Maryland Considering SB613 / HB0901 – Online Consumer Protection Act
We have been closely following the states that are considering privacy bills in the wake of the California Consumer Privacy Act (CCPA) and realized this week that there was one introduced in February which we still have not covered.
Maryland SB613 is the Online Consumer Protection Act. It was introduced by Senator Susan Lee, a Democrat representing District 16 (Montgomery County) and the Senate Majority Whip. The House version of the bill is HB0901. HB901 is sponsored by Delegates Ned Carey, Benjamin Brooks and Terri Hill.
We have used SB0613 for the bill’s details (in case there are any minor differences):
It applies to for-profit entities that meet one of the thresholds (1) annual gross revenue over $25 million; (2) annual personal information of 100,000 consumers, households or device; or (3) at least one-half of annual revenue from selling personal information. It would go into effect on January 1, 2021.
The law would be enforced by the Attorney General of Maryland and provide for a civil penalty up to $2500 and a maximum for intentional violations of $7500.
– Categories of personal information the business will collect
– The business purposes for the personal information
– The categories of third-parties to which the business discloses personal information
– The business purpose for third-party disclosure
– The consumer’s rights to request a copy of their personal information, the deletion of their personal information, and opt out of third-party disclosures.
Right to Access:
– Specific pieces of personal information collected
– Sources from which it was collected
– Names of third-parties receiving disclosures
– Business purpose for third-party disclosure.
Right to Delete:
– Consumers have the right to delete any personal information collected from the consumer.
– Businesses must delete after a verifiable consumer request and direct service providers to do so as well.
– Exemptions include: completing the transaction, security detection and protection, identifying errors that impair functionality, the exercise of free speech, certain research, and complying with a legal obligation.
It provides adult consumers the Right to Opt Out of Third-Party Disclosures at any time. Businesses may not disclose personal information of consumers under the age of 18 to a third party. This is an absolute prohibition and not a requirement for opt-in consent as provided by the CCPA.
It prohibits discrimination against a consumer for exercising their rights under the law, including by denying goods or services, charging a different price or rate, providing a different level or quality of goods/services, or suggesting that the consumer will receive a different price or level or quality.
There are also limitations on the research that can be done with personal information collected from a consumer in the course of interaction with a business.
There is a hearing on the Online Consumer Protection listed for Wednesday in the House Economic Matters Committee and Friday in the Senate Finance Committee.
Other Relevant Posts:
Maine Considering LD 946 to Protect Privacy of ISP Customers
Illinois House Passes Data Transparency and Privacy Act; Senate Passes KIDS Act
Texas Considers Consumer Privacy Act and Privacy Protection Act
Update: Special Session of Appropriations Committee Saves Washington Privacy Act for Another Week
No Washington Privacy Act This Year?
Washington Privacy Act – Initial Look at the Current House Version
Summary of Connecticut SB 1108 on Data Privacy
Summary of Public Hearings on Maryland Online Consumer Protection Act
Summary of Washington Privacy Act After State Senate Passes
Florida Legislature Considers Biometric Information Privacy Act
With SD341, Massachusetts Joins States Considering CCPA-like Data Privacy Laws
Public Hearing on Washington Privacy Act (SSB 5376) in Senate Ways & Means – More Work to Be Done?
State CCPA Privacy Bills in Rhode Island, Hawaii and New Jersey
North Dakota Considers Study on Privacy Practices of Data Brokers