Maryland Online Data Privacy Act of 2024 Compliance Guide 

On May 9, 2024, the Governor of Maryland signed MD SB541, enacting the Maryland Online Data Privacy Act of 2024. This law will go into effect on October 1, 2025 and will provide privacy rights to residents of the State and will impose various compliance obligations on businesses such as the requirement to have a comprehensive Privacy Policy that includes all of the disclosures enumerated in this privacy law. In this Compliance Guide, we will discuss Maryland’s new privacy law, including: 

• Who needs to comply with the Maryland Online Data Privacy Act; 
• How this privacy law defines “personal data”; 
• The privacy rights provided to residents of Maryland; 
• The Privacy Policy requirements of Maryland’s privacy law; 
• The penalties for violations; and 
• How Termageddon will handle Privacy Policy updates for this new law. 

Who needs to comply with the Maryland Online Data Privacy Act 

Maryland’s new privacy law has a broad application in the sense that your business does not have to be located in Maryland for this privacy law to apply to you. The Maryland Online Data Privacy Act applies to persons that conduct business in the State or that provide services or products that are targeted to residents of the State and that during the immediately preceding calendar year: 

1. Controlled or processed the personal data of at least 35,000 residents of Maryland; or 
2. Controlled or processed the personal data of at least 10,000 residents of Maryland and derived more than 25% of its gross revenue from the sale of personal data. 

It is important that the law specifically exempts nonprofits that process personal data to assist law enforcement agencies in investigating criminal or fraudulent acts relating to insurance or first responders in responding to catastrophic events. However, the law does not exempt nonprofits working in other causes. 

How Maryland’s privacy law defines “personal data”

Since Maryland’s privacy law applies to persons who meet the criteria above, it is important to know how this law defines “personal data.” Maryland’s privacy law defines “personal data” as “any information that is linked or can be reasonably linked to an identified or identifiable individual.” This means that information commonly collected through websites such as names, emails, phone numbers, physical addresses or IP addresses would qualify as “personal data” and thus be protected under this law. It is important to note that the law specifically exempts de-identified data or publicly available information from the definition of personal data. 

Privacy rights provided to residents of Maryland 

The purpose of the Maryland Online Data Privacy Act is to protect the personal data and privacy of residents of the State by providing them with the following privacy rights: 

1. Confirm whether a business is processing their personal data; 
2. Access their personal data; 
3. Correct inaccuracies in their personal data; 
4. Delete their personal data; 
5. Obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format; 
6. Obtain a list of the categories of third parties to which the business has disclosed the personal data; 
7. Opt out of targeted advertising; 
8. Opt out of the sale of their personal data; 
9. Opt out of the use of their personal data for profiling in furtherance of solely automated decisions that produce a legal or similarly significant effect concerning the consumer; 
10. Not be discriminated against based upon the exercise of their privacy rights. 

Businesses who receive a privacy rights request from a Maryland resident will have 45 days to respond to such request, though this period may be extended by an additional 45 days if necessary. Individuals will also have the ability to appeal a privacy rights decision if they are not satisfied with the business’s response. 

Maryland Online Data Privacy Act Privacy Policy requirements 

Businesses that need to comply with Maryland’s privacy law are required to provide a reasonably accessible, clear, and meaningful Privacy Policy that includes the following disclosures: 

1. The categories of personal data processed; 
2. The purpose for processing the personal data; 
3. How a consumer can exercise their privacy rights, including how to appeal a privacy rights decision; 
4. The categories of third parties with whom personal data is shared; 
5. The categories of personal data shared with third parties; 
6. An active e-mail address or other online mechanism that a consumer may use to contact the business; 
7. Whether the personal data is sold to third parties, processed for targeted advertising or used for profiling purposes. 

Penalties for violations 

Maryland’s new privacy law will be enforced by the Maryland Attorney General’s Office, Division of Consumer Protection. The Attorney General’s Office will have multiple enforcement abilities, such as the ability to issue an injunction, issue fines of up to $10,000 per violation (or up to $25,000 per subsequent violation), ability to recover attorneys’ fees, and even the ability to issue criminal proceedings for violations. 

How Termageddon will update Privacy Policies for this new law

We have been tracking Maryland’s new privacy law since its introduction as a bill and will continue to monitor for any amendments, rules, regulations, and guidance. We will also update client policies accordingly prior to the law’s effective date on October 1, 2025. If you do not currently have a Privacy Policy or do not have a strategy to keep your Privacy Policy up to date with changes such as this one, make sure to check out the Termageddon Privacy Policy generator.