTENT; OR 22
195181
196- (3) THE POWER TO EXERCISE A CONTROLLING INFLUE NCE OVER TH E
197-MANAGEMENT OF A BUSI NESS.
182+ (III) AGREEMENT OBTAINED TH ROUGH THE USE OF DAR K 23
183+PATTERNS. 24
198184
199- (K) “CONTROLLER ” MEANS A PERSON THAT , ALONE OR JOINTLY WIT H
200-OTHERS, DETERMINES THE PURPO SE AND MEANS OF PROC ESSING PERSONAL DATA .
185+ (H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE 25
186+STATE. 26
201187
202- (L) (1) “COPPA” MEANS THE FEDERAL CHILDREN’S ONLINE PRIVACY
203-PROTECTION ACT OF 1998 AND THE REG ULATIONS, RULES, GUIDANCE, AND
204-EXEMPTIONS ADOPTED U NDER THE ACT, AND AS THE ACT AND THE REGULATIO NS,
205-RULES, GUIDANCE, AND EXEMPTIONS MAY B E AMENDED.
188+ (2) “CONSUMER” DOES NOT INCLUDE : 27 SENATE BILL 541 5
206189
207- (2) “COPPA” INCLUDES REGULATIONS ADOPTED UNDER THE
208-FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998.
209190
210- (M) “COVERED ENTITY ” HAS THE MEANING STAT ED IN HIPAA.
211191
212- (N) (1) “DARK PATTERN ” MEANS A USER INTERFA CE DESIGNED OR
213-MANIPULATED WITH THE SUBSTANTIAL EFFECT O F SUBVERTING USER AU TONOMY,
214-DECISION MAKING , OR CHOICE.
192+ (I) AN INDIVIDUAL ACTING IN A COMMERCIAL OR 1
193+EMPLOYMENT CONTEXT ; OR 2
215194
216- (2) “DARK PATTERN ” INCLUDES ANY PRACTICE THE FEDERAL
217-TRADE COMMISSION REFERS TO AS A “DARK PATTERN ”.
195+ (II) AN INDIVIDUAL ACTING AS AN EMPLOYE E, AN OWNER, A 3
196+DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP , A SOLE 4
197+PROPRIETORSHIP , A NONPROFIT ORGANIZA TION, OR A GOVERNMENTAL UN IT 5
198+WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR O NLY 6
199+WITHIN THE CONTE XT OF THE INDIVIDUAL ’S ROLE WITH THE COMP ANY, 7
200+PARTNERSHIP , SOLE PROPRIETORSHIP , NONPROFIT ORGANIZATI ON, OR 8
201+GOVERNMENTAL UNIT . 9
218202
219- (O) “DECISIONS THAT PRODUC E LEGAL OR SIMILARLY SIGNIFICANT
220-EFFECTS CONCERNING T HE CONSUMER ” MEANS DECISIONS THAT RESULT IN THE
221-PROVISION OR DENIAL OF:
203+ (I) (1) “CONSUMER HEALTH DATA ” MEANS PERSONAL DATA THAT A 10
204+CONTROLLER USES TO I DENTIFY A CONSUMER ’S PHYSICAL OR MENTAL HEALTH 11
205+STATUS. 12
222206
223- (1) FINANCIAL OR LENDING SERVICES;
207+ (2) “CONSUMER HEALTH DATA ” INCLUDES DATA RELATE D TO: 13
224208
225- (2) HOUSING;
209+ (I) GENDER–AFFIRMING CARE TREATMENT ; OR 14
226210
227- (3) INSURANCE;
211+ (II) REPRODUCTIVE OR SEXUA L HEALTH CARE . 15
228212
229- (4) (3) EDUCATION ENROLLMENT OR OPPORTUNITY ;
213+ (J) “CONTROL” MEANS: 16
230214
231- (5) (4) CRIMINAL JUSTICE ;
232- Ch. 455 2024 LAWS OF MARYLAND
215+ (1) OWNERSHIP OF OR THE P OWER TO VOTE MORE TH AN 50% OF THE 17
216+OUTSTANDING SHARES O F ANY CLASS OF VOTING SECURITY OF A BUSINE SS; 18
233217
234-– 6 –
235- (6) (5) EMPLOYMENT OPPORTUNIT IES;
218+ (2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY 19
219+OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERC ISING SIMILAR 20
220+FUNCTIONS; OR 21
236221
237- (7) (6) HEALTH CARE SERVICES ; OR
222+ (3) THE POWER TO EXERCISE A CONTROLLING INFLUE NCE OVER THE 22
223+MANAGEMENT OF A BUSI NESS. 23
238224
239- (8) (7) ACCESS TO ESSENTIAL G OODS OR SERVICES .
225+ (K) “CONTROLLER ” MEANS A PERSON THAT , ALONE OR JOINTLY WIT H 24
226+OTHERS, DETERMINES THE PURPO SE AND MEANS OF PROC ESSING PERSONAL DATA . 25
240227
241- (P) “DE–IDENTIFIED DATA ” MEANS DATA THAT CANN OT REASONABLY BE
242-USED TO INFER INFORM ATION ABOUT OR OTHER WISE BE LINKED TO AN IDENTIFIED
243-OR IDENTIFIABLE CONS UMER, OR A DEVICE THAT MAY BE LINKED TO AN IDEN TIFIED
244-OR IDENTIFIABLE CONS UMER, IF THE CONTROLLER TH AT POSSESSES THAT
245-INFORMATION :
228+ (L) (1) “COPPA” MEANS THE FEDERAL CHILDREN’S ONLINE PRIVACY 26
229+PROTECTION ACT OF 1998 AND THE REGULATIONS , RULES, GUIDANCE, AND 27
230+EXEMPTIONS ADOPTED U NDER THE ACT, AND AS THE ACT AND THE REGULATIO NS, 28
231+RULES, GUIDANCE, AND EXEMPTIONS MAY B E AMENDED. 29
246232
247- (1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE
248-INFORMATION CANNOT B E LINKED WITH A CONS UMER;
233+ (2) “COPPA” INCLUDES REGULATIONS ADOPTED UNDER THE 30
234+FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998. 31 6 SENATE BILL 541
249235
250- (2) COMMITS IN PUBLICLY A VAILABLE TERMS AND C ONDITIONS OR IN
251-A PUBLICLY AVAILABLE PRIVACY POLICY TO MA INTAIN AND USE THE INFORMATION
252-IN DE–IDENTIFIED FORM ; AND
253236
254- (3) CONTRACTUALLY OBLIGES ANY RECIPIENTS OF TH E
255-INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION HAS THE
256-MEANING STATED IN § 14–4401 OF THIS TITLE.
257237
258- (Q) “GENDER–AFFIRMING TREATMENT ” HAS THE MEANING STAT ED IN §
259-15–151(A) OF THE HEALTH – GENERAL ARTICLE.
238+ (M) “COVERED ENTITY ” HAS THE MEANING STAT ED IN HIPAA. 1
260239
261- (Q) (R) (1) “GENETIC DATA ” MEANS DATA IN ANY FO RMAT THAT
262-CONCERNS THE GENETIC CHARACTE RISTICS OF A CONSUME R.
240+ (N) (1) “DARK PATTERN ” MEANS A USER INTERFA CE DESIGNED OR 2
241+MANIPULATED WITH THE SUBSTANTIAL EFFECT O F SUBVERTING USER AU TONOMY, 3
242+DECISION MAKING , OR CHOICE. 4
263243
264- (2) “GENETIC DATA” INCLUDES:
244+ (2) “DARK PATTERN ” INCLUDES ANY PRACTICE THE FEDERAL 5
245+TRADE COMMISSION REFERS TO AS A “DARK PATTERN ”. 6
265246
266- (I) RAW SEQUENCE DATA THAT R ESULTS FROM SEQUENCI NG
267-OF A CONSUMER ’S COMPLETE EXTRACTED DNA OR A PORTION OF THE CONSUMER ’S
268-COMPLETE EXTRACTED DNA;
247+ (O) “DECISIONS THAT PRODUC E LEGAL OR SIMILARLY SIGNIFICANT 7
248+EFFECTS CONCERNING T HE CONSUMER ” MEANS DECISIONS THAT RESULT IN THE 8
249+PROVISION OR DENIAL OF: 9
269250
270- (II) GENOTYPIC AND PHENOTY PIC INFORMATION THAT
271-RESULTS FROM ANALYZI NG RAW SEQUENCE DATA ;
251+ (1) FINANCIAL OR LENDING SERVICES; 10
272252
273- (III) INFORMATION EXT RAPOLATED, DERIVED, OR INFERRED
274-FROM THE ANALYSIS OF RAW SEQUENCE DATA ; AND
275- WES MOORE, Governor Ch. 455
253+ (2) HOUSING; 11
276254
277-– 7 –
278- (IV) SELF–REPORTED HEALTH INFO RMATION SUBMITTED TO A
279-DIRECT–TO–CONSUMER GENETIC TES TING COMPANY BY A CO NSUMER REGARDING
280-THE CONSUMER ’S HEALTH CONDITIONS :
255+ (3) INSURANCE; 12
281256
282- 1. THAT IS USED F OR SCIENTIFIC RESEAR CH OR
283-PRODUCT DEVELOPMENT ; AND
257+ (4) (3) EDUCATION ENROLLMENT OR OPPORTUNITY ; 13
284258
285- 2. ANALYZED IN CONNECTIO N WITH THE CONSUMER ’S
286-RAW SEQUENCE DATA HAS THE MEANING STAT ED IN § 14–4401 OF THIS TITLE.
259+ (5) (4) CRIMINAL JUSTICE ; 14
287260
288- (R) (S) (1) “GEOFENCE” MEANS TECHNOLOGY THA T ESTABLISHES A
289-VIRTUAL GEOGRAPHICAL BOUNDARY.
261+ (6) (5) EMPLOYMENT OPPORTUNIT IES; 15
290262
291- (2) “GEOFENCE” INCLUDES BOUNDARIES THAT ARE ESTABLISHED
292-OR MONITORED THROUGH THE USE OF:
263+ (7) (6) HEALTH CARE SERVICES ; OR 16
293264
294- (I) GLOBAL POSITIONING TE CHNOLOGY;
265+ (8) (7) ACCESS TO ESSENTIAL G OODS OR SERVICES . 17
295266
296- (II) CELL TOWER CONNECTIVI TY;
267+ (P) “DE–IDENTIFIED DATA ” MEANS DATA THAT CANN OT REASONABLY BE 18
268+USED TO INFER INFORM ATION ABOUT OR OTHER WISE BE LINKED TO AN IDENTIFIED 19
269+OR IDENTIFIABLE CONS UMER, OR A DEVICE THAT MAY BE LINKED TO AN IDEN TIFIED 20
270+OR IDENTIFIABLE CONS UMER, IF THE CONTROLLER TH AT POSSESSES THAT 21
271+INFORMATION : 22
297272
298- (III) CELLULAR DATA ;
273+ (1) TAKES REASONABLE MEAS URES TO ENSURE THAT THE 23
274+INFORMATION CANNOT B E LINKED WITH A CONS UMER; 24
299275
300- (IV) RADIO FREQUENCY IDENT IFICATION;
276+ (2) COMMITS IN PUBLICLY A VAILABLE TERMS AND C ONDITIONS OR IN 25
277+A PUBLICLY AVAILABLE PRIVACY POLICY TO MA INTAIN AND USE THE I NFORMATION 26
278+IN DE–IDENTIFIED FORM ; AND 27
279+ SENATE BILL 541 7
301280
302- (V) WIRELESS FIDELITY TEC HNOLOGY; OR
303281
304- (VI) ANY OTHER FORM OF LOC ATION DETERMINATION
305-TECHNOLOGY .
282+ (3) CONTRACTUALLY OBLIGES ANY RECIPIENTS OF TH E 1
283+INFORMATION TO COMPL Y WITH ALL PROVISION S OF THIS SUBSECTION HAS THE 2
284+MEANING STATED IN § 14–4401 OF THIS TITLE. 3
306285
307- (S) (T) “HIPAAMEANS THE FEDERAL HEALTH INSURANCE
308-PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
286+ (Q) “GENDER–AFFIRMING TREATMENT HAS THE MEANING STAT ED IN § 4
287+15–151(A) OF THE HEALTH – GENERAL ARTICLE. 5
309288
310- (T) (U) “IDENTIFIED OR IDENTIF IABLE CONSUMER ” MEANS A CONSUMER
311-WHO CAN READILY BE I DENTIFIED, EITHER DIRECTLY OR I NDIRECTLY.
289+ (Q) (R) (1) “GENETIC DATA ” MEANS DATA IN ANY FO RMAT THAT 6
290+CONCERNS THE GENETIC CHARACTE RISTICS OF A CONSUME R. 7
312291
313- (U) (V) “MENTAL HEALTH FACILIT Y” MEANS A HEALTH CARE FACILITY IN
314-WHICH NOT LESS THAN 70% OF HEALTH CARE SERVI CES OFFERED ARE MENT AL
315-HEALTH SERVICES .
292+ (2) “GENETIC DATA” INCLUDES: 8
316293
317- (V) (W) (1) “PERSONAL DATA ” MEANS ANY IN FORMATION THAT IS
318-LINKED OR CAN BE REA SONABLY LINKED TO AN IDENTIFIED OR IDENTI FIABLE
319-CONSUMER .
294+ (I) RAW SEQUENCE DATA THA T RESULTS FROM SEQUE NCING 9
295+OF A CONSUMER ’S COMPLETE EXTRACTED DNA OR A PORTION OF THE CONSUMER ’S 10
296+COMPLETE EXTRACTED DNA; 11
320297
321- (2) “PERSONAL DATA ” DOES NOT INCLUDE : Ch. 455 2024 LAWS OF MARYLAND
298+ (II) GENOTYPIC AND PHENOTY PIC INFORMATION THAT 12
299+RESULTS FROM ANALYZI NG RAW SEQUENCE DATA ; 13
322300
323-– 8 –
301+ (III) INFORMATION EXTRAPOLA TED, DERIVED, OR INFERRED 14
302+FROM THE ANALYSIS OF RAW SEQUENCE DATA ; AND 15
324303
325- (I) DE–IDENTIFIED DATA ; OR
304+ (IV) SELF–REPORTED HEALTH INFO RMATION SUBMITTED TO A 16
305+DIRECT–TO–CONSUMER GENETIC TES TING COMPANY BY A CO NSUMER REGARDING 17
306+THE CONSUMER ’S HEALTH CONDITIONS : 18
326307
327- (II) PUBLICLY AVAILABLE IN FORMATION.
308+ 1. THAT IS USED FOR SCIE NTIFIC RESEARCH OR 19
309+PRODUCT DEVELOPMENT ; AND 20
328310
329- (W) (X) (1) “PRECISE GEOLOCATION D ATA” MEANS INFORMATION
330-DERIVED FROM TECHNOL OGY THAT CAN PRECISE LY AND ACCURATELY ID ENTIFY
331-THE SPECIFIC LOCATIO N OF A CONSUMER WITH IN A RADIUS OF 1,750 FEET.
311+ 2. ANALYZED IN CONNECTIO N WITH THE CONSUMER ’S 21
312+RAW SEQUENCE DATA HAS THE MEANING STAT ED IN § 14–4401 OF THIS TITLE. 22
332313
333- (2) “PRECISE GEOLOCATION D ATA” INCLUDES GLOBAL POSI TIONING
334-SYSTEM LEVEL LATITUD E AND LONGITUDE COOR DINATES OR OTHER SIMILAR
335-MECHANISMS .
314+ (R) (S) (1) “GEOFENCE” MEANS TECHNOLOGY THA T ESTABLISHES A 23
315+VIRTUAL GEOGRAPHICAL BOUNDARY. 24
336316
337- (3) “PRECISE GEOLOCATION D ATA” DOES NOT INCLUDE :
317+ (2) “GEOFENCE” INCLUDES BOUNDARIES THAT ARE ESTABLISHED 25
318+OR MONITORED THROUGH THE USE OF: 26
338319
339- (I) THE CONTENT OF COMMUN ICATIONS DATA;
320+ (I) GLOBAL POSITIONING TE CHNOLOGY; 27
340321
341- (II) DATA GENERATED BY OR CONN ECTED TO AN ADVANCED
342-UTILITY METERING INF RASTRUCTURE SYSTEM ; OR
322+ (II) CELL TOWER CONNECTIVI TY; 28
343323
344- (II) (III) EQUIPMENT DATA GENERATED BY EQUIPME NT USED
345-BY A UTILITY COMPANY .
324+ (III) CELLULAR DATA ; 29
325+ 8 SENATE BILL 541
346326
347- (X) (Y) (1) “PROCESS” MEANS AN OPERATION O R SET OF OPERATIONS
348-PERFORMED BY MANUAL OR AUTOMATED MEANS O N PERSONAL DATA .
349327
350- (2) “PROCESS” INCLUDES COLLECTING , USING, STORING,
351-DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L DATA.
328+ (IV) RADIO FREQUENCY IDENT IFICATION; 1
352329
353- (Y) (Z) “PROCESSOR” MEANS A PERSON THAT PROCESSES PERSONAL
354-DATA ON BEHALF OF A CONTROLLER .
330+ (V) WIRELESS FIDELITY TEC HNOLOGY; OR 2
355331
356- (Z) (AA) “PROFILING” MEANS ANY FORM OF AU TOMATED PROCESSING
357-PERFORMED ON PERSONA L DATA TO EVALUATE , ANALYZE, OR PREDICT PER SONAL
358-ASPECTS RELATED TO A N IDENTIFIED OR IDEN TIFIABLE CONSUMER ’S ECONOMIC
359-SITUATION, HEALTH, DEMOGRAPHIC CHARACTE RISTICS, PERSONAL PREFERENCES ,
360-INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS .
332+ (VI) ANY OTHER FORM OF LOCATION DET ERMINATION 3
333+TECHNOLOGY . 4
361334
362- (AA) (BB) “PROTECTED HEALTH INFO RMATION” HAS THE MEANING STATED
363-IN HIPAA.
335+ (S) (T) “HIPAA” MEANS THE FEDERAL HEALTH INSURANCE 5
336+PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 6
364337
365- (BB) (CC) (1) “PUBLICLY AVAILABLE IN FORMATION” MEANS
366-INFORMATION THAT A PERSON:
367- WES MOORE, Governor Ch. 455
338+ (T) (U) “IDENTIFIED OR IDENTIF IABLE CONSUMER ” MEANS A CONSUMER 7
339+WHO CAN READILY BE I DENTIFIED, EITHER DIRECTLY OR I NDIRECTLY. 8
368340
369- 9
370- (I) IS LAWFULLY MADE READ ILY AVAILABLE TO THE GENERAL
371-PUBLIC THROUGH FEDER AL, STATE, OR LOCAL GOVERNMENT RECORDS; OR
341+ (U) (V) “MENTAL HEALTH FACILIT Y” MEANS A HEALTH CARE FACILITY IN 9
342+WHICH NOT LESS THAN 70% OF HEALTH CARE SERVI CES OFFERED ARE MENT AL 10
343+HEALTH SERVICES . 11
372344
373- (II) A CONTROLLER HAS A REASONABLE BASIS TO BELIEVE
374-THAT A CONSUMER HAS LAWFULLY MADE AVAILA BLE TO THE GENERAL P UBLIC
375-THROUGH WIDELY DISTR IBUTED MEDIA.
345+ (V) (W) (1) “PERSONAL DATA ” MEANS ANY INFORMATIO N THAT IS 12
346+LINKED OR CAN BE REA SONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE 13
347+CONSUMER . 14
376348
377- (I) LAWFULLY OBTAINS FROM A RECORD OF A GOVERN MENTAL
378-ENTITY;
349+ (2) “PERSONAL DATA ” DOES NOT INCLUDE : 15
379350
380- (II) REASONABLY BELIEVES A CONSUMER OR WIDELY
381-DISTRIBUTED M EDIA HAVE LAWFULLY M ADE AVAILABLE TO THE GENERAL PUBLIC ;
382-OR
351+ (I) DE–IDENTIFIED DATA ; OR 16
383352
384- (III) IF THE CONSUMER HAS N OT RESTRICTED THE
385-INFORMATION TO A SPE CIFIC AUDIENCE , OBTAINS FROM A PERSO N TO WHOM THE
386-CONSUMER DISCLOSED T HE INFORMATION .
353+ (II) PUBLICLY AVAILABLE IN FORMATION. 17
387354
388- (2) “PUBLICLY AVAILABLE IN FORMATIONDOES NOT INCLUDE
389-BIOMETRIC DATA COLLE CTED BY A BUSINESS A BOUT A CONSUMER WITH OUT THE
390-CONSUMER ’S KNOWLEDGE .
355+ (W) (X) (1) “PRECISE GEOLOCATION D ATAMEANS INFORMATION 18
356+DERIVED FROM TECHNOL OGY THAT CAN PRECISELY AND ACCURA TELY IDENTIFY 19
357+THE SPECIFIC LOCATIO N OF A CONSUMER WITH IN A RADIUS OF 1,750 FEET. 20
391358
392- (CC) (DD) (1) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” MEANS CARE
393-RELATED TO A HEALTH CARE –RELATED SERVICE OR P RODUCT RENDERED OR
394-PROVIDED CONCERNING A CONSUMER ’S REPRODUCTIVE SYSTE M OR SEXUAL
395-WELL–BEING., INCLUDING:
359+ (2) “PRECISE GEOLOCATION D ATA” INCLUDES GLOBAL POSI TIONING 21
360+SYSTEM LEVEL LATITUD E AND LONGITUDE COOR DINATES OR OTHER SIM ILAR 22
361+MECHANISMS . 23
396362
397- (2) “REPRODUCTIVE OR SEXUA L HEALTH CAREINCLUDES:
363+ (3) “PRECISE GEOLOCATION DATADOES NOT INCLUDE : 24
398364
399- (I) (1) A SERVICE OR PRODUCT P ROVIDED RELATED TO A N
400-INDIVIDUAL HEALTH CO NDITION, STATUS, DISEASE, DIAGNOSIS, TEST, OR
401-TREATMENT ;
365+ (I) THE CONTENT OF COMMUN ICATIONS DATA; 25
402366
403- (II) (2) A SOCIAL, PSYCHOLOGICAL , BEHAVIORAL , OR
404-MEDICAL INTERVENTION ;
367+ (II) DATA GENERATED BY OR CONN ECTED TO AN ADVANCED 26
368+UTILITY METERING INF RASTRUCTURE SYSTEM ; OR 27
405369
406- (III) (3) A SURGERY OR PROCEDURE ;
370+ (II) (III) EQUIPMENT DATA GENERATED BY EQU IPMENT USED 28
371+BY A UTILITY COMPANY. 29 SENATE BILL 541 9
407372
408- (IV) (4) THE PURCHASE OR USE O F A MEDICATION ,
409-INCLUDING A MEDICATI ON PURCHASED OR USED FOR THE PURPOSES OF AN
410-ABORTION;
411373
412- (V) (5) A SERVICE OR PRODUCT RELATED TO A BODILY
413-FUNCTION, VITAL SIGN, OR MEASUREMENT THEREOF SYMPTOM; Ch. 455 2024 LAWS OF MARYLAND
414374
415-– 10 –
375+ (X) (Y) (1) “PROCESS” MEANS AN OPERATION O R SET OF OPERATIONS 1
376+PERFORMED BY MANUAL OR AUTOMATED MEANS O N PERSONAL DATA . 2
416377
417- (6) A MEASUREMENT OF A BOD ILY FUNCTION , VITAL SIGN, OR
418-SYMPTOM; AND
378+ (2) “PROCESS” INCLUDES COLLECTING , USING, STORING, 3
379+DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L DATA. 4
419380
420- (VI) (7) AN ABORTION,, WHETHER SURGICAL OR MEDICAL;
421-AND
381+ (Y) (Z) “PROCESSOR” MEANS A PERSON THAT PROCESSES PERSONAL 5
382+DATA ON BEHALF OF A CONTROLLER . 6
422383
423- (VII) A SERVICE RELATED TO A N ABORTION AND MEDICAL AND
424-NONMEDICAL SERVICES , PRODUCTS, DIAGNOSTICS, COUNSELING , AND FOLLOW –UP
425-SERVICES FOR AN ABOR TION.
