Maryland Becomes First State to Ban Targeted Food Pricing and Passes the Broadest Sensitive Data Inference Definition in the Nation

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Just two weeks after the enforcement date of Maryland’s comprehensive privacy law, which itself pushed the boundaries of privacy legislation in many respects, Maryland continues its role as the new frontrunner of privacy legislation by passing two groundbreaking bills.

Keep reading to learn more and discover my takeaways.

United States

HB 711, Further Expanding the Reach of Sensitive Data.

HB 711, which passed the Maryland legislature and was sent to the governor, amends the state’s comprehensive privacy law in several ways. One change would potentially expand the definition of “sensitive data” beyond that of any other state. The categories of sensitive data remain unchanged from the existing law.

They include data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin or citizenship or immigration status; and, separately (without the “data revealing” qualifier) genetic data or biometric data, personal data of a consumer that the controller knows or has reason to know is a child, or precise geolocation data. The change adds the following language: “‘sensitive data’ includes data inferred by a controller based on personal data that, alone or in combination with other data, is used to indicate any data described under [the full list of sensitive data categories, including both under and not under the “data revealing” bucket].

TAKEAWAY

This amendment is more far-reaching than laws or rules in other states that incorporate “inferences” into sensitive data definitions.  For example, Colorado rules define “sensitive data inferences” as “inferences made by a Controller based on Personal Data, alone or in combination with other data, which are used to indicate an individual’s racial or ethnic origin; religious beliefs, mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.”  

That definition includes only inferences of a subset of the state’s broader “sensitive data” definition, which also includes genetic or biometric data, personal data from a known child, or biological data. Essentially, for that latter bucket, only the raw data (and not inferences of that data) constitutes sensitive data. Maryland HB 0711, however, would include inferences of genetic or biometric data, personal data of a consumer that the controller knows or has reason to know is a child, or precise geolocation data, in the definition of sensitive data.

 The implications of this are further exacerbated because Maryland’s comprehensive privacy law imposes stricter restrictions on sensitive data than any other state. Most notably, the law prohibits collecting, processing, or sharing sensitive data, except when “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” It also includes an outright prohibition on the sale of sensitive data. Neither of these prohibitions is seen in any other comprehensive privacy law. It is unclear how these new categories of inferences, coupled with the existing strict restrictions, will be interpreted and enforced in practice if the governor signs this bill. 

HB 895, Prohibiting Use of Personal Data for Targeted Food Pricing.

 Maryland HB 895, which also passed the legislature and was sent to the governor for signature, would prohibit food retailers and third-party food delivery services from using personal data to offer a higher price for food or to offer a personalized price for a good or service based on the consumer’s personal data. Several exceptions to the prohibition exist, including offering different pricing based on participation in voluntary loyalty programs or subscriptions, or consumer consent to provide personal information in exchange for obtaining the price. The law would also prohibit using protected class data to offer, advertise or sell a consumer good if it has the effect of denying a consumer an accommodation, advantage or privilege afforded to others.

TAKEAWAY

Although Maryland would be the first state to pass such an aggressive targeted restriction, regulators outside Maryland have scrutinized the use of personal data to dynamically set prices for consumer goods or services, particularly by food retailers and delivery services. Similar legislation has been proposed in other states, including New Jersey, Minnesota, Oklahoma and Tennessee. Additionally, the FTC this week issued an advanced notice of proposed rulemaking to broadly explore unfair or deceptive fees in online food delivery services. 

The notice specifically mentioned “evidence that food delivery platforms like other online retailers, are sometimes charging different prices to different consumers for the same goods and services”, which “may not be fully disclosed to consumers and could pose problems for consumers seeking to effectively comparison shop across delivery platforms.” 

The FTC seeks public comment on, among other questions, the extent to which online food delivery platforms charge different prices, fees, or charges to individuals for the same goods or services based on individualized consumer data (such as geolocation, demographics, purchasing history, app usage, browser history or other online behavior, device hardware, IP address), the types of data used and how and why they’re used, the extent to which they’re disclosed, and the costs and benefits of such personalized pricing. Therefore, although this Maryland bill is a first, it reflects a nationwide trend and will likely be followed by additional regulation.

A LITTLE MORE PRIVACY, IF YOU PLEASE

• Alabama Governor signs comprehensive privacy law
• Kentucky Governor signs privacy amendment restricting use of smart tv ACR
• Virginia Governor signs bill banning sale of location data
• EDPB adopts DPIA template
• CNIL publishes recommendations for pixels in email
• Belgium DPA issues AI privacy guidance
  
  
  

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.