Md. Code, Com. § 14-4607

Current with changes from the 2024 Legislative Session
Section 14-4607 - [Effective 10/1/2025] Duties of controller
(a) A controller may not:
(1) Except where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains, collect, process, or share sensitive data concerning a consumer;
(2) Sell sensitive data;
(3) Process personal data in violation of State or federal laws that prohibit unlawful discrimination;
(4) Process the personal data of a consumer for the purposes of targeted advertising if the controller knew or should have known that the consumer is under the age of 18 years;
(5) Sell the personal data of a consumer if the controller knew or should have known that the consumer is under the age of 18 years;
(6) Discriminate against a consumer for exercising a consumer right contained in this subtitle, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer;
(7) Collect, process, or transfer personal data or publicly available data in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability, unless the collection, processing, or transfer of personal data is for:
(i) The controller's self-testing to prevent or mitigate unlawful discrimination;
(ii) The controller's diversifying of an applicant, participant, or customer pool; or
(iii) A private club or group not open to the public, as described in § 201(e) of the Civil Rights Act of 1964; or
(8) Unless the controller obtains the consumer's consent, process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer.
(b)
(1) A controller shall:
(i) Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains;
(ii) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue; and
(iii) Provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent.
(2) If a consumer revokes consent under this section, the controller shall stop processing the consumer's personal data as soon as practicable, but not later than 30 days after receiving the request.
(c) Nothing in subsection (a) or (b) of this section may be construed to:
(1) Require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain; or
(2) Prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program, provided that the selling of personal data is not a condition of participation in the program.
(d) A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:
(1) The categories of personal data processed by the controller, including sensitive data;
(2) The controller's purpose for processing personal data;
(3) How a consumer may exercise the consumer's rights under this subtitle, including how a consumer may appeal a controller's decision regarding the consumer's request or may revoke consent;
(4) The categories of third parties with which the controller shares personal data with a level of detail that enables a consumer to understand the type of, business model of, or processing conducted by each third party;
(5) The categories of personal data, including sensitive data, that the controller shares with third parties; and
(6) An active e-mail address or other online mechanism that a consumer may use to contact the controller.
(e)
(1) If a controller sells personal data to third parties or processes personal data for targeted advertising or for the purposes of profiling the consumer in furtherance of decisions that produce legal or similarly significant effects, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
(2) The disclosure required under paragraph (1) of this subsection shall be prominently displayed, and use clear, easy to understand, and unambiguous language, to state whether the consumer's personal data will be sold or shared with a third party.
(f)
(1) The privacy notice under subsection (d) of this section shall establish one or more secure and reliable methods for a consumer to submit a request to exercise a consumer right in accordance with this subtitle that take into account:
(i) The ways in which consumers normally interact with the controller;
(ii) The need for secure and reliable communication of consumer requests; and
(iii) The ability of the controller to verify the identity of a consumer making the request.
(2)
(i) A controller may not require a consumer to create a new account in order to exercise a consumer right.
(ii) A controller may require a consumer to use an existing account to exercise a consumer right.
(3) A controller may utilize the following methods to satisfy paragraph (1) of this subsection:
(i) Providing a clear and conspicuous link on the controller's website to a webpage that allows a consumer, or an authorized agent of the consumer, to opt out of the targeted advertising or the sale of the consumer's personal data; or
(ii) On or before October 1, 2025, allowing a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale.
(4) A platform, technology, or mechanism used in accordance with paragraph (3) of this subsection shall:
(i) Be consumer-friendly and easy to use by the average consumer;
(ii) Use clear, easy to understand, and unambiguous language;
(iii) Be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or State law or regulation;
(iv) Enable the controller to reasonably determine whether the consumer:
1. Is a resident of the State; and
2. Has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising; and
(v) Require a consumer to make an affirmative, unambiguous, and voluntary choice in order to opt out of any processing of the consumer's personal data.
(5) A platform, technology, or mechanism used in accordance with paragraph (3) of this subsection may not:
(i) Unfairly disadvantage another controller; or
(ii) Use a default setting to opt a consumer out of any processing of the consumer's personal data.
(g)
(1) If a consumer's decision to opt out of the processing of the consumer's personal data for the purposes of targeted advertising, or the sale of personal data through an opt-out preference signal sent in accordance with subsection (f)(3) of this section conflicts with the consumer's existing controller-specific privacy setting or the consumer's voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller may notify the consumer of a conflict and provide the choice to confirm controller-specific privacy settings or participation in a program listed in this paragraph.
(2) A controller that recognizes signals approved by other states shall be considered in compliance with this section.

Added by 2024 Md. Laws, Ch. 455, Sec. 1, eff. 10/1/2025.
Added by 2024 Md. Laws, Ch. 454, Sec. 1, eff. 10/1/2025.