Businesses Must Soon Comply With Novel Md. Data Minimization Law
Uncommon and broadly applicable data minimization requirements in the Maryland Online Data Privacy Act (MODPA) could pose major compliance challenges for companies when the law takes effect Wednesday, privacy attorneys representing businesses said in interviews. Some advertisers could opt out of the Maryland market rather than comply with the state's comprehensive privacy law, said David LeDuc, Network Advertising Initiative (NAI) public policy vice president.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
MODPA’s data minimization standard limits the amount of data businesses can collect. It states they may only collect personal data that is “reasonably necessary and proportionate to provide or maintain” a service, and sensitive data only where it is “strictly necessary.” MODPA also says that controllers may not sell sensitive data.
The “reasonably necessary and proportionate” standard is stricter than other states' privacy laws, said Wiley privacy attorney Duane Pozza. “It's relatively undefined in the context of U.S. privacy law, and we haven't seen really any guidance [from] Maryland as to how they're going to interpret it.” Companies across all industries must “reevaluate their data collection practices … to determine whether ... they think they could fit under the standard.”
Pozza predicted that MODPA’s prohibition on selling sensitive data could soon lead to businesses treating data in Maryland differently than they do in other states. Unacast, a location-intelligence company, recently told us that this restriction will lessen the quality of its Maryland product (see 2509220061). The company and others from industry also asked DOJ to consider preempting MODPA.
“Maryland restricts the processing of data more than any other state privacy law,” said privacy attorney Nancy Libin of Davis Wright. As in Maryland, privacy laws in other states prohibit companies from processing more personal data than is reasonably necessary, said Libin. But in Maryland, companies can’t process sensitive data, “regardless of a consumer's consent, unless the processing is strictly necessary to provide or maintain a specific product or service that the consumer requests.”
Because sensitive data is defined so broadly, companies can't process precise geolocation data, demographic data such as race or ethnicity, or consumer health data for targeted ads, she said. The latter, which covers “health status as opposed to diagnosis or condition,” is “defined so broadly that it could capture information about nutrition or fitness,” she added.
As a result, the rule could stop companies from offering “certain service enhancements that might not be strictly necessary” to provide a service, but which “would be a nice thing for consumers to have,” said Libin. For example, it might stop a cooking app from taking into account that a user is vegan when recommending recipes.
Baker McKenzie’s Jonathan Tam zeroed in on a “unique and restrictive” MODPA requirement prohibiting controllers from processing personal data of minors for targeted advertising and from selling their personal data “if the controller knew, or should have known, that the consumer is under the age of 18.” That could especially affect video game and other interactive entertainment services like streaming TV, he said.
“This is quite a restrictive requirement because there's no … consent defense to this prohibition,” said Tam. “It’s just a blanket, categorical prohibition on using minors’ information knowingly for targeted advertising purposes or selling the personal data.” As a result, “companies that are looking to adhere to the kind of high watermark across the country … would have to basically comply with this one, somewhat unique requirement in the entire country, even though it's from a relatively small state.”
Libin noted that Maryland’s age limit for who counts as a minor is higher than in many other states, which typically set the bar at 13 or 16 years old. The attorney also highlighted a broader-than-usual definition of biometric data, which, she said, covers any information that “can” be used for authentication, even if it’s “never intended to be.”
MODPA will apply to many companies because of its relatively low applicability threshold compared with other state privacy laws, added Libin. It applies to for-profit entities that do business in the state and control or process the personal data of at least 35,000 consumers, or that control or process the data of at least 10,000 consumers and derive more than 20% of their revenue or price discounts from selling personal data. While Delaware has the same threshold, Maryland's population is much larger.
The NAI expects advertisers to respond to the new Maryland law in various ways, said LeDuc. NAI members include ad networks of all sizes, including big ones like Google and Microsoft. While MODPA makes clear “that targeted advertising is allowed subject to a consumer’s opt-out choice,” its “novel data minimization” rules “require companies to do complex analysis about their collection and processing of personal information,” he said.
