The Maryland Online Data Privacy Act of 2024, a proposed bill set to impact data collection and online privacy, successfully passed both the Senate and House of Delegates and now awaits approval by Gov. Wes Moore.
The legislation, set to take effect by October 2025, marks a pivotal moment in Maryland’s approach to safeguarding consumer data, but it faces opposition from trade groups and small business owners, who have voiced their concerns.
In a letter addressed to the Senate Finance Committee, the Maryland Chamber of Commerce expressed concerns, including the need to ensure that definitions and requirements align with those of neighboring states, particularly concerning biometric information, consumer health data and sensitive data.
The chamber emphasized the importance of retaining sole enforcement responsibility with the attorney general. Additionally, it advocated for extending the compliance deadline until October 2026, providing businesses with ample time to adapt to the new rule.
“The Maryland Chamber of Commerce and its members place a high priority on consumer privacy and believe that privacy laws should provide strong safeguards for consumers but also balance the need for industry to innovate,” the chamber noted in the letter.
Local small businesses, such as T|W Tote, a bags manufacturer, have voiced similar concerns about the bill’s potential implications.
“We operate completely online,” T|W Tote owners Shallon Thomas and Sherika Wynter said in a report this month by TheBayNet.com. “Digital ads are one of the primary ways we find new customers, grow our business and compete with national brands. We believe in protecting people’s privacy but worry the Maryland Online Privacy Act will over-regulate online data collection and use, making it more difficult and expensive for our business to advertise.”
These concerns echo the findings outlined in a review paper from The University of Chicago Booth School of Business, highlighting the potential financial burden of data privacy laws on small businesses that heavily rely on data-driven digital advertising to attract and engage new customers.
“Targeted advertising works by finding someone it would be appropriate to send an ad to — people who have not yet bought the product but who would be interested in it,” Chicago Booth’s Bradley Shapiro, one of the co-authors, said. “The more niche the product, the harder it is to find those people, so companies need better data to find them. If you take some of that away, it’s going to be harder to find those appropriate customers.”
Meanwhile, another bill, the Maryland Kids Code, aimed at curbing tech platforms’ exploitation of personal data, especially concerning young consumers, has also passed both chambers, despite opposition from industry giants like Amazon, Google and Meta.
Once effective, the law will restrict tracking and manipulative techniques employed by online platforms, such as automatically playing videos or inundating children with notifications, aimed at keeping them engaged online.
In a broader context, the United States is inching closer to establishing nationwide data privacy protections under the American Privacy Rights Act, announced Sunday (April 7).
The law seeks to establish “clear, national data privacy rights and protections for Americans,” including minimizing data collection by companies, enhancing consumer control over their data, and enforcing stricter safeguards against unauthorized data transfers.
These legislative efforts emerge against the backdrop of a dynamic connected economy where consumer data privacy is becoming increasingly difficult to attain, with every online interaction likely to create a lasting digital footprint.
However, other developments, such as Google’s Chrome browser testing a new Tracking Protection feature, signal a broader industry shift toward privacy-centric solutions.
“When it comes to improving privacy on the web, the work is never finished,” Anthony Chavez, vice president of Privacy Sandbox, said in a Dec. 14 blog post. “That’s why in Chrome, we continue to invest in features that protect your data and provide more control over how it’s used. This includes taking steps to limit the ability to track your activity across different websites.”