Md. Code, Com. § 14-4801

Current with changes from the 2024 Legislative Session
Section 14-4801 - Definitions
(a) In this subtitle the following words have the meanings indicated.
(b)
(1) "Aggregate consumer information" means information:
(i) That relates to a group or category of consumers;
(ii) From which individual consumer identities have been removed; and
(iii) That is not linked or reasonably linkable to any consumer or household, including by a device.
(2) "Aggregate consumer information" does not include individual consumer records that have been de-identified.
(c) "Best interests of children" means a covered entity's use of the personal data of children or the design of an online product in a way that does not:
(1) Benefit the covered entity to the detriment of children; and
(2) Result in:
(i) Reasonably foreseeable and material physical or financial harm to children;
(ii) Severe and reasonably foreseeable psychological or emotional harm to children;
(iii) A highly offensive intrusion on children's reasonable expectation of privacy; or
(iv) Discrimination against children based on race, color, religion, national origin, disability, gender identity, sex, or sexual orientation.
(d)
(1) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics.
(2) "Biometric data" includes :
(i) A fingerprint;
(ii) A voiceprint;
(iii) An eye retina or iris pattern; or
(iv) Any other unique biological pattern or characteristic that is used to identify a specific individual.
(3) "Biometric data" does not include:
(i) A digital or physical photograph;
(ii) An audio or video recording; or
(iii) Data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific individual.
(e) "Child " means a consumer who is under the age of 18 years .
(f)
(1) "Collect " means to buy, rent, gather, obtain, receive, or access personal data relating to a consumer.
(2) "Collect " includes :
(i) Receiving data from the consumer; and
(ii) Observing the consumer's behavior.
(g)
(1) "Consumer " means an individual who is a resident of the State .
(2) "Consumer " does not include an individual acting in a commercial or employment context or as an employer, an owner, a director, an officer, or a contractor of a company, partnership, sole proprietorship, nonprofit organization, or governmental unit whose communications or transactions with the covered entity occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.
(h)
(1) "Covered entity" means a sole proprietorship, a limited liability company, a corporation, an association, or any other legal entity that:
(i) Is organized or operated for the profit or financial benefit of its shareholders or other owners;
(ii) Collects consumers' personal data or uses another entity to collect consumers'personal data on its behalf;
(iii) Alone, or jointly with its affiliates or subsidiaries, determines the purposes and means of the processing of consumers'personal data;
(iv) Does business in the State; and
(v)
1.

Has annual gross revenues in excess of $25,000,000, adjusted every odd-numbered year to reflect adjustments in the Consumer Price Index;

