Minnesota, Maryland, and Rhode Island have recently enacted their own data privacy laws, bringing the total number of comprehensive U.S. state privacy laws to 19. These laws, which will go into effect in 2025 and 2026, aim to provide individuals with greater control over their personal data and add new obligations to the privacy landscape in the United States.

Maryland Online Data Privacy Act

Key Takeaways: On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act (“MODPA”) into law. The MOPDA contains unique provisions concerning data minimization, sensitive data, and health data. The MODPA will become effective on October 1, 2025, but will not apply to any personal data processing activities before April 1, 2026.

Applicability and Scope

MODPA applies to businesses operating within Maryland or offering goods or services to its residents, provided the business:

• during a calendar year, controls or processes personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• derives more than 20% of gross revenue from the sale of personal data and processes or controls the personal data of at least 10,000 Maryland consumers.

Like all other state laws except for the California Consumer Privacy Act (“CCPA”), “consumer” does not include employees or business-to-business contacts. MODPA does not include an exemption for non-profits or higher education institutions but does exempt entities subject to the Gramm-Leach-Bliley Act (“GLBA”) and data subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Requirements

Maryland’s law includes a few key differences from previously enacted state privacy laws:

• Data minimization:
  • Controllers must limit the collection of personal data to what is reasonably necessary and proportionate to provide and maintain a specific product or service requested by the consumer, unless the controller obtains the consumer's consent.
  • If a third party uses or shares a consumer’s information in a manner “inconsistent with promises made to the consumer at the time of collection of the information,” the third party must provide the consumer with notice of the new or changed practice before using or sharing the information.
  • Controllers may not collect, process, or transfer personal data or publicly available data that unlawfully discriminates in, or otherwise unlawfully makes unavailable, the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability.
• Sensitive data:
  • Sensitive data and personal data of a consumer who the controller knows or has reason to know is under the age of 18 may not be collected, processed, or shared unless strictly necessary to provide or maintain a specific product or service requested by the consumer. “Sensitive data” is personal data that reveals racial or ethnic origin, religious beliefs, personal data of a child under the age of 13, sex life or sexual orientation, certain consumer health data not subject to HIPAA, biometric or genetic data, precise geolocation data (within a radius of 1,750 feet), status as transgender or nonbinary, national origin, and citizenship or immigration status. “Biometric data” is broadly defined to include data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity.
  • The sale of sensitive data is prohibited, unless the sale is necessary to provide or maintain a specific product or service requested by the consumer. A “sale” of data is the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.
• Health data:
  • Consumer health data may not be accessed by employees or contractors unless the employee or contractor is subject to a contractual duty of confidentiality and may be accessed by a processor only if the processor is bound to the same obligations the controller has under the law.
  • The use of a geofence to identify, track, collect data from, or send notification to a consumer within 1,750 feet of a mental health, reproductive, or sexual health facility is prohibited.

Like many other state laws, the MODPA requires controllers to conduct a data protection assessment prior to processing personal data for targeted advertising, processing sensitive data, selling personal data, or processing for profiling, if the profiling presents an unreasonably foreseeable risk of unfair, abusive, or deceptive treatment unlawful disparate impact, financial, reputational, or physical injury, or a physical or other intrusion into a consumer’s private affairs, or processing that presents a heightened risk of harm.

Consumer Rights

Maryland consumers have the following privacy rights:

• Right to know and access personal data processed by a controller;
• Right to correct inaccurate personal data;
• Right to delete personal data;
• Right to obtain a copy of the consumer’s personal data;
• Right to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data or a list of the categories of third parties to which the controller has disclosed any consumer’s personal data if the controller does not maintain this information in a format specific to the consumer; and
• Right to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling that has certain significant consequences.

The MODPA requires controllers to honor requests sent through universal opt-out mechanisms (“UOOMs”).

