Three reasons Maryland’s SB 541 is a US privacy law game-changer
Posted: April 23, 2024
Maryland has followed New Jersey, New Hampshire, and Kentucky as the fourth US state to pass a comprehensive privacy law this year, following the 12 US states that had enacted such legislation at the close of 2023.
Outside California, every state has followed the template set by the Virginia Consumer Data Protection Act (VCDPA). Maryland’s SB 541, currently awaiting the governor’s signature, includes a particularly broad application and two unprecedented provisions that could make it America’s strictest privacy law yet.
1. A broad application
Maryland’s SB 541 applies to any business (subject to exemptions) that conducts business in Maryland or provides products or services targeted to Maryland residents and that during the preceding calendar year, either:
- Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Both:
  - Controlled or processed the personal data of at least 10,000 consumers and
  - Derived more than 20% of its gross revenue from the sale of personal data
This is a relatively broad application – the first population threshold of 35,000 consumers is low, given Maryland’s population of just over 6 million people. As such, many businesses operating in Maryland will be covered by SB 541.
Like every state privacy law outside of California, SB 541 does not apply to employee or business-to-business data. The bill also excludes protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) – but does not exempt covered entities altogether.
2. Strict ‘data minimization’ requirements
Maryland’s SB 541 includes “data minimization” provisions that go beyond those in any other comprehensive state privacy law.
SB 541 states that a controller must “limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.”
There are many possible implications of this provision, depending on how authorities and courts decide what is “reasonably necessary and proportionate” to provide a product or service.
For example, is collecting data for online advertising reasonably necessary and proportionate to provide a news website? If not, a controller might be prohibited from collecting personal data for advertising purposes.
Second, unless the controller obtains the consumer’s consent, it may not process personal data for a purpose that is neither “reasonably necessary to” nor “compatible with” the “disclosed purposes for which the personal data is processed, as disclosed to the consumer.”
In other words, once a controller tells a consumer why it is processing the consumer’s personal data, the controller may only process the data in a way that is “reasonably necessary” for and compatible with that purpose—unless the controller obtains the consumer’s consent to process the data for other purposes.
This provision would prevent controllers from changing the ways they process personal data as set out in their privacy notices without obtaining consent.
3. Strict rules on processing sensitive data
SB 541 includes some particularly strict rules on the processing of sensitive data.
“Sensitive data” means personal data that includes:
- Data revealing:
  - Racial or ethnic origin
  - Religious beliefs
  - Consumer health data (defined as “personal data that a controller uses to identify a consumer’s physical or mental health status,” including data related to “gender-affirming care treatment or reproductive or sexual health care”)
  - Sex life
  - Sexual orientation
  - Status as transgender or nonbinary
  - National origin
  - Citizenship or immigration status
- Genetic data or biometric data
- Personal data of a consumer that the controller knows or has reason to know is a child, or
- Precise geolocation data
This is a broad range of sensitive data categories, including some, such as “consumer health data” and “national origin”, that appear in few other states’ laws.
In addition to this broad “sensitive data” definition, Maryland’s privacy law states that:
- A controller may not “collect, process, or share sensitive data” unless “strictly necessary to provide or maintain a specific product or service requested by the consumer”.
- Selling sensitive data is prohibited outright.
Note that these rules exceed the general data minimization requirement that applies to personal data in general – “strictly necessary” is a higher bar than “reasonably necessary”. While selling personal data in general is not prohibited, selling sensitive data is.
There’s no consent exception, meaning a business cannot even ask a consumer whether it may sell their sensitive data—or process their sensitive data for any reason that is not “strictly necessary to provide or maintain a specific product or service”.
Could Maryland become the strictest state on privacy?
As Maryland stands on the brink of enacting SB 541, the implications for privacy protections are profound and far-reaching. With the bill’s broad applicability to a significant number of businesses, rigorous data minimization requirements, and stringent controls over sensitive data, Maryland could set a new benchmark for privacy legislation in the United States. The upcoming decision by the governor to sign this bill could not only redefine consumer privacy rights within the state but could also inspire similar legislative efforts across the country.
If enacted, SB 541 could position Maryland as a leader in privacy regulation, potentially surpassing established frameworks such as the GDPR in specific aspects of consumer protection. This move reflects a growing recognition of the importance of safeguarding personal data amidst an increasingly digital economy. For businesses, adapting to these stringent requirements will be crucial, while consumers stand to gain significantly greater control and security over their personal information. In this light, Maryland’s legislative approach may well become a model for future privacy laws nationwide, shaping the landscape of data protection for years to come.
Do you need to comply with SB 541?
In this evolving regulatory landscape, implementing a consent and preference management platform (CMP) can be immensely beneficial for businesses aiming to comply with laws like Maryland’s SB 541. CMPs enable businesses to transparently manage and document consumer consent for the use of their personal data, aligning with the strict consent requirements detailed in the law. This not only helps in adhering to legal standards but also enhances consumer trust by empowering individuals to actively control the processing of their data.
Consent and preference management can simplify the complexities of collecting, storing, and managing user consent, ensuring that data practices are transparent and easily auditable. Using a CMP like Cassie, organizations can adjust dynamically to changes in consumer preferences or legal requirements, providing businesses with flexibility and resilience in the face of evolving privacy norms. As Maryland potentially sets new precedents for privacy protection, adopting such technologies will be crucial for businesses to maintain compliance and deliver a privacy-first culture.
Read our Privacy beyond borders research report
Global organizations aim for seamless cross-border user experiences, demanding a nuanced approach that harmonizes user expectations with diverse regulatory environments.
Our latest research:
- Explores consumer preferences across the US, UK, EU, and Canada in digital experiences
- Examines how privacy laws impact global user interactions
- Assesses consumer awareness of regional privacy regulations
- Investigates variations in privacy concerns across different regions.