The Maryland Online Data Privacy Act (MODPA), which will be enforced starting April 1, 2026, is Maryland’s comprehensive consumer‑privacy law for businesses that collect or process personal data of Maryland residents. It closely resembles other state‑level privacy statutes but adds several stricter rules around sensitive data, consent, and automated decision‑making that business owners should understand.
Who MODPA applies to
MODPA covers any business that, in the prior year:
- Controls or processes personal data of at least 35,000 Maryland consumers (excluding pure payment‑transaction data), or
- Processes data of at least 10,000 consumers and derives more than 20% of gross revenue from selling personal data.
Exemptions include state and local governments, certain financial institutions under GLBA, and data already regulated by HIPAA, FERPA, and other sector‑specific laws. Because this is a consumer privacy law, employee data, de-identified data, and B2B-related data are not covered.
Large non-profits such as universities and health systems are covered, which is unique among many state consumer privacy laws, although the processing of certain kinds of data by these entities may be exempt.
Core consumer rights
Under MODPA, Maryland residents have the right to:
- Access the personal data a business holds about them.
- Correct inaccurate personal data.
- Delete personal data collected from or about them.
- Obtain a copy of their data in a portable, commonly used format.
- Opt out of the sale of their data, targeted advertising, and certain profiling activities.
Businesses must respond to these requests within a set timeframe (typically 45–60 days, with possible extension) and cannot discriminate against consumers who exercise their rights (e.g., denying service or charging higher prices).
Strict limits on data collection and sensitive data
MODPA requires sound data minimization practices: businesses may collect only personal data that is reasonably necessary and proportionate to provide or maintain a requested product or service.
Key requirement: sensitive data may be processed only when strictly necessary to deliver a specific service or product requested by the consumer, and cannot be sold at all, even with consent.
“Sensitive data” includes:
- Race, ethnicity, religion, health status, gender‑affirming or reproductive care, sexual orientation, sex life, transgender or non-binary status, biometrics, precise geolocation, data from known children, and certain immigration or citizenship information.
“Children’s Data” applies to minors under 18
Maryland’s new law broadens the range of minors’ data that must receive added protection. Under MODPA, controllers may not process or sell the personal data of a consumer for the purposes of targeted advertising where the controller knows, or should know, the consumer is under 18. Among U.S. data protection laws, this places Maryland at the high end of the age range for who is considered a “minor.”
Consent, privacy notices, and universal opt‑out mechanisms
Businesses must obtain consent before collecting or processing personal data beyond what is strictly necessary, and for any further processing that differs from the original purpose. Consumers must be able to withdraw consent easily, and businesses must stop processing within 30 days of withdrawal.
Privacy notices must clearly disclose:
- Categories of personal and sensitive data collected.
- Purposes for processing.
- Categories of third parties with whom data is shared.
- How consumers can exercise their rights, including the use of universal opt‑out mechanisms, for sale, targeted advertising, and profiling.
MODPA joins 11 other states that now require businesses to honor “universal opt‑out mechanisms” (such as browser‑based signals like Global Privacy Control), easing compliance for multi‑state operators.
Security, risk assessments, and enforcement
Controllers must implement reasonable administrative, technical, and physical security measures to protect personal data and conduct data protection assessments (DPAs) for high‑risk processing, including:
- Selling personal data.
- Targeted advertising.
- Processing sensitive data.
- Profiling or algorithmic decision‑making that could cause substantial consumer harm.
Enforcement rests with the Maryland Attorney General, who can issue a notice of violation and allow a 60‑day cure period before seeking civil penalties of up to $10,000 for the first violation and $25,000 for subsequent violations. There is no private right of action, so only the state may enforce the law.
Practical takeaways for business owners
- Map where you collect, store, and share Maryland residents’ data, especially sensitive categories.
- Ensure your children’s data protections are now triggered up to age 18.
- Update privacy notices, including those at the point of collection, and consent collection mechanisms.
- Honor universal opt‑out mechanisms in addition to your own preference management documentation.
- Build or refine procedures for handling consumer rights requests and consent withdrawals within the required timelines.
- Conduct or refresh security assessments for any processing that includes targeted advertising, data sales, and algorithm‑driven decisions.
MODPA will require meaningful changes to data‑handling practices for many businesses, but it fortunately also offers a relatively clear framework aligned with broader U.S. state‑privacy trends.

