May 2024 saw two new consumer privacy laws advance in the United States. Vermont and Maryland have joined states such as California, Virginia and Montana that already have data privacy laws in place designed to protect the personal information of their residents.
Senate Bill 541, known as the Maryland Online Data Privacy Act (MODPA), was signed into law by Governor Wes Moore on May 9, 2024, making Maryland the eighteenth state in the United States to adopt a comprehensive data privacy law. MODPA will become effective on October 1, 2025.
House Bill 121, known as the Vermont Data Privacy Act (VDPA), passed the House of Representatives with unanimous approval on May 10, 2024 and is now awaiting the signature of the state's governor, Phil Scott. The VDPA stands out for the private right of action it grants to consumers, its stricter requirements around the data of minors, and its data broker registration requirement. It is set to become effective on July 1, 2025.
Here is a brief summary of the two consumer privacy laws:
Maryland Online Data Privacy Act Summary
Who Needs to Comply?
MODPA applies to entities, termed "controllers," that operate in Maryland or target Maryland residents with their products or services and meet one of the following criteria within a calendar year:
- Control or process the personal data of at least 35,000 Maryland consumers, or
- Control or process the personal data of at least 10,000 Maryland consumers and derive over 20% of their gross revenue from selling personal data.
Notably, the 20% revenue threshold is lower than the corresponding thresholds in states like Kentucky, Florida, and Tennessee, so more data-selling businesses fall within scope.
Exemptions
Certain entities and types of data are exempt from compliance, including:
- State and local government agencies,
- Financial institutions governed by the Gramm-Leach-Bliley Act,
- Non-profits assisting law enforcement or first responders,
- Data protected by other federal statutes like HIPAA and FERPA.
Consumer Rights
Under the Maryland Online Data Privacy Act, residents have several new rights concerning their personal data:
- Access and Confirmation: Consumers can confirm if a Controller is processing their data and access it.
- Correction: They can correct inaccuracies in their personal data.
- Deletion: Consumers can request the deletion of their data unless retention is legally required.
- Portability: They can obtain a copy of their data in a usable format.
- Disclosure: Consumers can request a list of third parties who have received their data.
- Opt-Out: They can opt out of the processing of their data for targeted advertising, the sale of their data, or profiling.
Controllers must respond to these requests within 45 days, with a possible extension where reasonably necessary. An appeals process must also be available if a request is denied.
Obligations for Businesses
The Maryland Online Data Privacy Act outlines several obligations for businesses:
- Data Minimization: Collect only the data that is reasonably necessary and proportionate to provide or maintain the product or service the consumer requested.
- Security Measures: Implement reasonable administrative, technical, and physical security practices to protect personal data.
- Consent Mechanisms: Provide easy methods for consumers to give and revoke consent.
- Transparency: Clearly inform consumers if their data is sold or used for targeted advertising and provide opt-out options.
- Non-Discrimination: Treat consumers equally, regardless of their data privacy choices.
- Impact Assessments: Conduct assessments for processing activities that pose significant risks to consumers.
Enforcement and Penalties
The Maryland Attorney General's Consumer Protection Division holds exclusive enforcement authority over MODPA. There is no private right of action under this law. Violations may result in civil penalties of up to $10,000 per violation, increasing to $25,000 for repeated offenses. Controllers and processors will have 60 days to cure a violation after receiving notice from the Attorney General.
Vermont Data Privacy Act (VDPA) Summary
Who Needs to Comply?
The VDPA applies to businesses that conduct operations in Vermont or offer products or services to Vermont residents, provided they control or process the personal data of at least 25,000 consumers or derive more than 50% of their gross revenue from the sale of personal data.
Exemptions
- Government Entities: Federal, state, tribal, or local government entities.
- Healthcare: Covered entities and business associates under HIPAA, public health activities, human subjects research, substance use disorder records, and patient safety work products.
- Employment and Financial Data: Activities under the Fair Credit Reporting Act and nonpublic personal information handled by financial institutions under the Gramm-Leach-Bliley Act.
- Specific Entities: Financial institutions, third-party administrators, nonprofits involved in preventing insurance fraud, and nonprofits providing school enrollment data.
- Nonprofits and Media: Nonprofit victim services, healthcare services, noncommercial media activities, licensed radio/TV stations, and information services like press associations.
- Public Utilities: Entities regulated by the Vermont Public Utility Commission are exempt until July 1, 2026.
Consumer Rights
Under the Vermont Data Privacy Act, residents are granted several rights concerning their personal data:
- Access: Consumers can confirm whether their personal data is being processed and access that data.
- Correction: Consumers have the right to correct inaccuracies in their personal data.
- Deletion: Consumers can request the deletion of their personal data, subject to certain exceptions.
- Data Portability: Consumers can obtain a copy of their personal data in a portable and readily usable format.
- Opt-Out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling.
Obligations for Businesses
Businesses covered under the VDPA, referred to as "controllers" and "processors," must adhere to several obligations:
- Data Minimization: Collect only the personal data necessary for specified, legitimate purposes and retain it only as long as needed to fulfill those purposes.
- Security Practices: Implement reasonable administrative, technical, and physical security measures to protect personal data's confidentiality, integrity, and accessibility.
- Consent Requirements: Obtain clear and affirmative consent from consumers before processing sensitive data, such as biometric or health information.
- Transparency: Provide transparent information about data collection and processing activities through easily accessible privacy notices.
- Responding to Consumer Requests: Establish procedures to respond to consumer requests to exercise their rights within specified time frames.
Enforcement and Penalties
The Vermont Attorney General's Office has the exclusive authority to enforce the Vermont Data Privacy Act, with civil penalties of up to $10,000 per violation. The VDPA also includes a private right of action, allowing consumers to sue data brokers or large data holders for specific violations, such as the mishandling of sensitive or health data.
Special Provisions
The VDPA includes specific measures to protect minors' personal data and sensitive health data. For children under 13 years old, companies must obtain verifiable parental consent before collecting or processing their personal data. Additionally, the use of geofencing technology around healthcare facilities to track or collect data is prohibited without explicit consent.