Maryland Passes Data Privacy Law (MODPA); Who It Affects and How

In April of 2024, Maryland ūü¶Ä passed its own Online Consumer Data Privacy Law (MODPA). This brief overview will provide a baseline for Maryland businesses understand the critical elements of MODPA.

Understanding the Maryland Data Privacy Law (MODPA)

Who is Subject to MODPA?

The Maryland Data Privacy Law (MODPA) applies to businesses operating in Maryland or those offering services to Maryland residents. MODPA applies if, in the previous year, a business

  • Controlled or processed the personal data of at least¬†35,000¬†Maryland consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
  • Controlled or processed the personal data of at least 10,000 Maryland consumers and derives more than 20% of their gross revenue from the sale of personal data.

This threshold is notably lower than many other state laws, including neighboring Virginia. This implicates businesses who were otherwise excluded from other state privacy laws.

Exemptions to Consider

Certain entities are exempt from MODPA, including state bodies, non-profits aiding law enforcement, national securities associations, and financial institutions governed by the Gramm-Leach-Bliley Act.

Definition of a Consumer

MODPA defines a consumer as a Maryland resident acting in an individual context (i.e. outside of employment or business purposes).

What Constitutes ‘Personal Data’?

Personal data under MODPA includes any information that can be linked to an identifiable individual, excluding anonymized or publicly available data. This includes emails, names, addresses, social security numbers, identification numbers, and many other pieces of data that can identify a person.

Sensitive Data under MODPA

MODPA treats all genetic or biometric data as “sensitive,” a distinction from other states. ‚ÄúSensitive Personal Data‚ÄĚ includes data related to an individual’s race, religious beliefs, sex life or orientation, genetic or biometric data, Consumer Health Data, or precise (within 1,750 feet) geolocation. The Act would also ban the sale of any personal data about individuals who are under the age of 18.

Children’s Data and MODPA

MODPA mirrors the proactive standards set by the Children’s Online Privacy Protection Act, which mandates that businesses ensure their websites do not unintentionally cater to children under 13. Specifically, the law prohibits the sale of personal data from individuals under the age of 18 without explicit consent, requiring businesses to either implement robust age-verification processes or completely cease processing data from minors.

This change compels businesses in Maryland to critically assess and modify their data handling practices to prevent legal repercussions and protect children’s privacy.

Obligations for Data Controllers

MODPA has a significant emphasis on data minimization. Data controllers must limit data collection, prevent unauthorized data usage, ensure robust data security practices, avoid selling sensitive data, and maintain transparency with privacy notices. A notable aspect of MODPA is its strict prohibition against selling sensitive data, underscoring its stringent privacy standards.

For all personal data, businesses must limit the collection of personal data to what is ‚Äúreasonably necessary¬†and proportionate to provide or maintain a¬†specific product or service requested by the consumer.‚ÄĚ In comparison, most other state privacy laws limit collection to what is “reasonably necessary” for the processing purposes disclosed in their privacy notices. MODPA‚Äôs obligation centers on the consumer‚Äôs specific, affirmative request, and not the business‚Äôs public disclosure.¬†This will require businesses to re-evaluate their data collection processes.

Consumer Rights Afforded by MODPA

MODPA grants several rights to consumers, including data access, correction, deletion, portability, and opt-outs from targeted advertising and data sales. There are also profiling that significantly affects consumers legally or similarly.

Enforcement and Penalties

Enforcement of MODPA lies solely with the Maryland Attorney General. Companies have a 60-day period to rectify any issues of a violation after notification of their noncompliance. After 60 days, the MD Attorney General can take action and apply penalties up to $25,000 per violation.

Compliance Timelines

MODPA goes into effect October 1, 2025, with a grace period until April 1, 2026, for data processing activities.


Does your business need help understanding how the Maryland Data Privacy Law applies to you? Get in contact— we can help.

Leave a Reply

Your email address will not be published. Required fields are marked *

Considering a trademark?