384+ (Z) (AA) “PROFILING” MEANS ANY FORM OF AU TOMATED PROCESSING 7
385+PERFORMED ON PERSONA L DATA TO EVALUATE , ANALYZE, OR PREDICT PERSONAL 8
386+ASPECTS RELATED TO A N IDENTIFIED OR IDENTIFIABLE CONSUME R’S ECONOMIC 9
387+SITUATION, HEALTH, DEMOGRAPHIC CHARACTE RISTICS, PERSONAL PREFERENCES , 10
388+INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS . 11
426389
427- (DD) (EE) “REPRODUCTIVE OR SEXUA L HEALTH CARE FACILI TY” MEANS A
428-HEALTH CARE FACILITY WHERE NOT LESS THAN 70% OF SERVICES OFFERED ARE
429-REPRODUCTIVE OR SEXU AL HEALTH CARE SERVI CES.
390+ (AA) (BB) “PROTECTED HEALTH INFO RMATION” HAS THE MEANING STAT ED 12
391+IN HIPAA. 13
430392
431- (EE) (FF) (1) “SALE OF PERSONAL DATA ” MEANS THE EXCHANGE O F
432-PERSONAL DATA BY A C ONTROLLER , A PROCESSOR , OR AN AFFILIATE OF A
433-CONTROLLER OR PROCES SER TO A THIRD PARTY FOR MONETARY OR OTHER
434-VALUABLE CONSIDERATI ON.
393+ (BB) (CC) (1) “PUBLICLY AVAILABLE INF ORMATION” MEANS 14
394+INFORMATION THAT A PERSON: 15
435395
436- (2) “SALE OF PERSONAL DATA ” DOES NOT INCLUDE :
396+ (I) IS LAWFULLY MADE READ ILY AVAILABLE TO THE GENERAL 16
397+PUBLIC THROUGH FEDER AL, STATE, OR LOCAL GOVERNMENT RECORDS; OR 17
437398
438- (I) THE DISCLOSURE OF PER SONAL DATA TO A PROC ESSOR
439-THAT PROCESSES PERSO NAL DATA ON BEHALF O F A CONTROLLER IF LI MITED TO
440-THE PURPOSES OF THE PROCESSING;
399+ (II) A CONTROLLER HAS A REA SONABLE BASIS TO BEL IEVE 18
400+THAT A CONSUMER HAS LAWFULLY MADE AV AILABLE TO THE GENER AL PUBLIC 19
401+THROUGH WIDELY DISTR IBUTED MEDIA. 20
441402
442- (II) THE DISCLOSURE OF PER SONAL DATA TO A THIRD PARTY
443-FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE AFFIRMATIVELY
444-REQUESTED BY THE CON SUMER;
403+ (I) LAWFULLY OBTAINS FROM A RECORD OF A GOVERN MENTAL 21
404+ENTITY; 22
445405
446- (III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO AN
447-AFFILIATE OF THE CON TROLLER FOR THE PURPOSE OF P ROVIDING A PRODUCT O R
448-SERVICE AFFIRMATIVEL Y REQUESTED BY THE CONSUME R;
406+ (II) REASONABLY BELIEVES A CONSUMER OR WIDELY 23
407+DISTRIBUTED MEDIA HA VE LAWFULLY MADE AVA ILABLE TO THE GE NERAL PUBLIC ; 24
408+OR 25
449409
450- (IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE
451-CONSUMER :
410+ (III) IF THE CONSUMER HAS N OT RESTRICTED THE 26
411+INFORMATION TO A SPE CIFIC AUDIENCE , OBTAINS FROM A PERSO N TO WHOM THE 27
412+CONSUMER DISCLOSED T HE INFORMATION . 28
452413
453- 1. DIRECTS THE CONTROLLE R TO DISCLOSE THE
454-PERSONAL DATA ; OR
414+ (2) “PUBLICLY AVAILABLE IN FORMATION” DOES NOT INCLUDE 29
415+BIOMETRIC DATA COLLE CTED BY A BUSINESS ABOUT A CONSUMER WITHOUT THE 30
416+CONSUMER ’S KNOWLEDGE . 31
417+ 10 SENATE BILL 541
455418
456- 2. INTENTIONALLY USES TH E CONTROLLER TO
457-INTERACT WITH A THIR D PARTY;
458- WES MOORE, Governor Ch. 455
459419
460-– 11 –
461- (V) THE DISCLOSURE OF PER SONAL DATA THAT THE
462-CONSUMER :
420+ (CC) (DD) (1) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” MEANS CARE 1
421+RELATED TO A HEALTH CARE –RELATED SERVICE OR P RODUCT RENDERED OR 2
422+PROVIDED CONCERNING A CONSUMER ’S REPRODUCTIVE SYSTE M OR SEXUAL 3
423+WELL–BEING., INCLUDING: 4
463424
464- 1. INTENTIONALLY MADE AV AILABLE TO THE GENER AL
465-PUBLIC THROUGH A CHA NNEL OF MASS MEDIA ; AND
425+ (2) “REPRODUCTIVE OR SEXUA L HEALTH CARE ” INCLUDES: 5
466426
467- 2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE ; OR
427+ (I) (1) A SERVICE OR PRODUCT P ROVIDED RELATED TO A N 6
428+INDIVIDUAL HEALTH CO NDITION, STATUS, DISEASE, DIAGNOSIS, TEST, OR 7
429+TREATMENT ; 8
468430
469- (VI) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A
470-THIRD PARTY AS AN AS SET THAT IS PART OF AN A CTUAL OR PROPOSED ME RGER,
471-ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION WHERE THE THIRD PART Y
472-ASSUMES CONTROL OF A LL OR PART OF THE CO NTROLLER’S ASSETS.
431+ (II) (2) A SOCIAL, PSYCHOLOGICAL , BEHAVIORAL, OR 9
432+MEDICAL INTERVENTION ; 10
473433
474- (FF) (GG) “SENSITIVE DATA” MEANS PERSONAL DATA THAT INCLUDES :
434+ (III) (3) A SURGERY OR PROCEDURE ; 11
475435
476- (1) DATA REVEALING:
436+ (IV) (4) THE PURCHASE OR USE O F A MEDICATION , 12
437+INCLUDING A MEDICATI ON PURCHASED OR USED FOR THE PURPOSES OF AN 13
438+ABORTION; 14
477439
478- (I) RACIAL OR ETHNIC ORIG IN;
440+ (V) (5) A SERVICE OR PRODUCT R ELATED TO A BODILY 15
441+FUNCTION, VITAL SIGN, OR MEASUREMENT THEREOF SYMPTOM; 16
479442
480- (II) RELIGIOUS BELIEFS ;
443+ (6) A MEASUREMENT OF A BOD ILY FUNCTION , VITAL SIGN, OR 17
444+SYMPTOM; AND 18
481445
482- (III) CONSUMER HEALTH DATA ;
446+ (VI) (7) AN ABORTION,, WHETHER SURGICAL OR MEDICAL; 19
447+AND 20
483448
484- (IV) SEX LIFE;
449+ (VII) A SERVICE RELATED T O AN ABORTION AND MEDICAL AND 21
450+NONMEDICAL SERVICES , PRODUCTS, DIAGNOSTICS, COUNSELING , AND FOLLOW –UP 22
451+SERVICES FOR AN ABOR TION. 23
485452
486- (V) SEXUAL ORIENTATION ;
453+ (DD) (EE) “REPRODUCTIVE OR SEXUA L HEALTH CARE FACILI TY” MEANS A 24
454+HEALTH CARE FACILITY WHERE NOT LESS THAN 70% OF SERVICES OFFERED ARE 25
455+REPRODUCTIVE OR SEXU AL HEALTH CARE SERVI CES. 26
487456
488- (VI) STATUS AS TRANSGENDER OR NONBINARY ;
457+ (EE) (FF) (1) “SALE OF PERSONAL DATA ” MEANS THE EXCHANGE O F 27
458+PERSONAL DATA BY A C ONTROLLER , A PROCESSOR , OR AN AFFILIATE OF A 28
459+CONTROLLER OR PROCES SER TO A THIRD PARTY FOR MONETARY OR OTHER 29
460+VALUABLE CONSIDE RATION. 30
489461
490- (VII) NATIONAL ORIGIN ; OR
462+ (2) “SALE OF PERSONAL DATA ” DOES NOT INCLUDE : 31
463+ SENATE BILL 541 11
491464
492- (VIII) CITIZENSHIP OR IMMIGRATION STATUS ;
493465
494- (2) GENETIC DATA OR BIOME TRIC DATA;
466+ (I) THE DISCLOSURE OF PER SONAL DATA TO A PROC ESSOR 1
467+THAT PROCESSES PERSO NAL DATA ON BEHALF O F A CONTROLLER IF LI MITED TO 2
468+THE PURPOSES OF THE PROCESSING; 3
495469
496- (3) PERSONAL DATA OF A CO NSUMER THAT THE CONT ROLLER KNOWS
497-OR HAS REASON TO KNO W IS A CHILD; OR
470+ (II) THE DISCLOSURE OF PER SONAL DATA TO A THIRD PARTY 4
471+FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE AFFIRMATIVELY 5
472+REQUESTED BY THE CON SUMER; 6
498473
499- (4) PRECISE GEOLOCATION D ATA.
474+ (III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO AN 7
475+AFFILIATE OF THE CON TROLLER FOR THE PURPOSE OF P ROVIDING A PRODUCT O R 8
476+SERVICE AFFIRMATIVEL Y REQUESTED BY THE CON SUMER; 9
500477
501- (GG) (HH) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING
502-ADVERTISEMENTS TO A CONSUMER OR ON A DEV ICE IDENTIFIED BY A UNIQUE
503-IDENTIFIER, WHERE THE ADVERTISEM ENT IS SELECTED BASE D ON PERSONAL DATA
504-OBTAINED OR INFERRED FROM THE CONSUMER ’S ACTIVITIES OVER TI ME AND Ch. 455 2024 LAWS OF MARYLAND
478+ (IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE 10
479+CONSUMER : 11
505480
506-– 12 –
507-ACROSS NONAFFILIATED WEBSITES OR ONLINE A PPLICATIONS THAT ARE
508-UNAFFILIATED WITH EA CH OTHER, IN ORDER TO PREDICT THE CONSUMER ’S
509-PREFERENCES OR INTER ESTS.
481+ 1. DIRECTS THE CONTROLLE R TO DISCLOSE THE 12
482+PERSONAL DATA ; OR 13
510483
511- (2) “TARGETED ADVERTISING ” DOES NOT INCLUDE :
484+ 2. INTENTIONALLY USES TH E CONTROLLER TO 14
485+INTERACT WITH A THIR D PARTY; 15
512486
513- (I) ADVERTISEMENTS BASED ON THE CONTEXT IN WHICH THE
514-ADVERTISEM ENT APPEARS AND DOES NOT VARY BASED ON WH O IS VIEWING THE
515-ADVERTISEMENT OF A CONSUMER ’S CURRENT SEARCH QUE RY, VISIT TO A WEBSITE,
516-OR ONLINE APPLICATIO N;
487+ (V) THE DISCLOSURE OF PERSONAL DATA THAT T HE 16
488+CONSUMER : 17
517489
518- (II) ADVERTISEMENTS BASED ON A CONSUMER ’S ACTIVITIES
519-WITHIN A CONTROLLER ’S WEBSITES OR ONLINE APPLICATIONS;
490+ 1. INTENTIONALLY MADE AV AILABLE TO THE GENER AL 18
491+PUBLIC THROUGH A CHA NNEL OF MASS MEDIA ; AND 19
520492
521- (III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN
522-RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR
493+ 2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE ; OR 20
523494
524- (IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR
525-REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH.
495+ (VI) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A 21
496+THIRD PARTY AS AN ASSET THAT IS PART O F AN ACTUAL OR PROPO SED MERGER , 22
497+ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION WHERE THE THIRD PART Y 23
498+ASSUMES CONTROL OF A LL OR PART OF THE CO NTROLLER’S ASSETS. 24
526499
527- (HH) (II) “THIRD PARTY” MEANS A PERSON OTHER THAN THE RELEVANT
528-CONSUMER , CONTROLLER , PROCESSOR, OR AFFILIATE OF THE CONTROLLER OR
529-PROCESSOR OF RELEVAN T PERSONAL DATA .
500+ (FF) (GG) “SENSITIVE DATA” MEANS PERSONAL DATA THAT INCLUDES : 25
530501
531- (II) (JJ) (1) “TRADE SECRET” MEANS INFORMATION TH AT:
502+ (1) DATA REVEALING: 26
532503
533- (I) DERIVES INDEPENDENT E CONOMIC VALUE , ACTUAL OR
534-POTENTIAL, FROM NOT BEING GENER ALLY KNOWN TO , AND NOT BEING READIL Y
535-ASCERTAINABLE BY PRO PER MEANS BY , OTHER PERSONS WHO CO ULD OBTAIN
536-ECONOMIC VALUE FROM THE INFORMATION ’S DISCLOSURE OR USE ; AND
504+ (I) RACIAL OR ETHNIC ORIG IN; 27
537505
538- (II) IS THE SUBJECT OF EFF ORTS THAT ARE REASONABLE
539-UNDER THE CIRCUMSTAN CES TO MAINTAIN THE SECRECY OF THE INFOR MATION.
506+ (II) RELIGIOUS BELIEFS ; 28
540507
541- (2) “TRADE SECRET ” INCLUDES A FORMULA , PATTERN,
542-COMPILATION , PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS HAS THE
543-MEANING STATED IN § 11–1201 OF THIS ARTICLE.
508+ (III) CONSUMER HEALTH DATA ; 29
509+ 12 SENATE BILL 541
544510
545-14–4602.
546511
547- THIS SUBTITLE APPLIES TO A PERSON THAT :
512+ (IV) SEX LIFE; 1
548513
549- (1) (I) CONDUCTS BUSINESS IN THE STATE; OR
550- WES MOORE, Governor Ch. 455
514+ (V) SEXUAL ORIENTATION ; 2
551515
552-– 13 –
553- (2) (I) (II) PRODUCES PROVIDES SERVICES OR PRODUCTS THAT
554-ARE TARGETED TO RESI DENTS OF THE STATE; AND
516+ (VI) STATUS AS TRANSGENDER OR NONBINARY ; 3
555517
556- (II) (2) DURING THE IMMEDIATEL Y PRECEDING CALENDAR
557-YEAR:
518+ (VII) NATIONAL ORIGIN ; OR 4
558519
559- 1. (I) CONDUCTS BUSINESS IN THE STATE OR PROVIDES
560-PRODUCTS OR SERVICES THAT ARE TARGETED TO RESIDENTS OF THE STATE, AND
561-THAT DURING THE PREC EDING CALENDAR YEAR DID ANY OF THE FOLLO WING:
520+ (VIII) CITIZENSHIP OR IMMIGRATION STATUS ; 5
562521
563- (1) CONTROLLED OR PROCESS ED THE PERSONAL DATA OF AT LEAST
564-35,000 CONSUMERS , EXCLUDING PERSONAL D ATA CONTROLLED OR PR OCESSED
565-SOLELY FOR THE PURPO SE OF COMPLETING A P AYMENT TRANSACTION ; OR
522+ (2) GENETIC DATA OR BIOME TRIC DATA; 6
566523
567- 2. (II) (2) CONTROLLED OR PROCESS ED THE PERSONAL
568-DATA OF AT LEAST 10,000 CONSUMERS AND DERIVE D MORE THAN 20% OF ITS GROSS
569-REVENUE FROM THE SALE OF PER SONAL DATA.
524+ (3) PERSONAL DATA OF A CO NSUMER THAT THE CONT ROLLER KNOWS 7
525+OR HAS REASON TO KNO W IS A CHILD; OR 8
570526
571-14–4603.
527+ (4) PRECISE GEOLOCATION D ATA. 9
572528
573- (A) THIS SUBTITLE DOES NO T APPLY TO:
529+ (GG) (HH) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING 10
530+ADVERTISEMENTS TO A CONSUMER OR ON A DEV ICE IDENTIFIED BY A UNIQUE 11
531+IDENTIFIER, WHERE THE ADVERTISEM ENT IS SELECTED BASE D ON PERSONAL DATA 12
532+OBTAINED OR INFERRED FROM THE CONSUMER ’S ACTIVITIES OVER TI ME AND 13
533+ACROSS NONAFFILIATED WEBSITES OR ONLINE A PPLICATIONS THAT ARE 14
534+UNAFFILIATED WITH EA CH OTHER, IN ORDER TO PREDICT THE CONSUMER ’S 15
535+PREFERENCES OR INTER ESTS. 16
574536
575- (1) A REGULATORY , ADMINISTRATIVE , ADVISORY, EXECUTIVE,
576-APPOINTIVE, LEGISLATIVE, OR JUDICIAL BODY OR INSTRUMENTALITY OF THE
577-STATE, INCLUDING A BOARD , BUREAU, COMMISSION, OR UNIT OF THE STATE OR A
578-POLITICAL SUBDIVISIO N OF THE STATE;
537+ (2) “TARGETED ADVERTISING ” DOES NOT INCLUDE : 17
579538
580- (2) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED
581-UNDER § 15 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934 OR A
582-REGISTERED FUTURES A SSOCIATION DESIGNATE D IN ACCORDANCE WITH § 17 OF
583-THE FEDERAL COMMODITY EXCHANGE ACT; OR
539+ (I) ADVERTISEMENTS BASED ON THE CONTEXT IN WHICH THE 18
540+ADVERTISEM ENT APPEARS AND DOES NOT VARY BASED ON WH O IS VIEWING THE 19
541+ADVERTISEMENT OF A CONSUMER ’S CURRENT SEARCH QUE RY, VISIT TO A WEBSITE, 20
542+OR ONLINE APPLICATIO N; 21
584543
585- (3) A FINANCIAL INSTITUTIO N OR, AN AFFILIATE OF A FINAN CIAL
586-INSTITUTION, OR DATA THAT IS SUBJECT TO TITLE V OF THE FEDERAL
587-GRAMM–LEACH–BLILEY ACT AND REGULATIONS A DOPTED UNDER THAT AC T; OR
544+ (II) ADVERTISEMENTS BASED ON A CONSUMER ’S ACTIVITIES 22
545+WITHIN A CONTROLLER ’S WEBSITES OR ONLINE APPLICATIONS; 23
588546
589- (4) A NONPROFIT CONTROLLE R THAT PROCESSES OR SHARES
590-PERSONAL DATA SOLELY FOR THE PURPOSES OF ASSISTING:
547+ (III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN 24
548+RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR 25
591549
592- (I) LAW ENFORCEMENT AGENC IES IN INVESTIGATING
593-CRIMINAL OR FRAUDULE NT ACTS RELATING TO INSURANCE; OR
550+ (IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR 26
551+REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH. 27
594552
595- (II) FIRST RESPONDERS IN R ESPONDING TO CATASTR OPHIC
596-EVENTS. Ch. 455 2024 LAWS OF MARYLAND
553+ (HH) (II) “THIRD PARTY” MEANS A PERSON OTHER THAN THE RELEVANT 28
554+CONSUMER , CONTROLLER , PROCESSOR, OR AFFILIATE OF THE CONTROLLER OR 29
555+PROCESSOR OF RELEVAN T PERSONAL DATA . 30 SENATE BILL 541 13
597556
598-– 14 –
599557
600- (B) THE FOLLOWING INFORMATIO N AND DATA ARE EXEMP T FROM THIS
601-SUBTITLE:
602558
603- (1) PROTECTED HEALTH INFO RMATION UNDER HIPAA;
559+ (II) (JJ) (1) “TRADE SECRET” MEANS INFORMATION TH AT: 1
604560
605- (2) PATIENT–IDENTIFYING INFORMAT ION FOR PURPOSES OF 42
606-U.S.C. § 290DD–2;
561+ (I) DERIVES INDEPENDENT E CONOMIC VALUE , ACTUAL OR 2
562+POTENTIAL, FROM NOT BEING GENER ALLY KNOWN TO , AND NOT BEING READIL Y 3
563+ASCERTAINABLE BY PRO PER MEANS BY , OTHER PERSONS WHO CO ULD OBTAIN 4
564+ECONOMIC VALUE FROM THE INFORMATION ’S DISCLOSURE OR USE ; AND 5
607565
608- (3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR
609-PURPOSES OF THE FEDERAL POLICY F OR THE PROTECTION OF HUMAN SUBJECTS IN
610-ACCORDANCE WITH 45 C.F.R. § 46;
566+ (II) IS THE SUBJECT OF EFF ORTS THAT ARE REASON ABLE 6
567+UNDER THE CIRCUMSTAN CES TO MAINTAIN THE SECRECY OF THE INFOR MATION. 7
611568
612- (4) IDENTIFIABLE PRIVATE INFORMATION TO THE E XTENT THAT IT IS
613-COLLECTED AND USED A S PART OF HUMAN SUBJ ECTS RESEARCH IN ACC ORDANCE
614-WITH THE ICH 36 GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
615-INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS
616-FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN
617-SUBJECTS UNDER 21 C.F.R. §§ 50 AND 56;
569+ (2) “TRADE SECRET ” INCLUDES A FORMULA , PATTERN, 8
570+COMPILATION , PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS HAS THE 9
571+MEANING STATED IN § 11–1201 OF THIS ARTICLE. 10
618572
619- (5) PATIENT SAFETY WORK P RODUCT THAT IS CREAT ED AND USED
620-FOR PURPOSES OF PATI ENT SAFETY IMPROVEME NT IN ACCORDANCE WIT H 42
621-C.F.R. § 3, ESTABLISHED IN ACCOR DANCE WITH 42 U.S.C. §§ 299B–21 THROUGH
622-299B–26;
573+14–4602. 11
623574
624- (6) (I) INFORMATION TO THE EX TENT IT IS USED FOR PUBLIC
625-HEALTH, COMMUNITY HEALTH , OR POPULATION HEALTH ACTIVITIES AND
626-PURPOSES, AS AUTHORIZED BY HIPAA, WHEN PROVIDED BY OR TO A COVERED
627-ENTITY OR WHEN PROVI DED BY OR TO A BUSIN ESS ASSOCIATE IN ACC ORDANCE WITH
628-THE BUSINESS ASSOCIA TE AGREEMENT WITH A COVERED ENTITY ;
575+ THIS SUBTITLE APPLIES TO A PERSO N THAT: 12
629576
630- (II) INFORMATION THAT IS A MEDICAL RECORD UNDER § 4–301
631-OF THE HEALTH – GENERAL ARTICLE IF:
577+ (1) (I) CONDUCTS BUSINESS IN THE STATE; OR 13
632578
633- 1. THE INFORMATION IS HE LD BY AN ENTITY THAT IS A
634-COVERED ENTITY OR BU SINESS ASSOCIATE UND ER HIPAA BECAUSE IT COLLECTS ,
635-USES, OR DISCLOSES PROTECT ED HEALTH INFORMATIO N; AND
579+ (2) (I) (II) PRODUCES PROVIDES SERVICES OR PRODUCTS THAT 14
580+ARE TARGETED TO RESI DENTS OF THE STATE; AND 15
636581
637- 2. THE ENTITY APPLIES T HE SAME STANDARDS FO R THE
638-COLLECTION, USE, AND DISCLOSURE OF TH E INFORMATION AS REQ UIRED FOR
639-PROTECTED HEALTH INF ORMATION UNDER HIPAA AND MEDICAL RECORDS UNDER
640-§ 4–301 OF THE HEALTH – GENERAL ARTICLE, INCLUDING SPECIFIC S TANDARDS
641-REGARDING LEGALLY PR OTECTED HEALTH CARE ; AND WES MOORE, Governor Ch. 455
582+ (II) (2) DURING THE IMMEDIATEL Y PRECEDING CALENDAR 16
583+YEAR: 17
642584
643-– 15 –
585+ 1. (I) CONDUCTS BUSINESS IN THE STATE OR PROVIDES 18
586+PRODUCTS OR SERVICES THAT ARE TARGETED TO RESIDENTS OF THE STATE, AND 19
587+THAT DURING THE PREC EDING CALENDAR YEAR DID ANY OF THE FOLLO WING: 20
644588
645- (III) INFORMATION THAT IS D E–IDENTIFIED IN ACCORD ANCE
646-WITH THE REQUIREMENT S FOR DE–IDENTIFICATION SET F ORTH IN 45 C.F.R.
