The Maryland Online Data Privacy Act (MODPA): The Essentials

The Maryland General Assembly passed the Maryland Online Data Privacy Act and imposed rigorous duties on businesses starting in late 2025. 

Although vastly similar to other US state laws, this one introduces yet-unseen data minimization requirements that are not typical for US state legislators.

What is the Maryland Online Data Privacy Act (MODPA)?

The Maryland Online Data Privacy Act is the state's comprehensive consumer data privacy law. It grants consumers the usual privacy rights, but it also imposes severe limitations on businesses regarding the data they can collect and process.

It comes into effect on October 1, 2025.

Is the MODPA applicable to my business?

The Maryland comprehensive privacy law will affect many businesses because of its low applicability thresholds.

It applies to all businesses that either conduct business in the state or target Maryland consumers from outside the state and either:

• Processes the data of at least 35,000 Maryland consumers, or
• Processed the data of at least 10,000 Maryland consumers and derived at least 20% of the revenue by selling consumer data.

This means that if you are a small business and collect the data of 35,000 Maryland residents using Google Analytics or Meta Pixel, you must comply with this law.

Companies subject to sector-specific privacy laws (HIPAA, GLBA, and others) are exempt from many other state privacy laws. 

What is personal data under the Maryland privacy law?

Personal data is any piece of information that could identify an individual, directly or indirectly.

The law further defines sensitive personal data, which includes:

• Any data revealing: Racial or ethnic origin; Religious beliefs; Consumer health data; Sex life; Sexual orientation; Status as transgender or nonbinary; National origin; or Citizenship or immigration status.
• Children's data
• Biometric data
• Precise geolocation data

The MODPA has a special regime for sensitive personal information. 

What are the MODPA consumer rights?

Consumers have the right to:

• Know about the processing
• Access their data
• Data portability
• Delete their data
• Correct their data
• Opt out of the sale of data or the processing for targeted advertising or profiling.

Consumers can submit requests at any time and businesses are obliged to honor the requests. Businesses have 45 days to respond to a request. Before granting it, they can verify the requester's identity.

Unlike in other states, Maryland consumers have the right to appeal a controller's decision to decline the privacy request. It is incumbent upon the controller to establish an appeals mechanism.

What are the Maryland data minimization principles?

The MODPA prescribes strong data minimization requirements for businesses. These include:

• A general ban on selling sensitive data
• A general ban on collecting and processing sensitive data except where it is strictly necessary for providing a service (for example, fitness apps must process health data, dating apps must process sexual data, etc.)
• A general ban on knowingly processing personal data of persons under 18 years of age
• A general ban on processing personal data that is not necessary for the purposes disclosed to the consumer unless the business obtains explicit consent
• A limit the processing of personal data to what is reasonably necessary

This is in line with the data minimization approach in the GDPR of the EU and other data protection laws worldwide, but differs from the practices established by other US state laws. It is not typical for the American data privacy and protection landscape.

Do I need a privacy policy to comply with the MODPA?

Yes, you need a privacy notice to comply with the MODPA. It needs to contain at least the following:

• Categories of data processed
• Purposes of processing
• With whom data is shared
• Categories of data shared with third parties
• Consumer rights and how to exercise them
• Controller's email and other contact information
• Information on selling data or processing data for targeted advertising and how to opt-out

Keeping in mind the data minimization and purpose limitation requirements, you have to ensure that your privacy notice is up-to-date. If you provide consumers with the wrong information about your processing purposes, processing the data would be unlawful.

What opt-out methods are required?

Businesses must allow customers to opt out of selling personal data, targeted advertising, and profiling by submitting a consumer request.

In addition, controllers have to provide them with an opt-out link in a conspicuous place on the website, and from January 1, 2025, businesses must honor opt-out signals sent from consumers' browsers.

What are the requirements for service providers?

Service providers are the businesses that process the data on behalf of the controller.

They must not process any data without a written agreement in place. Such an agreement shall contain at least:

• Instructions for processing
• Purposes and nature of processing
• Types of data subjects
• Duration of the processing
• Rights and duties of both parties
• The security measures the service provider must take
• Confidentiality clauses
• Requirement to help the controller comply with the provisions of the law.

Do we need to conduct Data Protection Assessments?

Data protection assessments are required in certain cases. They are a good practice for any business that wants to be proactive about data privacy, but they are explicitly required for the following activities:

• Sale of personal data
• Processing data for targeted advertising
• Processing sensitive data
• Processing data for profiling where it poses a risk to the consumer.

You have to conduct an assessment for each risky processing activity.

There is a caveat: it is not required for processing activities occurring before October 1, 2025.

Enforcement and penalties for Maryland privacy law

The Division enforces the MODPA. If they find that a violation has occurred, they will give the controller a cure period of at least 60 days. If the controller does not remedy the violation within the given timeframe, the penalties are USD 7,500 per violation.