Maryland recently took the first step in enacting a comprehensive biometric data privacy law. On March 13, 2022, the Maryland House of Delegates passed the Biometric Data Privacy Act. The Act now goes to the Maryland Senate for review and potential passage into law. Maryland joins the growing number of states that are strengthening their data protection laws. The new Act introduces a number of requirements for biometric data (i.e. fingerprint, voiceprint, retina scan, etc.) and prohibits certain practices.

In a recent decision, the Fourth Circuit reaffirmed a constitutional right to informational privacy and joined other circuits in rejecting a private cause of action for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In the wake of Virginia passing its own privacy statute, Representative Suzan DelBene (D-Wash.) introduced the Information Transparency and Personal Data Control Act in the House. The proposed legislation would preempt conflicting state laws and provide for an opt-in requirement for sensitive personal data.

On March 2nd, 2021, Virginia Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (CDPA). In doing so, Virginia became the second state (after California) to implement a comprehensive data privacy scheme. The new law takes effect January 1, 2023. Those businesses that operate in Virginia or target Virginia residents and fall within the statute’s scope should begin assessing what data they collect and the statute’s effect on such data collection.

Earlier this month, the Office of the Comptroller of Currency (OCC) assessed an $80 million civil penalty, and ordered certain remedial actions, against Capital One Bank “based on the bank's failure to establish effective risk assessment” prior to migrating information technology operations to the cloud. Specifically, the bank violated 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards,” which addresses administrative, technical and physical safeguards to protect the security and confidentiality of customer information.

Several bills were introduced in the General Assembly that would affect businesses.  While they are too numerous for a single blog post, two affect individuals’ privacy rights, which I have previously written about.

An expansion of Maryland’s Personal Information Protection Act goes into effect on October 1st.