647-164.514 THAT IS DERIVED FROM INDIVIDUALLY IDENTIF IABLE HEALTH
648-INFORMATION AS DESCR IBED IN HIPAA OR PERSONAL INFORMATION CONSISTE NT
649-WITH THE HUMAN SUBJE CT PROTECTION REQUIR EMENTS OF THE U.S. FOOD AND
650-DRUG ADMINISTRATION ;
589+ (1) CONTROLLED OR PROCESS ED THE PERSONAL DATA OF AT LEAST 21
590+35,000 CONSUMERS , EXCLUDING PERSONAL D ATA CONTROLLED OR PR OCESSED 22
591+SOLELY FOR THE PURPO SE OF COMPLETING A P AYMENT TRANSACTION ; OR 23
651592
652- (7) THE COLLECTION , MAINTENANCE , DISCLOSURE, SALE,
653-COMMUNICATION , OR USE OF PERSONAL I NFORMATION BEARING O N A CONSUMER ’S
654-CREDITWORTHINESS , CREDIT STANDING , CREDIT CAPACITY , CHARACTER , GENERAL
655-REPUTATION, PERSONAL CHARACTERIS TICS, OR MODE OF LIVING BY A CONSUMER
656-REPORTING AGENCY , FURNISHER, OR USER THAT PROVIDE S INFORMATION FOR US E
657-IN A CONSUMER REPORT , AND BY A USER OF A C ONSUMER REPORT , BUT ONLY TO
658-THE EXTENT THAT THE ACTIVITY IS REGULATE D BY AND AUTHORIZED UNDER THE
659-FEDERAL FAIR CREDIT REPORTING ACT;
593+ 2. (II) (2) CONTROLLED OR PROCESS ED THE PERSONAL 24
594+DATA OF AT LEAST 10,000 CONSUMERS AND DERIVE D MORE THAN 20% OF ITS GROSS 25
595+REVENUE FROM THE SALE OF PER SONAL DATA. 26
660596
661- (8) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
662-IN COMPLIANCE WITH T HE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994;
597+14–4603. 27
663598
664- (9) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY
665-EDUCATIONAL RIGHTS AND PRIVACY ACT;
599+ (A) THIS SUBTITLE DOES NO T APPLY TO: 28
600+ 14 SENATE BILL 541
666601
667- (10) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
668-IN COMPLIANCE WITH T HE FEDERAL FARM CREDIT ACT;
669602
670- (11) DATA PROCESSED OR MAI NTAINED:
603+ (1) A REGULATORY , ADMINISTRATIVE , ADVISORY, EXECUTIVE, 1
604+APPOINTIVE, LEGISLATIVE, OR JUDICIAL BODY OR INSTRUMENTALITY OF THE 2
605+STATE, INCLUDING A BOARD , BUREAU, COMMISSION, OR UNIT OF THE STATE OR A 3
606+POLITICAL SUBDIVISIO N OF THE STATE; 4
671607
672- (I) IN THE COURSE OF AN INDIVIDUAL APPLYING TO,
673-EMPLOYED BY , OR ACTING AS AN AGEN T OR INDEPENDENT CON TRACTOR OF A
674-CONTROLLER , PROCESSOR, OR THIRD PARTY , TO THE EXTENT THAT T HE DATA IS
675-COLLECTED AND USED W ITHIN THE CONTEXT OF THE ROLE;
608+ (2) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED 5
609+UNDER § 15 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934 OR A 6
610+REGISTERED FUTURES A SSOCIATION DESIGNATE D IN ACCORDANCE WITH § 17 OF 7
611+THE FEDERAL COMMODITY EXCHANGE ACT; OR 8
676612
677- (II) AS THE EMERGENCY CONT ACT INFORMATION OF A
678-CONSUMER IF THE DATA IS USED FOR EMERGENC Y CONTACT PURPOSES ; OR
613+ (3) A FINANCIAL INSTITUTIO N OR, AN AFFILIATE OF A FINAN CIAL 9
614+INSTITUTION, OR DATA THAT IS SUBJECT TO TITLE V OF THE FEDERAL 10
615+GRAMM–LEACH–BLILEY ACT AND REGULATIONS A DOPTED UNDER THAT AC T; OR 11
679616
680- (III) THAT IS:
617+ (4) A NONPROFIT CONTROLLER THAT PROCESSES OR SH ARES 12
618+PERSONAL DATA SOLELY FOR THE PURPOSES OF ASSISTING: 13
681619
682- 1. NECESSARY TO RETAIN T O ADMINISTER BENEFIT S
683-FOR ANOTHER INDIVIDU AL RELATING TO THE C ONSUMER WHO IS THE S UBJECT OF
684-THE INFORMATION UNDE R ITEM (I) OF THIS ITEM; AND
620+ (I) LAW ENFORCEMENT AGENC IES IN INVESTIGATING 14
621+CRIMINAL OR FRAUDULE NT ACTS RELATING TO INSURANCE; OR 15
685622
686- 2. USED FOR THE PURPOSES OF ADMINISTERING THE
687-BENEFITS; AND Ch. 455 2024 LAWS OF MARYLAND
623+ (II) FIRST RESPONDERS IN R ESPONDING TO CATASTR OPHIC 16
624+EVENTS. 17
688625
689-– 16 –
626+ (B) THE FOLLOWING INFORMA TION AND DATA ARE EX EMPT FROM THIS 18
627+SUBTITLE: 19
690628
691- (12) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED
692-IN RELATION TO PRICE , ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO T HE
693-FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THI S SUBTITLE IS
694-PREEMPTED BY THE FED ERAL AIRLINE DEREGULATION ACT; AND
629+ (1) PROTECTED HEALTH INFO RMATION UNDER HIPAA; 20
695630
696- (13) PERSONAL DATA TO THE EXTENT IT IS COLLECTED FOR,
697-PROVIDED TO, OR USED BY BY OR ON BEHALF OF A PERSON REGULATED U NDER THE
698-INSURANCE ARTICLE OR AN AFFILIA TE OF SUCH A PERSON , IN FURTHERANCE OF
699-THE BUSINESS OF INSU RANCE.
631+ (2) PATIENT–IDENTIFYING INFORMAT ION FOR PURPOSES OF 42 21
632+U.S.C. § 290DD–2; 22
700633
701- (C) CONTROLLERS AND PROCE SSORS THAT COMPLY WI TH THE VERIFIABLE
702-PARENTAL CONSENT REQ UIREMENTS OF COPPA SHALL BE CONSIDERED
703-COMPLIANT WITH AN OB LIGATION TO OBTAIN P ARENTAL CONSENT IN A CCORDANCE
704-WITH THIS SUBTITLE W ITH RESPECT TO A CONSUMER WHO IS A CHILD.
634+ (3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR 23
635+PURPOSES OF THE FEDE RAL POLICY FOR THE P ROTECTION OF HUMAN S UBJECTS IN 24
636+ACCORDANCE WITH 45 C.F.R. § 46; 25
705637
706-14–4604.
638+ (4) IDENTIFIABLE PRIVATE INFORMATION TO THE E XTENT THAT IT IS 26
639+COLLECTED AND USED A S PART OF HUMAN SUBJ ECTS RESEARCH IN ACC ORDANCE 27
640+WITH THE ICH 36 GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE 28
641+INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 29
642+FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN 30
643+SUBJECTS UNDER 21 C.F.R. §§ 50 AND 56; 31
707644
708- A PERSON MAY NOT :
645+ (5) PATIENT SAFETY WORK P RODUCT THAT IS CREAT ED AND USED 32
646+FOR PURPOSES OF PATI ENT SAFETY IMPROVEME NT IN ACCORDANCE WIT H 42 33 SENATE BILL 541 15
709647
710- (1) PROVIDE AN EMPLOYEE O R A CONTRACTOR ACCES S TO
711-CONSUMER HEALTH DATA UNLESS THE:
712648
713- (I) THE EMPLOYEE OR CONTRACT OR IS SUBJECT TO A
714-CONTRACTUAL OR STATU TORY DUTY OF CONFIDE NTIALITY; OR
649+C.F.R. § 3, ESTABLISHED IN ACCOR DANCE WITH 42 U.S.C. §§ 299B–21 THROUGH 1
650+299B–26; 2
715651
716- (II) CONFIDENTIALITY IS RE QUIRED AS A CONDITIO N OF
717-EMPLOYMENT OF THE EM PLOYEE;
652+ (6) (I) INFORMATION TO THE EX TENT IT IS USED FOR PUBLIC 3
653+HEALTH, COMMUNITY HEALTH , OR POPULATION HEALTH ACTIVITIES AND 4
654+PURPOSES, AS AUTHORIZED BY HIPAA, WHEN PROVIDED BY O R TO A COVERED 5
655+ENTITY OR WHEN PROVI DED BY OR TO A BUSIN ESS ASSOCIATE IN ACC ORDANCE WITH 6
656+THE BUSINESS ASSOCIA TE AGREEMENT WITH A COVERED ENTITY ; 7
718657
719- (2) PROVIDE A PROCESSOR A CCESS TO CONSUMER HE ALTH DATA
720-UNLESS THE PERSON PR OVIDING ACCESS TO TH E CONSUMER HEALTH DA TA AND
721-THE PROCESSOR COMPLY WITH § 14–4607 14–4608 OF THIS SUBTITLE; OR
658+ (II) INFORMATION THAT IS A MEDICAL RECORD UNDER § 4–301 8
659+OF THE HEALTH – GENERAL ARTICLE IF: 9
722660
723- (3) USE A GEOFENCE :
661+ 1. THE INFORMATION IS HELD BY A N ENTITY THAT IS A 10
662+COVERED ENTITY OR BU SINESS ASSOCIATE UND ER HIPAA BECAUSE IT COLLECTS , 11
663+USES, OR DISCLOSES PROTECT ED HEALTH INFORMATIO N; AND 12
724664
725- (I) TO IDENTIFY, TRACK, COLLECT DATA FROM , OR SEND A
726-NOTIFICATION TO A CO NSUMER REGARDING THE CONSUMER ’S CONSUMER HEALTH
727-DATA; AND
665+ 2. THE ENTITY APPLIES TH E SAME STANDARDS FOR THE 13
666+COLLECTION, USE, AND DISCLOSURE OF TH E INFORMATION AS REQUI RED FOR 14
667+PROTECTED HEALTH INF ORMATION UNDER HIPAA AND MEDICAL RECORDS UNDER 15
668+§ 4–301 OF THE HEALTH – GENERAL ARTICLE, INCLUDING SPECIFIC S TANDARDS 16
669+REGARDING LEGALLY PR OTECTED HEALTH CARE ; AND 17
728670
729- (II) WITHIN 1,750 FEET OF A MENTAL HEA LTH FACILITY OR
730-REPRODUCTIVE OR SEXU AL HEALTH FACILITY ; OR
731- WES MOORE, Governor Ch. 455
671+ (III) INFORMATION THAT IS D E–IDENTIFIED IN ACCORDANCE 18
672+WITH THE REQUIREMENT S FOR DE–IDENTIFICATION SET F ORTH IN 45 C.F.R. 19
673+164.514 THAT IS DERIVED FROM INDIVIDUALLY IDENTIF IABLE HEALTH 20
674+INFORMATION AS DESCR IBED IN HIPAA OR PERSONAL INFORMAT ION CONSISTENT 21
675+WITH THE HUMAN SUBJE CT PROTECTION REQUIR EMENTS OF THE U.S. FOOD AND 22
676+DRUG ADMINISTRATION ; 23
732677
733-– 17 –
734- (4) SELL OR OFFER TO SELL CONSUMER HEALTH DATA WITHOUT THE
735-CONSENT OF THE CONSU MER WHOSE HEALTH DAT A IS TO BE SOLD OR O FFERED TO
736-BE SOLD TO ESTABLISH A VIRTU AL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY
737-MENTAL HEALTH FACILI TY OR REPR ODUCTIVE OR SEXUAL H EALTH FACILITY FOR
738-THE PURPOSE OF IDENT IFYING, TRACKING, OR COLLECTING DATA F ROM, OR
739-SENDING ANY NOTIFICA TION TO A CONSUMER R EGARDING THE CONSUME R’S
740-CONSUMER HEALTH DATA .
678+ (7) THE COLLECTION , MAINTENANCE , DISCLOSURE, SALE, 24
679+COMMUNICATION , OR USE OF PERSONAL I NFORMATION BEARING O N A CONSUMER ’S 25
680+CREDITWORTHINESS , CREDIT STANDING , CREDIT CAPACITY , CHARACTER , GENERAL 26
681+REPUTATION, PERSONAL CHARACTERISTICS , OR MODE OF LIVING BY A CONSUMER 27
682+REPORTING AGENCY , FURNISHER, OR USER THAT PROVIDE S INFORMATION FOR US E 28
683+IN A CONSUMER REPORT , AND BY A USER OF A C ONSUMER REPORT , BUT ONLY TO 29
684+THE EXTENT THAT THE ACTIVITY IS REGULATE D BY AND AUTHORIZED UNDER THE 30
685+FEDERAL FAIR CREDIT REPORTING ACT; 31
741686
742-14–4605.
687+ (8) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 32
688+IN COMPLIANCE WITH T HE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994; 33
743689
744- (A) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO REQUIRE A
745-CONTROLLER TO REVEAL A TRADE SECRET .
690+ (9) PERSONAL DATA REGULAT ED BY THE FEDERAL FAMILY 34
691+EDUCATIONAL RIGHTS AND PRIVACY ACT; 35
692+ 16 SENATE BILL 541
746693
747- (B) A CONSUMER SHALL HAVE THE RIGHT TO:
748694
749- (1) CONFIRM WHETHER A CON TROLLER IS PROCESSIN G THE
750-CONSUMER ’S PERSONAL DATA , UNLESS THAT CONFIRMA TION WOULD REQUIRE T HE
751-DISCLOSURE OF A TRAD E SECRET;
695+ (10) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 1
696+IN COMPLIANCE WITH T HE FEDERAL FARM CREDIT ACT; 2
752697
753- (2) IF A CONTROLLER IS PROCESSI NG A CONSUMER ’S PERSONAL
754-DATA, ACCESS THE CONSUMER ’S PERSONAL DATA UNLESS THAT ACCESS W OULD
755-REQUIRE THE DISCLOSU RE OF A TRADE SECRET ;
698+ (11) DATA PROCESSED OR MAI NTAINED: 3
756699
757- (3) CONSIDERING THE NATUR E OF THE CONSUMER ’S PERSONAL
758-DATA AND THE PURPOSE S OF THE PROCESSING OF THE PERSONAL DATA , CORRECT
759-INACCURACIES IN THE CONSUMER ’S PERSONAL DATA ;
700+ (I) IN THE COURSE OF AN I NDIVIDUAL APPLYING T O, 4
701+EMPLOYED BY , OR ACTING AS AN AGEN T OR INDEPEN DENT CONTRACTOR OF A 5
702+CONTROLLER , PROCESSOR, OR THIRD PARTY , TO THE EXTENT THAT T HE DATA IS 6
703+COLLECTED AND USED W ITHIN THE CONTEXT OF THE ROLE; 7
760704
761- (4) REQUIRE A CONTROLLER TO DELETE PERSONAL D ATA PROVIDED
762-BY, OR OBTAINED ABOUT , THE CONSUMER UNLESS RETENTION OF THE PERSONAL
763-DATA IS REQUIRED BY LAW;
705+ (II) AS THE EMERGENCY CONT ACT INFORMATION OF A 8
706+CONSUMER IF THE DATA IS USED FOR EMERGENC Y CONTACT PURPOSES ; OR 9
764707
765- (5) IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC
766-MEANS, OBTAIN A COPY OF THE CONSUMER ’S PERSONAL DATA PROC ESSED BY THE
767-CONTROLLER IN A PORT ABLE AND, TO THE EXTENT TECHNI CALLY FEASIBLE ,
768-READILY USABLE FORMA T THAT ALLOWS THE CO NSUMER TO EASILY TRA NSMIT THE
769-DATA TO ANOTHER C ONTROLLER WITHOUT HI NDRANCE;
708+ (III) THAT IS: 10
770709
771- (6) OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH
772-THE CONTROLLER HAS D ISCLOSED THE CONSUME R’S PERSONAL DATA OR A LIST OF
773-THE CATEGORIES OF TH IRD PARTIES TO WHICH THE CONTROLLER HAS D ISCLOSED
774-ANY CONSUMER ’S PERSONAL DATA IF THE CONTR OLLER DOES NOT MAINT AIN THIS
775-INFORMATION IN A FOR MAT SPECIFIC TO THE CONSUMER ; AND
776- Ch. 455 2024 LAWS OF MARYLAND
710+ 1. NECESSARY TO RETAIN T O ADMINISTER BENEFIT S 11
711+FOR ANOTHER INDIVIDU AL RELATING TO THE C ONSUMER WHO IS THE S UBJECT OF 12
712+THE INFORMATION UNDE R ITEM (I) OF THIS ITEM; AND 13
777713
778-– 18 –
779- (7) OPT OUT OF THE PROCES SING OF PERSONAL DAT A FOR PURPOSES
780-OF:
714+ 2. USED FOR THE PURPOSES OF ADMINISTERING THE 14
715+BENEFITS; AND 15
781716
782- (I) TARGETED ADVERTISING ;
717+ (12) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 16
718+IN RELATION TO PRICE , ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO T HE 17
719+FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THI S SUBTITLE IS 18
720+PREEMPTED BY THE FED ERAL AIRLINE DEREGULATION ACT; AND 19
783721
784- (II) THE SALE OF PERSONAL DATA; OR
722+ (13) PERSONAL DATA TO THE EXTENT IT IS COLLECTED FOR, 20
723+PROVIDED TO, OR USED BY BY OR ON BEHALF OF A PERSON REGULATED U NDER THE 21
724+INSURANCE ARTICLE OR AN AFFILIA TE OF SUCH A PERSON , IN FURTHERANCE OF 22
725+THE BUSINESS OF INSU RANCE. 23
785726
786- (III) PROFILING IN FURTHERA NCE OF SOLELY AUTOMA TED
787-DECISIONS THAT PRODU CE LEGAL OR SIMILARL Y SIGNIFICANT EFFECT S
788-CONCERNING THE CONSU MER.
727+ (C) CONTROLLERS AND PROCE SSORS THAT COMPLY WITH THE VERIFIABLE 24
728+PARENTAL CONSENT REQ UIREMENTS OF COPPA SHALL BE CONSIDERED 25
729+COMPLIANT WITH AN OB LIGATION TO OBTAIN P ARENTAL CONSENT IN A CCORDANCE 26
730+WITH THIS SUBTITLE W ITH RESPECT TO A CON SUMER WHO IS A CHILD . 27
789731
790- (C) (1) A CONTROLLER SHALL EST ABLISH A SECURE AND RELIABLE
791-METHOD FOR A CONSUME R TO EXERCISE A CONS UMER RIGHT UNDER THI S SECTION.
732+14–4604. 28
792733
793- (2) A CONSUMER MAY EXERCIS E A CONSUMER RIGHT U NDER THIS
794-SECTION BY THE METHO D ESTABLISHED BY THE CONTROLLER UNDER PAR AGRAPH
795-(1) OF THIS SUBSECTION .
734+ A PERSON MAY NOT : 29
796735
797- (D) (1) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT IN
798-ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF TH E PROCESSING
799-OF THE CONSUMER ’S PERSONAL DATA UNDE R SUBSECTION (B)(7) OF THIS SECTION
800-ON BEHALF OF A CONSU MER.
736+ (1) PROVIDE AN EMPLOYEE O R A CONTRACTOR ACCES S TO 30
737+CONSUMER HEALTH DATA UNLESS THE: 31
738+ SENATE BILL 541 17
801739
802- (2) A PARENT OR LEGAL GUAR DIAN OF A CHILD MAY EXERCISE A
803-CONSUMER RIGHT LISTE D IN SUBSECTION (B) OF THIS SECTION ON T HE CHILD’S
804-BEHALF REGARDING THE PROCESSING OF PERSON AL DATA.
805740
806- (3) A GUARDIAN OR CONSERVA TOR OF A CONSUMER SU BJECT TO A
807-GUARDIANSHIP , CONSERVATORSHIP , OR OTHER PROTECTIVE ARRANGEMENT MAY
808-EXERCISE A CONSUMER RIGHT LISTED IN SUBS ECTION (B) OF THIS SECTION ON T HE
809-CONSUMER ’S BEHALF REGARDING T HE PROCESSING OF PER SONAL DATA.
741+ (I) THE EMPLOYEE OR CONTRACT OR IS SUBJECT TO A 1
742+CONTRACTUAL OR STATU TORY DUTY OF CONFIDE NTIALITY; OR 2
810743
811- (E) (1) EXCEPT AS OTHERWISE P ROVIDED IN THIS SUBT ITLE, A
812-CONTROLLER SHALL COM PLY WITH A REQUEST B Y A CONSUMER TO EXER CISE A
813-CONSUMER RIGHT LISTE D IN THIS SECTION.
744+ (II) CONFIDENTIALITY IS RE QUIRED AS A CONDITIO N OF 3
745+EMPLOYMENT OF THE EMPLOYEE ; 4
814746
815- (2) (I) A CONTROLLER SHALL RESPOND TO A CONSUME R REQUEST
816-NOT LATER THAN 45 DAYS AFTER THE CONTR OLLER RECEIVES THE C ONSUMER
817-REQUEST.
