Maryland AG Could Make Data Privacy Rules, Says WilmerHale Lawyer
Maryland’s attorney general could make privacy rules despite lacking direct rulemaking authority from the Maryland Online Data Privacy Act (MODPA), WilmerHale’s Samuel Kane said Thursday during a webinar by Privado, a compliance vendor. That could tighten requirements under the state's comprehensive privacy law taking effect next month, the privacy attorney said. Meanwhile, MODPA is set to break ground for state privacy laws due to its unique data minimization provision, but companies can prepare now by more closely documenting how they use data, Kane said.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
While MODPA doesn’t authorize the AG to conduct a privacy rulemaking, the Maryland AG separately can “create rules related to unfair [and] deceptive trade practices,” said the WilmerHale lawyer. “We might see the Maryland AG … issue regulations pursuant to that authority.” Maryland’s AG office didn’t comment.
Kane warned that while AG rules “often are intended to provide kind of implementation guidance,” in some cases they can “actually impose new substantive obligations on companies.” For example, this potentially could occur in New Jersey, based on regulations the state has proposed to implement its comprehensive privacy law (see 2509030001).
One key difference with MODPA, compared to other states’ privacy laws, is its data minimization requirement, which limits the amount of data that businesses collect from the start. Under Maryland’s law, businesses may only collect personal data that is “reasonably necessary” to provide a service, and sensitive data that is “strictly necessary.”
“This departs from the norm of other state privacy laws because it doesn't include … a consent exception” and “it also does not rely on what you as a company disclose to the consumer in your privacy policy,” said Kane. “It looks rather at … whether that collection of personal data is reasonably necessary and proportionate in relation to the product or service requested.” There is “some ambiguity” to the rule, as well, because MODPA doesn’t define key terms like “reasonably necessary,” he added.
To prepare for the requirement, Kane recommended that companies better understand their data and document the decisions they make with it. For instance, that means understanding “what kinds of data processing activities you're engaged” in and “conducting … a reasoned analysis of whether that can be reasonably treated as … meeting MODPA’s relevant requirements and thresholds.”
Businesses still have time to comply. Kane noted that, while the Maryland privacy law takes effect Oct. 1, it doesn’t apply to data processing activities until April 2026. In addition, MODPA includes a discretionary 60-day right to cure that won’t expire until April 1, 2027.
It's “too early to tell” whether Maryland will remain an outlier on data minimization, said Kane. “We'll certainly have a better sense of how these provisions are applied once we start seeing guidance from the Maryland AG or even enforcement actions, and that might prompt” amendments to MODPA or, “conversely, might encourage other states to implement similar provisions.”