In April of 2024, Maryland 🦀 passed its own Online Consumer Data Privacy Law (MODPA). This brief overview provides a baseline to help Maryland businesses understand the critical elements of MODPA.
Understanding the Maryland Data Privacy Law (MODPA)
Who is Subject to MODPA?
The Maryland Data Privacy Law (MODPA) applies to businesses operating in Maryland or those offering services to Maryland residents. MODPA applies if, in the previous year, a business:
- Controlled or processed the personal data of at least 35,000 Maryland consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
- Controlled or processed the personal data of at least 10,000 Maryland consumers and derived more than 20% of its gross revenue from the sale of personal data.
This threshold is notably lower than many other state laws, including neighboring Virginia. This implicates businesses that were otherwise excluded from other state privacy laws.
Exemptions to Consider
Certain entities are exempt from MODPA, including state bodies, non-profits aiding law enforcement, national securities associations, and financial institutions governed by the Gramm-Leach-Bliley Act.
Definition of a Consumer
MODPA defines a consumer as a Maryland resident acting in an individual context (i.e. outside of employment or business purposes).
What Constitutes ‘Personal Data’?
Personal data under MODPA includes any information that can be linked to an identifiable individual, excluding anonymized or publicly available data. This includes emails, names, addresses, social security numbers, identification numbers, and many other pieces of data that can identify a person.
Sensitive Data under MODPA
MODPA treats all genetic or biometric data as “sensitive,” a distinction from other states. “Sensitive Personal Data” includes data related to an individual’s race, religious beliefs, sex life or orientation, genetic or biometric data, Consumer Health Data, or precise (within 1,750 feet) geolocation. The Act would also ban the sale of any personal data about individuals who are under the age of 18.
Children’s Data and MODPA
MODPA mirrors the proactive standards set by the Children’s Online Privacy Protection Act, which mandates that businesses ensure their websites do not unintentionally cater to children under 13. Specifically, the law prohibits the sale of personal data from individuals under the age of 18 without explicit consent, requiring businesses to either implement robust age-verification processes or completely cease processing data from minors.
This change compels businesses in Maryland to critically assess and modify their data handling practices to prevent legal repercussions and protect children’s privacy.
Obligations for Data Controllers
MODPA places significant emphasis on data minimization. Data controllers must limit data collection, prevent unauthorized data usage, ensure robust data security practices, avoid selling sensitive data, and maintain transparency with privacy notices. A notable aspect of MODPA is its strict prohibition against selling sensitive data, underscoring its stringent privacy standards.
For all personal data, businesses must limit the collection of personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” In comparison, most other state privacy laws limit collection to what is “reasonably necessary” for the processing purposes disclosed in their privacy notices. MODPA’s obligation centers on the consumer’s specific, affirmative request, and not the business’s public disclosure. This will require businesses to re-evaluate their data collection processes.
Consumer Rights Afforded by MODPA
MODPA grants several rights to consumers, including data access, correction, deletion, portability, and opt-outs from targeted advertising and data sales. The opt-out rights also cover profiling that significantly affects consumers legally or in a similarly significant way.
Enforcement and Penalties
Enforcement of MODPA lies solely with the Maryland Attorney General. After being notified of noncompliance, companies have a 60-day period to rectify the violation. After 60 days, the Maryland Attorney General can take action and apply penalties up to $25,000 per violation.
Compliance Timelines
MODPA goes into effect October 1, 2025, with a grace period until April 1, 2026, for data processing activities.
***
Does your business need help understanding how the Maryland Data Privacy Law applies to you? Get in contact. We can help.