Discover the essentials of the Maryland Online Data Privacy Act (MODPA) and its impact on businesses. Learn about data minimization principles, consumer rights, compliance requirements, and penalties.
The Maryland General Assembly passed the Maryland Online Data Privacy Act and imposed rigorous duties on businesses starting in late 2025.
Although largely similar to other US state privacy laws, it introduces data minimization requirements not previously seen in US state legislation.

The Maryland Online Data Privacy Act is the state's comprehensive consumer data privacy law. It grants consumers the usual privacy rights, but it also imposes severe limitations on businesses regarding the data they can collect and process.
It comes into effect on October 1, 2025.
The Maryland comprehensive privacy law will affect many businesses because of its low applicability thresholds.
It applies to all businesses that either conduct business in the state or target Maryland consumers from outside the state and either:
This means that if you are a small business and collect the data of 35,000 Maryland residents using Google Analytics or Meta Pixel, you must comply with this law.
Companies subject to sector-specific privacy laws (HIPAA, GLBA, and others) are exempt from many other state privacy laws.
Personal data is any piece of information that could identify an individual, directly or indirectly.
The law further defines sensitive personal data, which includes:
The MODPA has a special regime for sensitive personal information.
Consumers have the right to:
Consumers can submit requests at any time and businesses are obliged to honor the requests. Businesses have 45 days to respond to a request. Before granting it, they can verify the requester's identity.
Unlike in other states, Maryland consumers have the right to appeal a controller's decision to decline the privacy request. It is incumbent upon the controller to establish an appeals mechanism.
The MODPA prescribes strong data minimization requirements for businesses. These include:
This is in line with the data minimization approach in the GDPR of the EU and other data protection laws worldwide, but differs from the practices established by other US state laws. It is not typical for the American data privacy and protection landscape.
Yes, you need a privacy notice to comply with the MODPA. It needs to contain at least the following:
Keeping in mind the data minimization and purpose limitation requirements, you have to ensure that your privacy notice is up-to-date. If you provide consumers with the wrong information about your processing purposes, processing the data would be unlawful.
Businesses must allow customers to opt out of selling personal data, targeted advertising, and profiling by submitting a consumer request.
In addition, controllers have to provide them with an opt-out link in a conspicuous place on the website, and from January 1, 2025, businesses must honor opt-out signals sent from consumers' browsers.
Service providers are the businesses that process the data on behalf of the controller.
They must not process any data without a written agreement in place. Such an agreement shall contain at least:
Data protection assessments are required in certain cases. They are a good practice for any business that wants to be proactive about data privacy, but they are explicitly required for the following activities:
You have to conduct an assessment for each risky processing activity.
There is a caveat: it is not required for processing activities occurring before October 1, 2025.
The Division enforces the MODPA. If it finds that a violation has occurred, it will give the controller a cure period of at least 60 days. If the controller does not remedy the violation within the given timeframe, the penalty is USD 7,500 per violation.