747+ (2) PROVIDE A PROCESSOR A CCESS TO CONSUMER HE ALTH DATA 5
748+UNLESS THE PERSON PR OVIDING ACCESS TO TH E CONSUMER HEALTH DA TA AND 6
749+THE PROCESSOR COMPLY WITH § 14–4607 14–4608 OF THIS SUBTITLE; OR 7
818750
819- (II) A CONTROLLER MAY EXTEN D THE COMPLETION PER IOD BY
820-AN ADDITIONAL 45 DAYS IF:
821- WES MOORE, Governor Ch. 455
751+ (3) USE A GEOFENCE : 8
822752
823-– 19 –
824- 1. IT IS REASONABLY NECE SSARY TO COMPLETE TH E
825-REQUEST BASED ON THE COMPLEXITY AND N UMBER OF THE CONSUME R’S
826-REQUESTS; AND
753+ (I) TO IDENTIFY, TRACK, COLLECT DATA FROM , OR SEND A 9
754+NOTIFICATION TO A CO NSUMER REGARDING THE CONSUMER ’S CONSUMER HEALTH 10
755+DATA; AND 11
827756
828- 2. THE CONTROLLER INFORM S THE CONSUMER OF TH E
829-EXTENSION AND THE RE ASON FOR THE EXTENSI ON WITHIN THE INITIA L 45–DAY
830-RESPONSE PERIOD .
757+ (II) WITHIN 1,750 FEET OF A MENTAL HEA LTH FACILITY OR 12
758+REPRODUCTIVE OR SEXU AL HEALTH FACILITY ; OR 13
831759
832- (III) A CONTROLLER SHALL NOT IFY THE CONSUMER WIT HIN 30
833-DAYS AFTER COMPLYING WITH THE CONSUMER ’S REQUEST THAT THE C ONTROLLER
834-HAS COMPLIED WITH TH E CONSUMER ’S REQUEST.
760+ (4) SELL OR OFFER TO SELL CONSUMER HEALTH DAT A WITHOUT THE 14
761+CONSENT OF THE CONSU MER WHOSE HEALTH DAT A IS TO BE SOLD OR O FFERED TO 15
762+BE SOLD TO ESTABLISH A VIRTU AL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY 16
763+MENTAL HEALTH FACILI TY OR REPRODUCTIVE O R SEXUAL HEALTH FACI LITY FOR 17
764+THE PURPOSE OF IDENT IFYING, TRACKING, OR COLLECTING DATA F ROM, OR 18
765+SENDING ANY NOTIFICA TION TO A CONSUMER R EGARDING THE CONSUME R’S 19
766+CONSUMER HEALTH DATA . 20
835767
836- (3) IF A CONTROLLER DECLI NES TO ACT REGARDING A CONSUMER ’S
837-REQUEST, THE CONTROLLER SHALL :
768+14–4605. 21
838769
839- (I) INFORM THE CONSUMER W ITHOUT UNDUE DELAY , BUT NOT
840-LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST , OF THE JUSTIFICATION FOR
841-DECLINING TO ACT ; AND
770+ (A) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO REQUIRE A 22
771+CONTROLLER TO REVEAL A TRADE SECRET . 23
842772
843- (II) PROVIDE INSTRUCTIONS FOR HOW TO APPEAL TH E
844-DECISION.
773+ (B) A CONSUMER SHALL HAVE THE RIGHT TO: 24
845774
846- (4) (I) A CONTROLLER SHALL PRO VIDE INFORMATION TO A
847-CONSUMER IN RESPONSE TO A CONSUMER ’S REQUEST TO EXERCISE RI GHTS UNDER
848-THIS SUBTITLE FREE O F CHARGE ONCE DURING ANY 12–MONTH PERIOD .
775+ (1) CONFIRM WHETHER A CON TROLLER IS PROCESSIN G THE 25
776+CONSUMER ’S PERSONAL DATA , UNLESS THAT CONFIRMA TION WOULD REQUIRE T HE 26
777+DISCLOSURE OF A TRAD E SECRET; 27
849778
850- (II) IF REQUESTS FROM A CO NSUMER ARE MANIFESTL Y
851-UNFOUNDED , EXCESSIVE, TECHNICALLY INFEASIB LE, OR REPETITIVE , A
852-CONTROLLER MAY :
779+ (2) IF A CONTROLLER IS PR OCESSING A CONSUMER ’S PERSONAL 28
780+DATA, ACCESS THE CONSUMER ’S PERSONAL DATA UNLESS THAT ACCESS W OULD 29
781+REQUIRE THE DISCLOSU RE OF A TRADE SECRET ; 30
782+ 18 SENATE BILL 541
853783
854- 1. CHARGE THE CONSUMER A REASONABLE FEE TO
855-COVER THE ADMINISTRA TIVE COSTS OF COMPLY ING WITH THE REQUEST ; OR
856784
857- 2. DECLINE TO ACT ON THE REQUEST.
785+ (3) CONSIDERING THE NATUR E OF THE CONSUMER ’S PERSONAL 1
786+DATA AND THE PURPOSE S OF THE PROCESSING OF THE PERSONAL DATA , CORRECT 2
787+INACCURACIES IN THE CONSUMER ’S PERSONAL DATA ; 3
858788
859- (III) THE CONTROLLER HAS TH E BURDEN OF DEMONSTR ATING
860-THE MANIFESTLY UNFOU NDED, EXCESSIVE, TECHNICALLY INFEASIB LE, OR
861-REPETITIVE NATU RE OF THE REQUEST .
789+ (4) REQUIRE A CONTROLLER TO DELETE PERSONAL D ATA PROVIDED 4
790+BY, OR OBTAINED ABOUT , THE CONSUMER UNLESS RETENTION OF THE PERSONAL 5
791+DATA IS REQUIRED BY LAW; 6
862792
863- (5) IF A CONTROLLER IS UN ABLE TO AUTHENTICATE A REQUEST TO
864-EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5)
865-OF THIS SECTION USIN G COMMERCIALLY REASO NABLE EFFORTS , THE
866-CONTROLLER :
867- Ch. 455 2024 LAWS OF MARYLAND
793+ (5) IF THE PROCESSING OF PERSONAL DATA IS DON E BY AUTOMATIC 7
794+MEANS, OBTAIN A COPY OF THE CONSUMER ’S PERSONAL DATA PROCESSE D BY THE 8
795+CONTROLLER IN A PORT ABLE AND, TO THE EXTENT TECHNI CALLY FEASIBLE , 9
796+READILY USABLE FORMA T THAT ALLOWS THE CO NSUMER TO EASILY TRA NSMIT THE 10
797+DATA TO ANOTHER CONT ROLLER WITHOUT HINDR ANCE; 11
868798
869-– 20 –
870- (I) MAY NOT BE REQUIRED T O COMPLY WITH A REQUEST TO
871-INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION; AND
799+ (6) OBTAIN A LIST OF THE CATEGORIES OF THI RD PARTIES TO WHICH 12
800+THE CONTROLLER HAS D ISCLOSED THE CONSUME R’S PERSONAL DATA OR A LIST OF 13
801+THE CATEGORIES OF TH IRD PARTIES TO WHICH THE CONTROLLER HAS D ISCLOSED 14
802+ANY CONSUMER ’S PERSONAL DATA IF T HE CONTROLLER DOES N OT MAINTAIN THIS 15
803+INFORMATION IN A FOR MAT SPECIFIC TO THE CONSU MER; AND 16
872804
873- (II) SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE
874-CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGHT
875-UNTIL THE CONSUMER P ROVIDES ADDITIONAL I NFORMATION REASONABLY
876-NECESSARY TO AUTHENT ICATE THE CONSUMER A ND THE CONSUMER ’S REQUEST TO
877-EXERCISE THE CONSUME R’S RIGHTS.
805+ (7) OPT OUT OF THE PROCES SING OF PERSONAL DAT A FOR PURPOSES 17
806+OF: 18
878807
879- (6) A CONTROLLER MAY NOT B E REQUIRED TO AUTHEN TICATE AN
880-OPT–OUT REQUEST .
808+ (I) TARGETED ADVERTISING ; 19
881809
882- (7) A CONTROLLER THAT HAS OBTAINED PERSONAL DA TA ABOUT A
883-CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SH ALL BE CONSIDERED
884-COMPLIANT WITH THE C ONSUMER’S REQUEST TO DELETE THE CONSUMER ’S DATA IN
885-ACCORDANCE WITH SUBS ECTION (B)(4) OF THIS SECTION BY R ETAINING A RECORD
886-OF THE DELETION REQU EST AND THE MINIMUM DATA NECESSARY FOR THE
887-PURPOSE OF ENSURING THAT THE CONSUMER ’S PERSONAL DATA :
810+ (II) THE SALE OF PERSONAL DATA; OR 20
888811
889- (I) REMAINS DELETED FROM THE CONTROLLER ’S RECORDS;
890-AND
812+ (III) PROFILING IN FURTHERA NCE OF SOLELY AUTOMA TED 21
813+DECISIONS THAT PRODU CE LEGAL OR SIMILARLY SIGNIFICAN T EFFECTS 22
814+CONCERNING THE CONSU MER. 23
891815
892- (II) IS NOT BEING USED FOR ANY OTHER PURPOSE .
816+ (C) (1) A CONTROLLER SHALL EST ABLISH A SECURE AND RELIABLE 24
817+METHOD FOR A CONSUME R TO EXERCISE A CONS UMER RIGHT UNDER THI S SECTION. 25
893818
894- (F) (1) A CONTROLLER SHALL EST ABLISH A PROCESS FOR A CONSUMER
895-TO APPEAL THE CONTROLLER ’S REFUSAL TO ACT ON A CONSUMER RIGHTS RE QUEST
896-WITHIN A REASONABLE PERIOD AFTER THE CON SUMER RECEIVES THE D ECISION.
819+ (2) A CONSUMER MAY EXERCIS E A CONSUMER RIGHT U NDER THIS 26
820+SECTION BY THE METHOD ESTABLISH ED BY THE CONTROLLER UNDER PARAGRAPH 27
821+(1) OF THIS SUBSECTION . 28
897822
898- (2) THE APPEAL PROCESS SH ALL BE:
823+ (D) (1) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT IN 29
824+ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCE SSING 30
825+OF THE CONSUMER ’S PERSONAL DATA UNDE R SUBSECTION (B)(7) OF THIS SECTION 31
826+ON BEHALF OF A CONSU MER. 32
827+ SENATE BILL 541 19
899828
900- (I) CONSPICUOUSLY AVAILAB LE; AND
901829
902- (II) SIMILAR TO THE PROCES S FOR SUBMITTING REQ UESTS TO
903-INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION.
830+ (2) A PARENT OR LEGAL GUAR DIAN OF A CHILD MAY EXERCISE A 1
831+CONSUMER RIGHT LISTE D IN SUBSECTION (B) OF THIS SECTION ON T HE CHILD’S 2
832+BEHALF REGARDING THE PROCESSING OF PERSON AL DATA. 3
904833
905- (3) NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A
906-CONTROLLER SHALL INF ORM THE CONSUMER IN WRITING OF ANY ACTIO N TAKEN OR
907-NOT TAKEN IN RESPONS E TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF
908-THE REASONS FOR THE DECISIONS.
834+ (3) A GUARDIAN OR CONSERVATOR OF A CONSUMER SUBJECT T O A 4
835+GUARDIANSHIP , CONSERVATORSHIP , OR OTHER PROTECTIVE ARRANGEMENT MAY 5
836+EXERCISE A CONSUMER RIGHT LISTED IN SUBS ECTION (B) OF THIS SECTION ON T HE 6
837+CONSUMER ’S BEHALF REGARDING T HE PROCESSING OF PER SONAL DATA. 7
909838
910- (4) IF A CONTROLLER DENIE S AN APPEAL, THE CONTROLLER SHALL
911-PROVIDE THE CONSUMER WITH AN ONLINE MECHA NISM, IF AVAILABLE, THROUGH
912-WHICH THE CONSUMER M AY CONTACT THE DIVISION TO SUBMIT A COMPLAINT. WES MOORE, Governor Ch. 455
839+ (E) (1) EXCEPT AS OTHERWISE P ROVIDED IN THIS SUBT ITLE, A 8
840+CONTROLLER SHALL COM PLY WITH A REQUEST B Y A CONSUMER TO EXER CISE A 9
841+CONSUMER RIGHT LISTE D IN THIS SECTION. 10
913842
914-– 21 –
843+ (2) (I) A CONTROLLER SHALL RES POND TO A CONSUMER R EQUEST 11
844+NOT LATER THAN 45 DAYS AFTER THE CONTR OLLER RECEIVES THE CONS UMER 12
845+REQUEST. 13
915846
916-14–4606.
847+ (II) A CONTROLLER MAY EXTEN D THE COMPLETION PER IOD BY 14
848+AN ADDITIONAL 45 DAYS IF: 15
917849
918- (A) (1) A CONSUMER MAY DESIGNATE AN INDIVIDUAL TO SERVE AS THE
919-CONSUMER ’S AUTHORIZED AGENT A ND ACT ON THE CONSUM ER’S BEHALF TO OPT
920-OUT OF THE PROCESSIN G OF THE CONSUMER ’S PERSONAL DATA FOR ONE OR MORE
921-OF THE PURPOSES SPEC IFIED IN § 14–4605(B)(7) OF THIS SUBTITLE.
850+ 1. IT IS REASONABLY NECE SSARY TO COMPLETE TH E 16
851+REQUEST BASED ON THE COMPLEXITY AND NUMBE R OF THE CONSUMER ’S 17
852+REQUESTS; AND 18
922853
923- (2) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT BY AN
924-INTERNET LINK OR A BR OWSER SETTING , BROWSER EXTENSION , GLOBAL DEVICE
925-SETTING, OR OTHER SIMILAR TEC HNOLOGY, INDICATING A CONSUME R’S INTENT TO
926-OPT OUT OF THE PROCE SSING OF THE CONSUME R’S PERSONAL DATA .
854+ 2. THE CONTROLLER INFORMS T HE CONSUMER OF THE 19
855+EXTENSION AND THE RE ASON FOR THE EXTENSI ON WITHIN THE INITIA L 45–DAY 20
856+RESPONSE PERIOD . 21
927857
928- (B) A CONTROLLER SHALL COM PLY WITH AN OPT–OUT REQUEST RECEIVED
929-FROM AN AUTHORIZED A GENT IF, USING COMMERCIALLY R EASONABLE EFFORTS ,
930-THE CONTROLLER IS AB LE TO AUTHENTICATE :
858+ (III) A CONTROLLER SHALL NOT IFY THE CONSUMER WIT HIN 30 22
859+DAYS AFTER COMPLYING WITH THE CONSUMER ’S REQUEST THAT THE C ONTROLLER 23
860+HAS COMPLIED WITH THE CO NSUMER’S REQUEST. 24
931861
932- (1) THE IDENTITY OF THE C ONSUMER; AND
862+ (3) IF A CONTROLLER DECLI NES TO ACT REGARDING A CONSUMER ’S 25
863+REQUEST, THE CONTROLLER SHALL : 26
933864
934- (2) THE AUTHORIZED AGENT ’S AUTHORITY TO ACT ON THE
935-CONSUMER ’S BEHALF.
865+ (I) INFORM THE CONSUMER W ITHOUT UNDUE DELAY , BUT NOT 27
866+LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST , OF THE JUSTIFICATIO N FOR 28
867+DECLINING TO ACT ; AND 29
936868
937-14–4607.
869+ (II) PROVIDE INSTRUCTIONS FOR HOW TO APPEAL TH E 30
870+DECISION. 31
871+ 20 SENATE BILL 541
938872
939- (A) A CONTROLLER MAY NOT :
940873
941- (1) COLLECT PERSONAL DATA FOR THE SOLE PURPOSE OF CONTENT
942-PERSONALIZATION OR M ARKETING WITHOUT THE CONSENT OF THE CONSU MER
943-WHOSE PERSONAL DATA IS COLLECTED;
874+ (4) (I) A CONTROLLER SHALL PRO VIDE INFORMATION TO A 1
875+CONSUMER IN RESPONSE TO A CONSUMER ’S REQUEST TO EXERCIS E RIGHTS UNDER 2
876+THIS SUBTITLE FREE O F CHARGE ONCE DURING ANY 12–MONTH PERIOD . 3
944877
945- (2) (1) EXCEPT WHERE THE COLL ECTION OR PROCESSING IS
946-STRICTLY NECESSARY T O PROVIDE OR MAINTAI N A SPECIFIC PRODUCT OR SERVICE
947-REQUESTED BY THE CON SUMER TO WHOM THE PE RSONAL DATA PERTAINS AND
948-UNLESS THE CONTROLLE R OBTAINS THE CONSUM ER’S CONSENT , COLLECT,
949-PROCESS, OR SHARE SENSITIVE DATA CONCERNING A CONSUME R;
878+ (II) IF REQUESTS FROM A CO NSUMER ARE MANIFESTL Y 4
879+UNFOUNDED , EXCESSIVE, TECHNICALLY INFEASIB LE, OR REPETITIVE , A 5
880+CONTROLLER MAY : 6
950881
951- (3) (2) SELL SENSITIVE DATA ;
882+ 1. CHARGE THE CONSUMER A REASONABLE FEE TO 7
883+COVER THE ADMINISTRA TIVE COSTS OF COMPLY ING WITH THE REQUEST; OR 8
952884
953- (4) (3) PROCESS PERSONAL DATA IN VIOLATION OF STATE OR
954-FEDERAL LAWS THAT PR OHIBIT UNLAWFUL DISC RIMINATION;
885+ 2. DECLINE TO ACT ON THE REQUEST. 9
955886
956- (5) (4) PROCESS THE PERSONAL DATA OF A CONSUMER F OR THE
957-PURPOSES OF TARGETED ADVERTISING IF THE C ONTROLLER KNEW OR SH OULD Ch. 455 2024 LAWS OF MARYLAND
887+ (III) THE CONTROLLER HAS TH E BURDEN OF DEMONSTR ATING 10
888+THE MANIFESTLY UNFOU NDED, EXCESSIVE, TECHNICALLY INFEASIB LE, OR 11
889+REPETITIVE NATURE OF THE REQUEST . 12
958890
959-– 22 –
960-HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE
961-OF 18 YEARS;
891+ (5) IF A CONTROLLER IS UN ABLE TO AUTHENTICATE A REQUEST TO 13
892+EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) 14
893+OF THIS SECTION USIN G COMMERCIALLY REASO NABLE EFFORTS , THE 15
894+CONTROLLER : 16
962895
963- (6) (5) SELL THE PERSONAL DAT A OF A CONSUMER WITHOUT THE
964-CONSUMER ’S CONSENT IF THE CONTROLLER KN EW OR SHOULD HAVE KN OWN THAT
965-THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS;
896+ (I) MAY NOT BE REQUIRED T O COMPLY WITH A REQU EST TO 17
897+INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION; AND 18
966898
967- (7) (6) DISCRIMINATE AGAINST A CONSUMER FOR EXERC ISING A
968-CONSUMER RIGHT CONTA INED IN THIS SUBTITL E, INCLUDING DEN YING GOODS OR
969-SERVICES, CHARGING DIFFERENT P RICES OR RATES FOR G OODS OR SERVICES , OR
970-PROVIDING A DIFFEREN T LEVEL OF QUALITY O F GOODS OR SERVICES TO THE
971-CONSUMER ;
899+ (II) SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE 19
900+CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGHT 20
901+UNTIL THE CONSUMER P ROVIDES ADDITIONAL I NFORMATION REASONABL Y 21
902+NECESSARY TO AUTHENT ICATE THE CONSUMER A ND THE CONSUMER ’S REQUEST TO 22
903+EXERCISE THE CONSUME R’S RIGHTS. 23
972904
973- (8) (7) COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR
974-PUBLICLY AVAILABLE D ATA IN A MANNER THAT UNLAWFULLY DISC RIMINATES IN OR
975-OTHERWISE UNLAWFULLY MAKES UNAVAILABLE TH E EQUAL ENJOYMENT OF GOODS
976-OR SERVICES ON THE B ASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN , SEX,
977-SEXUAL ORIENTATION , GENDER IDENTITY , OR DISABILITY , UNLESS THE
978-COLLECTION, PROCESSING, OR TRANSFER OF PERSO NAL DATA IS FOR:
905+ (6) A CONTROLLER MAY NOT B E REQUIRED TO AUTHEN TICATE AN 24
906+OPT–OUT REQUEST . 25
979907
980- (I) THE CONTROLLER ’S SELF–TESTING TO PREVENT O R
981-MITIGATE UNLAWFUL DI SCRIMINATION ;
908+ (7) A CONTROLLER THAT HAS OBTAINED PERSONAL DA TA ABOUT A 26
909+CONSUMER FROM A SOUR CE OTHER THAN THE CO NSUMER SHALL BE CONS IDERED 27
910+COMPLIANT WITH THE CONSUMER ’S REQUEST TO DELETE THE CONSUMER ’S DATA IN 28
911+ACCORDANCE WITH SUBS ECTION (B)(4) OF THIS SECTION BY R ETAINING A RECORD 29
912+OF THE DELETION REQU EST AND THE MINIMUM DATA NECESSARY FOR T HE 30
913+PURPOSE OF ENSURING THAT THE CONSUMER ’S PERSONAL DATA : 31
982914
983- (II) THE CONTROLLER ’S DIVERSIFYING OF AN APPLICANT,
984-PARTICIPANT, OR CUSTOMER POOL ; OR
915+ (I) REMAINS DELETED FROM THE CONTROLLER ’S RECORDS; 32
916+AND 33
917+ SENATE BILL 541 21
985918
986- (III) A PRIVATE CLUB OR GROU P NOT OPEN TO THE PUBL IC, AS
987-DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR
988919
989- (9) (8) UNLESS THE CONTROLLER OBTAINS THE CONSUMER ’S
990-CONSENT, PROCESS PERSONAL DAT A FOR A PURPOSE THAT IS NEITHER
991-REASONABLY NECESSARY TO, NOR COMPATIBLE WITH , THE DISCLOSED PURPOSES
992-FOR WHICH THE PERSON AL DATA IS PROCESSED , AS DISCLOSED TO THE CONSUMER .
920+ (II) IS NOT BEING USED FOR ANY OTHER PURPOSE . 1
993921
994- (B) (1) A CONTROLLER SHALL :
922+ (F) (1) A CONTROLLER SHALL EST ABLISH A PROCESS FOR A CONSUMER 2
923+TO APPEAL THE CONTRO LLER’S REFUSAL TO ACT ON A CONSUMER RIGHTS RE QUEST 3
924+WITHIN A REASONAB LE PERIOD AFTER THE CONSUMER RECEIVES TH E DECISION. 4
995925
996- (I) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS
997-REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A
998-SPECIFIC PRODU CT OR SERVICE REQUES TED BY THE CONSUMER TO WHOM THE
999-DATA PERTAINS ;
926+ (2) THE APPEAL PROCESS SH ALL BE: 5
1000927
1001- (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE
1002-ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO WES MOORE, Governor Ch. 455
928+ (I) CONSPICUOUSLY AVAILAB LE; AND 6
1003929
1004-– 23 –
1005-PROTECT THE CONFIDEN TIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL
1006-DATA APPROPRIATE TO THE VOLUME AND NATUR E OF THE PERSONAL DA TA AT
1007-ISSUE; AND
930+ (II) SIMILAR TO THE PROCES S FOR SUBMITTING REQ UESTS TO 7
931+INITIATE AN ACTION I N ACCORDANCE WITH TH IS SECTION. 8
1008932
1009- (III) PROVIDE AN EFFECTIVE MECHANISM FOR A CONS UMER TO
1010-REVOKE THE CONSUMER ’S CONSENT UNDER THIS SECTION THAT IS AT L EAST AS
1011-EASY AS THE MECHANIS M BY WHICH THE CONSU MER PROV IDED THE CONSUMER ’S
1012-CONSENT.
