A case study in privacy operations: The Maryland SPI rule
Contributors:
Jodi Daniels
CIPP/US
Founder and CEO
Red Clover Advisors
One of the most challenging aspects of being a privacy professional is tracking and managing new laws and amendments and the ways they affect the organization's privacy program. Understanding the impact of a novel compliance obligation requires drilling down through the privacy program's policies, processes, communications and trainings to ensure the obligation is met.
In April 2024, Maryland’s legislature passed the Maryland Online Data Privacy Act, which goes into effect 1 Oct. 2025. While most U.S. state privacy laws require consent to process sensitive personal information, Maryland took a different approach — one that provides an excellent example of how variations in laws can mean significant effort, resources and costs to businesses.
While there’s nothing out of the ordinary about the elements of data Maryland considers SPI, instead of requiring consent, the state bans the collection, processing, or sharing of SPI unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.”
It seems like a small thing, but if an organization processes SPI that falls within the scope of MODPA, it’s time to update practices.
Definitions
First things first. What is SPI? And what does “strictly necessary” mean?
MODPA includes racial and ethnic origin, consumer health data, religious beliefs, sex life or orientation, transgender or non-binary status, citizenship or immigration status, personal information about a child, precise geolocation data, genetic and biometric data in its definition of SPI.