Maryland and Virginia are the most recent states taking initiatives to enact consumer-focused privacy laws.  They join a growing trend among states to pass privacy protection laws aimed at protecting their residents.  The most notable and widely talked about was the California Consumer Privacy Act (also known as CCPA), which went into effect on January 1, 2020.

Maryland’s Proposed Privacy Law

Maryland’s proposed privacy law, introduced in HB 249, seeks to amend the state’s Commercial Law by adding Subtitle 42, “Consumer Personal Information Privacy.” The proposed Maryland privacy law shares some characteristics with the CCPA in that it (1) defines who the privacy law would apply to, and (2) provides consumers specific rights when a covered business discloses their personal information.

It is important to note that the proposed Maryland law is not as broad as the CCPA. Under the proposed Maryland law, “disclosure” by a covered business is subject to certain exceptions and occurs when the covered business transfers the consumer’s personal information to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.

The proposed Maryland privacy law also provides consumers a right, subject to some exceptions, to demand that a covered business not disclose their personal information to third parties. This right is referred to as a “Right to opt out of third-party disclosure.” If a covered business receives direction from a consumer to not disclose their personal information to third parties, the covered business may not disclose that consumer’s personal information to third parties, unless the consumer later provides express consent for disclosure. The proposed privacy law also provides consumers additional protections and sets out requirements that covered businesses must follow.

Virginia’s Proposed Privacy Law

Virginia’s proposed privacy law, introduced in HB 473, seeks to amend the Code of Virginia by adding Chapter 52 to Title 59.1 (Trade and Commerce), titled “Virginia Privacy Act.” The Virginia privacy law shares some characteristics with the CCPA and the proposed Maryland law in that it (1) provides a scope of who the privacy law would apply to, and (2) provides specific rights to consumers when a covered business discloses a consumer’s personal information.

In summary, the Virginia Privacy Act aims to: (1) provide a list of consumer rights; (2) ensure controllers of personal information are transparent as to how they handle consumers’ personal information; and (3) require controllers of personal information to conduct risk assessments of their activities to ensure that they adequately protect the data. A “controller” is defined as “the person, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Similar to the CCPA and the proposed Maryland privacy law, the proposed Virginia Privacy Act provides certain rights to Virginia consumers. In summary, these rights, subject to certain exceptions and procedures, require covered businesses (i.e., controllers) upon request to: (1) confirm whether they maintain personal information on a particular consumer; (2) correct inaccurate personal data; (3) delete personal information without undue delay; (4) restrict processing of personal information; (5) provide the personal information they maintain on a specific consumer; and (6) allow the consumer to object to the processing of their personal information.

What happens if I don’t comply?

These bills were just introduced in January 2020, have not yet passed, and are therefore not in effect. If passed and when in effect, a violation of the proposed Maryland privacy law would be a deceptive trade practice under the Maryland Consumer Protection Act and subject to certain penalty provisions. If passed and when in effect, a violation of the proposed Virginia Privacy Act would “constitute a prohibited practice” under the Virginia Consumer Protection Act and would be subject to enforcement provisions provided for in that Act.

What Should I Do Next?

It is too early to take any action. The proposed Maryland and Virginia privacy laws need to make their way through the legislative process, which can take several months. It is also possible that the bills as finally passed may differ from the original bills. We will continue to monitor the progress of these two bills as they make their way through the legislative cycle and will provide updates as necessary.

Shakir Hussaini is an Associate in the Cybersecurity & Data Privacy practice group at Berenzweig Leonard. Shakir can be reached at [email protected]