Maryland Governor Wes Moore on Thursday signed a privacy law that imposes tough new restrictions on online data collection and ad targeting.
Major ad industry groups had urged Moore to veto the measure, which the groups said includes “the most onerous and restrictive approach to data privacy in the United States to date.”
“The bill’s limitations on data collection are likely to result in significant degradation of beneficial products and services for Maryland consumers and harm local businesses,” the Association of National Advertisers, American Association of Advertising Agencies, Interactive Advertising Bureau, American Advertising Federation and Digital Advertising Alliance wrote in a letter sent to Moore last month.
The Maryland Online Data Privacy Act includes provisions that ban companies from collecting more personal data than “reasonably necessary and proportionate” to provide a product or service requested by consumers.
The ad industry groups said in their letter to Moore that the measure's curbs will prevent businesses from using data to “develop new products or services for that customer or market its products, services, or discounts to that customer.”
But consumer advocates have long sought limits on data collection, arguing that the current notice-and-choice approach to privacy is too cumbersome. That approach typically involves informing consumers about data collection via lengthy privacy policies, and allowing people to opt out of certain uses of their data.
Consumer Reports policy analyst Matt Schwartz stated last month that the Maryland law's restrictions on data collection “will protect consumers by default, instead of requiring them to make endless consent choices in order to fully protect themselves.”
The Electronic Privacy Information Center likewise praised the Maryland statute, stating it “sets a new standard for state privacy laws.”
The Maryland law also requires businesses to allow consumers to opt out of ad targeting based on non-sensitive data collected over time and across unaffiliated websites.
The law effectively bans “third-party targeted advertising” based on sensitive data, according to Consumer Reports. The measure's definition of sensitive data includes information that would reveal a consumer's race, religion, health, sexual orientation and immigration status.
In addition, the law prohibits businesses from serving behaviorally targeted ads to minors under 18, if the businesses knew or should have known the users' ages.
The privacy law is slated to take effect in October 2025.
Separately, Moore also signed the Maryland Age-Appropriate Design Code Act, which requires online businesses likely to be accessed by minors (meaning users under 18) to create “data protection impact assessments” each time the businesses create new services or features. Those assessments must evaluate whether the new features could harm underage users.
That law -- slated to take effect this October -- additionally requires online businesses to configure minors' default settings to a “high level” of privacy, unless the business shows that a less private setting is in minors' best interests.