Overview
The Maryland Online Data Privacy Act (MODPA) is a comprehensive data privacy law that enhances data protection rights for Maryland residents while establishing clear compliance obligations for businesses. Signed into law on May 9, 2024, MODPA takes effect on October 1, 2025.
Marylandβs privacy law is considered one of the strongest consumer privacy laws in the U.S., closely resembling Californiaβs CPRA while introducing unique requirements for data minimization and opt-in consent for sensitive data processing.
Who Must Comply?
MODPA applies to businesses that operate in Maryland or target Maryland residents and meet one of the following criteria:
β Process personal data of at least 35,000 Maryland consumers annually
β Process personal data of at least 10,000 Maryland consumers and derive over 20% of gross revenue from selling personal data
Exemptions:
The law does not apply to:
π« Government agencies
π« Nonprofits
π« Financial institutions subject to GLBA
π« HIPAA-covered entities
π« Higher education institutions
Key Consumer Rights Under MODPA
β Right to Access β Consumers can request a copy of their personal data.
β Right to Correct β Consumers can request corrections to inaccurate personal data.
β Right to Delete β Consumers can request the deletion of personal data.
β Right to Data Portability β Consumers can receive their data in a portable format.
β Right to Opt-Out β Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
π Universal Opt-Out Mechanism Required (2026) β Businesses must recognize Global Privacy Control (GPC) signals starting in 2026.
Business Compliance Requirements
β Opt-In Consent for Sensitive Data β Businesses must obtain explicit consumer consent before processing:
π Racial/ethnic origin
π Religious beliefs
π Biometric data
π Health conditions
π Childrenβs data
β Transparency & Privacy Notices β Companies must provide clear privacy policies detailing data collection and usage.
β Data Protection & Security β Businesses must implement reasonable security safeguards to protect consumer data.
β Data Minimization Rules β Businesses must limit data collection to what is strictly necessary for their purpose.
β Data Protection Assessments (DPA) β Businesses must conduct risk assessments for:
π Targeted advertising
π Data sales
π AI-driven decision-making
Real-World Enforcement Cases
The Maryland Attorney Generalβs Office enforces MODPA, with penalties of up to $10,000 per violation.
π Cure Period Ends in 2026 β Until January 1, 2026, businesses have 60 days to fix violations before penalties apply.
Since MODPA does not take effect until October 1, 2025, major enforcement cases have not yet occurred, but businesses failing to provide opt-out mechanisms or lacking proper security protections are expected to face early enforcement actions.
π Comparison with Other State Privacy Laws
The Maryland MODPA is one of the strongest privacy laws in the U.S. due to:
β
Lower Applicability Threshold (35,000 consumers) β More businesses must comply than in Virginia (100,000 consumers).
β
Universal Opt-Out Mechanism Required (2026) β Businesses must honor automated privacy requests.
β
Strict Data Minimization Rules β Companies must collect only essential data, unlike many other state laws.
Future of MODPA Regulation
π Stronger enforcement expected in 2026, particularly for AI-driven profiling.
π Potential expansion of consumer rights in future amendments.
π Possible updates to align with federal privacy laws if enacted.
Marylandβs MODPA sets a new standard for consumer privacy, with strict enforcement, universal opt-out requirements, and broad applicability.
