Maryland joined the growing list of states enacting comprehensive data privacy legislation with the Maryland Online Data Privacy Act (MODPA), signed into law by Governor Wes Moore on May 9, 2024. The law became effective on October 1, 2025, though it actually begins to apply to data processing activities that occur on and after April 1, 2026. This timing provides organizations with a transition window to achieve compliance, though preparation should have begun well before these critical dates.
Generally speaking, MODPA is considered somewhat of an outlier compared with other state data privacy regulations. For example, MODPA imposes stricter requirements on businesses handling consumer data, particularly sensitive data. The law also introduces novel provisions around algorithmic decision-making and data minimization that distinguish it from privacy laws in other states.
Continue reading to discover what you need to know about the MODPA and how to strengthen your company’s compliance posture accordingly.

Is my company subject to MODPA?
MODPA applies to entities that conduct business in Maryland or provide products or services targeted at Maryland residents and that meet one of two processing thresholds, each measured over the preceding calendar year:
- A company controls or processes the personal data of at least 35,000 consumers, excluding data processed solely for payment transactions; or
- A company controls or processes the personal data of at least 10,000 consumers while deriving 20 percent or more of gross revenue from selling personal data.
These thresholds are notably lower than those established by many other state consumer data privacy laws. For comparison, Oregon's data privacy law applies to businesses that process 100,000 or more consumer records, making MODPA's 35,000-consumer threshold significantly more inclusive.
This broader scope captures mid-sized businesses that might not fall under other state privacy regimes, expanding the law's reach considerably.
Who is a consumer under MODPA?
The law defines a "consumer" as a Maryland resident acting in an individual or household capacity, excluding individuals acting in a commercial or employment capacity.
This employment exemption provides some relief to employers, as MODPA does not apply to data collected during the employment relationship, leaving California as the only comprehensive U.S. privacy law that covers employment data.
Limited exemption for nonprofit entities
MODPA's treatment of nonprofit organizations marks a departure from many other state consumer data privacy laws. While most state data privacy laws broadly exempt nonprofits, Maryland applies its law to these organizations with only narrow exceptions.
Specifically, only nonprofits that process personal data solely to assist law enforcement in investigating insurance fraud or to help first responders respond to catastrophic events are carved out. This means many nonprofit organizations will face the same compliance obligations as for-profit companies.
Does MODPA impose restrictions around processing children’s data?
Yes. In fact, Maryland is somewhat of an outlier among state-level consumer data laws with its heightened restrictions around processing children’s data. Specifically, MODPA prohibits the processing of children’s data for purposes of targeted advertising or selling data belonging to a minor (defined as someone under the age of 18) when a company “knows or should reasonably know” that a consumer is a minor.
Looking for more info about underage privacy regulations? Check out our deep dive into new children’s data privacy regulations here.
Does MODPA require companies to respond to data subject requests?
Yes. MODPA provides Maryland residents with a comprehensive set of statutory privacy rights that align with other state consumer data privacy laws, while adding certain unique elements. For example, Maryland consumers have the right to:
- Confirm whether a business is processing their personal data and access that data
- Request correction of inaccurate personal data
- Request deletion of their data (unless retention is required by law)
- Request a copy of their personal data in a portable format for transfer to another company
MODPA also provides consumers with the right to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. Profiling, under MODPA, is defined as any form of automated processing of personal data used to evaluate, analyze, or predict personal aspects of a consumer, such as their:
- Economic situation
- Health situation
- Demographic characteristics
- Personal preferences or interests
- Reliability or behavior
- Location or movements
The opt-out right for profiling applies where the automated decisions produce legal or similarly significant effects concerning the consumer.
Mandatory disclosure of third parties receiving personal data
A distinctive feature of MODPA is its requirement that controllers disclose not only the categories of personal data being shared but also the categories of third parties that receive it. This provision sets Maryland apart from most other state privacy laws, which typically require disclosure only of data categories collected.
Currently, only a handful of states provide consumers with this level of transparency into who receives their information.
Timeline for responding to data subject requests
Controllers must respond to consumer requests within 45 days, though this period may be extended for another 45 days if reasonably necessary, with notice to the consumer. If a request is denied, controllers must inform the consumer of the reasons and establish an appeal process.
Appeal process
Within 60 days of receiving an appeal, the controller must inform the consumer of the outcome with an explanation. If the appeal is denied, controllers must provide an online mechanism for consumers to contact Maryland’s Consumer Protection Division to submit a complaint.
