Comprendre le Loi sur la confidentialité des données en ligne du Maryland (MODPA): Pourquoi c'est important

Le Loi sur la confidentialité des données en ligne du Maryland (MODPA) is set to take effect on October 1, 2025, and marks a significant step towards enhancing data privacy for residents of Maryland. This comprehensive regulation aims to provide consumers with greater control over their données personnelles while imposing stringent requirements on businesses that handle this information. Here’s a detailed look at what MODPA entails and why it’s important for both consumers and businesses.

Why is MODPA Important?

MODPA represents a significant advancement in data privacy regulation, aligning Maryland with other jurisdictions that prioritize consumer data protection. Businesses operating in Maryland must prepare to comply with these new standards, ensuring that they respect and safeguard the personal data of their consumers. The introduction of MODPA is crucial for several reasons:

1. Enhanced Consumer Protection: It provides Maryland residents with robust rights to access, control, and protect their personal data, fostering trust in digital transactions.
2. Transparence et responsabilité : Businesses are held accountable for their data practices, ensuring greater transparency and reducing the likelihood of data misuse.
3. Sécurité des données : The regulation emphasizes the importance of data security, requiring businesses to implement appropriate measures to protect consumer data from breaches.
4. Adaptation to Modern Challenges: By addressing issues such as automated decision-making and targeted advertising, MODPA is tailored to the complexities of modern data processing.

Scope and Application

MODPA applies to businesses that operate in Maryland or target their products and services to Maryland residents. Specifically, it covers entities that:

• Controlled or processed the personal data of at least 35,000 consumers in the previous calendar year (excluding data used solely for payment transactions).
• Controlled or processed the personal data of at least 10,000 consumers and made more than 20% of their gross revenue from selling personal data.

Notably, the act does not apply to employees or business-to-business (B2B) companies, focusing instead on consumer interactions.

Maryland Consumer Rights

MODPA aligns with the consumer privacy laws of most other states, defining a consumer as an individual residing in Maryland and acting solely in a personal capacity, excluding those acting in employment or commercial contexts. Under MODPA, consumers are granted several rights to ensure transparency and control over their personal data which include:

1. Access and Confirmation: Consumers can confirm whether their data is being processed and access their personal data held by controllers.
2. Correction: Consumers can correct inaccuracies in their personal data.
3. Deletion: Consumers can request the deletion of their data, unless retention is required by law.
4. Data Portability: If data is processed automatically, consumers can obtain a copy of their data in a portable format to transfer it to another controller.
5. Third-Party Disclosure: Consumers can obtain a list of third parties to whom their data has been disclosed.
6. Droits de retrait : Consumers can opt out of data processing for targeted advertising, the sale of personal data, or profiling that affects them legally or significantly.

Controllers must respond to consumer requests within 45 days, extendable by another 45 days if necessary. If a request is denied, the controller must inform the consumer of the reasons and provide instructions for an appeal.

Controller and Processor Responsibilities

MODPA sets forth strict guidelines for how controllers (entities that determine the purposes and means of processing personal data) and processors (entities that process data on behalf of controllers) handle consumer data:

• Prohibited Actions: Controllers cannot collect, process, or share sensitive data unless necessary to provide a requested service. They are also prohibited from selling sensitive data, processing data in a discriminatory manner, or targeting advertising at minors under 18 without consent.
• Non-discrimination : Controllers must not discriminate against consumers for exercising their rights under MODPA.
• Consumer Consent: Controllers must obtain consumer consent for data processing that goes beyond what is necessary for the disclosed purposes. Consumers can revoke consent, and controllers must cease processing the data within 30 days of the revocation.
• Appeals Process: Controllers must establish an appeals process for consumers whose requests are denied, with a response required within 60 days.

Data Protection and Security

Processors are required to adhere to the controller’s instructions and assist in fulfilling obligations related to consumer rights, data security, and breach notifications. They must also provide necessary information for controllers to conduct and document Data Protection Assessments (DPAs) for activities that pose a heightened risk of harm to consumers.

Under MODPA, controllers are required to perform “data protection assessments” for any processing activities that pose a heightened risk of harm. This includes an assessment for each algorithm used. Such activities encompass:

• Processing personal data for targeted advertising
• Vente de données personnelles
• Traitement des données sensibles
• Profiling personal data when it poses a foreseeable risk of unfair, abusive, or deceptive treatment of consumers or results in substantial consumer injury

These assessments must evaluate and compare the benefits of the processing activities for all parties involved against the potential risks to consumer rights. MODPA permits the use of impact assessments conducted for other state privacy laws to fulfill its assessment requirements. These data protection assessment requirements will apply to processing activities starting on or after October 1, 2025.

Data Minimization Requirements

MODPA mandates that the collection of personal data be limited to what is reasonably necessary to provide or maintain the requested product or service. This requirement is even stricter for sensitive data. The Act also stipulates that controllers must obtain consent before processing personal data for purposes beyond those originally disclosed and deemed necessary or compatible.

However, MODPA allows controllers and processors to engage in specific processing activities, such as fraud prevention and internal operations, as long as these activities are reasonably necessary and proportionate to their intended purposes.

Special Provisions

MODPA includes specific provisions such as:

• Health Data: Special requirements apply to processing consumer health data.
• Third-Party Notice: Third parties must notify consumers before using or sharing their information in ways that differ from the initial collection terms.
• Algorithm Assessments: DPAs are required for any algorithmic activities that present heightened risks to consumers.

BigID’s Approach to MODPA

BigID is the industry leading platform for data privacy, security, compliance, and Gestion des données d'IA that enables organizations to proactively prepare for MODPA and achieve compliance with its patented identity-aware privacy automation.

Avec BigID, les entreprises peuvent :

• Identifier toutes les données : Découvrir et classer les données to build an inventory, map data flows, and gain visibility on all personal and sensitive information subject to MODPA requirements.
• Automatiser la gestion des droits sur les données : Gérer automatiquement les demandes, les préférences et le consentement en matière de protection de la vie privée, y compris le refus de la vente de données, de la publicité ciblée et du profilage des utilisateurs.
• Apply Policies: Remediate policy-based risk with controls and workflows to take action on MODPA requirements.
• Réduire les données : Appliquez des pratiques de minimisation des données en identifiant, en catégorisant et en supprimant les données personnelles inutiles ou excessives pour gérer efficacement le cycle de vie des données.
• Mettre en œuvre des contrôles de protection des données : Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with MODPA.
• Évaluer les risques : Automatiser évaluations de l'impact sur la vie privéeIl s'agit d'identifier les risques et d'y remédier afin de maintenir la conformité.

Planifiez une démonstration individuelle to see how BigID can accelerate your compliance with MODPA.

Auteur

Alexis Porter

Responsable du marketing de contenu

Alexis est responsable du marketing de contenu pour BigID, fournisseur de DSPM leader sur le marché. Elle se spécialise dans l'aide aux startups technologiques pour qu'elles créent et affinent leur voix, afin de raconter des histoires plus convaincantes qui trouvent un écho auprès de divers publics. Elle est titulaire d'une licence en rédaction professionnelle et d'une maîtrise en communication marketing de l'Université de Denver. Alexis est basée à Orlando, en Floride.