Despite unexpected movement from U.S. Congress on a proposed comprehensive federal privacy law, U.S. state legislatures remain committed to passing state-level legislation in the absence of a federal standard. However, the Maryland General Assembly is not exactly following in other states' footsteps.

Maryland is set to add one of the toughest comprehensive privacy laws among states after companion bills that made their way through the House and Senate were consolidated and concurred upon 6 April. If enacted, the bill will take effect 1 Oct. 2025.

The nuance and strength compared to the 15 enacted state privacy laws vary, but the Maryland bill's broad data minimization standards are among the game-changing factors. Minimization is notable given the bill's coverage thresholds, which include businesses that control or process personal data on more than 35,000 consumers or derive 20% of revenue from selling the data of more than 10,000 consumers.

Additionally, the bill puts an all-out prohibition on sensitive data sales, includes provisions for universal opt-out mechanisms and anti-discrimination prohibitions, and offers a limited 60-day right to cure that sunsets in 2027.

"I think it's a wrinkle just like (Washington's) My Health My Data Act was one last year," Husch Blackwell Partner David Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, said. "It's different, novel and has to be a real consideration. Every year we come out of the gates with state privacy bills that are sort of inconsequential ... and then toward the end of the year we get something dropped on us that's very consequential. There's no doubt this is going to be very consequential."

Minimization to the front

Data minimization included in Maryland's bill is not entirely new. Laws in California and Colorado include data minimization while U.S. Congress' previously proposed American Data Privacy and Protection Act included minimization standards.

Maryland's take on minimization falls closer to what was set out in the proposed ADPPA. Maryland is set to require data controllers to limit data collection to what is "reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer." Additionally, the bill requires collection, processing and sharing of sensitive data to be reduced to what is "strictly necessary" in relation to a requested product or service.

Privacy advocacy groups have long sought the inclusion of data minimization in state privacy statutes. However, states considering and passing legislation in recent years showed reluctance or little appetite to go through with minimization.

"It's a real game-changer for consumers because it takes the onus off them to protect their privacy and instead requires companies to look at their data collection practices and change them to better meet consumer expectations," Electronic Privacy Information Center Deputy Director Caitriona Fitzgerald said.

EPIC released a joint report with the U.S. Public Interest Research Groups Education Fund in February grading the strength of the 14 enacted state laws at the time of publication. Only three states received better than a "C" grade while six state laws were graded "F" based on EPIC-generated criteria.

"Most (state laws) are copycats of each other, but especially the ones recently passed," Fitzgerald added. "It was really encouraging to see Maryland legislators say 'No, this is not enough.' It's not enough to say companies can put whatever they want in privacy policies. Instead, they said companies need to look at the context of the interactions they're having with the consumer and the collection necessary for that."

Maryland's data minimization is a move in a "positive direction," according to Boltive CEO Dan Frechtling, who expects a particular impact in the mobile apps market. He indicated the advertising technology privacy compliance vendor observes high-risk data sharing from apps, which is then put toward targeted advertising.

"It's not unusual for apps to share data with five to 10 third parties through SDKs, libraries and other traffic mechanisms," Frechtling said. "Boltive software shows mobile app and website trackers are often added over time, sometimes growing back as soon as a month after audits are complete."

More novelty

Complying with Maryland's bill will take more than the standard compliance framework that applies to a majority of existing state laws. Data minimization is not the only factor driving those increased considerations.

The ban on sensitive data sales to an individual of any age is a wrinkle companies will need to assess. Maryland's definition of sensitive data somewhat aligns with that found in Connecticut, Delaware and Oregon's comprehensive statutes. It includes any data related to an individual's health, ethnicity and religion along with biometric data, geolocation data and data belonging to a known minor under age 18.

Protections for children's data are also noteworthy in Maryland's bill. There is a ban on targeted advertising and sale of data belonging to minors under 18, but companies are left to review whether they "knew or should have known that the consumer is under the age of 18 years."

"There are going to be a lot of people questioning whether that's going to require age verification or age assurance," Husch Blackwell's Stauss said. "A 'should've known' standard could be interpreted as an affirmative duty to investigate who is visiting a website or app. If that's the case, you're not a far cry from verification or assurance procedures, and then it raises First Amendment issues."

Frechtling expects companies covered by Maryland's bill that target ads to children will "err on the side of caution" and eliminate targeted advertising from their business altogether. That is the preferred route "rather than risk violating the law or request more sensitive information to determine age," he added.

There's a unique aspect to universal opt-out mechanism provisions as well. The bill describes UOOMs as an alternative to a conspicuous "do not sell" mechanism on a given website, which would mark the first time a state made recognition of UOOMs optional.

"I wonder if that's a drafting error. States using this language have said you need a link and recognition of universal opt-outs. Using 'and,' not 'or,'" Stauss said. "I strongly suspect that wasn't intentional."

The sunset on the right to cure is notable given so few state laws include the limitation. Maryland goes a step further with attorney general discretion over when a 60-day cure can be applied.

"There's no need to be giving mandatory cure periods to attorneys general. They would already have the flexibility to work with companies that made an honest mistake or are a first-time violator," EPIC's Fitzgerald said. "Attorney general enforcement resources are already so limited that I imagine they'll be saving them for the most egregious cases anyway."