Insights: PublicationsMaryland and Nebraska Pass Consumer Data Privacy Laws, and Maryland Adds a Kids CodeApril 24, 2024 The United States privacy landscape becomes more cluttered by the week. While most of the legal media is focusing on federal legislation coming out of Washington, the most significant privacy development in the United States has come 30 miles from the east, in Annapolis. The Maryland legislature recently passed two privacy bills that could disrupt the current legal landscape. In this alert, we cover three timely developments from the last couple of months:
We discuss each of these developments in turn, below. Maryland Online Data Privacy Act of 2024 On April 6, the Maryland legislature passed a comprehensive privacy bill containing many unique provisions that could impact companies' privacy compliance programs. If signed, the measure would take effect on October 1, 2025. The bill has low thresholds for applicability, meaning that it could apply to more companies than some similar laws. The law applies to any person (excluding individuals who are acting in an employment or commercial context) who conducts business in Maryland or provides products or services targeted to Maryland residents and either:
(i) controls or processes the personal data of at least 35,000 Maryland consumers; or The bill materially restricts how companies may use sensitive data, including a blanket prohibition on the sale of sensitive data. Controllers must also avoid collecting sensitive data unless such information is strictly necessary to provide or maintain a product or service requested by the consumer. Some other unique aspects of the law are as follows:
Maryland's Online Kids Code SB 571 was passed on April 6 and is awaiting the Governor's signature. If signed, it would be effective on October 1, 2024, and Maryland would join California (the California AADC is temporarily enjoined) and Florida in having its own “age-appropriate design code.” The law would apply to covered entities that provide an online product reasonably likely to be accessed by children. The law contains four main provisions:
Some key takeaways of the law are as follows:
Nebraska Data Privacy Act The Nebraska legislature passed a comprehensive privacy bill on April 12, 2024. If signed, the law becomes effective on January 1, 2025. Unlike many US privacy laws, Nebraska's law does not have an applicability threshold. Instead, it follows the Texas approach and applies to all companies that conduct business in Nebraska or produce a product or service consumed by Nebraska residents, process or engage in the sale of personal data, and are not small businesses under the Small Business Act. The law excludes individuals acting in an employment or commercial context. The law is not unique. Instead, it mirrors Texas' Data Privacy and Security Act. Some notable provisions include:
Businesses already compliant with other US comprehensive state privacy laws should not have a heavy lift to ensure compliance in Nebraska. The rate at which state privacy laws are proposed and enacted does not seem to be slowing down for 2024. Perhaps the uniqueness of the Maryland law or the sheer volume of state laws will at some point trigger a tipping point and a demand for federal legislation. Related People![]() John M. Brigagliano
jbrigagliano@ktslaw.com |