933+ (3) NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A 9
934+CONTROLLER SHALL INF ORM THE CONSUMER IN WRITING OF ANY ACTIO N TAKEN OR 10
935+NOT TAKEN IN RESPONS E TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF 11
936+THE REASONS FOR THE DECISIONS. 12
1013937
1014- (2) IF A CONSUMER REVOKES CONSENT UNDER THIS S ECTION, THE
1015-CONTROLLER SHALL STO P PROCESSING THE CON SUMER’S PERSONAL DATA AS S OON
1016-AS PRACTICABLE , BUT NOT LATER THAN 15 30 DAYS AFTER RECEIVING THE
1017-REQUEST.
938+ (4) IF A CONTROLLER DENIE S AN APPEAL, THE CONTROLLER SHALL 13
939+PROVIDE THE CONSUMER WITH AN ONLINE MECHA NISM, IF AVAILABLE, THROUGH 14
940+WHICH THE CONSUMER M AY CONTACT THE DIVISION TO SUBMIT A COMPLAINT. 15
1018941
1019- (C) NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE
1020-CONSTRUED TO :
942+14–4606. 16
1021943
1022- (1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE
1023-THAT REQUIRES THE PE RSONAL DATA OF A CON SUMER THAT THE CONTR OLLER
1024-DOES NOT COLLECT OR MAINTAIN; OR
944+ (A) (1) A CONSUMER MAY DESIGNA TE AN INDIVIDUAL TO SERVE AS THE 17
945+CONSUMER ’S AUTHORIZED A GENT AND ACT ON THE CONSUMER’S BEHALF TO OPT 18
946+OUT OF THE PROCESSIN G OF THE CONSUMER ’S PERSONAL DATA FOR ONE OR MORE 19
947+OF THE PURPOSES SPEC IFIED IN § 14–4605(B)(7) OF THIS SUBTITLE. 20
1025948
1026- (2) PROHIBIT A CONTROLLER FROM OFFE RING A DIFFERENT PRI CE,
1027-RATE, LEVEL, QUALITY, OR SELECTION OF GOOD S OR SERVICES TO A C ONSUMER,
1028-INCLUDING OFFERING G OODS OR SERVICES FOR NO FEE, IF THE OFFERING IS I N
1029-CONNECTION WITH A CO NSUMER’S VOLUNTARY PARTICIP ATION IN A BONA FIDE
1030-LOYALTY, REWARDS, PREMIUM FEATURES , DISCOUNTS, OR CLUB CARD PROGRAM ,
1031-PROVIDED THAT THE SE LLING OF PERSONAL DA TA IS NOT A CONDITIO N OF
1032-PARTICIPATION IN THE PROGRAM.
949+ (2) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGE NT BY AN 21
950+INTERNET LINK OR A B ROWSER SETTING , BROWSER EXTENSION , GLOBAL DEVICE 22
951+SETTING, OR OTHER SIMILAR TEC HNOLOGY, INDICATING A CONSUME R’S INTENT TO 23
952+OPT OUT OF THE PROCE SSING OF THE CONSUME R’S PERSONAL DATA . 24
1033953
1034- (D) A CONTROLLER SHALL PRO VIDE A CONSUMER WITH A REASONABLY
1035-ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVA CY NOTICE THA T INCLUDES:
954+ (B) A CONTROLLER SHALL COM PLY WITH AN OPT–OUT REQUEST RECEIVED 25
955+FROM AN AUT HORIZED AGENT IF , USING COMMERCIALLY R EASONABLE EFFORTS , 26
956+THE CONTROLLER IS AB LE TO AUTHENTICATE : 27
1036957
1037- (1) THE CATEGORIES OF PER SONAL DATA PROCESSED BY THE
1038-CONTROLLER , INCLUDING SENSITIVE DATA;
958+ (1) THE IDENTITY OF THE C ONSUMER; AND 28
1039959
1040- (2) THE CONTROLLER ’S PURPOSE FOR PROCES SING PERSONAL DATA ;
960+ (2) THE AUTHORIZED AGENT ’S AUTHORITY TO ACT O N THE 29
961+CONSUMER ’S BEHALF. 30
1041962
1042- (3) HOW A CONSUMER MAY EX ERCISE THE CONSUMER ’S RIGHTS
1043-UNDER THIS SUBTITLE , INCLUDING HOW A CONSUMER MAY A PPEAL A
1044-CONTROLLER ’S DECISION REGARDING THE CONSUMER ’S REQUEST OR MAY REV OKE
1045-CONSENT;
963+14–4607. 31 22 SENATE BILL 541
1046964
1047- (4) THE CATEGORIES OF THI RD PARTIES WITH WHIC H THE
1048-CONTROLLER SHARES PE RSONAL DATA WITH A L EVEL OF DETAIL THAT ENABLES A Ch. 455 2024 LAWS OF MARYLAND
1049965
1050-– 24 –
1051-CONSUMER TO UNDERSTA ND WHAT TYPE OF ENTITY EACH THIRD PARTY IS AND, TO
1052-THE EXTENT POSSIBLE , HOW EACH THIRD PARTY MAY PROCESS THE PERS ONAL
1053-DATA THE TYPE OF, BUSINESS MODEL OF , OR PROCESSING CONDUC TED BY EACH
1054-THIRD PARTY;
1055966
1056- (5) THE CATEGORIES OF PER SONAL DATA , INCLUDING SENSITIVE
1057-DATA, THAT THE CONTROLLER SHARES WITH THIRD PA RTIES; AND
967+ (A) A CONTROLLER MAY NOT : 1
1058968
1059- (6) AN ACTIVE E–MAIL ADDRESS OR OTHE R ONLINE MECHANISM
1060-THAT A CONSUMER MAY USE TO CONTACT THE C ONTROLLER .
969+ (1) COLLECT PERSONAL DATA FOR THE SOLE PURPOSE OF CONTENT 2
970+PERSONALIZATION OR M ARKETING WITHOUT THE CONSENT OF THE CONSU MER 3
971+WHOSE PERSONAL DATA IS COLLECTED; 4
1061972
1062- (E) (1) IF A CONTROLLER SELLS PERSONAL DATA TO THI RD PARTIES OR
1063-PROCESSES PERSONAL D ATA FOR TARGETED ADV ERTISING OR FOR THE PURPOSES
1064-OF PROFILING THE CON SUMER IN FURTHERANCE OF DECISIONS THAT PR ODUCE
1065-LEGAL OR SIMILARLY S IGNIFICANT EFFECTS , THE CONTROLLER SHALL CLEARLY
1066-AND CONSPICUOUSLY DI SCLOSE THE SALE OR PROCESSING, AS WELL AS THE
1067-MANNER IN WHICH A CO NSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE
1068-SALE OR PROCESSING.
973+ (2) (1) EXCEPT WHERE THE COLL ECTION OR PROCESSING IS 5
974+STRICTLY NECESSARY T O PROVIDE OR MAINTAI N A SPECIFIC PRODUCT OR SER VICE 6
975+REQUESTED BY THE CON SUMER TO WHOM THE PE RSONAL DATA PERTAINS AND 7
976+UNLESS THE CONTROLLE R OBTAINS THE CONSUM ER’S CONSENT , COLLECT, 8
977+PROCESS, OR SHARE SENSITIVE D ATA CONCERNING A CON SUMER; 9
1069978
1070- (2) THE DISCLOSURE REQUIR ED UNDER PARAGRAPH (1) OF THIS
1071-SUBSECTION SHALL BE PROMINENTLY DISPLA YED, AND USE CLEAR , EASY TO
1072-UNDERSTAND , AND UNAMBIGUOUS LANG UAGE, TO STATE WHETHER THE
1073-CONSUMER’S INFORMATION WILL B E SOLD OR SHARED WIT H A THIRD PARTY.
979+ (3) (2) SELL SENSITIVE DATA ; 10
1074980
1075- (F) (1) THE PRIVACY NOTICE UN DER SUBSECTION (D) OF THIS SECTION
1076-SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A
1077-CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN
1078-ACCORDANCE WITH THIS SUBTITLE THAT TAKE I NTO ACCOUNT :
981+ (4) (3) PROCESS PERSONAL DATA IN VIOLATION OF STATE OR 11
982+FEDERAL LAWS THAT PR OHIBIT UNLAWFUL DISC RIMINATION; 12
1079983
1080- (I) THE WAYS IN WHICH CON SUMERS NORMALLY INTE RACT
1081-WITH THE CONTROLLER ;
984+ (5) (4) PROCESS THE PERSONAL DATA OF A CONSUMER F OR THE 13
985+PURPOSES OF TARGETED ADVERTISING IF THE C ONTROLLER KNEW OR SH OULD 14
986+HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE 15
987+OF 18 YEARS; 16
1082988
1083- (II) THE NEED FOR SECURE A ND RELIABLE COMMUNICATION
1084-OF CONSUMER REQUESTS ; AND
989+ (6) (5) SELL THE PERSONAL DAT A OF A CONSUMER WITHOUT THE 17
990+CONSUMER ’S CONSENT IF THE CONTROLLER KN EW OR SHOULD HAVE KN OWN THAT 18
991+THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS; 19
1085992
1086- (III) THE ABILITY OF THE CO NTROLLER TO VERIFY T HE
1087-IDENTITY OF A CONSUM ER MAKING THE REQUES T.
993+ (7) (6) DISCRIMINATE AGAINST A CONSUMER FOR EXERC ISING A 20
994+CONSUMER RIGHT CONTA INED IN THIS SUBTITL E, INCLUDING DENYING GO ODS OR 21
995+SERVICES, CHARGING DIFFERENT P RICES OR RATES FOR G OODS OR SERVICES , OR 22
996+PROVIDING A DIFFEREN T LEVEL OF QUALITY O F GOODS OR SERVICES TO THE 23
997+CONSUMER ; 24
1088998
1089- (2) (I) A CONTROLLER MAY NOT R EQUIRE A CONSUMER TO
1090-CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT .
999+ (8) (7) COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR 25
1000+PUBLICLY AVAILABLE D ATA IN A MANNER THAT UNLAWFULLY DISCRIMIN ATES IN OR 26
1001+OTHERWISE UNLAWFULLY MAKES UNAVAILABLE TH E EQUAL ENJOYMENT OF GOODS 27
1002+OR SERVICES ON THE B ASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN , SEX, 28
1003+SEXUAL ORIENTATION , GENDER IDENTITY , OR DISABILITY , UNLESS THE 29
1004+COLLECTION, PROCESSING, OR TRANSFER OF PERSO NAL DATA IS FOR: 30
10911005
1092- (II) A CONTROLLER MAY REQUI RE A CONSUMER TO USE AN
1093-EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT. WES MOORE, Governor Ch. 455
1006+ (I) THE CONTROLLER ’S SELF–TESTING TO PREVENT O R 31
1007+MITIGATE UNLAWFUL DI SCRIMINATION ; 32
1008+ SENATE BILL 541 23
10941009
1095-– 25 –
10961010
1097- (3) A CONTROLLER MAY UTILI ZE THE FOLLOWING MET HODS TO
1098-SATISFY PARAGRAPH (1) OF THIS SUBSECTION :
1011+ (II) THE CONTROLLER ’S DIVERSIFYING OF AN APPLICANT, 1
1012+PARTICIPANT, OR CUSTOMER POOL ; OR 2
10991013
1100- (I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE
1101-CONTROLLER’S WEBSITE TO A WEBPA GE THAT ALLOWS A CON SUMER, OR AN
1102-AUTHORIZED AGENT OF THE CONSUMER , TO OPT OUT OF THE TA RGETED
1103-ADVERTISING OR THE S ALE OF THE CONSUMER ’S PERSONAL DATA ; OR
1014+ (III) A PRIVATE CLUB OR GROU P NOT OPEN TO THE PU BLIC, AS 3
1015+DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR 4
11041016
1105- (II) ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER
1106-TO OPT OUT OF A NY PROCESSING OF THE CONSUMER ’S PERSONAL DATA FOR THE
1107-PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSO NAL DATA,
1108-THROUGH AN OPT –OUT PREFERENCE SIGNA L SENT, WITH THE CONSUMER ’S
1109-CONSENT, BY A PLATFORM , TECHNOLOGY , OR MECHANISM TO THE CONTROLLER
1110-INDICATING THE CONSUMER ’S INTENT TO OPT OUT OF THE PROCESSING OR SALE.
1017+ (9) (8) UNLESS THE CONTROLLER OBTAINS THE CONSUMER ’S 5
1018+CONSENT, PROCESS PERSONAL DAT A FOR A PURPOSE THAT IS NEITHER 6
1019+REASONABLY NECESSARY TO, NOR COMPATIBLE WITH , THE DISCLOSED PURPOS ES 7
1020+FOR WHICH THE PERSON AL DATA IS PROCESSED , AS DISCLOSED TO THE CONSUMER . 8
11111021
1112- (4) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN
1113-ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION S HALL:
1022+ (B) (1) A CONTROLLER SHALL : 9
11141023
1115- (I) BE CONSUMER –FRIENDLY AND EASY TO USE BY THE
1116-AVERAGE CONSUMER ;
1024+ (I) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS 10
1025+REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A 11
1026+SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE 12
1027+DATA PERTAINS ; 13
11171028
1118- (II) USE CLEAR, EASY TO UNDERSTAND , AND UNAMBIGUOUS
1119-LANGUAGE;
1029+ (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE 14
1030+ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO 15
1031+PROTECT THE CONFIDEN TIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL 16
1032+DATA APPROPRIATE TO THE VOLUME AND NATUR E OF THE PERSONAL DA TA AT 17
1033+ISSUE; AND 18
11201034
1121- (III) BE AS CONSISTENT AS P OSSIBLE WITH ANY OTH ER SIMILAR
1122-PLATFORM, TECHNOLOGY , OR MECHANISM REQUIRE D BY ANY FEDERAL OR STATE
1123-LAW OR REGULATION ;
1035+ (III) PROVIDE AN EFFECTIVE MECHANISM FOR A CONS UMER TO 19
1036+REVOKE THE CONSUMER ’S CONSENT UNDER THIS SECTION THAT IS AT L EAST AS 20
1037+EASY AS THE MECHANIS M BY WHICH THE CONSU MER PROVIDED THE CON SUMER’S 21
1038+CONSENT. 22
11241039
1125- (IV) ENABLE THE CONTROLLER TO REASONABLY DETERM INE
1126-WHETHER THE CONSUMER :
1040+ (2) IF A CONSUMER REVOKES CONSENT UNDER THIS S ECTION, THE 23
1041+CONTROLLER SHALL STO P PROCESSING THE CON SUMER’S PERSONAL DATA AS S OON 24
1042+AS PRACTICABLE , BUT NOT LATER THAN 15 30 DAYS AFTER RECEIVING THE 25
1043+REQUEST. 26
11271044
1128- 1. IS A RESIDENT OF THE STATE; AND
1045+ (C) NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE 27
1046+CONSTRUED TO : 28
11291047
1130- 2. HAS MADE A LEGITIMATE REQUEST TO OPT OUT O F
1131-ANY SALE OF THE CONS UMER’S PERSONAL DATA OR T ARGETED ADVERTISING ; AND
1048+ (1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE 29
1049+THAT REQUIRES THE PE RSONAL DATA OF A CON SUMER THAT THE CONTR OLLER 30
1050+DOES NOT COLLECT OR MAINTAIN; OR 31
11321051
1133- (V) REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE ,
1134-UNAMBIGUOUS , AND VOL UNTARY CHOICE IN ORD ER TO OPT OUT OF ANY
1135-PROCESSING OF THE CO NSUMER’S PERSONAL DATA .
1052+ (2) PROHIBIT A CONTROLLER FROM OFFERING A DIFF ERENT PRICE, 32
1053+RATE, LEVEL, QUALITY, OR SELECTION OF GOOD S OR SERVICES TO A C ONSUMER, 33
1054+INCLUDING OFFERING G OODS OR SERVICES FOR NO FEE, IF THE OFFERING IS I N 34 24 SENATE BILL 541
11361055
1137- (5) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN
1138-ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION M AY NOT:
1139- Ch. 455 2024 LAWS OF MARYLAND
11401056
1141-– 26 –
1142- (I) UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER ; OR
1057+CONNECTION WITH A CO NSUMER’S VOLUNTARY PARTICIP ATION IN A BONA FIDE 1
1058+LOYALTY, REWARDS, PREMIUM FEATURES , DISCOUNTS, OR CLUB CARD PROGRAM, 2
1059+PROVIDED THAT THE SE LLING OF PERSONAL DA TA IS NOT A CONDITIO N OF 3
1060+PARTICIPATION IN THE PROGRAM. 4
11431061
1144- (II) USE A DEFAULT SETTING TO OPT A CONSUMER OU T OF ANY
1145-PROCESSING OF THE CO NSUMER’S PERSONAL DATA .
1062+ (D) A CONTROLLER SHALL PRO VIDE A CONSUMER WITH A REASONABLY 5
1063+ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVA CY NOTICE THAT INCLU DES: 6
11461064
1147- (G) (1) IF A CONSUMER ’S DECISION TO OPT OU T OF THE PROCESSING OF
1148-THE CONSUMER ’S PERSONAL DATA FOR THE PURPOSES OF TARG ETED
1149-ADVERTISING, OR THE SALE OF PERSO NAL DATA THROUGH AN OP T–OUT
1150-PREFERENCE SIGNAL SE NT IN ACCORDANCE WIT H SUBSECTION (F)(3) OF THIS
1151-SECTION CONFLICTS WI TH THE CONSUMER ’S EXISTING CONTROLLE R–SPECIFIC
1152-PRIVACY SETTING OR T HE CONSUMER ’S VOLUNTARY PARTICIP ATION IN A
1153-CONTROLLER ’S BONA FIDE LOYALTY , REWARDS, PREMIUM FEATURES , DISCOUNTS,
1154-OR CLUB CARD PROGRAM , THE CONTROLLER MAY N OTIFY THE CONSUMER O F A
1155-CONFLICT AND PROVIDE THE CHOICE TO CONFIR M CONTROLLER –SPECIFIC
1156-PRIVACY SETTINGS OR PARTICIPATION IN A P ROGRAM LISTED IN THI S PARAGRAPH .
1065+ (1) THE CATEGORIES OF P ERSONAL DATA PROCESS ED BY THE 7
1066+CONTROLLER , INCLUDING SENSITIVE DATA; 8
11571067
1158- (2) A CONTROL LER THAT RECOGNIZES SIGNALS APPROVED BY
1159-OTHER STATES SHALL B E CONSIDERED IN COMP LIANCE WITH THIS SEC TION.
1068+ (2) THE CONTROLLER ’S PURPOSE FOR PROCES SING PERSONAL DATA ; 9
11601069
1161-14–4608.
1070+ (3) HOW A CONSUMER MAY EX ERCISE THE CONSUMER ’S RIGHTS 10
1071+UNDER THIS SUBTITLE , INCLUDING HOW A CONS UMER MAY APPEAL A 11
1072+CONTROLLER ’S DECISION REGARDING THE CONSUMER ’S REQUEST OR MAY REV OKE 12
1073+CONSENT; 13
11621074
1163- (A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE
1164-PERSONAL DATA OF CON SUMERS, THE CONTROLLER AND T HE PROCESSOR SHALL
1165-ENTER INTO A CONTRAC T THAT GOVERNS THE P ROCESSOR’S DATA PROCESSING
1166-PROCEDURES WITH RESP ECT TO PROCESSING PE RFORMED ON BEHALF OF THE
1167-CONTROLLE R.
1075+ (4) THE CATEGORIES OF THI RD PARTIES WITH WHIC H THE 14
1076+CONTROLLER SHARES PE RSONAL DATA WITH A L EVEL OF DETAIL THAT ENABLES A 15
1077+CONSUMER TO UNDERSTA ND WHAT TYPE OF ENTITY EACH THIRD PARTY IS AND, TO 16
1078+THE EXTENT POSSIBLE , HOW EACH THIRD PARTY MAY PROCESS THE PERS ONAL 17
1079+DATA THE TYPE OF, BUSINESS MODEL OF , OR PROCESSING CONDUC TED BY EACH 18
1080+THIRD PARTY; 19
11681081
1169- (2) THE CONTRACT SHALL BE BINDING AND SHALL CL EARLY SET
1170-FORTH INSTRUCTIONS FOR :
1082+ (5) THE CATEGORIES OF PER SONAL DATA , INCLUDING SENSITIVE 20
1083+DATA, THAT THE CONTROLLER SHARES WITH THIRD PARTIE S; AND 21
11711084
1172- (I) PROCESSING INSTRUCTIONS FOR PROC ESSING DATA;
1085+ (6) AN ACTIVE E–MAIL ADDRESS OR OTHE R ONLINE MECHANISM 22
1086+THAT A CONSUMER MAY USE TO CONTACT THE C ONTROLLER . 23
11731087
1174- (II) THE NATURE AND PURPOS E OF PROCESSING ;
1088+ (E) (1) IF A CONTROLLER SELLS PERSONAL DATA TO THI RD PARTIES OR 24
1089+PROCESSES PERSONAL D ATA FOR TARGETED ADV ERTISING OR FOR THE PURPOSES 25
1090+OF PROFILING THE CON SUMER IN FURTHERANCE OF DECISIONS THAT PR ODUCE 26
1091+LEGAL OR SIMILARLY S IGNIFICANT EFFECTS , THE CONTROLLER SHALL CLEARLY 27
1092+AND CONSPICUOUSLY DI SCLOSE THE SALE OR PROCESSING, AS WELL AS THE 28
1093+MANNER IN WHICH A CO NSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE 29
1094+SALE OR PROCESSING. 30
11751095
1176- (III) THE TYPE OF DATA SUBJ ECT TO PROCESSING ;
1096+ (2) THE DISCLOSURE REQUIR ED UNDER PARAGRAPH (1) OF THIS 31
1097+SUBSECTION SHALL BE PROMINENTLY DISPLA YED, AND USE CLEAR , EASY TO 32
1098+UNDERSTAND , AND UNAMBIGUOUS LANG UAGE, TO STATE WHETHER THE 33
1099+CONSUMER’S INFORMATION WILL B E SOLD OR SHARED WIT H A THIRD PARTY. 34
1100+ SENATE BILL 541 25
11771101
1178- (IV) THE DURATION OF PROCESSI NG; AND
11791102
1180- (V) THE RIGHTS AND OBLIGA TIONS OF BOTH PARTIE S.
