Analyzing the 2020 Maryland Right to Opt Out of Third-Party Disclosures Act by David Stauss, Partner at Husch Blackwell LLP, Erik Dullea, Partner at Husch Blackwell LLP and Malia Rogers, Attorney at Husch Blackwell LLP
On January 17, 2020, Maryland House Delegates Courtney Watson and Ned Carey introduced HB0249. If enacted in its current form, the bill would allow Maryland residents to opt-out of certain types of transfers of their personal information to third parties. However, it would not create other CCPA-like privacy rights such as the right to deletion and would not require businesses to make disclosures regarding their privacy practices.
Maryland joins a growing list of states considering consumer privacy legislation, including Florida, Illinois, Virginia, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii.
Below is our analysis of the Maryland legislation (as introduced).
To Whom Does it Apply?
“Consumers,” which is defined as an individual who resides in Maryland.
What Entities are Covered?
The Act would apply to “businesses” which is defined as entities that (1) are organized or operated for the profit or financial benefit of their shareholders or other owners; (2) collect the personal information of consumers; and (3) satisfy one of the following thresholds: (a) have annual gross revenues in excess of $25,000,000; (b) annually buy, receive for their commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 100,000 or more consumers, households or devices; or (c) derive at least 50% of their annual revenues from selling consumers’ personal information. The definition also includes entities that control or are controlled by a business and that share a name, service mark, or trademark with that business.
What Information is Covered?
“Personal information,” which is defined as “information that reasonably identifies, relates to, describes, or could be linked to, directly or indirectly, a particular consumer, household or consumer’s device.” Personal information does not include information that is lawfully made available from federal, state or local government records or de-identified or aggregate consumer information.
What Rights are Created?
Consumers would have the right to demand that a business not disclose the consumer’s personal information to third parties.
The bill defines “disclose” broadly to mean a transfer of “personal information by a business to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.” It exempts transfers to “service providers [if] necessary to the performance of an operational purpose,” transfers to third parties to effectuate an opt-out request, and transfers to third parties as part of an asset sale.
In turn, the bill defines “service provider” somewhat similar to the CCPA’s definition as “an entity that processes personal information disclosed by a business or on behalf of a business in accordance with a written contract if the contract prohibits the entity receiving the information from: (1) retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise allowed by [the bill]; and (2) combining the personal information with personal information received by the entity from another source.”
In contrast to the CCPA, which was amended in 2019 to allow businesses to offer financial incentives to consumers in exchange for the collection of their personal information (aka Loyalty Programs) under certain conditions, this practice would apparently not be allowed in Maryland. As introduced, the bill would prohibit businesses from charging different prices or rates, including the use of discounts or other benefits, against consumers who exercised their right to opt-out.
The bill also would prohibit businesses from disclosing the personal information of consumers to third parties if the business has actual knowledge of or willfully disregards the fact that the consumer is under 18 years old.
Are there Any Exemptions?
No. As introduced, the bill does not contain any exemptions such as exemptions for GLBA and HIPAA-regulated entities.
Would Companies Need to Update their Online Privacy Policies?
No, but businesses would need to provide a link on their homepages to a webpage that enables consumers to submit requests. As initially drafted, the bill apparently would require all businesses to have such a link, regardless of whether they transfer personal information that would be subject to the right to opt-out.
How Would it be Enforced?
Violations would constitute an unfair or deceptive trade practice under Maryland’s Consumer Protection Act, which allows actions to be brought by the Division of Consumer Protection, the Maryland Attorney General and individuals who sustain a loss due to the prohibited practice.