Section 14-4601 - [Effective 10/1/2025] Definitions(a) In this subtitle the following words have the meanings indicated.(b) "Affiliate" means a person that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another person, such that the person: (1) Owns or has the power to vote more than 50 % of the outstanding shares of any voting class of the other person's securities;(2) Has the power to elect or influence the election of a majority of the directors, members, or managers of the other person;(3) Has the power to direct the management of the other person; or(4) Is subject to the other person's exercise of the powers described in item (1), (2), or (3) of this subsection.(c) "Authenticate" means to use reasonable means to determine that a request to exercise a consumer right in accordance with § 14-4605 of this subtitle is being made by, or on behalf of, a consumer who is entitled to exercise the consumer right with respect to the personal data at issue.(d)(1) "Biometric data" means data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer's identity.(2) "Biometric data" includes: (iii) An eye retina or iris image; and(iv) Any other unique biological characteristics that can be used to uniquely authenticate a consumer's identity.(3) "Biometric data" does not include: (i) A digital or physical photograph;(ii) An audio or video recording; or(iii) Any data generated from a digital or physical photograph or an audio or video recording, unless the data is generated to identify a specific consumer.(e) "Business associate" has the meaning stated in HIPAA.(f) "Child" has the meaning stated in COPPA.(g)(1) "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose.(2) "Consent" includes: (ii) A written statement by electronic means; or(iii) Any other unambiguous affirmative action.(3) "Consent" does not include: (i) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information;(ii) Hovering over, muting, pausing, or closing a piece of content; or(iii) Agreement obtained through the use of dark patterns.(h)(1) "Consumer" means an individual who is a resident of the State.(2) "Consumer" does not include: (i) An individual acting in a commercial or employment context; or(ii) An individual acting as an employee, an owner, a director, an officer, or a contractor of a company, a partnership, a sole proprietorship, a nonprofit organization, or a governmental unit whose communications or transactions with a controller occur only within the context of the individual's role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.(i)(1) "Consumer health data" means personal data that a controller uses to identify a consumer's physical or mental health status.(2) "Consumer health data" includes data related to: (i) Gender -affirming treatment; or(ii) Reproductive or sexual health care.(j) "Control" means: (1) Ownership of or the power to vote more than 50% of the outstanding shares of any class of voting security of a business;(2) Any manner of control over the election of a majority of the directors of a business, or individuals exercising similar functions; or(3) The power to exercise a controlling influence over the management of a business.(k) "Controller" means a person that, alone or jointly with others, determines the purpose and means of processing personal data.(l) "COPPA" means the federal Children's Online Privacy Protection Act of 1998 and the regulations, rules, guidance, and exemptions adopted under the Act, and as the Act and the regulations, rules, guidance, and exemptions may be amended.(m) "Covered entity" has the meaning stated in HIPAA.(n)(1) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting user autonomy, decision making, or choice.(2) "Dark pattern" includes any practice the Federal Trade Commission refers to as a "dark pattern".(o) "Decisions that produce legal or similarly significant effects concerning the consumer" means decisions that result in the provision or denial of:(1) Financial or lending services;(3) Education enrollment or opportunity;(5) Employment opportunities;(6) Health care services; or(7) Access to essential goods or services.(p) "De-identified data has the meaning stated in § 14-4401 of this title." (q) "Gender-affirming treatment" has the meaning stated in § 15-151(a) of the Health - General Article.(r) "Genetic data" has the meaning stated in § 14-4401 of this title.(s)(1) "Geofence" means technology that establishes a virtual geographical boundary.(2) "Geofence" includes boundaries that are established or monitored through the use of: (i) Global positioning technology;(ii) Cell tower connectivity;(iv) Radio frequency identification;(v) Wireless fidelity technology; or(vi) Any other form of location determination technology.(t) "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996.(u) "Identified or identifiable consumer" means a consumer who can readily be identified, either directly or indirectly.(v) "Mental health facility" means a health care facility in which not less than 70% of health care services offered are mental health services.