Maryland Implements New Immigration-Related Consumer Privacy Law
A new law in Maryland that focuses on immigration-related consumer privacy protections will take effect on July 1, mandating targeted businesses to ensure compliance. This legislation amends the Maryland Online Data Privacy Act (MODPA), which was just implemented on October 1. The updates specifically aim to restrict the sale and disclosure of personal data to government agencies involved in immigration enforcement. Businesses must understand these new requirements and take appropriate steps to prepare.
Details of the Legislation
The Maryland bill amending MODPA (HB 711) was enacted into law on May 31 without the governor’s signature. The law seeks to bolster privacy protections for consumers, particularly concerning how businesses handle personal data in relation to immigration enforcement.
Eligible Businesses Under MODPA
HB 711 does not alter the eligibility criteria set forth in MODPA. The legislation continues to apply to businesses that control or process the personal data of at least 35,000 Maryland residents, or 10,000 residents if 20% of their gross revenue is derived from the sale of personal data.
Prohibitions Under HB 711
As of July 1, covered entities classified as “controllers,” those who define the purposes and means of processing personal data, are barred from knowingly selling consumer data to any federal, state, or local government that has engaged in civil immigration enforcement within the six months prior to the sale. An exception exists if the company receives a valid warrant issued by a court explicitly detailing the personal data requested.
Requests from Non-Immigration Enforcement Agencies
Companies may still comply with discovery requests via subpoena from governmental entities, provided those entities have not been involved in civil immigration enforcement within the previous six months. Similarly, compliance is permitted if law enforcement agencies request access to personal data, as long as they have not participated in immigration enforcement efforts within that timeframe.
Preparation Steps for Businesses
To align with HB 711, businesses should undertake several important steps. These include identifying key personnel responsible for responding to data requests—individuals from legal, privacy, sales, or law enforcement teams. Training should encompass updates to MODPA, emphasizing how to verify the authenticity of warrants. Organizations should assess whether they sell or disclose consumer data to government entities, including federal, state, and local agencies, as well as data brokers and contractors. A thorough diligence process should be implemented to evaluate requests, including the identity of the requester, the purpose for data usage, and past involvement in immigration enforcement.
Ensuring Compliance and Legal Readiness
Companies must develop protocols for warrant reviews to confirm the legitimacy of court-issued requests. Steps should include validating that the warrant originates from an appropriate jurisdiction, ensuring it specifies the data requested, and confirming its validity prior to compliance. Organizations are advised to collaborate with data privacy attorneys to create or amend contractual language addressing limits on personal data usage in the context of immigration enforcement.
With the enforcement of MODPA resting with the Maryland Department of Consumer Protection under the Attorney General, companies must act promptly, as violations are classified as unfair trade practices and may lead to penalties under the Maryland Consumer Protection Act. It is essential for businesses to enhance their controls regarding sensitive data and strengthen their processes around data disclosures, particularly in relation to immigration enforcement.