Enforcement

The MODPA will not apply to any personal data processing activities before April 1, 2026. MODPA violations will be considered unfair, abusive, or deceptive trade practices under Maryland’s Consumer Protection Act, and violations will be enforced by the Maryland Division of Consumer Protection of the Office of the Attorney General. The MODPA contains a discretionary 60-day cure period for alleged violations that sunsets on April 1, 2027. The MODPA does not specifically provide consumers with a private right of action, but it also does not prevent consumers from pursuing remedies provided by other laws.

Minnesota Consumer Data Privacy Act

Key Takeaways: On May 24, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (“MCDPA”) into law. The law will become effective on July 31, 2025. While the MCDPA is similar to the state privacy laws of Washington, New Hampshire, and Maryland, it also includes unique features such as an exemption for small businesses.

Applicability and Scope

MCDPA applies to businesses operating within Minnesota or offering goods or services to its residents, provided the business:

• during a calendar year, controls or processes personal data of at least 100,000 Minnesota consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• derives more than 25% of gross revenue from the sale of personal data and processes or controls the personal data of at least 25,000 Minnesota consumers.

The MCDPA provides an exemption for small businesses as defined by the United States Small Business Administration. This mirrors the approach seen in Texas and Nebraska, although those state laws do not incorporate the 100,000-consumer threshold for applicability. Minnesota also aligns with Texas and Nebraska in that small businesses, regardless of the number of consumers’ data they handle, are prohibited from selling sensitive consumer data without prior consent.

Like all other state laws except for the CCPA, “consumer” does not include employees or business-to-business contacts. The MCDPA exempts data subject to HIPAA or GLBA but does not include entity-level exemptions for non-profits or entities subject to HIPAA or GLBA.

Requirements

The MCDPA outlines several responsibilities for data controllers:

• Transparency Obligations:
  • Controllers must provide consumers with a privacy notice that details the types of personal data processed, sold, shared, or profiled by the controller, the duration for which personal data is held by the controller, and the rights consumers possess regarding their personal data. Notably, controllers must electronically notify consumers of material changes to the controller’s privacy policy and provide consumers with a reasonable opportunity to withdraw consent to any materially different processing activities.
  • The MCDPA also requires controllers to document and maintain a description of the policies and procedures they have adopted to comply with the MCDPA, including the name and contact information of the controller’s chief privacy officer or another individual responsible for compliance and a description of the controller’s policies and procedures for compliance with the specific requirements of the law.
• Sensitive Data: Controllers may not process sensitive data without consumer consent, which may be revoked at any time.
  • Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying an individual, data collected from a known child, and specific geolocation data.
  • In contrast to other state privacy laws which provide a precise geolocation radius, specific geolocation is defined as “information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates.”
• Non-Discrimination: Controllers may not process personal data based on specific protected classifications (such as race or gender) in a manner that discriminates against consumers of that category in significant areas like housing, employment, and public accommodation.
• Data Privacy and Protection Assessments: The MCDPA requires controllers to conduct these assessments prior to processing personal data for targeted advertising, processing sensitive data, selling personal data, processing for profiling, if the profiling presents an unreasonably foreseeable risk of unfair or deceptive treatment, financial, reputational, or physical injury, or a physical or other intrusion into a consumer’s private affairs, or processing that presents a heightened risk of harm.

Consumer Rights

Minnesota consumers have the following privacy rights:

• Right to know and access personal data processed by a controller;
  • Like the Oregon Consumer Privacy Act, the MCDPA provides consumers with a right to request a list of specific third parties to whom the controller has disclosed the consumer’s personal data.
• Right to correct inaccurate personal data;
• Right to delete personal data;
• Right to obtain a copy of the consumer’s personal data;
• Right to opt out of the processing of personal data for purposes of targeted advertising; the sale of personal data; or profiling that has certain significant consequences; and
• Right to review, understand, question, and correct how personal data has been profiled.
  • This right is unique to the MCDPA. Consumers have the right to review their data that has been used for profiling. If the decision was based on inaccurate data, consumers have the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Consumers also have the right to “question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.”

