

What to Know About Maryland's Consumer Data Privacy Act
BY COLLEEN M. ARACRI, ESQ.
The Maryland Online Data Privacy Act of 2024 (MODPA) represents a significant step in the state’s approach to consumer data protection. While Maryland’s privacy law aligns with several existing state privacy frameworks, it imposes additional restrictions that warrant close attention from businesses and legal practitioners alike. MODPA would take effect on October 1, 2025; however, it will not “have any effect on or application to any personal data processing activities before April 1, 2026.”
For Maryland attorneys advising businesses, compliance with MODPA will require proactive steps to align data collection, processing, and protection measures with the new law’s provisions.
Scope and Applicability of MODPA
MODPA applies to any entity or person who conducts business in Maryland or provides services or products targeted to Maryland residents and who, during the immediately preceding calendar year, either (1) controlled or processed the personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (2) controlled or processed the personal data of at least 10,000 Maryland consumers and derived more than 20% of its gross revenue from the sale of personal data.
MODPA’s applicability thresholds are significantly lower than those of most other state consumer privacy laws. MODPA defines personal data as information that is connected or reasonably connectable to an identified or identifiable individual, excluding de-identified data and publicly available information.
Certain entities, such as state agencies, nonprofit organizations assisting in law enforcement investigations, and institutions regulated by federal laws such as HIPAA and the Gramm-Leach-Bliley Act, are exempt from MODPA’s requirements. However, businesses outside these exemptions must prepare for compliance to avoid potential penalties.
Key Provisions of MODPA
MODPA introduces robust consumer rights, restrictions on data processing, and enhanced compliance obligations.
Maryland residents will have several rights over their personal data, including the ability to access information on whether a business processes their personal data, request corrections to inaccurate personal data, delete their personal data, and obtain a copy of their personal data in a portable, machine-readable format.
Consumers will also have the right to opt out of targeted advertising, profiling, and the sale of personal data. Businesses must establish mechanisms to process and respond to consumer requests within 45 days, with a possible extension of another 45 days if necessary.
MODPA imposes strict data minimization and purpose limitation requirements. Businesses may only collect, process, and store personal data that is necessary and proportionate to provide a requested product or service. Any additional use of personal data beyond the original purpose requires explicit consumer consent. These provisions will require businesses to reevaluate their data collection practices and limit unnecessary data storage.
The law introduces heightened protections for sensitive personal data, which includes race, ethnicity, religious beliefs, sexual orientation, gender identity, citizenship status, consumer health data, precise geolocation data within 1,750 feet, and biometric and genetic data. Businesses cannot process sensitive data even with consumer consent unless it is strictly necessary to fulfill a specific consumer request.
MODPA prohibits businesses from selling personal data or using it for targeted advertising for consumers under 18 years old. This provision exceeds the protections under federal laws such as the Children’s Online Privacy Protection Act, which primarily focuses on children under thirteen. Additionally, the law includes a unique restriction on geofencing, prohibiting businesses from using geolocation data to track consumers within 1,750 feet of healthcare facilities related to reproductive, sexual, or mental health.
MODPA incorporates entity-level and data-level exemptions to its regulations. At the entity level, exemptions cover administrative, advisory, regulatory, executive, appointive, legislative, or judicial bodies or instrumentalities of the state of Maryland, nonprofit organizations aiding law enforcement investigations, national securities associations under the Securities Exchange Act of 1934 or registered futures associations under the Commodity Exchange Act, and financial institutions regulated by the Gramm-Leach-Bliley Act. Moreover, MODPA’s data-level exemptions align with federal laws like HIPAA, the Common Rule, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, and others.
Businesses must provide clear and accessible privacy notices that include the categories of personal data collected and processed, the purpose of data processing, consumer rights and how to exercise them, the categories of third parties with whom data is shared, whether personal data is used for targeted advertising or profiling, and an easy-to-use opt-out mechanism for data sales and advertising. Additionally, MODPA requires businesses to recognize global opt-out signals, such as the Global Privacy Control, by October 25, 2025.
MODPA will be enforced by the Maryland Attorney General, treating violations as unfair or deceptive trade practices under the Maryland Consumer Protection Act. In cases involving violations that occur up to April 1, 2027, the attorney general can issue a notice allowing a 60-day window for remediation. Failure to address the issue within this period may lead to enforcement action by the attorney general. Penalties for violations can reach $10,000 per incident and up to $25,000 for repeat offenses.
Compliance Strategies for Businesses
With MODPA’s effective date approaching, Maryland attorneys should advise clients to take several steps to ensure compliance. Businesses should conduct a thorough audit of their data collection and processing practices to determine what personal data they collect, how the data is processed and shared, and whether data processing aligns with the new data minimization and purpose limitation requirements.

Privacy policies should be updated to meet MODPA’s disclosure requirements and provide transparent opt-out mechanisms for consumers. Businesses must also develop internal processes to verify and respond to consumer requests within forty-five days, recognize and honor global opt-out signals, and ensure consumers can easily correct, delete, or obtain their data. Given MODPA’s prohibition on the sale and unnecessary processing of sensitive data, businesses should identify and segregate sensitive data and limit processing strictly to consumer-requested services.
Since MODPA emphasizes data security, businesses should implement technical and administrative safeguards to protect consumer data and establish vendor contracts that require third parties to adhere to Maryland’s privacy standards. Legal teams should educate employees on the requirements of MODPA, particularly those handling consumer data and privacy-related inquiries.
Looking Ahead
With MODPA set to take effect on October 1, 2025, Maryland attorneys must prepare their clients for compliance with this comprehensive privacy law. By focusing on data minimization, consumer rights, and enhanced privacy practices, businesses can navigate MODPA’s requirements effectively and mitigate enforcement risks. The evolving privacy landscape requires ongoing legal guidance, ensuring that businesses comply with the law while fostering consumer trust through responsible data practices. For Maryland attorneys, staying ahead of these regulatory changes will be crucial in advising clients on best practices and helping them avoid costly penalties in the years to come.