ONE, TWO PUNCH: Maryland Signs into Law Consumer Data Privacy, While Vermont’s BEAST of a Bill Awaits Signature

This week was busy in the world of Consumer Data Privacy both Maryland and Vermont passed their respective state law. Maryland’s Governor was fast acting and signed the bill the very next day while Vermont is on the Governor’s desk awaiting to be signed, which they always do, and with that, here is what you are going to need to know!

First up Maryland, signed into law their new  Maryland Online Data Protection Act of 2024! This will apply to those who conduct business in the state or provide products or services to residents of the state. The effective date is October 1, 2025. Maryland does not provide a private right of action but does offer consumers to pursue other remedies provided by law, however, that will not be an option until on or after April 1, 2027.

Controlled or processed personal data of at least 35,000 consumers or at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

Consumers will be afforded the following rights free of charge once every 12-month period:

• Right to Know
• Right to Access
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Obtain a List of Categories of Third Parties
• Right to Opt Out of
  • Targeted Advertising
  • Sale of Personal Data
  • Automated Decisioning

Businesses will have up to 45 days to respond and may obtain an additional 45 days if it is reasonably necessary based on the complexity and the consumer is informed of the extension within the first 45 days of the initial request. If a consumer request is declined, the business shall inform the consumer without delay and within 45 days with the justification for declining the request and provide instruction on how to appeal the decision. If an appeal is made a consumer should be informed within 60 days in writing of any action taken or not taken and the reasons. If the appeal is denied the consumer must be provided with an online option, if available, to submit a complaint to the Division.

Business must:

• Establish a secure and reliable method for consumer to exercise their rights
• Establish an appeal process for declined request
• Limit collection of personal data with what is reasonably necessary to provide or maintain specific products or services requested by a consumer
• Establish and maintain reasonable data security practices
• Provide an effective option for consumers to revoke consent as easily as they provided consent
  • Revocation of consent shall be as soon as possible but not later than 30 days
• Include a link on the webpage that allows a consumer to opt out of targeted advertising for the sale of personal data
• By October 1, 2025, the business must be able to receive the consumers opt-out preference signals

Business may not:

• Collect or share sensitive data unless strictly necessary to provide or maintain a specific product or service
• Sell sensitive data
• Process personal data in violation of state or federal law that prohibits unlawful discrimination
• Process personal data of consumers for targeted advertising if they know or should have known the consumer is under the age of 18
• Sell personal data of consumers if they know or should have known the consumer is under the age of 18
• Discriminate against consumer for exercising their rights
• Process personal data for a purpose that is not reasonably necessary or compatible with the disclosed purpose unless they obtain consumer consent

The Privacy Policy must provide the consumer with a reasonably accessible, clear, and meaningful notice that includes

• Categories of personal and sensitive data processed
• The purpose for processing
• How they may exercise their rights
• Make an appeal
• Revoke consent
• Categories of third parties they share personal data, with levels of details so consumers understand the type of business or processing each third party does
• Categories of personal and sensitive data shared with third parties
• Active email or other method a consumer can contact the business

There are exemptions offered, you can read the new law here.

 

On to Vermont, again this bill is waiting for the Governor’s signature, but in the meantime, here is what you need to know at a high level about this MASSIVE bill. Pay attention here, VT is coming in with the lowest threshold yet and is the most extensive covering of consumers’ personal data. Once signed the effective date is July 1, 2025.

Controlled or processed personal data of over 6,500 consumers; or Controlled or processed personal data of over 3,250 consumers and more than 20% of the gross revenue derived from the sale of personal data.

Consumers will be afforded the following rights free of charge once every 12 months:

• Right to Know and Access
• Right to Obtain a List of Third Parties personal data has been transferred to
• Right to Correct
• Right to Delete
• Right to Data Portability
• Right to Opt Out of
  • Targeted Advertising
  • Sale of Personal Data
  • Automated Decisioning

 

Businesses will have up to 45 days to respond and may obtain an additional 45 days if it is reasonably necessary based on the complexity and the consumer is informed of the extension within the first 45 days of the initial request. If a consumer request is declined, the business shall inform the consumer without delay and within 45 days with the justification for declining the request and provide instruction on how to appeal the decision and allow reasonable time. If an appeal is made a consumer should be informed within 45 days in writing of the decision and the reasons. If the appeal is denied the consumer must be provided information on how to contact the Attorney General to submit a complaint.

Business must:

• Only process personal data that is reasonably necessary and proportionate to provide the service which the data was collected for and then consumer reasonably expects
• Establish and maintain data security practices
• Provide an effective mechanism for consumers to revoke consent as easy as it was to provide consent
• Once consumer revokes consent the personal data must cease processing no later than 15 days
• Provide a clear and conspicuous link to a website where a consumer may opt out of processing, if a business does not have the capacity to provide a link another method must be provided
• Allow opt out signals on consumer’s behalf that does not discriminate and require an affirmative choice to opt out
• Conduct a data protection assessment for each processing activity that presents a heightened risk of harm and must be retained for 5 year

Business may not:

• Process personal data beyond what is reasonably necessary and proportionate to the purpose
• Process sensitive personal data without obtaining consumer consent
• Process personal data in a way that would discriminate against a consumer
• Discriminate against a consumer who exercises their rights

 

The Privacy Policy must provide the consumer with a reasonably accessible, clear, and meaningful notice that includes

• Express the purposes for collecting and processing personal data
• List of categories of personal and sensitive data this is processed
• List of categories of personal and sensitive data that is shared with third parties
• The purpose for processing personal data
• How a consumer can exercise their rights
• Categories of third parties they share personal data, with levels of details so consumers understand the type of business and if possible how they process personal data
• Provide an email or other online option for a consumer to contact the business
• Identifies the business name, the name registered with the Secretary of State, and any assumed business names used in the state
• Clear description of any processing of personal data for targeted advertising, sales to third parties, or profiling of personal data and how a consumer may opt out
• How a consumer may submit a request to exercise their rights

If a consumer is harmed and notifies the business and then fails to cure a violation within 60 days of notice, the consumer may bring an action in Superior Court

(A) the greater of $1,000.00 or actual damages;

(B) injunctive relief;

(C) punitive damages in the case of an intentional violation; or

(D) reasonable costs and attorney’s fees.

The AG’s office may issue a notice to cure prior to initiating actions, however, that will be determined by set criteria.

Vermont has a multiple expansive section that addresses a business’s duties to minors. A section dedicated specifically to data brokers and all the requirements that will need to be met if you fall into this category. You can read more here and check out the exemptions offered under this bill.

On a side note, with Oregon’s law going into effect this summer on July 1, they have released a FAQ for both consumers and businesses. You can take a peek here.