1103+ (F) (1) THE PRIVACY NOTICE UN DER SUBSECTION (D) OF THIS SECTION 1
1104+SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A 2
1105+CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN 3
1106+ACCORDANCE WITH THIS SUBTITLE THAT TAKE I NTO ACCOUNT : 4
11811107
1182- (3) THE CONTRACT SHALL RE QUIRE THAT THE PROCE SSOR:
1183- WES MOORE, Governor Ch. 455
1108+ (I) THE WAYS IN WHICH CON SUMERS NORMALLY INTE RACT 5
1109+WITH THE CONTROLLER ; 6
11841110
1185-– 27 –
1186- (I) ENSURE THAT EACH PERS ON PROCESSING PERSON AL DATA
1187-IS SUBJECT TO A DUTY OF CONFIDENTIALITY W ITH RESPECT TO THE P ERSONAL
1188-DATA;
1111+ (II) THE NEED FOR SECURE A ND RELIABLE COMMUNICATI ON 7
1112+OF CONSUMER REQUESTS ; AND 8
11891113
1190- (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE
1191-ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO
1192-PROTECT THE CONFIDEN TIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL
1193-DATA, CONSIDERING THE VOLU ME AND NATURE OF THE PERSONAL DATA;
1114+ (III) THE ABILITY OF THE CO NTROLLER TO VERIFY T HE 9
1115+IDENTITY OF A CONSUM ER MAKING THE REQUES T. 10
11941116
1195- (III) STOP PROCESSING DATA ON REQUEST BY THE CO NTROLLER
1196-MADE IN ACCORDANCE W ITH A CONSUMER ’S AUTHENTICATED REQU EST;
1117+ (2) (I) A CONTROLLER MAY NOT R EQUIRE A CONSUMER TO 11
1118+CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIG HT. 12
11971119
1198- (IV) AT THE CONTROLLER ’S DIRECTION, DELETE OR RETURN
1199-ALL PERSONAL DATA TO THE CONTROLLER AS RE QUESTED AT THE END O F THE
1200-PROVISION OF SERVICE, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED
1201-BY LAW;
1120+ (II) A CONTROLLER MAY REQUI RE A CONSUMER TO USE AN 13
1121+EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT. 14
12021122
1203- (V) ON THE REASONABLE REQ UEST OF THE CONTROLL ER,
1204-MAKE AVAILABLE TO TH E CONTROLLER ALL INF ORMATION IN THE PROC ESSOR’S
1205-POSSESSION NECESSARY TO DEMONSTRATE THE P ROCESSOR’S COMPLIANCE WITH
1206-THE OBLIGATIONS IN T HIS SUBTITLE;
1123+ (3) A CONTROLLER MAY UTILI ZE THE FOLLOWING MET HODS TO 15
1124+SATISFY PARAGRAPH (1) OF THIS SUBSECTION : 16
12071125
1208- (VI) AFTER PROVIDING THE C ONTROLLER AN OPPORTU NITY TO
1209-OBJECT, ENGAGE A SUBCONTRACT OR TO ASSIST WITH PR OCESSING PERSONAL DA TA
1210-ON THE CONTROLLER ’S BEHALF ONLY IN ACC ORDANCE WITH A WRITT EN CONTRACT
1211-THAT REQUIRES THE SU BCONTRACTOR TO MEET THE PROCESSOR ’S OBLIGATION S
1212-REGARDING THE PERSON AL DATA UNDER THE PR OCESSOR’S CONTRACT WITH THE
1213-CONTROLLER ; AND
1126+ (I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE 17
1127+CONTROLLER ’S WEBSITE TO A WEBPA GE THAT ALLOWS A CON SUMER, OR AN 18
1128+AUTHORIZED AGENT OF THE CONSUMER , TO OPT OUT OF THE TA RGETED 19
1129+ADVERTISING OR THE S ALE OF THE CONSUMER ’S PERSONAL DATA ; OR 20
12141130
1215- (VII) ALLOW AND COOPERATE W ITH REASONABLE ASSES SMENTS
1216-BY THE CONTROLLER , THE CONTROLLER ’S DESIGNATED ASSESSO R, OR A QUALIFIED
1217-AND INDEPENDENT ASSE SSOR ARRANGED FOR BY THE PROCESSOR TO ASS ESS THE
1218-PROCESSOR’S POLICIES AND TECHN ICAL AND ORGANIZATIO NAL MEASURES IN
1219-SUPPORT OF THE OBLIG ATIONS UNDER THIS SU BTITLE.
1131+ (II) ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER 21
1132+TO OPT OUT OF ANY PROCESSING OF THE CONSUMER ’S PERSONAL DATA FOR THE 22
1133+PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSO NAL DATA, 23
1134+THROUGH AN OPT –OUT PREFERENCE SIGNA L SENT, WITH THE CONSUMER ’S 24
1135+CONSENT, BY A PLATFORM , TECHNOLOGY , OR MECHANISM TO THE CONTROLLER 25
1136+INDICATING THE CONSUME R’S INTENT TO OPT OUT OF THE PROCESSING OR SALE. 26
12201137
1221- (4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT
1222-OF AN ASSESSMENT REQ UIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE
1223-CONTROLLER .
1138+ (4) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN 27
1139+ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION S HALL: 28
12241140
1225- (II) AN ASSESSMENT CONDUCT ED IN ACCORDANCE WIT H
1226-PARAGRAPH (3)(V) OF THIS SUBSECTION S HALL BE CONDUCTED US ING AN
1227-APPROPRIATE AND ACCE PTED CONTROL STANDAR D OR FRAMEWORK AND
1228-ASSESSMENT PROCEDURE FOR THE ASSESSMENTS .
1229- Ch. 455 2024 LAWS OF MARYLAND
1141+ (I) BE CONSUMER –FRIENDLY AND EASY TO USE BY THE 29
1142+AVERAGE CONSUMER ; 30
12301143
1231-– 28 –
1232- (B) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE
1233-PERSONAL DATA OF CON SUMERS, THE CONTROLLER SHALL PROVIDE THE
1234-PROCESSOR WITH INSTR UCTIONS ON HOW TO PR OCESS PERSONAL DATA .
1144+ (II) USE CLEAR, EASY TO UNDERSTAND , AND UNAMBIGUOUS 31
1145+LANGUAGE; 32
1146+ 26 SENATE BILL 541
12351147
1236- (2) A PROCESSOR SHALL :
12371148
1238- (I) (1) ADHERE TO THE CONTRAC T AND INSTRUCTIONS O F A
1239-CONTROLLER ;
1149+ (III) BE AS CONSISTENT AS P OSSIBLE WITH ANY OTH ER SIMILAR 1
1150+PLATFORM, TECHNOLOGY , OR MECHANISM REQUIRE D BY ANY FEDERAL OR STATE 2
1151+LAW OR REGULATION ; 3
12401152
1241- (II) (2) ASSIST THE CONTROLLER IN MEETING THE
1242-CONTROLLER ’S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING, CONSIDERING
1243-THE NATURE OF PROCESSING AND THE I NFORMATION AVAILABLE TO THE
1244-PROCESSOR:
1153+ (IV) ENABLE THE CONTROLLER TO REASONABLY DETER MINE 4
1154+WHETHER THE CONSUMER : 5
12451155
1246- 1. (I) BY APPROPRIATE TECHNI CAL AND ORGANIZATIO NAL
1247-MEASURES AS MUCH AS REASONABLY PRACTICAB LE TO FULFILL THE
1248-CONTROLLER ’S OBLIGATION TO RESP OND TO CONSUMER RIGH TS REQUESTS ,
1249-CONSIDERING THE NATU RE OF PROCESSING AND THE INFORMATION AVAI LABLE TO
1250-THE PROCESSOR ; AND
1156+ 1. IS A RESIDENT OF THE STATE; AND 6
12511157
1252- 2. (II) BY ASSISTING THE CONT ROLLER IN MEETING THE
1253-CONTROLLER ’S OBLIGATIONS IN REL ATION TO THE SECURIT Y OF PROCESSING THE
1254-PERSONAL DATA AND IN RELATION TO THE NOTI FICATION OF A BREACH OF THE
1255-SECURITY OF A SYSTEM , AS DEFINED IN § 14–3504 OF THIS TITLE; AND
1158+ 2. HAS MADE A LEGITIMATE REQUEST TO OPT OUT O F 7
1159+ANY SALE OF THE CONS UMER’S PERSONAL DATA OR T ARGETED ADVERTISING ; AND 8
12561160
1257- (III) (3) PROVIDE NECESSARY INF ORMATION TO ENABLE TH E
1258-CONTROLLER TO CONDUC T AND DOCUMENT DATA PROTECTION ASSESSMEN TS.
1161+ (V) REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE , 9
1162+UNAMBIGUOUS , AND VOLUNTARY CHOICE IN ORDER TO OPT OUT OF ANY 10
1163+PROCESSING OF THE CO NSUMER’S PERSONAL DATA . 11
12591164
1260- (C) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO RELIEVE A
1261-CONTROLLER OR A PROC ESSOR FROM THE LIABI LITIES IMPOSED ON TH E
1262-CONTROLLER OR PROCES SOR BY VIRTUE OF THE CONTROLLER ’S OR PROCESSOR ’S
1263-ROLE IN THE PROCESSI NG RELATIONSHIP IN A CCORDANCE WITH THIS SECTION.
1165+ (5) A PLATFORM, TECHNOLOGY , OR MECHANISM USED IN 12
1166+ACCORDANCE WITH PARA GRAPH (3) OF THIS SUBSECTION M AY NOT: 13
12641167
1265- (D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A
1266-CONTROLLER OR A PROC ESSOR WITH RESPECT T O A SPECIFIC PROCESS ING OF DATA
1267-IS A FACT–BASED DETERMIN ATION THAT DEPENDS O N THE CONTEXT IN WHI CH
1268-PERSONAL DATA IS BEI NG PROCESSED .
1168+ (I) UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER ; OR 14
12691169
1270- (2) A PERSON IS CONSIDERED TO BE A CONTROLLER I F THE PERSON:
1170+ (II) USE A DEFAULT SETTING TO OPT A CONSUMER OU T OF ANY 15
1171+PROCESSING OF THE CO NSUMER’S PERSONAL DATA . 16
12711172
1272- (I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPEC IFIC
1273-PERSONAL DATA IN ACC ORDANCE WITH A CONTR OLLER’S INSTRUCTIONS ; OR
1274- WES MOORE, Governor Ch. 455
1173+ (G) (1) IF A CONSUMER ’S DECISION TO OPT OU T OF THE PROCESSING OF 17
1174+THE CONSUMER ’S PERSONAL DATA FOR THE PURPOSES OF TARG ETED 18
1175+ADVERTISING, OR THE SALE OF PER SONAL DATA THROUGH A N OPT–OUT 19
1176+PREFERENCE SIGNAL SE NT IN ACCORDANCE WIT H SUBSECTION (F)(3) OF THIS 20
1177+SECTION CONFLICTS WI TH THE CONSUMER ’S EXISTING CONTROLLE R–SPECIFIC 21
1178+PRIVACY SETTING OR T HE CONSUMER ’S VOLUNTARY PARTICIP ATION IN A 22
1179+CONTROLLER ’S BONA FIDE LOYAL TY, REWARDS, PREMIUM FEATURES , DISCOUNTS, 23
1180+OR CLUB CARD PROGRAM , THE CONTROLLER MAY N OTIFY THE CONSUMER O F A 24
1181+CONFLICT AND PROVIDE THE CHOICE TO CONFIR M CONTROLLER –SPECIFIC 25
1182+PRIVACY SETTINGS OR PARTICIPATION IN A P ROGRAM LISTED IN THI S PARAGRAPH . 26
12751183
1276-– 29 –
1277- (II) FAILS TO ADHERE TO A CONTROLLER ’S INSTRUCTIONS
1278-WITH RESPECT TO A SP ECIFIC PROCESSING OF PERSONAL DATA .
1184+ (2) A CONTROLLER THAT RECOGNI ZES SIGNALS APPROVED BY 27
1185+OTHER STATES SHALL B E CONSIDERED IN COMP LIANCE WITH THIS SEC TION. 28
12791186
1280- (3) A PROCESSOR THAT CONTI NUES TO ADHERE TO A CONTROLLER ’S
1281-INSTRUCTIONS WITH RE SPECT TO A SPECIFIC PROCESSING OF PERSON AL DATA
1282-REMAINS A PROCESSOR .
1187+14–4608. 29
12831188
1284- (4) IF A PROCESSOR OR THI RD PARTY BEGINS , ALONE OR JOINTLY
1285-WITH OTHERS , DETERMINING THE PURP OSES AND MEANS OF TH E PROCESSING OF
1286-PERSONAL DATA , THE PROCESSOR :
1189+ (A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE 30
1190+PERSONAL DATA OF CON SUMERS, THE CONTROLLER AND T HE PROCESSOR SHALL 31
1191+ENTER INTO A CONTRACT THAT GOVE RNS THE PROCESSOR ’S DATA PROCESSING 32 SENATE BILL 541 27
12871192
1288- (I) IS A CONTROLLER WITH RESPECT TO THE PROCE SSING; AND
12891193
1290- (II) MAY BE SUBJECT TO AN E NFORCEMENT ACTION UN DER
1291-THIS SUBTITLE.
1194+PROCEDURES WITH RESP ECT TO PROCESSING PE RFORMED ON BEHALF OF THE 1
1195+CONTROLLER . 2
12921196
1293- (E) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO ALTER A
1294-CONTROLLER ’S OBLIGATION TO LIMI T A PERSON’S PROCESSING OF PERS ONAL DATA
1295-OR TO TAKE STEPS TO ENSURE THAT A PROCES SOR ADHERES TO THE C ONTROLLER’S
1296-INSTRUCTIONS .
1197+ (2) THE CONTRACT SHALL BE BINDING AND SHALL CL EARLY SET 3
1198+FORTH INSTRUCTIONS FOR : 4
12971199
1298-14–4609.
1200+ (I) PROCESSING INSTRUCTIONS FOR PROCESSING DATA; 5
12991201
1300- (A) IF A THIRD PARTY USES OR SHARES A CONSUMER ’S INFORMATION IN A
1301-MANNER INCONSISTENT WITH PROMISES MADE T O THE CONSUMER AT TH E TIME OF
1302-COLLECTION OF THE IN FORMATION, THE THIRD PARTY SHAL L PROVIDE AN
1303-AFFECTED CONSUMER WI TH NOTICE OF THE NEW OR C HANGED PRACTICE BEFO RE
1304-IMPLEMENTING THE NEW OR CHANGED PRACTICE .
1202+ (II) THE NATURE AND PURPOS E OF PROCESSING ; 6
13051203
1306- (B) THE NOTICE PROVIDED U NDER SUBSECTION (A) OF THIS SECTION
1307-SHALL BE PROVIDED IN A MANNER AND AT A TI ME REASONABLY CALCUL ATED TO
1308-ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE.
1204+ (III) THE TYPE OF DATA SUBJ ECT TO PROCESSING ; 7
13091205
1310-14–4610.
1206+ (IV) THE DURATION OF PROCE SSING; AND 8
13111207
1312- (A) IN THIS SECTION , “PROCESSING ACTIVITIE S THAT PRESENT A
1313-HEIGHTENED RISK OF H ARM TO A CONSUMER ” MEANS:
1208+ (V) THE RIGHTS AND OBLIGA TIONS OF BOTH PARTIE S. 9
13141209
1315- (1) THE PROCESSING OF PER SONAL DATA FOR THE P URPOSES OF
1316-TARGETED ADVERTISING ;
1210+ (3) THE CONTRACT SHALL RE QUIRE THAT THE PROCESSOR: 10
13171211
1318- (2) THE SALE OF PERSONAL DATA;
1212+ (I) ENSURE THAT EACH PERS ON PROCESSING PERSON AL DATA 11
1213+IS SUBJECT TO A DUTY OF CONFIDENTIALITY W ITH RESPECT TO THE P ERSONAL 12
1214+DATA; 13
13191215
1320- (3) THE PROCESSING OF SEN SITIVE DATA; AND Ch. 455 2024 LAWS OF MARYLAND
1216+ (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE 14
1217+ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRAC TICES TO 15
1218+PROTECT THE CONFIDEN TIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL 16
1219+DATA, CONSIDERING THE VOLU ME AND NATURE OF THE PERSONAL DATA ; 17
13211220
1322-– 30 –
1221+ (III) STOP PROCESSING DATA ON REQUEST BY THE CO NTROLLER 18
1222+MADE IN ACCORDANCE W ITH A CONSUMER ’S AUTHENTICATED REQU EST; 19
13231223
1324- (4) THE PROCESSING OF PER SONAL DATA FOR THE P URPOSES OF
1325-PROFILING, IN WHICH THE PROFILI NG PRESENTS A REASON ABLY FORESEEABLE
1326-RISK OF:
1224+ (IV) AT THE CONTROLLER ’S DIRECTION, DELETE OR RETURN 20
1225+ALL PERSONAL DATA TO THE CONTROLLER AS RE QUESTED AT THE END O F THE 21
1226+PROVISION OF SERVICE , UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED 22
1227+BY LAW; 23
13271228
1328- (I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATME NT OF A
1329-CONSUMER ;
1229+ (V) ON THE REASONABLE REQ UEST OF THE CONTROLLER , 24
1230+MAKE AVAILABLE TO TH E CONTROLLER ALL INF ORMATION IN THE PROC ESSOR’S 25
1231+POSSESSION NECESSARY TO DEMONSTRATE THE P ROCESSOR’S COMPLIANCE WITH 26
1232+THE OBLIGATIONS IN T HIS SUBTITLE; 27
13301233
1331- (II) HAVING AN UNLAWFUL DI SPARATE IMPACT ON A
1332-CONSUMER ;
1234+ (VI) AFTER PROVIDING THE C ONTROLLER AN OPPORTU NITY TO 28
1235+OBJECT, ENGAGE A SUBCONTRACTOR TO ASS IST WITH PROCESSING PERSONAL DATA 29
1236+ON THE CONTROLLER ’S BEHALF ONLY IN ACC ORDANCE WITH A WRITT EN CONTRACT 30
1237+THAT REQUIRES THE SU BCONTRACTOR TO MEET THE PROCESSOR ’S OBLIGATIONS 31 28 SENATE BILL 541
13331238
1334- (III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJU RY TO A
1335-CONSUMER ;
13361239
1337- (IV) A PHYSICAL OR OTHER IN TRUSION ON THE SOLIT UDE OR
1338-SECLUSION OR THE PRI VATE AFFAIRS OR CONC ERNS OF A CONSUMER I N WHICH THE
1339-INTRUSION WOULD BE OF FENSIVE TO A REASONA BLE PERSON; OR
1240+REGARDING THE PERSON AL DATA UNDER THE PR OCESSOR’S CONTRACT WITH THE 1
1241+CONTROLLER ; AND 2
13401242
1341- (V) OTHER SUBSTANTIAL INJ URY TO A CONSUMER .
1243+ (VII) ALLOW AND COOPERATE W ITH REASONABLE ASSES SMENTS 3
1244+BY THE CONTROLLER , THE CONTROLLER ’S DESIGNATED ASSESSO R, OR A QUALIFIED 4
1245+AND INDEPENDENT ASSE SSOR ARRANGED FOR BY THE PROCESSOR TO ASS ESS THE 5
1246+PROCESSOR’S POLICIES AND TECHN ICAL AND ORGANIZATIONAL ME ASURES IN 6
1247+SUPPORT OF THE OBLIG ATIONS UNDER THIS SU BTITLE. 7
13421248
1343- (B) A CONTROLLER SHALL CON DUCT AND DOCUMENT , ON A REGULAR
1344-BASIS, A DATA PROTECTION AS SESSMENT FOR EACH OF THE CONTROLLER ’S
1345-PROCESSING ACTIVITIE S THAT PRESENT A HEIGHTENED RISK OF HARM TO A
1346-CONSUMER , INCLUDING AN ASSESSM ENT FOR EACH ALGORIT HM THAT IS USED.
1249+ (4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT 8
1250+OF AN ASSESSMENT REQ UIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION T O THE 9
1251+CONTROLLER . 10
13471252
1348- (C) (1) A DATA PROTECTION ASSE SSMENT CONDUCTED IN ACCORDANCE
1349-WITH THIS SECTION SH ALL IDENTIFY AND WEI GH THE BENEFITS THAT MAY FLOW
1350-DIRECTLY AND INDIR ECTLY FROM THE PROCE SSING TO THE CONTROL LER, THE
1351-CONSUMER , OTHER INTERESTED PAR TIES, AND THE PUBLIC AGAIN ST:
1253+ (II) AN ASSESSMENT CONDUCT ED IN ACCORDANCE WITH 11
1254+PARAGRAPH (3)(V) OF THIS SUBSECTION S HALL BE CONDUCTED US ING AN 12
1255+APPROPRIATE AND ACCE PTED CONTROL STANDAR D OR FRAMEWORK AND 13
1256+ASSESSMENT PROCEDURE FOR THE ASSESSMENTS . 14
13521257
1353- (I) THE POTENTIAL RISKS T O THE RIGHTS OF THE CONSUMER
1354-ASSOCIATED WITH THE PROCESSING AS MITIGA TED BY SAFEGUARDS TH AT MAY BE
1355-EMPLOYED BY THE CON TROLLER TO REDUCE TH ESE RISKS; AND
1258+ (B) (1) IF A CONTROLLER USES A PROCESSOR TO PROCE SS THE 15
1259+PERSONAL DATA O F CONSUMERS , THE CONTROLLER SHALL PROVIDE THE 16
1260+PROCESSOR WITH INSTR UCTIONS ON HOW TO PR OCESS PERSONAL DATA . 17
13561261
1357- (II) THE NECESSITY AND PRO PORTIONALITY OF PROC ESSING IN
1358-RELATION TO THE STAT ED PURPOSE OF THE PR OCESSING.
1262+ (2) A PROCESSOR SHALL : 18
13591263
1360- (2) THE CONTROLLER SHALL FACTOR INTO A DATA P ROTECTION
1361-ASSESSMENT :
1264+ (I) (1) ADHERE TO THE CONTRAC T AND INSTRUCTIONS O F A 19
1265+CONTROLLER ; 20
13621266
1363- (I) THE USE OF DE–IDENTIFIED DATA ;
1267+ (II) (2) ASSIST THE CONTROLLER IN MEETING THE 21
1268+CONTROLLER ’S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING, CONSIDERING 22
1269+THE NATURE OF PROCESSING AND THE I NFORMATION AVAILABLE TO THE 23
1270+PROCESSOR: 24
13641271
1365- (II) THE REASONABLE EXPECT ATIONS OF CONSUMERS ;
1366- WES MOORE, Governor Ch. 455
1272+ 1. (I) BY APPROPRIATE TECHNI CAL AND ORGANIZATION AL 25
1273+MEASURES AS MUCH AS REASONABLY PRACTICAB LE TO FULFILL THE 26
1274+CONTROLLER ’S OBLIGATION TO RESP OND TO CONSUMER RIGH TS REQUESTS , 27
1275+CONSIDERING THE NATU RE OF PROCESSING AND THE INFORMATION AVAI LABLE TO 28
1276+THE PROCESSOR ; AND 29
13671277
1368-– 31 –
1369- (III) THE CONTEXT OF THE PR OCESSING; AND
1278+ 2. (II) BY ASSISTING THE CONT ROLLER IN MEETING TH E 30
1279+CONTROLLER ’S OBLIGATIONS IN REL ATION TO THE SEC URITY OF PROCESSING THE 31
1280+PERSONAL DATA AND IN RELATION TO THE NOTI FICATION OF A BREACH OF THE 32
1281+SECURITY OF A SYSTEM , AS DEFINED IN § 14–3504 OF THIS TITLE; AND 33
1282+ SENATE BILL 541 29
13701283
1371- (IV) THE RELATIONSHIP BETW EEN THE CONTROLLER A ND THE
1372-CONSUMER WHOSE PERSO NAL DATA WILL BE PRO CESSED.
