Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

One of the most challenging aspects of being a privacy professional is keeping track of and managing new laws and amendments and the ways they impact the organization’s privacy program. Understanding the impact of a novel compliance obligation requires drilling down through the organization’s privacy program’s policies, processes, communications and trainings to ensure compliance obligations are met.

In April 2024, Maryland’s legislature passed the Maryland Online Data Privacy Act, which goes into effect 1 Oct. 2025. While most U.S. state privacy laws require consent to process sensitive personal information, Maryland took a different approach — one that provides an excellent example of how variations in laws can mean significant effort, resources and costs to businesses.

While there’s nothing out of the ordinary about the elements of data Maryland considers SPI, instead of requiring consent, the state bans the collection, processing, or sharing of SPI unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.”

It seems like a small thing, but if an organization processes SPI that falls within the scope of MODPA, it’s time to update practices.

Definitions

First things first. What is SPI? And what does “strictly necessary” mean?

MODPA includes racial and ethnic origin, consumer health data, religious beliefs, sex life or orientation, transgender or non-binary status, citizenship or immigration status, personal information about a child, precise geolocation data, genetic and biometric data in its definition of SPI.

As far as strictly necessary goes, we will likely need an enforcement action — or many — to get solid insight on this. Until then, legal teams will need to make their best educated guess of what processing activities fit the standard and document the justification.

Business decision

Next, a business decision must be made: Should this obligation be applied universally, limited to data subjects in Maryland, or is the organization willing to accept the potential risks associated with non-compliance? This largely depends on resources, technological capabilities and the company’s risk profile.

Data protection assessments

Most U.S. state consumer privacy laws require organizations to conduct a data protection assessment prior to processing SPI. Before this MODPA obligation, data protection assessments could look relatively standard for all areas of heightened risk. Complying with MODPA will now require an additional necessity assessment for any processing of SPI. Privacy pros must ensure this is done not only for new processing activities, but also for all existing and ongoing processing involving SPI.

This is a great time to ensure the privacy risk assessment process is defined and effective — and if the company doesn’t have one, it’s time to put one in place. Identify and document all current use cases of SPI and determine the most effective method for organizing this information — whether through a spreadsheet, Word document, or a purpose-specific technology. Work with business units to ensure risk assessments are built into workflows to capture the new processing of SPI; train teams so they know how and when to conduct privacy risk assessments.

Data inventory

Privacy risk assessments and data inventories work hand-in-hand. Companies that have a solid data inventory in place will have a head start here because current uses of SPI should be documented. Companies that currently don't have a reliable data inventory can leverage the risk assessment process to build one.

Even companies that have a data inventory will need to update it to include whether the company conducted a necessity assessment for processing SPI and document the results of that assessment.

Don’t forget to document all these steps to ensure appropriate accountability mechanisms are in place in case a regulator comes knocking.

Processing activities

If an organization can’t show the SPI is necessary according to the law, it will need to change its SPI handling practices. If an organization is currently processing SPI but cannot justify it based on this new “strictly necessary” standard, the collection, use, retention, and sharing of the SPI will need to be halted to comply with MODPA. Remember that processing is literally anything done to or with personal information.

Privacy notice

It’s likely that your consumer-facing privacy notice includes information on the collection of SPI and includes text affirming to the customer that the company only processes it with consent from the data subject.

To comply with MODPA, privacy notices will need to be updated to ensure they appropriately reflect the practices around only using SPI when it is strictly necessary to provide or maintain a product or service as requested by the individual.

Third-party risk management

This is another area where having a solid data inventory provides a strong foundation.

Privacy pros should take a look at data sharing practices and review all agreements that involve the sharing or selling of SPI. Cross-check these agreements with the new list of processing activities that comprise strictly necessary processing to ensure they all meet this standard. Then, review the data protection agreements to make sure appropriate protections are being passed to recipients.

Initially, this may feel daunting, but starting with contracts based on their criticality to the organization can help prioritize the review. Going forward, a strong third-party risk management program that feeds into your data protection assessment and data inventory will simplify this process.

Conclusion

When a new privacy obligation is passed, it’s important to follow the impact of that obligation through all phases of the data life cycle and all aspects of the privacy program. Ensuring that program leadership is on board, together with training and documentation, will give you the accountability mechanisms to show regulators and others your efforts.

What should be your immediate next step for MODPA compliance? Start documenting data protection assessments for all SPI collection and use cases.

It’s not a question of if but when new laws or amendments will pass, keeping all privacy professionals on their toes. Implementing privacy program tenets like privacy risk assessments, data inventories, and third-party risk management processes will lighten the load of integrating new obligations.

Jodi Daniels, CIPP/US, is the founder and CEO of Red Clover Advisors.