Last Thursday, Free State Governor Wes Moore signed into law the Maryland Online Data Privacy Act of 2024 (MODPA). With the stroke of his pen, Maryland became the eighteenth state to adopt a comprehensive data privacy statute – one with the most onerous "data-minimization" requirements we have seen thus far.
Forgive me if I sound like a broken record, but this most recent addition to the already substantial set of state-specific data privacy laws further compounds the confusion experienced by consumers and the compliance challenges faced by companies, particularly small businesses.
Should it become federal law, the American Privacy Rights Act (APRA) discussion draft, about which I wrote in a recent Perspectives from FSF Scholars, would preempt this patchwork and establish a desperately needed nationwide data privacy regime.
For a general overview of the MODPA, please see my two previous posts to the Free State Foundation blog on the topic, which can be found here and here. For present purposes, I want to focus specifically on the MODPA's data-minimization language, which states that "controllers" must "[l]imit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains" (emphasis added).
The data-minimization model differs from the notice-and-consent approach – pursuant to which the bounds of permissible data collection are set forth in a company's privacy policy – that until recently served as the de facto standard nationwide. And Maryland's version is the most extreme data-minimization implementation to date.
Strict data-minimization requirements such as this, and the one spelled out in the APRA, could have unintended anti-consumer consequences. Limitations on the collection of personal data beyond what is "reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains" – or, in the case of the APRA, "beyond what is necessary, proportionate, or limited to provide or maintain a product or service requested by an individual" (emphases added) – are inherently subjective standards that create substantial uncertainty and risk for companies. And that uncertainty and risk could have a chilling effect.
For example, companies may refrain from offering the "free" (that is, ad-supported) services that many consumers have come to rely on. The notice-and-consent model traditionally has allowed consumers to weigh the benefits of sharing personal information in exchange for these free services. The shift to a data-minimization approach could undermine that model, potentially leading to a reduction in the availability of complimentary online offerings.
The MODPA will go into effect on October 1, 2025, a year later than originally proposed.