Maryland Privacy Law's Quirks Warrant Review of Data Practices, Lawyers Say
Businesses should comb through their data-collection practices to comply with the unusual aspects of the Maryland Online Data Privacy Act (MODPA), Kelley Drye privacy lawyers Aaron Burstein and Austin Del Priore blogged Friday.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
MODPA, which took effect Oct. 1, includes uncommon and broadly applicable data-minimization requirements (see 2509290023). It states that businesses may collect only personal data that's "reasonably necessary and proportionate to provide or maintain” a service and sensitive data that's "strictly necessary." MODPA also says that controllers may not sell sensitive data.
“A couple of steps can help businesses to address these restrictions,” said the Kelley Drye lawyers. “First, reviewing and documenting the extent of sensitive data collection and use will help businesses assess whether they are restricting their use to what is ‘reasonably necessary.’ Data protection assessments -- which MODPA and several other states require for sensitive data processing -- are a logical place to document this analysis.”
Second, businesses should check if they sell sensitive data of Maryland residents, the attorneys said.
In addition, MODPA contains strict treatment of the data of children, defined as those younger than 18. The federal COPPA defines a child as younger than 13. “For businesses that engage in targeted advertising or sell data, the [MODPA] minors’ privacy provisions raise the importance of identifying instances of data collection that could meet Maryland’s combination of an under-18 age range and a constructive knowledge standard,” said Burstein and Del Priore.
Another quirk of the Maryland law relates to data protection assessments, they said. “Although Maryland’s data processing assessment requirements track other states’ laws in many respects, MODPA is unusual in requiring assessments to cover ‘each algorithm that is used’ for heightened-risk activities.”
With “algorithm” not defined in the privacy law, “this requirement is potentially expansive,” the lawyers wrote. “Focusing on algorithms that directly relate to the 'heightened risk' practice being assessed could help direct resources to areas that are most relevant to the assessment.”