Maryland Online Data Privacy Act (MODPA): Urgent: What Businesses Need to Know Before Oct 1st

taylorl

Assumed News, Privacy

On May 9, 2024, Maryland joined the growing list of states with comprehensive data privacy laws by enacting the Maryland Online Data Privacy Act (MODPA). With the compliance deadline of October 1, 2025 approaching, businesses that collect data from Maryland residents need to understand their new obligations and prepare accordingly.

This guide breaks down the key provisions of the Maryland Online Data Privacy Act and what they mean for your business.


Who Must Comply with Maryland Online Data Privacy Act?

The Maryland Online Data Privacy Act applies to “controllers” (businesses that determine how and why personal data is processed) that:

  • Do business in Maryland or intentionally target products/services to Maryland residents, AND
  • In the previous calendar year, either:

These thresholds are significantly lower than similar laws in California (100,000 consumers or 50% revenue from data sales) and Virginia (100,000 consumers, or 25,000 consumers plus 50% revenue), meaning MODPA will likely apply to many small and medium-sized businesses.

Key Exemptions

MODPA includes several exemptions at both the entity and data level:

Entity-level exemptions:

  • Government agencies
  • Financial institutions covered by the Gramm-Leach-Bliley Act
  • HIPAA-covered entities and business associates
  • Nonprofit organizations that support law enforcement
  • SEC-registered securities associations

Data-level exemptions:

  • Data covered by the Fair Credit Reporting Act
  • Information regulated by the Driver’s Privacy Protection Act
  • Educational records covered by FERPA
  • Protected health information under HIPAA
  • De-identified data

Notably, MODPA does not apply to business-to-business (B2B) or employee data, focusing instead on consumer personal information.


Consumer Rights Under Maryland Online Data Privacy Act

MODPA grants Maryland consumers comprehensive rights over their personal data:

Access and Confirmation

Consumers can confirm whether their data is being processed and obtain a copy of their personal data.

Correction

Consumers can correct inaccuracies in their personal data.

Deletion

Consumers can request deletion of their personal data (with some exceptions, such as when retention is required by law).

Data Portability

Consumers can receive their personal data in a readily usable format to transfer it to another controller.

Disclosure of Third-Party Sharing

Consumers can obtain a list of categories of third parties to whom their personal data has been disclosed.

Opt-Out Rights

Consumers can opt out of:

  • Targeted advertising using their personal data
  • Sale of their personal data (defined as exchange for monetary or other valuable consideration)
  • Profiling that produces legal or similarly significant effects

Response Timeline

Controllers must respond to consumer requests within 45 days, with the possibility of a 45-day extension when reasonably necessary. If a request is denied, the controller must explain in detail how to appeal the decision.

Special Protections for Minors

Parents or guardians can exercise these rights for children under 13. MODPA also prohibits using personal data for targeted advertising for any consumer the controller knows or should know is under 18 years old.


Business Obligations Under Maryland Online Data Privacy Act

MODPA imposes several obligations on businesses that fall within its scope:

Privacy Notices

Controllers must provide clear, accessible privacy notices that include:

  • Categories of personal data collected (including sensitive data)
  • Purposes for processing personal data
  • Categories of third parties with whom data is shared
  • Whether personal data is sold or used for targeted advertising
  • How consumers can exercise their rights
  • Contact information (such as an email address) for consumers

Data Minimization

Controllers must limit collection to personal data that is “reasonably necessary and proportionate” for providing the specific product or service requested by the consumer. This “reasonably necessary” standard is stricter than most other state privacy laws.

Security Safeguards

Controllers must implement and maintain reasonable administrative, technical, and physical data security practices to protect personal data.

Consent Requirements

  • Controllers must obtain valid consent for any processing beyond what is necessary for the requested transaction
  • Controllers must provide a clear, conspicuous, and easy way for consumers to revoke consent
  • Controllers must cease processing within 30 days of consent revocation
  • By October 1, 2025, controllers must recognize and honor universal opt-out mechanisms (UOOMs), i.e., opt-out preference signals, for the sale of personal data and targeted advertising

Data Protection Assessments

Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, such as:

  • Targeted advertising
  • Sale of personal data
  • Profiling that creates legal or significant effects
  • Processing of sensitive data

These assessments must be conducted for processing activities beginning on or after October 1, 2025, and made available to the Maryland Attorney General upon request.