2. Annually buys, receives, sells, or shares the personal data of 50,000 or more consumers, households, or devices, alone or in combination with its affiliates or subsidiaries, for the covered entity's commercial purposes; or
3. Derives at least 50% of its annual revenues from the sale of consumers'personal data.
(2) "Covered entity" includes:
(i) An entity that controls or is controlled by a business and that shares a name, service mark, or trademark that would cause a reasonable consumer to understand that two or more entities are commonly owned; and
(ii) A joint venture or partnership composed of businesses in which each has at least a 40% interest in the joint venture or partnership.
(i)
(1) "Dark pattern" means a user interface designed or manipulated with the purpose of subverting or impairing user autonomy, decision making, or choice.
(2) "Dark pattern" includes any practice identified by the Federal Trade Commission as a dark pattern.
(j) "Data protection impact assessment" or "assessment " means a systematic survey to assess compliance with the duty to act in the best interests of children.
(k) "Default " means a preselected option adopted by the covered entity for an online product.
(l) "Division " means the Division of Consumer Protection of the Office of the Attorney General.
(m)
(1) "Online product" means an online service, product, or feature.
(2) "Online product" does not include:
(i) A telecommunications service, as defined in 47 U.S.C. § 153;
(ii) The sale, delivery, or use of a physical product sold by an online retailer; or
(iii) A broadband Internet access service, as defined in 47 C.F.R. § 8.1(b).
(n)
(1) "Personal data" means information that is linked or reasonably able to be linked to an identified or identifiable individual.
(2) "Personal data" does not include:
(i) De-identified data; or
(ii) Publicly available information.
(o)
(1) "Precise geolocation" means information derived from technology that can precisely and accurately identify the specific location of a consumer within a radius of 1,750 feet .
(2) "Precise geolocation" includes latitude and longitude coordinates of similar precision to those produced by a global positioning system or a similar mechanism.
(3) "Precise geolocation" does not include:
(i) The content of communications;
(ii) Data generated by or connected with a utility company's advanced metering infrastructure; or
(iii) Data generated by equipment used by a utility company.
(p)
(1) "Process " means to perform an operation or set of operations by manual or automated means on personal data.
(2) "Process " includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.
(q) "Profiling " means any form of automated processing of personal data that uses personal data to evaluate, analyze, or predict certain aspects relating to an individual, including an individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(r)
(1)"Publicly available information" means information that:
(i) Is lawfully made available from federal, state, or local government records; or
(ii) A covered entity has a reasonable basis to believe is lawfully made available to the general public by the consumer or by widely distributed media.
(2) "Publicly available information" does not include biometric data collected by a covered entity about a consumer without the consumer's knowledge.
(s) "Reasonably likely to be accessed by children" means it is reasonable to expect that the online product would be accessed by children, based on satisfying any of the following criteria:
(1) The online product is directed to children as defined in the federal Children's Online Privacy Protection Act;
(2) The online product is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
(3) The online product is substantially similar or the same as an online product that satisfies item (2) of this subsection;
(4) The online product features advertisements marketed to children;
(5) The covered entity's internal research findings determine that a significant amount of the online product's audience is composed of children; or
(6) The covered entity knows or should have known that a user is a child.
(t)
(1) "Sell " means to transfer, rent, release, disclose, disseminate, make available, or otherwise communicate, whether orally, in writing, or by electronic or other means, a consumer's personal data, in a transaction for monetary or other valuable consideration between a covered entity and a third party.
(2) "Sell " does not include:
(i) The disclosure of personal data to the service provider that processes personal data on behalf of the covered entity;
(ii) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
(iii) The disclosure or transfer of personal data to an affiliate or subsidiary of the covered entity;
(iv) The disclosure of personal data where the consumer directs the covered entity to disclose the personal data or intentionally uses the covered entity to interact with a third party; or
(v) The disclosure or transfer of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the covered entity's assets.
(u) "Service provider" means a person that processes personal data on behalf of a covered entity and that receives from or on behalf of the covered entity a consumer's personal data for business purposes in accordance with a written contract, if the contract prohibits the person from:
(1) Selling or sharing the personal data;
(2) Retaining, using, or disclosing the personal data for any purpose other than for the business purposes specified in the contract for the covered entity, including retaining, using, or disclosing the personal data for a commercial purpose other than the business purposes specified in the contract with the covered entity, or as otherwise allowed under this subtitle;
(3) Retaining, using, or disclosing the personal data outside the direct business relationship between the service provider and the covered entity; and
(4) Combining the personal data that the service provider receives from, or on behalf of, the covered entity with personal data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer.
(v) "Share " means to rent, release, disseminate, make available, transfer, or otherwise communicate, whether orally, in writing, or by electronic or other means, a consumer's personal data to a third party for cross-context behavioral advertising whether or not for monetary or other valuable consideration, including in a transaction between a covered entity and a third party for targeted advertising for the benefit of a covered entity in which no money is exchanged.
(w) "Third party" means a person who is not:
(1) The covered entity with which the consumer intentionally interacts and that collects personal data from the consumer as part of the consumer's interaction with the covered entity; or
(2) A service provider for the covered entity.

Md. Code, CL § 14-4801

Added by 2024 Md. Laws, Ch. 461,Sec. 1, eff. 10/1/2024.
Added by 2024 Md. Laws, Ch. 460,Sec. 1, eff. 10/1/2024.