Current with changes from the 2024 Legislative Session
Section 14-4705 - [Effective 10/1/2025]

(a) Nothing in this section may be construed to require a controller to reveal a trade secret.

(b) A consumer shall have the right to:
    (1) Confirm whether a controller is processing the consumer's personal data;
    (2) If a controller is processing a consumer's personal data, access the consumer's personal data;
    (3) Considering the nature of the consumer's personal data and the purposes of the processing of the personal data, correct inaccuracies in the consumer's personal data;
    (4) Require a controller to delete personal data provided by, or obtained about, the consumer unless retention of the personal data is required by law;
    (5) If the processing of personal data is done by automatic means, obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to easily transmit the data to another controller without hindrance;
    (6) Obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data or a list of the categories of third parties to which the controller has disclosed any consumer's personal data if the controller does not maintain this information in a format specific to the consumer; and
    (7) Opt out of the processing of personal data for purposes of:
        (i) Targeted advertising;
        (ii) The sale of personal data; or
        (iii) Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

(c)
    (1) A controller shall establish a secure and reliable method for a consumer to exercise a consumer right under this section.
    (2) A consumer may exercise a consumer right under this section by the method established by the controller under paragraph (1) of this subsection.

(d)
    (1) A consumer may designate an authorized agent in accordance with § 14-4606 of this subtitle to opt out of the processing of the consumer's personal data under subsection (b)(7) of this section on behalf of a consumer.
    (2) A parent or legal guardian of a child may exercise a consumer right listed in subsection (b) of this section on the child's behalf regarding the processing of personal data.
    (3) A guardian or conservator of a consumer subject to a guardianship, conservatorship, or other protective arrangement may exercise a consumer right listed in subsection (b) of this section on the consumer's behalf regarding the processing of personal data.

(e)
    (1) Except as otherwise provided in this subtitle, a controller shall comply with a request by a consumer to exercise a consumer right listed in this section.
    (2)
        (i) A controller shall respond to a consumer request not later than 45 days after the controller receives the consumer request.
        (ii) A controller may extend the completion period by an additional 45 days if:
            1. It is reasonably necessary to complete the request based on the complexity and number of the consumer's requests; and
            2. The controller informs the consumer of the extension and the reason for the extension within the initial 45-day response period.
    (3) If a controller declines to act regarding a consumer's request, the controller shall:
        (i) Inform the consumer without undue delay, but not later than 45 days after receiving the request, of the justification for declining to act; and
        (ii) Provide instructions for how to appeal the decision.
    (4)
        (i) A controller shall provide information to a consumer in response to a consumer's request to exercise rights under this subtitle free of charge once during any 12-month period.
        (ii) If requests from a consumer are manifestly unfounded, excessive, technically infeasible, or repetitive, a controller may:
            1. Charge the consumer a reasonable fee to cover the administrative costs of complying with the request; or
            2. Decline to act on the request.
        (iii) The controller has the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of the request.
    (5) If a controller is unable to authenticate a request to exercise a consumer right afforded under subsection (b)(1) through (5) of this section using commercially reasonable efforts, the controller:
        (i) May not be required to comply with a request to initiate an action in accordance with this section; and
        (ii) Shall provide notice to the consumer that the controller is unable to authenticate the request to exercise the right until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer's request to exercise the consumer's rights.
    (6) A controller may not be required to authenticate an opt-out request.
    (7) A controller that has obtained personal data about a consumer from a source other than the consumer shall be considered compliant with the consumer's request to delete the consumer's data in accordance with subsection (b)(4) of this section by retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring that the consumer's personal data:
        (i) Remains deleted from the controller's records; and
        (ii) Is not being used for any other purpose.

(f)
    (1) A controller shall establish a process for a consumer to appeal the controller's refusal to act on a consumer rights request within a reasonable period after the consumer receives the decision.
    (2) The appeal process shall be:
        (i) Conspicuously available; and
        (ii) Similar to the process for submitting requests to initiate an action in accordance with this section.
    (3) Not later than 60 days after receiving an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.
    (4) If a controller denies an appeal, the controller shall provide the consumer with an online mechanism, if available, through which the consumer may contact the Division to submit a complaint.

Added by 2024 Md. Laws, Ch. 455, Sec. 1, eff. 10/1/2025.
Added by 2024 Md. Laws, Ch. 454, Sec. 1, eff. 10/1/2025.