Data Privacy

Kentucky, Colorado & Maryland Advance State Privacy Laws

On April 4, Governor Andy Beshear signed HB 15 into law, making Kentucky the 15th state to enact comprehensive consumer data privacy legislation. The new Kentucky Consumer Data Protection Act (KCDPA) largely tracks Virginia’s law but without this year’s amendments relating to children’s data. For agencies already complying with other non-California privacy laws, the Kentucky bill will not impose any additional compliance burdens. Kentucky’s legislation uses Connecticut’s more consumer-friendly definition of biometric data, which states that a video or audio recording, or data generated from one, is not biometric data unless it is used to identify a specific individual. KCDPA applies to persons that, during the prior calendar year, either controlled or processed the personal data of at least 100,000 consumers (2.22% of the state’s 4.5 million population), or controlled or processed the personal data of at least 25,000 consumers and derived over 50% of gross revenue from the sale, control or processing of personal data. The KCDPA becomes effective on January 1, 2026 and is enforceable by the Kentucky Attorney General’s office. There is no private right of action.

Health data privacy provisions advanced in Colorado as its Senate passed HB 1058 on March 26; the bill had previously passed the House. The bill redefines “sensitive data” to include biological data that is “generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes.” The bill further adds to the Colorado Privacy Act a definition of neural data as data “generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.” The bill goes into effect 90 days after the Colorado General Assembly adjourns.

The Maryland legislature passed the Maryland Online Data Privacy Act of 2024 (MODPA) (SB 541) and its companion House bill (HB 567). Assuming MODPA is signed into law by Governor Wes Moore, Maryland will become the 16th state to pass broad consumer data privacy legislation. With its novel data minimization and other requirements, the Maryland legislation is more consumer protective than the existing laws in states like Connecticut, Colorado, Oregon and Delaware. In doing so, Maryland injects a new wrinkle into the state privacy law debate, much as Washington did with last year’s My Health My Data Act. MODPA would take effect on October 1, 2025 and is enforceable by the Division of Consumer Protection in the Maryland Attorney General’s office. There is no private right of action. It contains a limited 60-day right to cure that expires April 1, 2027.

Low Applicability Threshold

MODPA also contains a low applicability threshold, so even smaller companies may need to comply with its provisions. MODPA applies to persons that, during the prior calendar year, either controlled or processed the personal data of at least 35,000 consumers (excluding payment transaction data), or controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data. With a population of over 6 million people, the 35,000 threshold is only 0.56% of Maryland’s population, meaning the law is likely to apply more broadly than the thresholds in Colorado (1.72%), Connecticut (2.78%), Delaware (3.43%), Oregon (2.35%) and Virginia (1.16%).

Novel Data Minimization Rule

MODPA creates different data minimization rules depending on whether the data at issue is personal data or sensitive data. It shifts the focus from the data controller’s specified purposes (i.e., what is stated in a privacy notice) to what is reasonably necessary to provide or maintain the requested product or service. MODPA states that a controller may not collect, process or share sensitive personal data unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” This provision diverges from other health data privacy laws, which require data controllers either to obtain consumer consent to process sensitive data or to provide a notice and offer an opt-out (such as Iowa or Utah). In brief, if collection of personal data is limited to what is reasonably necessary to provide the requested product, the data controller could use it for other purposes so long as those purposes are disclosed to the consumer. These requirements are bound to create numerous compliance questions, including how the legislation affects the use of online advertising and data brokering (such as buying personal data).

Sensitive Health Data

MODPA’s definition of sensitive data is similar, but not identical, to those in other health data privacy laws. MODPA defines consumer health data as personal data that a controller uses to identify a “consumer’s physical or mental health status.” Similar to Connecticut’s law, MODPA adds consumer health data to its definition of sensitive data and creates additional obligations for data controllers, including access, confidentiality and geofence restrictions. However, MODPA follows Oregon’s approach and does not provide a pseudonymous data exemption.

Selling Sensitive Data Prohibition

MODPA states that data controllers may not sell sensitive data, which it defines as data revealing (1) racial or ethnic origins; (2) religious beliefs; (3) consumer health data; (4) sex life; (5) sexual orientation; (6) status as transgender or nonbinary; (7) national origin; or (8) citizenship or immigration status. The definition also includes genetic or biometric data, children’s data and precise geolocation data.

Enhanced Children’s Data Protections

MODPA states that a data controller may not process the personal data of a consumer for purposes of targeted advertising, or sell the personal data of a consumer, if the controller “knew or should have known that the consumer is under the age of 18 years.” The “should have known” standard, used instead of the actual knowledge and/or willful disregard standards, may require data controllers to use age verification or to refrain entirely from targeted advertising or selling of children’s personal data. Definitions of “sale” and “targeted advertising” in other sections of the bill may create an exemption when the data controller obtains consent, but there is no explicit exception in this section.

The Maryland General Assembly also passed legislation concerning consumer protection, online services and the use of children’s personal data, otherwise known as the “Maryland Kids Code” (HB 603 / SB 571). Those bills are similar in spirit to the California Age-Appropriate Design Code Act but have been heavily revised to take into account the constitutional issues raised with respect to the California law.

States where consumer privacy legislation has stalled include Georgia, whose legislature adjourned without passing SB 473; the bill passed the Senate but was not able to clear the House before the Georgia legislative session ended. Rhode Island’s House Technology Committee recommended that HB 7787 be held for further study.

For further information, please contact Jim Potter, CHC Executive Director at jpotter@cohealth.com.