The Maryland Online Data Privacy Act (MODPA), passed in 2024, positions Maryland among the leading states implementing comprehensive consumer privacy protections. With an effective date of October 1, 2025, this law sets detailed rules for how businesses collect, process, and store personal data online.
If your organization operates in Maryland or offers goods and services to Maryland residents, compliance planning needs to start now. In this guide, we’ll explore who must comply, the consumer rights introduced by MODPA, key compliance requirements, and how Maryland’s approach compares to other state laws.
Looking for other state-specific guides? Check out our articles on the Colorado Privacy Act, Indiana Consumer Data Protection Act, and Iowa Consumer Data Protection Act for a full U.S. privacy law picture.
What Is the Maryland Online Data Privacy Act (MODPA)?
The Maryland Online Data Privacy Act creates a robust framework to safeguard Maryland residents’ personal information. It covers personal data collected online and includes heightened protections for sensitive data categories.
Unlike older privacy statutes, MODPA reflects modern concerns such as profiling and targeted advertising, and it requires companies to honor universal opt-out mechanisms (UOOMs), including browser-based privacy signals such as Global Privacy Control (GPC).
The statutory language in the Maryland General Assembly code outlines the full scope of obligations, including definitions of controllers and sensitive data categories.
Maryland Online Data Privacy Act Effective Date
MODPA takes effect on October 1, 2025. This gives businesses just over a year to align their data governance practices with its requirements.
Applicability: Who Must Comply with Maryland’s MODPA?
MODPA applies to businesses (including nonprofits in certain cases) that:
- Control or process the personal data of at least 35,000 Maryland residents annually, excluding data processed solely for payment transactions; or
- Handle personal data of 10,000 or more Maryland residents and derive at least 20% of revenue from selling personal data.
Exemptions include:
- Data covered by HIPAA or GLBA (confirming the Maryland Online Data Privacy Act HIPAA exemption).
- Financial institutions under federal regulations.
- De-identified and publicly available data.
Key Rights for Maryland Consumers under the MODPA
Maryland residents gain several new privacy rights under MODPA, including:
- Right to Access: Know what personal data is collected and how it’s used.
- Right to Deletion: Request deletion of personal data.
- Right to Data Portability: Obtain a copy of their data in a usable format.
- Right to Correction: Fix inaccuracies in personal information.
- Right to Opt-Out: Decline processing for targeted advertising, sale of data, or profiling for significant decisions.
Notable requirement: Businesses must honor Universal Opt-Out Mechanisms (UOOMs) such as the Global Privacy Control (GPC) signal, aligning Maryland with stricter states like Colorado.
MODPA Requirements for Businesses & Data Controllers
Organizations subject to the Maryland data privacy law must implement several measures:
- Transparency: Publish clear, accessible privacy notices explaining data collection, purpose, and consumer rights.
- Consent for Sensitive Data: Obtain explicit opt-in consent before processing sensitive information, including precise geolocation, health details, and biometric data.
- Privacy Impact Assessments (PIAs): Required for activities involving high-risk processing, including profiling and targeted advertising.
- Data Minimization: Collect only what is necessary for stated purposes.
- Processor Contracts: Establish agreements that specify responsibilities and compliance obligations.
Maryland businesses must also remain aware of Maryland’s one-party consent law for recordings and the state’s data breach notification rules, which mandate timely disclosure after breaches.
Enforcement and Penalties under Maryland Privacy Law
Enforcement authority rests with the Attorney General, who provides compliance and penalty guidance through official Consumer Protection resources. There is no private right of action, so consumers cannot sue businesses directly for violations.
Penalties:
- Civil fines of up to $10,000 per violation, capped at $25,000 for repeat offenses in the same case.
- No permanent cure period is included, making proactive compliance critical.
How MODPA Compares to Other State Privacy Laws
Maryland’s MODPA is one of the most consumer-friendly laws in the U.S., featuring stricter data minimization requirements and mandatory PIAs for profiling—requirements not always present in states like Iowa or Utah. Businesses familiar with Colorado’s universal opt-out mandate will find similar obligations here.
For a multi-state compliance strategy, review our Colorado Privacy Act guide and Indiana CDPA analysis.
FAQ: Maryland Online Data Privacy Act
What companies are covered by the Maryland MODPA?
Businesses that process the personal data of 35,000+ Maryland residents, or of 10,000 residents if they derive 20%+ of their revenue from selling data.
How can Maryland residents exercise their privacy rights?
Through designated request methods detailed in privacy notices; businesses must respond within 45 days.
What are the required business practices under MODPA?
Publish transparent policies, conduct Privacy Impact Assessments, honor UOOMs, and secure consumer consent for sensitive data processing.
What are Privacy Impact Assessments (PIAs) under MODPA and when are they required?
PIAs evaluate risks of high-impact processing such as profiling and targeted ads; they are required before engaging in these activities.
How does MODPA address universal opt-out mechanisms (UOOMs)?
Businesses must recognize and honor signals like Global Privacy Control (GPC), allowing consumers to opt out via browser settings.
Final Thoughts
The Maryland Online Data Privacy Act introduces some of the strongest obligations in the U.S., particularly around data minimization and profiling risk assessments. With its effective date approaching, businesses should:
- Audit data practices and third-party vendor relationships.
- Update privacy notices and build opt-out workflows that recognize UOOMs.
- Prepare PIAs for high-risk activities.
For deeper reading, consult the Maryland General Assembly code for legal requirements, explore the Attorney General’s Consumer Protection resources for enforcement guidance, and use this Osano analysis for actionable compliance tips.
Disclaimer
This article is provided for informational purposes only and does not constitute legal advice. Reading this content does not create an attorney-client relationship. A qualified legal professional should be consulted for guidance specific to your organization’s situation and compliance obligations.