The MCDPA requires controllers to honor opt-out requests sent through UOOMs.

Enforcement

The Minnesota Attorney General will enforce the MCDPA, who may initiate a civil action against businesses that breach this privacy regulation by imposing fines of up to $7,500 per violation. Businesses will be granted a 30-day right to cure any violations, which will expire on January 31, 2026.

Rhode Island Data Transparency and Privacy Protection Act

Key Takeaways: On June 29, 2024, the Rhode Island Data Transparency and Privacy Protection Act (“Rhode Island Act”) was passed as Governor Daniel McKee transmitted the bill without signature. The Rhode Island Act is fairly consistent with other state privacy laws and will take effect on January 1, 2026.

Applicability and Scope

The Rhode Island Act applies to businesses that conduct business in Rhode Island, produce products, or provide services to Rhode Island residents, provided the business:

• during a calendar year, controls or processes personal data of at least 35,000 Rhode Island consumers (excludes personal data controlled or processed for the sole purpose of completing payment transactions); or
• controls or processes personal data of at least 10,000 Rhode Island consumers and derives more than 20% of gross revenue from the sale of personal data.

In addition, any commercial website conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction must designate a controller and post a privacy policy that identifies the categories of data collected through the website, identifies the third parties to whom the controller has sold or may sell personal information, and provides contact information for the controller.

The Rhode Island Act contains exemptions for information subject to HIPAA or GLBA, non-profit organizations, and institutions of higher education. Like all other state laws except for the CCPA, “consumer” does not include employees or business-to-business contacts.

Requirements

The Rhode Island Act outlines several responsibilities for data controllers that are generally consistent with those found in other state privacy laws:

• Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
• Controllers must not process sensitive data without first obtaining consumer consent, or in the case of a known child, without processing the data in accordance with the Children's Online Privacy Protection Act (“COPPA”).
  • Sensitive data is defined as personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; citizenship or immigration status; genetic or biometric data used to identify an individual; data collected from a known child; and precise geolocation data (within a radius of 1,750 feet).
• Controllers must provide customers with a mechanism to grant and revoke consent where consent is required.
• Controllers must conduct a data protection impact assessment (“DPIA”) on the processing of personal data that presents a heightened risk of harm to the customer, including targeted advertising, processing sensitive data, selling personal data, or processing for profiling, if the profiling presents an unreasonably foreseeable risk of unfair or deceptive treatment or disparate impact on customers, financial or physical injury to customers, or an intrusion offensive to a reasonable customer upon their “solitude or seclusion, or the private affairs, or concerns.” The DPIA requirement will apply to data processing activity from January 1, 2026 onward. 

Consumer Rights

Rhode Island consumers have the following privacy rights:

• Right to know and access personal data processed by a controller;
• Right to correct inaccurate personal data;
• Right to delete personal data;
• Right to obtain a copy of customer's personal data processed by the controller in a portable and technically feasible format; and
• Right to opt out of the processing of personal data for purposes of targeted advertising; the sale of personal data; or profiling that has certain significant consequences.

The Rhode Island Act does not require controllers to honor opt-out requests sent through UOOMs.

Enforcement

The Rhode Island Attorney General has the sole authority to enforce provisions of the bill, which will go into effect starting January 1, 2026, with potential civil penalties of up to $10,000 per violation. There is no private right of action. Further, if a business “intentionally discloses personal data” to a shell company or entity created to circumvent the act or in violation of any provision of the act, the entity shall pay a fine of between $100 and $500 for each such disclosure. No cure period is provided.

Koley Jessen will continue to monitor developments related to these laws and advise as updates become available. If you have questions on whether your business needs to comply with the laws or what steps you must take to comply, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.

^{*Special thanks to summer associate Jessica Valdez for her contributions to this article.}

_{This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.}