Maryland Online Data Privacy Act
The Trust Challenge

Key obligations and consequences

The following are a few key obligations and consequences flowing from MODPA for any organization to which these provisions apply:

Applicability:

If your business operates in Maryland or targets Maryland consumers from outside the state, the Maryland Online Data Privacy Act (MODPA) likely applies to you. There are two main criteria:

  • If your business processes the data of at least 35,000 Maryland consumers.
  • If your business processed the data of at least 10,000 Maryland consumers and earned at least 20% of its revenue from selling consumer data.

For example, even if you're a small business using tools like Google Analytics or Meta Pixel and collect data from 35,000 Maryland residents, you'll need to comply with this law.

However, if your company is already subject to specific privacy laws like HIPAA or GLBA, you may be exempt from certain aspects of other state privacy laws.

Bans on sales of personal data:

The Act would ban the sale of “Sensitive Personal Data” without exception. “Sensitive Personal Data” would include data related to an individual's race, religious beliefs, sex life or orientation, genetic or biometric data, Consumer Health Data, or precise (within 1,750 feet) geolocation. The Act would also ban the sale of any personal data about individuals who are under the age of 18.

Consumer health data:

The Act would impose strict data access controls for personnel or subcontractors who access Consumer Health Data. “Consumer Health Data” would be personal data that identifies a consumer’s physical or mental health status, gender-related treatment, or reproductive or sexual health care.

Children’s data:

The Act would prohibit businesses from selling Personal Data without consent if the business knows or “should have known” that the individual at issue is under age 18. This language is similar to that found in the Children’s Online Privacy Protection Act, which requires businesses to monitor more proactively whether children under the age of 13 may be using a website. The Act’s requirement may prompt businesses to adopt similar monitoring or age-verification requirements in Maryland (or to stop processing such data altogether).

Universal opt-out mechanisms:

The Act’s language with respect to universal opt-out mechanisms, or “UOOMs,” is one area where the Act appears to be more lenient than many other state laws. A UOOM is a signal set at the user’s browser level that tells a site not to collect information like cookies. The Act would appear to make adoption of a UOOM … Most state privacy laws make UOOMs mandatory after a certain date. Notably, the Act states that if a business recognizes UOOMs approved by other states, the UOOM will be deemed compliant with the Act.


Key Challenges in brief:

  • Data Security: ensuring that personal data collected online is securely stored and protected from unauthorized access or breaches.
  • Data Collection Transparency: requiring businesses to be transparent about what data they collect, how it is used, and who it is shared with.
  • User Consent: establishing clear guidelines for obtaining user consent before collecting or processing their personal data.
  • Data Subject Rights: granting individuals the right to access, correct, or delete their personal data held by businesses.
  • Enforcement: establishing effective enforcement mechanisms and penalties for non-compliance to ensure businesses adhere to the regulations.
  • Cross-Border Transfers: addressing challenges related to cross-border data transfers and ensuring that data protection standards are maintained when data is transferred outside the state.

Win-Win Situation

Our Solutions

TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks such as privacy impact assessments (PIAs) and data protection impact assessments (DPIAs). These assessments aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire “data footprint”, enabling them to protect what matters most.

Third-party Privacy Intelligence (monitors third-party sharing): Often there are silos between entities, or between business and IT teams, and it is challenging to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. TurtleShield PI (Privacy Intelligence) creates a data map based on your data sharing so that you can take action on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets using machine learning to find excess data, including personal data. This can eliminate operational inefficiencies and save cost, both by removing unwanted data and by avoiding the legal cost of holding it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capabilities to comply with mandatory deletion of personal data: deleting the data on request and validating that the deletion took place.

Enable data subject rights with cost savings and compliance in totality: Search capability across large datasets to fulfill data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not reality, as customer data exists in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.

TurtleShield CM is the solution designed to enable consent compliance within your organization. Enabling consent compliance involves implementing processes, technologies and policies that ensure you collect and manage user consent in a way that aligns with applicable data protection regulations and industry best practices. TurtleShield CM also supports consent management in 22 regional languages.

