Communications Litigation Today was a Warren News publication.
Growing State Patchwork

Md. Passes Privacy and Kids Code Bills, Thwarting Industry

Maryland legislators received strong responses after sending privacy and online safety bills to Gov. Wes Moore (D) for final approval. Consumer Reports (CR) applauded the General Assembly for the comprehensive privacy bill (SB-541/HB-567) that it said exceeded other states’ laws in certain ways. On the other hand, tech industry group NetChoice bemoaned a growing patchwork of state laws, 16 and counting.

Kentucky joined the state privacy rolls last week (see 2404050004). Privacy bills have also advanced recently in Minnesota (see 2404050057), Maine (see 2403270045), Pennsylvania (see 2403190009 and Vermont (see 2403220040). Maryland could become the 17th state with a comprehensive privacy law.

The Maryland Senate voted 42-0 Saturday to concur with House changes to a Senate version of the privacy bill, while the House voted 104-34 Monday to concur with Senate changes to the House version. In addition, Maryland lawmakers Saturday approved a kids’ safety bill (SB-571/HB-603) modeled after the California Age-Appropriate Design Code Act. The Senate voted 43-0 to concur with House changes to SB-571 and to recede from its own proposed amendments to HB-603. Lawmakers also held votes on the privacy and kids’ safety bills earlier last week (see 2404050041 and 2404040030).

CR has long championed data minimization provisions like those included in SB 541 because they will protect consumers by default, instead of requiring them to make endless consent choices in order to fully protect themselves,” said Policy Analyst Matt Schwartz. “Bright line bans of harmful data practices, such as the sale of sensitive information and third-party targeted advertisements to children are also extremely welcome.”

"This shows why there needs to be a federal, comprehensive privacy bill that protects all Americans and their data,” countered NetChoice General Counsel Carl Szabo. Without a national law, “the state patchwork continues to expand, hurting small businesses the most with soaring compliance costs.” Congress took a big step over the weekend toward possibly passing such a national law (see 2404080062). CTIA in February raised concerns that Maryland’s proposal didn’t mesh well with privacy laws in other states. The wireless association didn’t comment Monday.

Industry groups had “raised concerns about problematic divergences from other existing state privacy laws and encouraged lawmakers to implement modifications that would support harmonization of key definitions and principles,” said Khara Boender, Computer & Communications Industry Association state director. “The Maryland General Assembly passed bills that still include significant divergences. If Gov. Moore chooses to sign the legislation into law, it is foreseeable that this will make it more difficult for businesses operating across state borders to comply with obligations, while muddying the clarity consumers have in understanding their data rights across jurisdictions.”

The state privacy bill differs from comprehensive laws in other states in various ways, said Husch Blackwell’s David Stauss, a privacy attorney for businesses, in a blog post Monday. “Maryland will be the first state to pass a Washington Privacy Act variant that contains unique provisions regarding data minimization, sensitive data, minor’s data privacy, and unlawful discrimination,” he wrote. Plus, the proposed law “contains a low threshold for applicability such that even smaller companies may need to comply with its provisions.”

Maryland’s privacy law would be one of the toughest in the country, particularly due to its data minimization standards, the International Association of Privacy Professionals (IAPP) said in a Monday post. “Minimization is notable given the bills' coverage thresholds, which include businesses that control or process personal data on more than 35,000 consumers or derive 20% of revenue from selling the data of more than 10,000 consumers. Additionally, the bill puts an all-out prohibition on sensitive data sales, includes provisions for universal opt-out mechanisms and anti-discrimination prohibitions, and offers a limited 60-day right to cure that sunsets in 2027.”

NetChoice asked Moore to veto the kids’ safety measure. “We ask that you oppose [the proposal] and instead use this bill as a way to jumpstart a larger conversation about how best to protect minors online and consider alternatives that do not raise constitutional issues,” wrote Szabo in a Monday letter to the governor.

However, parent and education advocates urged Moore to sign the bill quickly. “These unanimous votes show that support for the Kids Code’s safety-by-design and privacy-by-default principles transcends political divides, and they reflect mounting public calls for smart, effective policy solutions to protect kids online,” said a spokesperson for the Maryland Kids Code Coalition, which includes Common Sense Media, the Maryland Public Health Association, 5Rights Foundation and Doctors for America.