Contracts with Processors

Controllers must establish written contracts with data processors that:

  • Clearly outline the processing instructions
  • Establish processor obligations for security, confidentiality, and deletion
  • Require processors to assist controllers in fulfilling MODPA obligations

Unlike some privacy laws that only impose obligations on processors through contracts, MODPA directly imposes privacy and security duties on processors.

Prohibited Practices

MODPA explicitly prohibits several practices:

Sensitive Data Restrictions

Controllers cannot collect, use, or share sensitive data unless “strictly necessary” to provide a service specifically requested by the consumer. Sensitive data includes:

  • Health data
  • Genetic or biometric data
  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Sexual or reproductive health data
  • Citizenship or immigration status
  • Children’s data
  • Precise geolocation

Ban on Selling Sensitive Data

MODPA expressly prohibits selling a consumer’s sensitive data, regardless of circumstances.

Protection for Minors

Controllers cannot sell or use personal data for targeted advertising if they know or should know the consumer is under 18 years old.

Health Facility Geofencing Prohibition

It is unlawful to use a geofence within 1,750 feet of any mental health or reproductive health care facility to identify or track consumers or their health data.

Enforcement and Penalties

Maryland Attorney General Enforcement

The Maryland Attorney General’s Office (Consumer Protection Division) has exclusive enforcement authority. Under MODPA, there is no private right of action, meaning consumers cannot directly sue businesses for violations.

Notice and Cure Period

Before initiating an enforcement action, the Attorney General must provide a notice of violation. Businesses then have 60 days to cure the violation.

Potential Penalties

  • Courts may impose fines of up to $10,000 per violation
  • Repeated violations can carry penalties of up to $25,000 per violation
  • Violations are treated as unfair or deceptive trade practices under Maryland’s Consumer Protection Act

How Maryland Online Data Privacy Act Compares to Other State Privacy Laws

MODPA shares similarities with other state privacy laws but has some key differences:

Stricter Data Minimization

MODPA’s “reasonably necessary for a specific purpose” requirement is more stringent than requirements in many other states.

Enhanced Protections for Sensitive Data

The “strictly necessary” standard for collecting sensitive data is more restrictive than most U.S. privacy laws.

Direct Processor Obligations

Unlike CCPA (where processor obligations are largely contractual), MODPA imposes privacy and security duties directly on processors.

Preparing for Maryland Online Data Privacy Act Compliance

To prepare for the October 1, 2025 compliance deadline, businesses should:

  1. Determine applicability: Assess whether your business meets MODPA’s thresholds for Maryland consumers and data sales.
  2. Data inventory: Map your data collection, use, and sharing practices involving Maryland residents.
  3. Update privacy notices: Revise your privacy policy to address MODPA’s specific disclosure requirements.
  4. Implement consumer rights mechanisms: Develop processes to handle access, deletion, correction, portability, and opt-out requests.
  5. Review data practices: Evaluate your data minimization practices, especially regarding sensitive data.
  6. Update vendor contracts: Ensure processor agreements meet MODPA requirements.
  7. Conduct data protection assessments: Begin documenting assessments for high-risk processing activities.
  8. Prepare for universal opt-out mechanisms: Plan technology implementations to recognize and honor opt-out preference signals.

The Maryland Online Data Privacy Act represents a significant shift in privacy requirements for businesses operating in Maryland. With its broader application, stricter data minimization standards, and enhanced protections for sensitive data and minors, MODPA sets a high bar for data privacy compliance.

Businesses should start preparing now to meet the October 1, 2025 deadline. By taking a proactive approach to compliance, companies can avoid potential penalties and build trust with Maryland consumers through responsible data practices.

Disclaimer: This blog post is for informational purposes only and does not constitute legal advice. Consult with qualified legal counsel regarding your specific situation and compliance requirements.