Does MODPA require companies to enter into contractual agreements with data processors?
Yes. MODPA imposes detailed contractual requirements on the relationship between controllers (i.e., companies subject to the Maryland law) and processors. These data processing contracts must clearly outline the rights and obligations of both parties. In addition, the contracts must provide specific, clear instructions on how the processor should handle data, including permitted and prohibited uses.
The contract must also establish processor responsibilities, such as:
- Maintaining the confidentiality of the data for all personnel with access
- Implementing reasonable security practices that meet or exceed industry standards and MODPA requirements
- Stopping processing, deleting, or returning data at the company’s request, with specific timelines and verification procedures
Processors must also assist companies with the following:
- Responding to data subject requests
- Conducting and documenting data protection assessments
- Ensuring the security of personal data processing
Specific contractual obligations for handling health data
MODPA imposes special obligations on any person who provides access to consumer health data. For example, employees and contractors cannot access this data unless they are subject to a contractual or statutory confidentiality obligation, or confidentiality is required as a condition of employment.
In addition, processors cannot access consumer health data unless both the processor and the entity providing access comply with MODPA's processor contract requirements and the processor assists the controller in meeting its obligations.
How is MODPA different from other state data privacy laws?
MODPA distinguishes itself from other state consumer data privacy laws through several provisions. Perhaps most significantly, MODPA establishes a blanket prohibition on selling sensitive data, making it the first state consumer data privacy law to implement such a restriction.
The prohibition generally applies regardless of consumer consent, marking a fundamental shift away from the consent-based frameworks that characterize most other state laws.
Heightened restrictions on sensitive data
As mentioned, the law’s approach to sensitive data is much stricter than that of other state data privacy laws. MODPA also defines sensitive personal data broadly to include:
- Biometric and genetic data (even when not used for identification purposes)
- Consumer health data
- Precise geolocation within 1,750 feet
- Data revealing race, ethnicity, religious beliefs, sex life, sexual orientation, citizenship, immigration status, and national origin
Companies are restricted from collecting, processing, or sharing sensitive data except where strictly necessary to provide or maintain a specific product or service requested by the consumer.
Consent revocation
In addition to heightened restrictions around the collection of sensitive data, MODPA requires companies to provide a mechanism for consumers to revoke their consent to the processing of their personal data.
If a consumer uses this consent revocation mechanism, companies must halt processing the consumer’s data as soon as possible, and no later than 30 days after the consent is revoked. This is a notable departure from other state data privacy laws. In fact, only California and Florida require such a consent revocation mechanism.
Considering these new complexities in obtaining (and maintaining) consent to process personal data, companies should consider using a Consent Management Platform (CMP) that adapts to their business and specific technical needs. Check out our comparison article to weigh your options.
Broad definition of consumer health data
Maryland's definition of consumer health data is notably expansive. The law defines it as personal data used to identify a consumer's physical or mental health status, expressly including gender-affirming care and reproductive or sexual health services.
This status-based framing may broaden applicability compared with states like Connecticut, which limit the definition to a consumer's condition or diagnosis.
MODPA also prohibits geofencing within 1,750 feet of mental health facilities or sexual and reproductive health facilities for the purpose of tracking, identifying, collecting data from, or sending notifications to consumers regarding their health data.
This provision directly addresses privacy concerns around sensitive location tracking near healthcare facilities.
Strict data minimization standards
The law imposes stringent data minimization requirements that exceed those in most other state consumer data privacy laws. For example, companies may collect or process personal data only when reasonably necessary to provide or maintain a product or service requested by the consumer.
In addition, MODPA prohibits processing personal data for purposes beyond those disclosed to consumers unless consent is obtained. The law also prohibits processing in an unlawfully discriminatory manner, with certain exceptions for diversifying applicant pools, loyalty programs, and self-testing to prevent or mitigate unlawful discrimination.
Does MODPA require companies to conduct data protection assessments?
Yes. Companies that engage in certain data processing activities must conduct data protection assessments. Specifically, a data protection assessment is required when a company processes data that poses a heightened risk of harm to consumers.
Data protection assessments are required for the following types of processing activities:
- Sales of personal data
- Targeted advertising
- Profiling
- Processing of sensitive data
Notably, these assessments only apply to processing activities occurring on or after October 1, 2025.