13731284
1374- (D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MA KE
1375-AVAILABLE TO THE DIVISION A DATA PROTE CTION ASSESSMENT THA T IS RELEVANT
1376-TO AN INVESTIGATION CONDUCTED BY THE DIVISION.
1285+ (III) (3) PROVIDE NECESSARY INF ORMATION TO ENABLE T HE 1
1286+CONTROLLER TO CONDUC T AND DOCUMENT DATA PROTECTION ASSESSMEN TS. 2
13771287
1378- (2) (I) THE DIVISION MAY EVALUATE A DATA PROTECTION
1379-ASSESSMENT FOR COMPL IANCE WITH THE RESPO NSIBILITIES ESTABLIS HED IN THIS
1380-SUBTITLE.
1288+ (C) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO RELIEVE A 3
1289+CONTROLLER OR A PROC ESSOR FROM THE LIABI LITIES IMPOSED ON TH E 4
1290+CONTROLLER OR PROCES SOR BY VIRTUE OF THE CONTROLLER ’S OR PROCESSOR ’S 5
1291+ROLE IN THE PROCESSI NG RELATIONSHIP IN ACCORDANCE WITH THIS SECTION. 6
13811292
1382- (II) A CONTROLLER ’S DATA PROTECTION AS SESSMENT MAY BE
1383-USED IN AN ACTION TO ENFORCE THIS SUBTITL E.
1293+ (D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A 7
1294+CONTROLLER OR A PROC ESSOR WITH RESPECT T O A SPECIFIC PROCESS ING OF DATA 8
1295+IS A FACT–BASED DETERMINATION THAT DEPENDS ON THE CONTEXT IN WHICH 9
1296+PERSONAL DATA IS BEI NG PROCESSED. 10
13841297
1385- (3) A DATA PROTECTION ASSE SSMENT IS CONFIDENTI AL AND IS
1386-EXEMPT FROM DISCLOSU RE UNDER THE FEDERAL FREEDOM OF INFORMATION ACT
1387-OR THE PUBLIC INFORMATION ACT.
1298+ (2) A PERSON IS CONSIDERED TO BE A CONTROLLER I F THE PERSON: 11
13881299
1389- (E) A SINGLE DATA PROTECTI ON ASSESSMENT MAY AD DRESS A
1390-COMPARABLE SET OF PR OCESSING OPERATIONS THAT INCLUDE SIMILAR
1391-ACTIVITIES.
1300+ (I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPEC IFIC 12
1301+PERSONAL DATA IN ACC ORDANCE WITH A CONTR OLLER’S INSTRUCTIONS ; OR 13
13921302
1393- (F) IF A CONTROLLER CONDU CTS A DATA PROTECTIO N ASSESSMENT FOR
1394-THE PURPOSE OF COMPL YING WITH ANOTHER AP PLICABLE LAW OR RE GULATION,
1395-THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISF Y THE
1396-REQUIREMENTS ESTABLI SHED IN THIS SECTION IF THE DATA PROTECTI ON
1397-ASSESSMENT IS REASON ABLY SIMILAR IN SCOP E AND EFFECT TO THE DATA
1398-PROTECTION ASSESSMEN T THAT WOULD OTHERWI SE BE CONDU CTED IN
1399-ACCORDANCE WITH THIS SECTION.
1303+ (II) FAILS TO ADHERE TO A CONTROLLER ’S INSTRUCTIONS 14
1304+WITH RESPECT TO A SP ECIFIC PROCESSING OF PERSONAL DATA . 15
14001305
1401- (G) TO THE EXTENT THAT AN Y INFORMATION CONTAI NED IN A DATA
1402-PROTECTION ASSESSMEN T DISCLOSED TO THE DIVISION INCLUDES INF ORMATION
1403-SUBJECT TO ATTORNEY –CLIENT PRIVILEGE OR WORK PRODUCT PROTECT ION, THE
1404-DISCLOSURE MAY NOT CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION.
1306+ (3) A PROCESSOR THAT CONTI NUES TO ADHERE TO A CONTROLLER ’S 16
1307+INSTRUCTIONS WITH RE SPECT TO A SPECIFIC PROCESSING OF PERSON AL DATA 17
1308+REMAINS A PROCESSOR . 18
14051309
1406- (H) A DATA PROTECTION ASSE SSMENT CONDUCTED UND ER THIS SECTION:
1310+ (4) IF A PROCESSOR OR THI RD PARTY BEGINS , ALONE OR JOINTLY 19
1311+WITH OTHERS , DETERMINING THE PURP OSES AND MEANS OF TH E PROCESSING OF 20
1312+PERSONAL DATA , THE PROCESSOR : 21
14071313
1408- (1) SHALL APPLY TO PROCES SING ACTIVITIES THAT OCCUR ON OR
1409-AFTER OCTOBER 1, 2025; AND
1314+ (I) IS A CONTROLLER WITH RESPECT TO THE PROCE SSING; AND 22
14101315
1411- (2) IS NOT REQUIRED FOR P ROCESSING ACTIVITIES THAT OCCUR
1412-BEFORE OCTOBER 1, 2025. Ch. 455 2024 LAWS OF MARYLAND
1316+ (II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION U NDER 23
1317+THIS SUBTITLE. 24
14131318
1414-– 32 –
1319+ (E) NOTHING IN THIS SECTION MAY BE CONSTRUED TO ALTE R A 25
1320+CONTROLLER ’S OBLIGATION TO LIMI T A PERSON’S PROCESSING OF PERS ONAL DATA 26
1321+OR TO TAKE STEPS TO ENSURE THAT A PROCES SOR ADHERES TO THE C ONTROLLER ’S 27
1322+INSTRUCTIONS . 28
14151323
1416-14–4611.
1324+14–4609. 29
14171325
1418- (A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQUIRE A
1419-CONTROLLER OR A PROC ESSOR TO:
1326+ (A) IF A THIRD PARTY USES OR SHARES A CON SUMER’S INFORMATION IN A 30
1327+MANNER INCONSISTENT WITH PROMISES MADE T O THE CONSUMER AT TH E TIME OF 31
1328+COLLECTION OF THE IN FORMATION, THE THIRD PARTY SHAL L PROVIDE AN 32 30 SENATE BILL 541
14201329
1421- (1) RE–IDENTIFY DE–IDENTIFIED DATA ;
14221330
1423- (2) MAINTAIN DATA IN AN I DENTIFIABLE FORM ; OR
1331+AFFECTED CONSUMER WI TH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE 1
1332+IMPLEMENTING THE NEW OR CHANGED PRACTICE. 2
14241333
1425- (3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA O R
1426-TECHNOLOGY IN ORDER TO BE CAPABLE OF ASS OCIATING AN AUTHENTI CATED
1427-CONSUMER REQUEST WIT H PERSONAL DATA .
1334+ (B) THE NOTICE PROVIDED U NDER SUBSECTION (A) OF THIS SECTION 3
1335+SHALL BE PROVIDED IN A MANNER AND AT A TI ME REASONABLY CALCUL ATED TO 4
1336+ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE. 5
14281337
1429- (B) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQUIRE A
1430-CONTROLLER OR PROCES SOR TO COMPLY WITH A N AUTHENTICATED CONS UMER
1431-RIGHTS REQUEST IF TH E CONTROLLER :
1338+14–4610. 6
14321339
1433- (1) IS NOT REASONABLY CAP ABLE OF ASSOCIATING THE REQUEST
1434-WITH THE PERSONAL DA TA OR IT WOULD BE UN REASONABLY BURDENSOM E FOR THE
1435-CONTROLLER TO ASSOCI ATE THE REQUEST WITH THE PERSONAL DATA ;
1340+ (A) IN THIS SECTION , “PROCESSING ACTIVITIES THAT PRESENT A 7
1341+HEIGHTENED RISK OF H ARM TO A CONSUMER ” MEANS: 8
14361342
1437- (2) DOES NOT USE THE PERS ONAL DATA TO RECOGNIZE OR RESPOND
1438-TO THE SPECIFIC CONS UMER WHO IS THE SUBJ ECT OF THE PERSONAL DATA OR
1439-ASSOCIATE THE PERSON AL DATA WITH OTHER P ERSONAL DATA ABOUT T HE SAME
1440-SPECIFIC CONSUMER ; AND
1343+ (1) THE PROCESSING OF PER SONAL DATA FOR THE P URPOSES OF 9
1344+TARGETED ADVERTISING ; 10
14411345
1442- (3) DOES NOT SELL THE PER SONAL DATA TO A THIR D PARTY OR
1443-OTHERWIS E VOLUNTARILY DISCLO SE THE PERSONAL DATA TO A THIRD PARTY
1444-OTHER THAN A PROCESS OR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBT ITLE.
1346+ (2) THE SALE OF PERSONAL DATA; 11
14451347
1446- (C) (1) A CONTROLLER THAT DISC LOSES DE–IDENTIFIED DATA SHAL L:
1348+ (3) THE PROCESSING OF SEN SITIVE DATA; AND 12
14471349
1448- (I) EXERCISE REASONABLE O VERSIGHT TO MONITOR
1449-COMPLIANCE WITH ANY CONTRACTUAL COMM ITMENTS TO WHICH THE
1450-DE–IDENTIFIED DATA IS S UBJECT; AND
1350+ (4) THE PROCESSING OF PERSON AL DATA FOR THE PURP OSES OF 13
1351+PROFILING, IN WHICH THE PROFILI NG PRESENTS A REASON ABLY FORESEEABLE 14
1352+RISK OF: 15
14511353
1452- (II) TAKE APPROPRIATE STEP S TO ADDRESS ANY BRE ACHES OF
1453-ANY CONTRACTUAL COMM ITMENTS.
1354+ (I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATME NT OF A 16
1355+CONSUMER ; 17
14541356
1455- (2) THE DETERMINATION OF WHETHER OVERSIGHT IS REASONABLE
1456-AND WHETHER APPROPRI ATE STEPS WERE TAKEN IN ACCORD ANCE WITH
1457-PARAGRAPH (1) OF THIS SUBSECTION S HALL TAKE INTO ACCOU NT WHETHER THE WES MOORE, Governor Ch. 455
1357+ (II) HAVING AN UNLAWFUL DI SPARATE IMPACT ON A 18
1358+CONSUMER ; 19
14581359
1459-– 33 –
1460-DISCLOSED DATA INCLU DES DATA THAT WOULD BE CONSIDERED SENSIT IVE DATA IF
1461-THE DATA WERE RE –IDENTIFIED.
1360+ (III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJU RY TO A 20
1361+CONSUMER ; 21
14621362
1463-14–4612.
1363+ (IV) A PHYSICAL OR OTHER IN TRUSION ON THE SOLIT UDE OR 22
1364+SECLUSION OR THE PRI VATE AFFAIRS OR CONC ERNS OF A CONSUMER I N WHICH THE 23
1365+INTRUSION WOULD BE O FFENSIVE TO A REASON ABLE PERSON; OR 24
14641366
1465- (A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO RESTRIC T A
1466-CONTROLLER ’S OR PROCESSOR ’S ABILITY TO:
1367+ (V) OTHER SUBSTANTIAL INJ URY TO A CONSUMER . 25
14671368
1468- (1) COMPLY WITH FEDERAL , STATE, OR LOCAL LAWS OR
1469-REGULATIONS ;
1369+ (B) A CONTROLLER SHALL CON DUCT AND DOCUMENT , ON A REGULAR 26
1370+BASIS, A DATA PROTECTION AS SESSMENT FOR EACH OF THE CONTROLLER ’S 27
1371+PROCESSING ACTIVITIE S THAT PRESENT A HEI GHTENED RISK OF HARM TO A 28
1372+CONSUMER , INCLUDING AN ASSESSMENT FOR EACH ALGORITHM THAT IS US ED. 29
1373+ SENATE BILL 541 31
14701374
1471- (2) COMPLY WITH A CIVIL , CRIMINAL, OR REGULATORY INQUIR Y,
1472-INVESTIGATION , SUBPOENA, OR SUMMONS BY A FEDE RAL, STATE, LOCAL, OR OTHER
1473-GOVERNMENTAL AUTHORI TY COMPLY WITH A CIVIL OR CRIMINAL SUBPOENA OR
1474-SUMMONS BY A FEDERAL , STATE, LOCAL, OR OTHER JUDICIAL BO DY, CRIMINAL, OR
1475-REGULATORY INQUIRY , INVESTIGATION , SUBPOENA, OR SUMMONS BY A FEDE RAL,
1476-STATE, LOCAL, OR OTHER GOVERNMENTA L AUTHORITY;
14771375
1478- (3) COOPERATE WITH LAW EN FORCEMENT AGENCIES C ONCERNING
1479-CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONA BLY AND
1480-IN GOOD FAITH BELIEV ES MAY VIOLATE FEDER AL, STATE, OR LOCAL LAWS OR
1481-REGULATIONS ;
1376+ (C) (1) A DATA PROTECTION ASSE SSMENT CONDUCTED IN ACCORDANCE 1
1377+WITH THIS SECTION SH ALL IDENTIFY AND WEI GH THE BENEFITS THAT MAY FLOW 2
1378+DIRECTLY AND INDIREC TLY FROM THE PROCESS ING TO THE CONTROLLE R, THE 3
1379+CONSUMER , OTHER INTERESTED PART IES, AND THE PUBLIC AGAIN ST: 4
14821380
1483- (4) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR , OR DEFEND
1484-A LEGAL CLAIM;
1381+ (I) THE POTENTIAL RISKS T O THE RIGHTS OF THE CONSUMER 5
1382+ASSOCIATED WITH THE PROCESSING AS MITIGA TED BY SAFEGUARDS TH AT MAY BE 6
1383+EMPLOYED BY THE CONT ROLLER TO REDUCE THE SE RISKS; AND 7
14851384
1486- (5) PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY
1487-A CONSUMER ;
1385+ (II) THE NECESSITY AN D PROPORTIONALITY OF PROCESSING IN 8
1386+RELATION TO THE STAT ED PURPOSE OF THE PR OCESSING. 9
14881387
1489- (6) PERFORM UNDER A CONTR ACT TO WHICH A CONSU MER IS A
1490-PARTY, INCLUDING FULFILLING THE TERMS OF A WRITT EN WARRANTY ;
1388+ (2) THE CONTROLLER SHALL FACTOR INTO A DATA P ROTECTION 10
1389+ASSESSMENT : 11
14911390
1492- (7) TAKE STEPS AT THE REQUEST OF A CONSUME R BEFORE
1493-ENTERING INTO A CONT RACT;
1391+ (I) THE USE OF DE–IDENTIFIED DATA ; 12
14941392
1495- (8) TAKE IMMEDIATE STEPS TO PROTECT AN INTERE ST THAT IS
1496-ESSENTIAL FOR THE LI FE OR PHYSICAL SAFET Y OF A CONSUMER OR A NOTHER
1497-INDIVIDUAL AND WHEN THE PROCESSING CANNO T BE MANIFESTLY BASE D ON
1498-ANOTHER LE GAL BASIS;
1393+ (II) THE REASONABLE EXPECT ATIONS OF CONSUMERS ; 13
14991394
1500- (9) PREVENT, DETECT, PROTECT AGAINST , INVESTIGATE,
1501-PROSECUTE THOSE RESP ONSIBLE, OR OTHERWISE RESPOND TO A SECURITY
1502-INCIDENT, IDENTITY THEFT , FRAUD, HARASSMENT , MALICIOUS OR DECEPTI VE
1503-ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY ; Ch. 455 2024 LAWS OF MARYLAND
1395+ (III) THE CONTEXT OF THE PR OCESSING; AND 14
15041396
1505-– 34 –
1397+ (IV) THE RELATIONSHIP BETW EEN THE CONTROLLER A ND THE 15
1398+CONSUMER WHOSE PERSO NAL DATA WILL BE PRO CESSED. 16
15061399
1507- (10) PRESERVE THE INTEGRIT Y OR SECURITY OF SYS TEMS; OR
1400+ (D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MA KE 17
1401+AVAILABLE TO THE DIVISION A DATA PROTE CTION ASSESSMENT THA T IS RELEVANT 18
1402+TO AN INVESTIGATION CONDUCTED BY THE DIVISION. 19
15081403
1509- (11) ASSIST ANOTHER CONTRO LLER, PROCESSOR, OR THIRD PARTY
1510-WITH AN OBLIGATION U NDER THIS SUBTITLE .
1404+ (2) (I) THE DIVISION MAY EVALUATE A DATA PROTECTION 20
1405+ASSESSMENT FOR COMPL IANCE WITH THE RESPO NSIBILITIES ESTABLIS HED IN THIS 21
1406+SUBTITLE. 22
15111407
1512- (B) (1) THIS SUBSECTION DOES NOT APPLY TO AN OBLI GATION
1513-REQUIRED UNDER § 14–4611 OF THIS SUBTITLE.
1408+ (II) A CONTROLLER ’S DATA PROTECTION AS SESSMENT MAY BE 23
1409+USED IN AN ACTION TO ENFORCE THIS SUBTITL E. 24
15141410
1515- (2) AN OBLIGATION IMPOSED ON A CONTROLLER OR P ROCESSOR
1516-UNDER THIS SUBTITLE MAY NOT RESTRICT A C ONTROLLER ’S OR PROCESSOR ’S
1517-ABILITY TO COLLECT , USE, OR RETAIN PERSONAL D ATA FOR INTERNAL USE TO:
1411+ (3) A DATA PROTECTION ASSE SSMENT IS CONFIDENTI AL AND IS 25
1412+EXEMPT FROM DISCLOSU RE UNDER THE FEDERAL FREEDOM OF INFORMATION ACT 26
1413+OR THE PUBLIC INFORMATION ACT. 27
15181414
1519- (I) EFFECTUATE A PRODUCT RECALL;
1415+ (E) A SINGLE DATA PROTECTI ON ASSESSMENT MAY AD DRESS A 28
1416+COMPARABLE SET OF PR OCESSING OPERATIONS THAT INCLUDE SIMILAR 29
1417+ACTIVITIES. 30
1418+ 32 SENATE BILL 541
15201419
1521- (II) IDENTIFY AND REPAI R TECHNICAL ERRORS T HAT IMPAIR
1522-EXISTING OR INTENDED FUNCTIONALITY ; OR
15231420
1524- (III) PERFORM INTERNAL OPER ATIONS THAT ARE :
1421+ (F) IF A CONTROLLER CONDU CTS A DATA PROTECTIO N ASSESSMENT FOR 1
1422+THE PURPOSE OF COMPL YING WITH ANOTHER AP PLICABLE LAW OR REGU LATION, 2
1423+THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERE D TO SATISFY THE 3
1424+REQUIREMENTS ESTABLI SHED IN THIS SECTION IF THE DATA PROTECTI ON 4
1425+ASSESSMENT IS REASON ABLY SIMILAR IN SCOP E AND EFFECT TO THE DATA 5
1426+PROTECTION ASSESSMEN T THAT WOULD OTHERWI SE BE CONDUCTED IN 6
1427+ACCORDANCE WITH THIS SECTION. 7
15251428
1526- 1. REASONABLY ALIGNED WI TH THE EXPECTATIONS OF
1527-THE CONSUMER OR CAN BE REASONABLY ANTICI PATED BASED ON THE C ONSUMER’S
1528-EXISTING RELATIO NSHIP WITH THE CONTR OLLER; OR
1429+ (G) TO THE EXTENT T HAT ANY INFORMATION CONTAINED IN A DATA 8
1430+PROTECTION ASSESSMEN T DISCLOSED TO THE DIVISION INCLUDES INF ORMATION 9
1431+SUBJECT TO ATTORNEY –CLIENT PRIVILEGE OR WORK PRODUCT PROTECT ION, THE 10
1432+DISCLOSURE MAY NOT C ONSTITUTE A WAIVER O F THAT PRIVILEGE OR PROTECTION. 11
15291433
1530- 2. OTHERWISE COMPATIBLE WITH PROCESSING DATA IN
1531-FURTHERANCE OF :
1434+ (H) A DATA PROTECTION ASSE SSMENT CONDUCTED UND ER THIS SECTION: 12
15321435
1533- A. THE PROVISION OF A PR ODUCT OR SERVICE
1534-SPECIFICALLY REQUEST ED BY A CONSUMER ; OR
1436+ (1) SHALL APPLY TO PROCES SING ACTIVITIES THAT OCCUR ON OR 13
1437+AFTER OCTOBER 1, 2025; AND 14
15351438
1536- B. THE PERFORMANCE OF A CONTRACT TO WHICH TH E
1537-CONSUMER IS A PARTY .
1439+ (2) IS NOT REQUIRED FOR P ROCESSING ACTIVITIES THAT OCCUR 15
1440+BEFORE OCTOBER 1, 2025. 16
15381441
1539- (C) (1) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR
1540-UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CO NTROLLER
1541-OR PROCESSOR WITH TH E SUBTITLE WOULD VIO LATE AN EVIDENTIARY PRIVILEGE
1542-UNDER STATE LAW.
1442+14–4611. 17
15431443
1544- (2) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO PREV ENT A
1545-CONTROLLER OR PROCES SOR FROM PROVIDING P ERSONAL DATA CONCERN ING A
1546-CONSUMER TO A PERSON COVERED BY AN EVIDEN TIARY PRIVILEGE UNDE R STATE
1547-LAW AS PART OF A PRI VILEGED COMMUNICATIO N.
1548- WES MOORE, Governor Ch. 455
1444+ (A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQU IRE A 18
1445+CONTROLLER OR A PROC ESSOR TO: 19
15491446
1550-– 35 –
1551- (D) (1) A CONTROLLER OR PROCES SOR THAT DISCLOSES PERSONAL
1552-DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS
1553-SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE IF THE PROCESS OR OR
1554-THIRD–PARTY CONTROLLER THA T RECEIVES THE PERSO NAL DATA VIOLATES TH IS
1555-SUBTITLE AND,:
1447+ (1) RE–IDENTIFY DE–IDENTIFIED DATA ; 20
15561448
1557- (I) AT THE TIME THE DISCLOSING CONTROLLE R OR
1558-PROCESSOR DISCLOSED THE PERSONAL DATA , THE DISCLOSING CONTR OLLER OR
1559-PROCESSOR DID NOT HA VE ACTUAL KNOWLEDGE THAT THE RECEIVING P ROCESSOR
1560-OR THIRD–PARTY CONTROLLER WOU LD VIOLATE THIS SUBT ITLE; AND
1449+ (2) MAINTAIN DATA IN AN I DENTIFIABLE FORM ; OR 21
15611450
1562- (II) THE DISCLOSING CONTR OLLER WAS, AND REMAINED , IN
1563-COMPLIANCE WITH ITS OBLIGATIONS AS THE D ISCLOSER OF THE PERS ONAL DATA.
1451+ (3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA O R 22
1452+TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHE NTICATED 23
1453+CONSUMER REQUEST WIT H PERSONAL DATA . 24
15641454
1565- (2) A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEI VES
1566-PERSONAL DATA FROM A CONTROLLER OR PROCES SOR IN COMPLIANCE WI TH THIS
1567-SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE FOR THE INDEPE NDENT
1568-MISCONDUCT OF THE CO NTROLLER OR PROCESSO R FROM WHICH THE
1569-THIRD–PARTY CONTROLLER OR PROCES SOR RECEIVED THE PER SONAL DATA.
