DOJ Asked to Preempt Privacy Laws in Maryland and Other States

Compared with other types of information classified as sensitive under MODPA, “commercially available location data is of extreme economic consequence to businesses,” the CPO, Unacast's Jason Sarfati, said in an interview. “It's how a lot of the modern digital economy runs today.” For example, it’s important for modeling consumer demand, he said: “If you have an increase of aggregate visitors to certain retail establishments … that's an indicator that parts of that economy are doing well.”

DOJ and the National Economic Council asked in August for help identifying state laws “that significantly and adversely affect the national economy or interstate economic activity.” Responses were due last week.

“Categorical bans on the sale of precise geolocations are already harming national security private sector business operations,” Unacast said in its Sept. 15 filing at DOJ. “A federal baseline that preempts categorical state sale bans will best protect privacy of consumers, national security, and the economy.”

The Software & Information Industry Association also told DOJ that MODPA is problematic. “While most states follow a reasonableness standard,” Maryland requires “data use only to the extent ‘strictly necessary,’” the group said. “This undefined standard creates impossible compliance challenges. For example, what data is ‘strictly necessary’ for a recommendation algorithm? For fraud prevention? For accessibility features? Companies must guess at the answer, knowing that a regulator's post-hoc determination could trigger substantial penalties.”

SIIA additionally raised concerns with many other privacy, AI and kids online safety laws from various states. “While we respect states’ important role in our federal system, the inherently interstate nature of digital services requires national solutions. We urge the DOJ to use all available tools to address this crisis of regulatory fragmentation and restore a unified national marketplace for digital innovation.”

The National Retail Federation said that while a national privacy law is the best way to “resolve the growing patchwork,” DOJ and the FTC “should evaluate where state privacy laws conflict with federal statutes and enforcement authority and determine where preemption may be appropriate.”

The group also suggested that DOJ step in to end “a recent spate of plaintiff suits against retailers and web vendors that use state wiretap statutes,” such as the California Invasion of Privacy Act.

“A federal statute preempting these interpretations is crucial to establishing a uniform standard that acknowledges both the realities of modern web technology and the importance of user privacy,” it said. “The absence of federal preemption in this area has allowed state courts to stretch the meaning of wiretap statutes -- often enacted decades before the advent of digital tracking technologies -- to reach conduct that was never contemplated by their drafters.”

Others who raised concerns at DOJ about a so-called patchwork of state privacy laws included Cato Institute Senior Fellow Jennifer Huddleston and the International Pharmaceutical & Medical Device Privacy Consortium.

However, a group of state legislators and civil society organizations, including consumer privacy advocates, objected to the premise of DOJ's request for information about overriding state policies. "We respectfully urge you to withdraw this RFI."

Unacast: MODPA to Diminish Product Quality

Unacast uses commercially available location data to provide insights to private- and public-sector customers about the place where they operate, including on commuter patterns and other information about people’s movement, said Sarfati. For example, the company was able to measure the effect of the bridge collapse in Baltimore and provide information that may assist city planners, government officials and companies like FedEx, he said.

However, MODPA’s prohibition on businesses selling sensitive data covers precise location information. “So that prohibits companies like mine from selling software solutions which identify the accuracy of devices within 1,750 feet,” Sarfati said. That limit might work for rural areas, “but one need not walk the streets of Baltimore too long to recognize that” an area of about the size of “six football fields in a place like downtown Baltimore does make, actually, a very measurable difference.” As a result, “the quality of the products that companies like mine are able to provide regarding the Maryland market will … be impacted.”

That expected dip in quality will affect Unacast customers outside Maryland, too, Sarfati noted. “Most companies take an interest in national-level movement patterns, so certainly having reduced quality of data in Maryland, which happens to sit right in the middle of the Eastern Seaboard, does impact national-level products.”

Unacast already updated its offerings to comply with MODPA ahead of the Oct. 1 effective date, said Sarfati, adding that it took “several months to complete.”

The CPO predicted that, in time, location data customers will “start recognizing that a lot of the … data solutions that they rely on, which work great in neighboring Pennsylvania, for example, suddenly just don't work as well in states like Maryland.” That could “have some impact on enforcement, because I believe any thoughtful regulator is going to also want to think through what's the real-world impact of an enforcement action and” how it connects to "other economic activities.”

The Maryland attorney general’s office hasn’t provided additional guidance about enforcement, said Sarfati. Such guidance "from regulators is very valuable,” because otherwise, companies “are basically left with only reading the plain language interpretation of what the law says.” The AG’s office declined to comment on its enforcement approach for MODPA.

Maryland state legislators considered a bill to amend MODPA this year, but it didn’t go anywhere (see 2502100032). Sarfati hopes the legislature will “reevaluate this topic at the beginning of the next session,” he said. “There's going to be a direct impact to Maryland consumers and businesses,” and when the 2026 session opens this January, “that is something the Maryland legislature will hear more about.”

Unacast said in its DOJ filing that “unlike targeted geofencing limits, a blanket sale prohibition breaks interstate data markets by foreclosing secondary lawful uses and multi-state analytics that depend on commercial availability of standardized geolocation inputs.”

In addition to flagging the Maryland law, Unacast raised concerns about a 2025 Oregon law (HB-2008), which similarly bans selling precise location information (see 2506040027). The filing also addressed location privacy bills in California and Massachusetts.

“These state actions, together with related geofencing restrictions” in Washington state’s My Health My Data Act, “create a patchwork that fragments nationwide data flows and impedes beneficial commercial and public interest use cases (disaster response, transportation planning, public health, anti-child/sex trafficking) which rely on interstate mobility data,” said Unacast.

The company urged DOJ to adopt a federal standard for precise geolocation and to “specifically designate the [Oregon, Maryland, California and Massachussetts] bills as laws that significantly burden commerce in other states and between states.” As interim relief, DOJ should “seek [temporary restraining orders], preliminary injunctions, and pursue stipulated non-enforcement with these state AGs.” Among other things, “DOJ should encourage a 24-36 month AG forbearance and waiver mechanism for national security, emergency management, and consumer protection (e.g. fraud prevention) use cases.”