(w)(1) "Personal data" means any information that is linked or can be reasonably linked to an identified or identifiable consumer.(2) "Personal data" does not include: (i) De-identified data; or(ii) Publicly available information.(x)(1) "Precise geolocation data" means information derived from technology that can precisely and accurately identify the specific location of a consumer within a radius of 1,750 feet.(2) "Precise geolocation data" includes global positioning system level latitude and longitude coordinates or other similar mechanisms.(3) "Precise geolocation data" does not include: (i) The content of communications;(ii) Data generated by or connected to an advanced utility metering infrastructure system; or(iii) Data generated by equipment used by a utility company.(y)(1) "Process" means an operation or set of operations performed by manual or automated means on personal data.(2) "Process" includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.(z) "Processor" means a person that processes personal data on behalf of a controller.(aa) "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable consumer's economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.(bb) "Protected health information" has the meaning stated in HIPAA.(cc)(1) "Publicly available information" means information that a person: (i) Lawfully obtains from a record of a governmental entity;(ii) Reasonably believes a consumer or widely distributed media has lawfully made available to the general public; or(iii) If the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.(2) "Publicly available information" does not include biometric data collected by a business about a consumer without the consumer's knowledge. (dd) "Reproductive or sexual health care" means a health care-related service or product rendered or provided concerning a consumer's reproductive system or sexual well-being, including: (1) A service or product provided related to an individual health condition, status, disease, diagnosis, test, or treatment;(2) A social, psychological, behavioral, or medical intervention;(3) A surgery or procedure;(4) The purchase or use of a medication, including a medication purchased or used for the purposes of an abortion;(5) A service or product related to a bodily function, vital sign, or symptom;(6) A measurement of a bodily function, vital sign, or symptom; and(7) An abortion, and medical and nonmedical services, products, diagnostics, counseling, and follow-up services for an abortion.
(ee) "Reproductive or sexual health facility" means a health care facility where not less than 70% of services offered are reproductive or sexual health care services.(ff)(1) "Sale of personal data" means the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.(2) "Sale of personal data" does not include: (i) The disclosure of personal data to a processor that processes personal data on behalf of a controller if limited to the purposes of the processing;(ii) The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer;(iii) The disclosure or transfer of personal data to an affiliate of the controller;(iv) The disclosure of personal data where the consumer:1. Directs the controller to disclose the personal data; or2. Intentionally uses the controller to interact with a third party;(v) The disclosure of personal data that the consumer:1. Intentionally made available to the general public through a channel of mass media; and2. Did not restrict to a specific audience; or(vi) The disclosure or transfer of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction where the third party assumes control of all or part of the controller's assets.(gg) "Sensitive data" means personal data that includes:(1) Data revealing: (i) Racial or ethnic origin;(iii) Consumer health data;(vi) Status as transgender or nonbinary;(vii) National origin; or(viii) Citizenship or immigration status;(2) Genetic data or biometric data;(3) Personal data of a consumer that the controller knows or has reason to know is a child; or(4) Precise geolocation data.(hh)(1) "Targeted advertising" means displaying advertisements to a consumer or on a device identified by a unique identifier, where the advertisement is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or online applications that are unaffiliated with each other, in order to predict the consumer's preferences or interests.(2) "Targeted advertising" does not include: (i) Advertisements based on the context of a consumer's current search query, visit to a website, or online application;(ii) Advertisements based on a consumer's activities within a controller's websites or online applications;(iii) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or(iv) Processing personal data solely to measure or report advertising frequency, performance, or reach.(ii) "Third party" means a person other than the relevant consumer, controller, processor, or affiliate of the controller or processor of relevant personal data.(jj) "Trade secret" has the meaning stated in § 11-1201 of this article.Added by 2024 Md. Laws, Ch. 455,Sec. 1, eff. 10/1/2025.Added by 2024 Md. Laws, Ch. 454,Sec. 1, eff. 10/1/2025.