1455+ (B) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQUIRE A 25
1456+CONTROLLER OR PROCES SOR TO COMPLY WITH A N AUTHENTICATED CONS UMER 26
1457+RIGHTS REQUEST IF TH E CONTROLLER : 27
15701458
1571- (E) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO:
1459+ (1) IS NOT REASONABLY CAPABLE OF ASSOCIATI NG THE REQUEST 28
1460+WITH THE PERSONAL DA TA OR IT WOULD BE UN REASONABLY BURDENSOM E FOR THE 29
1461+CONTROLLER TO ASSOCI ATE THE REQUEST WITH THE PERSONAL DATA ; 30
15721462
1573- (1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR
1574-THAT ADVERSELY AFFEC TS THE RIGHTS OR FRE EDOMS OF ANY PERSON , INCLUDING
1575-THE RIGHTS OF A PERS ON TO FREEDOM OF SPEE CH OR FREEDOM OF THE PRESS AS
1576-GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR
1463+ (2) DOES NOT USE THE PERS ONAL DATA TO RECOGNI ZE OR RESPOND 31
1464+TO THE SPECIFIC CONS UMER WHO IS THE SUBJECT OF TH E PERSONAL DATA OR 32 SENATE BILL 541 33
15771465
1578- (2) APPLY TO A PERSON ’S PROCESSING OF PERS ONAL DATA DURING
1579-THE PERSON’S PERSONAL OR HOUSEH OLD ACTIVITIES.
15801466
1581- (F) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL D ATA IN
1582-ACCORDANCE WITH AN E XEMPTION UNDER THIS SECTION, THE CONTROLLER OR
1583-PROCESSOR SHALL DEMONSTRATE TH AT THE PROCESSING :
1467+ASSOCIATE THE PERSON AL DATA WITH OTHER P ERSONAL DATA ABOUT T HE SAME 1
1468+SPECIFIC CONSUMER ; AND 2
15841469
1585- (1) QUALIFIES FOR AN EXEM PTION; AND
1470+ (3) DOES NOT SELL THE PER SONAL DATA TO A THIR D PARTY OR 3
1471+OTHERWISE VOLUNTARIL Y DISCLOSE THE PERSO NAL DATA TO A THIRD PARTY 4
1472+OTHER THAN A PROCESSO R, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBT ITLE. 5
15861473
1587- (2) COMPLIES WITH THE REQ UIREMENTS OF SUBSECT ION (G) OF THIS
1588-SECTION.
1474+ (C) (1) A CONTROLLER THAT DISC LOSES DE–IDENTIFIED DATA SHAL L: 6
15891475
1590- (G) PERSONAL DATA PROCESS ED BY A CONTROLLER OR PROCESSOR IN
1591-ACCORDANCE WITH THIS SECTION:
1476+ (I) EXERCISE REASONABLE O VERSIGHT TO MONITOR 7
1477+COMPLIANCE WITH ANY CONTRACTUAL COMMITME NTS TO WHICH THE 8
1478+DE–IDENTIFIED DA TA IS SUBJECT; AND 9
15921479
1593- (1) SHALL BE SUBJECT TO R EASONABLE ADMINISTRA TIVE,
1594-TECHNICAL, AND PHYSICAL MEASURE S TO: Ch. 455 2024 LAWS OF MARYLAND
1480+ (II) TAKE APPROPRIATE STEP S TO ADDRESS ANY BRE ACHES OF 10
1481+ANY CONTRACTUAL COMM ITMENTS. 11
15951482
1596-– 36 –
1483+ (2) THE DETERMINATION OF WHETHER OVERSIGHT IS REASONABLE 12
1484+AND WHETHER APPROPRI ATE STEPS WERE TAKEN IN ACCORDANCE WITH 13
1485+PARAGRAPH (1) OF THIS SUBSECT ION SHALL TAKE INTO ACCOUNT WHETHER THE 14
1486+DISCLOSED DATA INCLU DES DATA THAT WOULD BE CONSIDERED SENSIT IVE DATA IF 15
1487+THE DATA WERE RE –IDENTIFIED. 16
15971488
1598- (I) PROTECT THE CONFIDENT IALITY, INTEGRITY, AND
1599-ACCESSIBILITY OF THE PERSONAL DATA ; AND
1489+14–4612. 17
16001490
1601- (II) REDUCE REASONABLY FOR ESEEABLE RISKS OF HA RM TO
1602-CONSUMERS RELATING T O THE COLLECTION , USE, OR RETENTION OF PERS ONAL
1603-DATA; AND
1491+ (A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO RESTRICT A 18
1492+CONTROLLER ’S OR PROCESSOR ’S ABILITY TO: 19
16041493
1605- (2) MAY BE PROCESSED TO T HE EXTENT THAT THE P ROCESSING IS:
1494+ (1) COMPLY WITH FEDERAL , STATE, OR LOCAL LAWS OR 20
1495+REGULATIONS ; 21
16061496
1607- (I) REASONABLY NECESSARY AND PROPORTIONATE TO THE
1608-PURPOSES LISTED IN T HIS SECTION; AND
1497+ (2) COMPLY WITH A CIVIL , CRIMINAL, OR REGULATORY INQUIR Y, 22
1498+INVESTIGATION , SUBPOENA, OR SUMMONS BY A FEDE RAL, STATE, LOCAL, OR OTHER 23
1499+GOVERNMENTAL AUTHORI TY COMPLY WITH A CIVIL OR CRIMINAL SUBPOENA OR 24
1500+SUMMONS BY A FEDERAL , STATE, LOCAL, OR OTHER JUDICIAL BO DY, CRIMINAL, OR 25
1501+REGULATORY INQUIRY , INVESTIGATION , SUBPOENA, OR SUMMONS BY A FEDE RAL, 26
1502+STATE, LOCAL, OR OTHER GOVERNMENTA L AUTHORITY; 27
16091503
1610- (II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS
1611-NECESSARY IN RELATIO N TO THE SPECIFIC PU RPOSES LISTED IN THI S SECTION.
1504+ (3) COOPERATE WITH LAW EN FORCEMENT AGENCIES C ONCERNING 28
1505+CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONA BLY AND 29
1506+IN GOOD FAITH BELIEV ES MAY VIOLATE FEDER AL, STATE, OR LOCAL LAWS OR 30
1507+REGULATIONS ; 31
16121508
1613- (H) A PERSON THAT PROCESSE S PERSONAL DATA FOR A PURPOSE
1614-EXPRESSLY IDENTIFIED IN THIS S ECTION MAY NOT BE CO NSIDERED A CONTROLLE R
1615-SOLELY BASED ON THE PROCESSING OF PERSON AL DATA.
1509+ (4) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR , OR DEFEND 32
1510+A LEGAL CLAIM; 33 34 SENATE BILL 541
16161511
1617-14–4613.
16181512
1619- (A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION , A
1620-VIOLATION OF THIS SU BTITLE IS:
16211513
1622- (1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TR ADE PRACTICE WITHIN
1623-THE MEANING OF TITLE 13 OF THIS ARTICLE; AND
1514+ (5) PROVIDE A PRODUCT OR SERVICE SPECIFICA LLY REQUESTED BY 1
1515+A CONSUMER ; 2
16241516
1625- (2) SUBJECT TO THE ENFORC EMENT AND PENALTY PR OVISIONS
1626-CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE.
1517+ (6) PERFORM UNDER A CONTR ACT TO WHICH A CONSU MER IS A 3
1518+PARTY, INCLUDING FULFILLING THE TERMS OF A WRITT EN WARRANTY ; 4
16271519
1628- (B) THIS SECTION DOES NOT PREVENT A CONSUMER F ROM PURSUI NG ANY
1629-OTHER REMEDY PROVIDE D BY LAW.
1520+ (7) TAKE STEPS AT THE REQ UEST OF A CONSUMER B EFORE 5
1521+ENTERING INTO A CONT RACT; 6
16301522
1631-14–4614.
1523+ (8) TAKE IMMEDIATE STEPS TO PROTECT AN INTERE ST THAT IS 7
1524+ESSENTIAL FOR THE LI FE OR PHYSICAL SAFET Y OF A CONSUMER OR A NOTHER 8
1525+INDIVIDUAL AND WHEN THE PROCESSING CANNO T BE MANIFESTLY BASE D ON 9
1526+ANOTHER LEGAL BASIS ; 10
16321527
1633- (A) THIS SECTION APPLIES TO AN ENFORCEMENT AC TION UNDER § 14–4613
1634-OF THIS SUBTITLE FOR AN ALLEGED VIOLATION THAT OCCURS ON OR BE FORE APRIL
1635-1, 2027.
1528+ (9) PREVENT, DETECT, PROTECT AGAINST , INVESTIGATE, 11
1529+PROSECUTE THOSE RESP ONSIBLE, OR OTHERWISE RESPOND TO A SECURITY 12
1530+INCIDENT, IDENTITY THEFT , FRAUD, HARASSMENT , MALICIOUS OR DECEPTI VE 13
1531+ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY ; 14
16361532
1637- (B) BEFORE INITIATING ANY ACTION UNDER § 14–4613 OF THIS SUBTITLE,
1638-THE DIVISION MAY ISSUE A NOTICE OF VIOLATION TO THE CONTROLLER OR
1639-PROCESSOR IF THE DIVISION DETERMINES T HAT A CURE IS POSSIB LE.
1640- WES MOORE, Governor Ch. 455
1533+ (10) PRESERVE THE INTEGRIT Y OR SECURITY OF SYS TEMS; OR 15
16411534
1642-– 37 –
1643- (C) (1) IF THE DIVISION ISSUES A NOT ICE OF VIOLATION UND ER
1644-SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL HAVE
1645-AT LEAST 60 DAYS TO CURE THE VIO LATION AFTER RECEIPT OF THE NOTICE.
1535+ (11) ASSIST ANOTHER CONTROLLER , PROCESSOR, OR THIRD PARTY 16
1536+WITH AN OBLIGATION U NDER THIS SUBTITLE . 17
16461537
1647- (2) IF THE CONTROLLER OR PROCESSOR FAILS TO C URE THE
1648-VIOLATION WITHIN THE TIME PERIOD SPECIFIE D BY THE DIVISION, THE DIVISION
1649-MAY BRING AN ENFORCE MENT ACTION UNDER § 14–4613 OF THIS SUBTITLE.
1538+ (B) (1) THIS SUBSECTION DOES NOT APPLY TO AN OBLI GATION 18
1539+REQUIRED UNDER § 14–4611 OF THIS SUBTITLE. 19
16501540
1651- (D) IN DETERMINING WHETHE R TO GRANT A CONTROL LER OR PROCESSOR
1652-AN OPPORTUNITY TO CU RE AN ALLEGED VIOLAT ION, THE DIVISION MAY CONSIDER
1653-THE FOLLOWING FACTOR S:
1541+ (2) AN OBLIGATION IMPOSED ON A CONTROLLER OR P ROCESSOR 20
1542+UNDER THIS SUBTITLE MAY NOT RES TRICT A CONTROLLER ’S OR PROCESSOR ’S 21
1543+ABILITY TO COLLECT , USE, OR RETAIN PERSONAL D ATA FOR INTERNAL USE TO: 22
16541544
1655- (1) THE NUMBER OF VIOLATI ONS;
1545+ (I) EFFECTUATE A PRODUCT RECALL; 23
16561546
1657- (2) THE SIZE AND COMPLEXI TY OF THE CONTROLLER OR PROCES SOR;
1547+ (II) IDENTIFY AND REPAIR T ECHNICAL ERRORS THAT IMPAIR 24
1548+EXISTING OR INTENDED FUNCTIONALITY ; OR 25
16581549
1659- (3) THE NATURE AND EXTENT OF THE CONTROLLER ’S OR
1660-PROCESSOR’S PROCESSING ACTIVIT IES;
1550+ (III) PERFORM INTERNAL OPER ATIONS THAT ARE : 26
16611551
1662- (4) THE LIKELIHOOD OF INJ URY TO THE PUBLIC ;
1552+ 1. REASONABLY ALIGNED WI TH THE EXPECTATIONS OF 27
1553+THE CONSUMER OR CAN BE REASONABLY ANTICI PATED BASED ON THE C ONSUMER’S 28
1554+EXISTING RELATIONSHI P WITH THE CONTROLLE R; OR 29
1555+ SENATE BILL 541 35
16631556
1664- (5) THE SAFETY OF PERSONS OR PROPERTY ;
16651557
1666- (6) WHETHER THE ALLEGED V IOLATION WAS LIKELY CAUSED BY A
1667-HUMAN OR TECHNICAL E RROR; AND
1558+ 2. OTHERWISE COMPATIBLE WITH PROCESSING DATA IN 1
1559+FURTHERANCE OF : 2
16681560
1669- (7) THE EXTENT TO WHICH T HE CONTROLLER OR PRO CESSOR HAS
1670-VIOLATED THIS SUBTIT LE OR SIMILAR LAWS I N THE PAST.
1561+ A. THE PROVISION OF A PR ODUCT OR SERVICE 3
1562+SPECIFICALLY REQUEST ED BY A CONSUMER ; OR 4
16711563
1672- SECTION 2. AND BE IT FURTHER ENACTED, That § 14 –4612 of the Commercial
1673-Law Article, as enacted by Section 1 of this Act, shall be construed to apply only
1674-prospectively and may not be applied or interpreted to have any effect on or application to
1675-any personal data processing activities before April 1, 2025 2026.
1564+ B. THE PERFORMANCE OF A CONTRACT TO WHICH TH E 5
1565+CONSUMER IS A PARTY . 6
16761566
1677- SECTION 3. AND BE IT FURTHER ENACTED, That, if any provision of this Act or
1678-the application thereof to any person or circumstance is held invalid for any reason in a
1679-court of competent jurisdiction, the invalidity does not affect other provisions or any other
1680-application of this Act that can be given effect without the invalid provision or application,
1681-and for this purpose the provisions of this Act are declared severable.
1567+ (C) (1) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR 7
1568+UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CO NTROLLER 8
1569+OR PROCESSOR WITH TH E SUBTITLE WOULD VIO LATE AN EVIDENTIARY PRIVILEGE 9
1570+UNDER STATE LAW. 10
16821571
1683- SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect
1684-October 1, 2024 2025.
1572+ (2) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO PREVENT A 11
1573+CONTROLLER OR PROCES SOR FROM PROVIDING PERSONAL D ATA CONCERNING A 12
1574+CONSUMER TO A PERSON COVERED BY AN EVIDEN TIARY PRIVILEGE UNDE R STATE 13
1575+LAW AS PART OF A PRI VILEGED COMMUNICATIO N. 14
16851576
1686-Approved by the Governor, May 9, 2024.
1577+ (D) (1) A CONTROLLER OR PROCES SOR THAT DISCLOSES P ERSONAL 15
1578+DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH T HIS 16
1579+SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE IF THE PROCESS OR OR 17
1580+THIRD–PARTY CONTROLLER THA T RECEIVES THE PERSO NAL DATA VIOLATES TH IS 18
1581+SUBTITLE AND,: 19
1582+
1583+ (I) AT THE TIME THE DISC LOSING CONTROLLER OR 20
1584+PROCESSOR DISCLOSED THE PERSONAL DATA , THE DISCLOSING CONTR OLLER OR 21
1585+PROCESSOR DID NOT HA VE ACTUAL KNOWLEDGE THAT THE RECEIVING P ROCESSOR 22
1586+OR THIRD–PARTY CONTROLLER WOU LD VIOLATE THIS SUBT ITLE; AND 23
1587+
1588+ (II) THE DISCLOSING CONTR OLLER WAS, AND REMAINED , IN 24
1589+COMPLIANCE WITH ITS OBLIGATIONS AS THE DISCLOSE R OF THE PERSONAL DA TA. 25
1590+
1591+ (2) A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEI VES 26
1592+PERSONAL DATA FROM A CONTROLLER OR PROCES SOR IN COMPLIANCE WI TH THIS 27
1593+SUBTITLE IS NOT IN V IOLATION OF THIS SUB TITLE FOR THE INDEPE NDENT 28
1594+MISCONDUCT OF THE CO NTROLLER OR PROCESSO R FROM WHICH THE 29
1595+THIRD–PARTY CONTROLLER OR PROCES SOR RECEIVED THE PER SONAL DATA. 30
1596+
1597+ (E) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO: 31
1598+
1599+ (1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR 32
1600+THAT ADVERSELY AFFEC TS THE RIGHTS OR FRE EDOMS OF ANY PERSON , INCLUDING 33 36 SENATE BILL 541
1601+
1602+
1603+THE RIGHTS OF A PERS ON TO FREEDOM OF SPEE CH OR FREEDOM OF THE PRESS AS 1
1604+GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR 2
1605+
1606+ (2) APPLY TO A PERSON ’S PROCESSING OF PERS ONAL DATA DURING 3
1607+THE PERSON’S PERSONAL OR HOUSEH OLD ACTIVITIES. 4
1608+
1609+ (F) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL D ATA IN 5
1610+ACCORDANCE WITH AN E XEMPTION UNDER THIS SECTION, THE CONTROLLER OR 6
1611+PROCESSOR SHALL DEMONSTRATE TH AT THE PROCESSING : 7
1612+
1613+ (1) QUALIFIES FOR AN EXEM PTION; AND 8
1614+
1615+ (2) COMPLIES WITH THE REQ UIREMENTS OF SUBSECT ION (G) OF THIS 9
1616+SECTION. 10
1617+
1618+ (G) PERSONAL DATA PROCESS ED BY A CONTROLLER OR PROCESSOR IN 11
1619+ACCORDANCE WITH THIS SECTION: 12
1620+
1621+ (1) SHALL BE SUBJECT TO R EASONABLE ADMINISTRA TIVE, 13
1622+TECHNICAL, AND PHYSICAL MEASURE S TO: 14
1623+
1624+ (I) PROTECT THE CONFIDENT IALITY, INTEGRITY, AND 15
1625+ACCESSIBILITY OF THE PERSONAL DATA ; AND 16
1626+
1627+ (II) REDUCE REASONABLY FOR ESEEABLE RISKS OF HA RM TO 17
1628+CONSUMERS RELATING T O THE COLLECTION , USE, OR RETENTION OF PERS ONAL 18
1629+DATA; AND 19
1630+
1631+ (2) MAY BE PROCESSED TO T HE EXTENT THAT THE P ROCESSING IS: 20
1632+
1633+ (I) REASONABLY NECESSARY AND PROPORTIONATE TO THE 21
1634+PURPOSES LISTED IN T HIS SECTION; AND 22
1635+
1636+ (II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS 23
1637+NECESSARY IN RELATIO N TO THE SPECIFIC PU RPOSES LISTED IN THI S SECTION. 24
1638+
1639+ (H) A PERSON THAT PROCESSE S PERSONAL DATA FOR A PURPOSE 25
1640+EXPRESSLY IDENTIF IED IN THIS SECTION MAY NOT BE CONSIDERE D A CONTROLLER 26
1641+SOLELY BASED ON THE PROCESSING OF PERSON AL DATA. 27
1642+
1643+14–4613. 28
1644+
1645+ (A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION , A 29
1646+VIOLATION OF THIS SU BTITLE IS: 30 SENATE BILL 541 37
1647+
1648+
1649+
1650+ (1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE P RACTICE WITHIN 1
1651+THE MEANING OF TITLE 13 OF THIS ARTICLE; AND 2
1652+
1653+ (2) SUBJECT TO THE ENFORC EMENT AND PENALTY PR OVISIONS 3
1654+CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE. 4
1655+
1656+ (B) THIS SECTION DOES NOT PREVENT A CONSUMER F ROM PURSUING ANY 5
1657+OTHER REMEDY PROVIDE D BY LAW. 6
1658+
1659+14–4614. 7
1660+
1661+ (A) THIS SECTION APPLIES TO AN ENFORCEMENT AC TION UNDER § 14–4613 8
1662+OF THIS SUBTITLE FOR AN ALLEGED VIOLATION THAT OCCURS ON OR BE FORE APRIL 9
1663+1, 2027. 10
1664+
1665+ (B) BEFORE INITIATING ANY ACTION UNDER § 14–4613 OF THIS SUBTITL E, 11
1666+THE DIVISION MAY ISSUE A NOTICE OF VIOLATION TO THE CONTROLLER OR 12
1667+PROCESSOR IF THE DIVISION DETERMINES T HAT A CURE IS POSSIB LE. 13
1668+
1669+ (C) (1) IF THE DIVISION ISSUES A NOT ICE OF VIOLATION UND ER 14
1670+SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PR OCESSOR SHALL HAVE 15
1671+AT LEAST 60 DAYS TO CURE THE VIO LATION AFTER RECEIPT OF THE NOTICE. 16
1672+
1673+ (2) IF THE CONTROLLER OR PROCESSOR FAILS TO C URE THE 17
1674+VIOLATION WITHIN THE TIME PERIOD SPECIFIE D BY THE DIVISION, THE DIVISION 18
1675+MAY BRING AN ENFORCE MENT ACTION UNDER § 14–4613 OF THIS SUBTITLE. 19
1676+
1677+ (D) IN DETERMINING WHETHE R TO GRANT A CONTROL LER OR PROCESSOR 20
1678+AN OPPORTUNITY TO CU RE AN ALLEGED VIOLAT ION, THE DIVISION MAY CONSIDER 21
1679+THE FOLLOWING FACTOR S: 22
1680+
1681+ (1) THE NUMBER OF VIOLATI ONS; 23
1682+
1683+ (2) THE SIZE AND COMPLEXI TY OF THE CONTROLLE R OR PROCESSOR ; 24
1684+
1685+ (3) THE NATURE AND EXTENT OF THE CONTROLLER ’S OR 25
1686+PROCESSOR’S PROCESSING ACTIVIT IES; 26
1687+
1688+ (4) THE LIKELIHOOD OF INJ URY TO THE PUBLIC ; 27
1689+
1690+ (5) THE SAFETY OF PERSONS OR PROPERTY ; 28
1691+ 38 SENATE BILL 541
1692+
1693+
1694+ (6) WHETHER THE ALLEGED V IOLATION WAS LIKELY CAUSED BY A 1
1695+HUMAN OR TECHNICAL ERROR ; AND 2
1696+
1697+ (7) THE EXTENT TO WHICH T HE CONTROLLER OR PRO CESSOR HAS 3
1698+VIOLATED THIS SUBTIT LE OR SIMILAR LAWS I N THE PAST. 4
1699+
1700+ SECTION 2. AND BE IT FURTHER ENACTED, That § 14 –4612 of the Commercial 5
1701+Law Article, as enacted by Section 1 of this Act, shall be construed to apply only 6
1702+prospectively and may not be applied or interpreted to have any effect on or application to 7
1703+any personal data processing activities before April 1, 2025 2026. 8
1704+
1705+ SECTION 3. AND BE IT FURTHER ENACTED, That, if any provision of this Act or 9
1706+the application thereof to any person or circumstance is held invalid for any reason in a 10
1707+court of competent jurisdiction, the invalidity does not affect other provisions or any other 11
1708+application of this Act that can be given effect without the invalid provision or application, 12
1709+and for this purpose the provisions of this Act are declared severable. 13
1710+
1711+ SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect 14
1712+October 1, 2024 2025. 15
1713+
1714+
1715+
1716+Approved:
1717+________________________________________________________________________________
1718+ Governor.
1719+________________________________________________________________________________
1720+ President of the Senate.
1721+________________________________________________________________________________
1722+ Speaker of the House of Delegates.