“In the absence of additional guidance from the [Maryland attorney general’s office], compliance strategies will range widely from exiting the Maryland market entirely for some companies, to maintaining a ‘business-as-usual’ approach for others. Over the longer term, the NAI is hopeful that the legislature will clarify the law’s parallel goals of providing strong data protections for citizens, while also enabling responsible data-driven advertising.”
‘Muscular’ Enforcement Expected
The Maryland AG’s office, which has sole enforcement authority under MODPA, declined to comment on its enforcement approach. Privacy attorneys said that the office has yet to provide clues. However, Libin cautioned that “it’s a muscular attorney general’s office” that takes “consumer protection seriously.”
In other states, privacy enforcers have conducted outreach and issued guidance to signal their expectations, noted Pozza. “It's generally in the interest of state enforcers to put out guidance and answer questions about how this might be interpreted because that helps everyone deal with compliance and not have to rely on individual enforcement actions, which are inevitably going to be more piecemeal.”
To prepare for MODPA, Libin recommended that companies “define the service and product they're providing,” since the data minimization requirement hinges on an organization knowing what’s necessary to provide and maintain a requested service. “Knowing what that is” and documenting it will be important, she said.
Similarly, Tam said companies should ensure they “have a good understanding” of what types of data processing they engage in “and then use that understanding as the basis for risk assessments, data protection impact assessments, privacy notices, data processing agreements, data subject request protocols and the rest of the documents that make up a comprehensive compliance program.”
Complying specifically with the data minimization standard “really requires looking at the functionality of the service at issue and thinking through” questions like whether it collects sensitive data and if it knowingly collects children’s data, said Tam. “If yes, then … why do we need it? And are the purposes for which we're using it lawful? If not, then you probably have to just chuck those. There's no notice-and-consent workaround.”
Pozza said “step one is doing a data inventory” to better understand what information you are collecting and why. Another way to mitigate risk is to have “an internal justification for data collection practices,” he said. That way, “if anyone asks, you can explain.”
Possible Ripple Effects
Among other novel aspects, MODPA includes an uncommon consumer right to obtain a list of the categories of third parties to whom personal data has been disclosed. Like several, but not all, other states, Maryland requires companies to honor universal opt-out signals. Otherwise, MODPA's consumer rights resemble those in other states:
- Confirm that a controller is processing personal data
- Access personal data
- Correct inaccuracies in personal data
- Delete personal data
- Obtain copies of personal data in a portable format
- Obtain a list of categories of third parties to whom personal data has been disclosed
- Opt out of personal data sales, targeted advertising and profiling
MODPA includes one of the longer lists of sensitive data, including national origin and transgender or nonbinary status:
- Racial or ethnic origin
- Religious beliefs
- Consumer health data
- Sex life, sexual orientation or status as transgender or nonbinary
- National origin
- Citizenship or immigration status
- Genetic or biometric data
- Children's data
- Precise geolocation data
Maryland’s law includes entity-level exemptions for governments, nonprofits, national securities associations and financial institutions subject to the federal Gramm-Leach-Bliley Act. Also, it has data-level exemptions, including for employee and B2B data and information covered by HIPAA, the Federal Credit Reporting Act and some other laws.
Companies still have a window for compliance. While the law becomes effective Oct. 1, it won’t apply to data processing activities until April 1, 2026. Also, until April 1, 2027, MODPA includes a 60-day right to cure potential violations.
What happens after MODPA takes effect will probably affect other states’ “willingness to go as far as Maryland,” said Libin. An active Massachusetts bill that recently passed the Senate contains a similar data minimization requirement (see 2509250048), though earlier this year a Maine bill with the same provision stalled out (see 2506260028).
Tam agreed that there could be ripple effects. “Historically, we've seen state legislatures … be inspired by their sister or brother states' legislative efforts in the privacy realm.”