Maryland Moving Toward Becoming 15th State With Privacy Laws
Maryland this week moved one step closer to becoming the 15th state to pass comprehensive online privacy legislation by hosting debate in both chambers on Tuesday and Wednesday.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The House Economic Matters Committee considered the privacy bill during a Tuesday hearing, and the Senate Finance Committee considered the same measure Wednesday. Industry and media groups are opposed, with CTIA saying the federal government should handle the issue, avoiding an ever-expanding patchwork of state privacy laws. However, consumer advocates touted Maryland's data minimization requirements, saying the bill is stronger than watered-down laws in Virginia and Connecticut. Should Maryland pass the new law, legislators must increase resources for the attorney general’s office, which would have sole enforcement responsibility, said AG Anthony Brown (D).
Del. Sara Love and Sen. Dawn Gile, both Democrats, introduced the Maryland Online Data Privacy Act HB-567/SB-541. The bill lets consumers opt out of targeted advertising and gives them a right to know what data is collected, how it’s used and to block it. It doesn’t include a private right of action, though industry groups said this provision lacks clarity. In addition, the bill doesn't include a right to cure, unlike those in Colorado, Connecticut, Virginia and Utah. It’s a compromise bill that incorporates 32 amendments from stakeholders, said Love. Gile said social media companies shouldn’t operate unchecked, gathering sensitive information without user consent.
Having a patchwork of state laws creates compliance confusion and burdens companies and consumers, said Hannah Garagiola, who testified on behalf of CTIA. NetChoice Vice President Carl Szabo urged Maryland to follow the leads of Virginia and Connecticut, while also speaking in favor of data collection standards adopted in Colorado. Both TechNet and the Computer & Communications Industry Association spoke about clarifying bill language about a private right of action. The groups believe nothing in the bill should open the door to individual claims against companies.
Maryland’s data collection limitations go “a little bit” further than Connecticut's, and the language is overly broad, said Rebecca Snyder, deputy director of the Maryland Delaware D.C. Press Association. The association wants clarification that the Maryland AG is the only entity that can bring a lawsuit.
The Electronic Privacy Information Center and U.S. Public Interest Research Group recently scored the 14 state privacy laws and Maryland’s proposed legislation. Connecticut received a D, Maryland a B-. Companies in Connecticut continue to collect sensitive data as long as it’s authorized by privacy policy “no one ever reads,” said EPIC Deputy Director Caitriona Fitzgerald. “This is fake privacy protection.”
The strongest elements in the Maryland bill are data minimization requirements, said Matt Schwartz, policy analyst at Consumer Reports. The bill will go a long way toward stopping rampant data collection, he said. He suggested the drafters broaden opt-out rights to include all data sharing so as to close loopholes in the current definitions. He also endorsed the inclusion of a private right of action.
Both committees considered separate kids’ safety-related legislation. The Maryland Kids Code (HB-603/SB571) is modeled after the California Age-Appropriate Design Code Act, which a federal judge blocked on First Amendment grounds. It’s also modeled after a similar law in the U.K., which remains in effect. Maryland’s bill would require online products and services “reasonably likely to be accessed by children and teens under 18 to be age appropriate and designed in kids' best interests.”
The Maryland State Education Association and Free State PTA spoke in favor of the Maryland Kids Code. The impact assessments required for social media companies would help parents understand the digital world their children are navigating, said Laura Stewart, Free State PTA vice president-advocacy. Too many students are suffering from unregulated social media, said Maryland State Education Association specialist Lauren Lamb: Harms include invasive data collection, online harassment, misinformation and addictive design features.
Companies have explicitly ignored how they harm children, said Hanna Abrams, AG Consumer Protection Division assistant attorney general. However, Abrams highlighted how the legislation duplicates a law already on Maryland's books. The Maryland Consumer Protection Act provides penalties that are more robust and flexible than what's in the proposed bill, she said: “There’s no need for a new framework. It's inefficient.”
Like the bill in California, Maryland’s is unconstitutional and will protect “zero children,” said Szabo. CCIA State Policy Manager Jordan Rodell said the bill includes vague language like “best interests of a child.” There are among many vague terms that would be impossible to comply with, she said.