In the world we live in trends are an everyday thing, from YouTube Videos to TikTok challenges, from the clothes people wear to the music they listen to. We see trends in every part of our everyday lives. Sometimes in government, just like in our private lives, when something is a good idea (sometimes even a not so good idea) it catches on.

In 2018, in Europe, the General Data Protection Regulation (GDPR) came into force. The regulation established a set of rights for citizens with respect to the processing of their personal data and defined requirements for those processing personal data. Since then the trend for creating data protection laws has caught on. Countries throughout the world have established laws protecting personal data. According to the United Nations Conference on Trade and Development (UNCTAD), 137 out of 194 countries have implemented data privacy legislation. In total, 71% of countries have privacy regulations, 9% of countries have draft legislation, and 15% of countries have no legislation.

From trendsetter to laggard: the U.S. and data protection

Usually a trendsetter, here the U.S. has lagged behind and has yet to adopt a comprehensive federal law protecting personal data. Although as I pointed out in my article “The American Privacy Rights Act – a New Chapter in the U.S. Data Privacy Story” last month, the U.S. may be getting closer to adopting a federal law. However, since the federal government has been moving so slowly, individual states have decided not to wait and have jumped on the data privacy law band wagon on their own.

In 2020, California was the first state in the Union to enact a comprehensive data privacy law and since then many states have followed suit. On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA), making it the latest state to do so.

Maryland: currently the newest state to adopt a data privacy law

Maryland’s new law, like most states’, is applicable to those conducting business in the state or who have products or services targeted to residents. However, the additional parameters are stricter in Maryland than most other states,

“During the preceding calendar year [the company ] did any of the following:

  • Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.”

Just like in other states the law provides rights to their citizens. In most state regulations, as in Maryland, those rights include:

  • the right of access
  • the right of rectification
  • the right of erasure
  • the right to data portability

Along with these rights there is also the requirements in Maryland that the data subjects may obtain information regarding third parties who receive their data and for data subjects to have the ability to opt-out of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Challenging conditions for companies

By January 2026, there will be 18 states which have enacted privacy laws, these laws provide citizens with additional rights and protections with regard to their personal data. Although, as stated above, these laws contain some similar rights and requirements, each state law is slightly different from the others which makes it extremely difficult for companies to comply with exactness to all of them.

As someone in the data privacy field, it is always exciting to see even one more person receive more protections with regard to their personal data. However, I do hope that the U.S. federal government will be able to get a federal law passed in order to bring consistency in the area of data protection, affording all U.S. citizens the same rights. This step will not only be good for consumers whose data is being processed but will help companies processing personal data be more compliant due to consistency and confidence in the legal landscape.