Algorithmic assessments
A unique aspect of MODPA is its explicit requirement to address each algorithm used in high-risk processing activities within the data protection assessment. This algorithmic assessment requirement underscores Maryland's focus on automated decision-making and represents a more granular approach than other state privacy laws, which typically require broader assessments for categories of data processing rather than for every algorithm deployed.
The law requires companies to document necessity and proportionality, including explaining the rationale for decisions, alternatives considered, and mitigation steps taken. These assessments should be maintained as living documents, with regular reviews when systems are retrained, new features are added, or risk levels shift.
Do companies need to honor universal opt-out requests under MODPA?
Yes. MODPA generally requires companies to recognize user-selected universal opt-out mechanisms (UOOMs) that allow consumers to opt out of the processing of their personal data. The platform, technology, or mechanism used to signal the opt-out preference must:
- Be consumer-friendly and easy for the average consumer to use
- Use clear and unambiguous language
- Not use a default setting to opt consumers out of any processing
In addition, the mechanism must enable the company to accurately determine whether the consumer is a Maryland resident and has made a legitimate opt-out request.
Notably, companies that recognize opt-out signals approved by other states are considered compliant with Maryland's universal opt-out signal requirements, which appears to be an effort to facilitate multi-state compliance.
What are the penalties for failing to comply with MODPA?
The Maryland Attorney General's Consumer Protection Division holds exclusive enforcement authority under MODPA. Unlike some state privacy laws that provide a private right of action, consumers cannot file lawsuits directly under MODPA, leaving enforcement entirely to the state. However, the law specifically states that consumers are not prohibited from pursuing other remedies available under the law.
When the Attorney General identifies a potential violation, they may issue a notice of violation to the controller or processor. The decision to issue such notice is discretionary and depends on whether the Attorney General determines that a cure is possible. Factors considered include:
- The number of violations
- The size and complexity of the controller or processor
- The likelihood of injury to the public
- Other relevant factors
60-day cure period
If the Attorney General issues a written notice of violation, the controller or processor receives a 60-day cure period to address and remedy the violation. If the violation remains uncured after this period, the Attorney General may initiate an enforcement action.
It is important to note that this cure provision sunsets on April 1, 2027, after which the Attorney General may proceed with enforcement immediately without offering an opportunity to cure.
Non-compliance penalties
Violations of MODPA are treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act. As a result, Maryland courts may impose civil penalties of up to $10,000 per violation, with repeat violations subject to penalties of up to $25,000 for each subsequent violation.
It is notable that these penalties are much higher than those under other state consumer data privacy laws. For example, Virginia’s consumer data privacy law limits non-compliance penalties to $7,500 per violation.
How can Didomi help companies comply with the Maryland Online Data Privacy Act?
As state consumer data privacy laws continue to evolve, MODPA signals a trend toward more protective standards that prioritize consumer welfare over business flexibility. Organizations subject to the law should undertake compliance efforts immediately.
Keeping up with the pace and scope of these new data privacy regulations adds compliance complexity and risk to your business operations. Learn more about our multi-regulation Consent Management Platform (CMP), which covers privacy laws and regimes in the U.S. and worldwide, or talk to one of our experts about your challenges and how Didomi could help.
Maryland Online Data Privacy Act: Frequently Asked Questions (FAQs)
Can a consumer sue a company for failing to comply with MODPA?
No. MODPA does not provide consumers with a private right of action. Enforcement actions can only be pursued by the Maryland Attorney General’s Office.
Are companies given time to correct an alleged compliance violation under MODPA?
Yes. MODPA provides a 60-day cure period in which companies can take steps to correct an alleged compliance violation. However, the 60-day cure period sunsets (i.e., expires) on April 1, 2027.
Are any companies exempt from MODPA?
Yes. MODPA exempts several types of entities, including:
- State and city government agencies
- Financial institutions and data regulated by the Gramm-Leach-Bliley Act
- National securities associations registered under the Securities Exchange Act
Are any types of data exempt from MODPA?
Yes. MODPA exempts certain types of information and data, including:
- Data that has been de-identified
- Data processed or maintained for emergency contact purposes
- Consumer credit-reporting data
- Data covered by the Drivers' Privacy Protection Act
- Data covered by the Family Educational Rights and Privacy Act
- Data covered by the Farm Credit Act
- Data covered by HIPAA and other health care statutes