Entendiendo el Maryland Online Data Privacy Act (MODPA): Why It Matters

En Maryland Online Data Privacy Act (MODPA) Está previsto que entre en vigor el 1 de octubre de 2025, and marks a significant step towards enhancing data privacy for residents of Maryland. This comprehensive regulation aims to provide consumers with greater control over their datos personales while imposing stringent requirements on businesses that handle this information. Here’s a detailed look at what MODPA entails and why it’s important for both consumers and businesses.

Why is MODPA Important?

MODPA represents a significant advancement in data privacy regulation, aligning Maryland with other jurisdictions that prioritize consumer data protection. Businesses operating in Maryland must prepare to comply with these new standards, ensuring that they respect and safeguard the personal data of their consumers. The introduction of MODPA is crucial for several reasons:

1. Protección mejorada del consumidor: It provides Maryland residents with robust rights to access, control, and protect their personal data, fostering trust in digital transactions.
2. Transparency and Accountability: Businesses are held accountable for their data practices, ensuring greater transparency and reducing the likelihood of data misuse.
3. Seguridad de los datos: The regulation emphasizes the importance of data security, requiring businesses to implement appropriate measures to protect consumer data from breaches.
4. Adaptation to Modern Challenges: By addressing issues such as automated decision-making and targeted advertising, MODPA is tailored to the complexities of modern data processing.

Alcance y aplicación

MODPA applies to businesses that operate in Maryland or target their products and services to Maryland residents. Specifically, it covers entities that:

• Controlled or processed the personal data of at least 35,000 consumers in the previous calendar year (excluding data used solely for payment transactions).
• Controlled or processed the personal data of at least 10,000 consumers and made more than 20% of their gross revenue from selling personal data.

Notably, the act does not apply to employees or business-to-business (B2B) companies, focusing instead on consumer interactions.

Maryland Consumer Rights

MODPA aligns with the consumer privacy laws of most other states, defining a consumer as an individual residing in Maryland and acting solely in a personal capacity, excluding those acting in employment or commercial contexts. Under MODPA, consumers are granted several rights to ensure transparency and control over their personal data which include:

1. Access and Confirmation: Consumers can confirm whether their data is being processed and access their personal data held by controllers.
2. Correction: Consumers can correct inaccuracies in their personal data.
3. Deletion: Los consumidores pueden request the deletion of their data, unless retention is required by law.
4. Data Portability: If data is processed automatically, consumers can obtain a copy of their data in a portable format to transfer it to another controller.
5. Third-Party Disclosure: Consumers can obtain a list of third parties to whom their data has been disclosed.
6. Opt-Out Rights: Consumers can opt out of data processing for targeted advertising, the sale of personal data, or profiling that affects them legally or significantly.

Controllers must respond to consumer requests within 45 days, extendable by another 45 days if necessary. If a request is denied, the controller must inform the consumer of the reasons and provide instructions for an appeal.

Controller and Processor Responsibilities

MODPA sets forth strict guidelines for how controllers (entities that determine the purposes and means of processing personal data) and processors (entities that process data on behalf of controllers) handle consumer data:

• Prohibited Actions: Controllers cannot collect, process, or share sensitive data unless necessary to provide a requested service. They are also prohibited from selling sensitive data, processing data in a discriminatory manner, or targeting advertising at minors under 18 without consent.
• No discriminación: Controllers must not discriminate against consumers for exercising their rights under MODPA.
• Consumer Consent: Controllers must obtain consumer consent for data processing that goes beyond what is necessary for the disclosed purposes. Consumers can revoke consent, and controllers must cease processing the data within 30 days of the revocation.
• Appeals Process: Controllers must establish an appeals process for consumers whose requests are denied, with a response required within 60 days.

Data Protection and Security

Processors are required to adhere to the controller’s instructions and assist in fulfilling obligations related to consumer rights, data security, and breach notifications. They must also provide necessary information for controllers to conduct and document Data Protection Assessments (DPAs) for activities that pose a heightened risk of harm to consumers.

Under MODPA, controllers are required to perform “data protection assessments” for any processing activities that pose a heightened risk of harm. This includes an assessment for each algorithm used. Such activities encompass:

• Processing personal data for targeted advertising
• Venta de datos personales
• Tratamiento de datos sensibles
• Profiling personal data when it poses a foreseeable risk of unfair, abusive, or deceptive treatment of consumers or results in substantial consumer injury

These assessments must evaluate and compare the benefits of the processing activities for all parties involved against the potential risks to consumer rights. MODPA permits the use of evaluaciones de impacto conducted for other state privacy laws to fulfill its assessment requirements. These data protection assessment requirements will apply to processing activities starting on or after October 1, 2025.

Data Minimization Requirements

MODPA mandates that the collection of personal data be limited to what is reasonably necessary to provide or maintain the requested product or service. This requirement is even stricter for sensitive data. The Act also stipulates that controllers must obtain consent before processing personal data for purposes beyond those originally disclosed and deemed necessary or compatible.

However, MODPA allows controllers and processors to engage in specific processing activities, such as fraud prevention and internal operations, as long as these activities are reasonably necessary and proportionate to their intended purposes.

Special Provisions

MODPA includes specific provisions such as:

• Health Data: Special requirements apply to processing consumer health data.
• Third-Party Notice: Third parties must notify consumers before using or sharing their information in ways that differ from the initial collection terms.
• Algorithm Assessments: DPAs are required for any algorithmic activities that present heightened risks to consumers.

BigID’s Approach to MODPA

BigID is the industry leading platform for data privacy, security, compliance, and Gestión de datos de IA that enables organizations to proactively prepare for MODPA and achieve compliance with its patented identity-aware privacy automation.

Con BigID, las empresas pueden:

• Identificar todos los datos: Descubrir y clasificar datos to build an inventory, map data flows, and gain visibility on all personal and sensitive information subject to MODPA requirements.
• Automatizar la gestión de derechos de datos: Gestione automáticamente las solicitudes de privacidad, las preferencias y el consentimiento, incluida la exclusión voluntaria de la venta de datos, la publicidad dirigida y la elaboración de perfiles de usuario.
• Aplicar políticas: Remediate policy-based risk with controls and workflows to take action on MODPA requirements.
• Minimizar datos: Aplique prácticas de minimización de datos identificando, categorizando y eliminando datos personales innecesarios o excesivos para gestionar eficientemente el ciclo de vida de los datos.
• Implantar controles de protección de datos: Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with MODPA.
• Evaluar el riesgo: Automatice privacy impact assessmentsLos sistemas de gestión de la conformidad, los informes de inventario de datos y los flujos de trabajo de corrección identifican y corrigen los riesgos para mantener la conformidad.

Programe una demostración 1:1 to see how BigID can accelerate your compliance with MODPA.

Autor

Alexis Porter

Responsable de marketing de contenidos

Alexis trabaja como Directora de Marketing de Contenidos para BigID, proveedor líder de DSPM. Se especializa en ayudar a las nuevas empresas tecnológicas a crear y perfeccionar su voz para contar historias más convincentes que resuenen con diversos públicos. Tiene una licenciatura en Escritura Profesional y un máster en Comunicación de Marketing por la Universidad de Denver. Alexis reside en Orlando, Florida.