Maryland will soon have some of the strictest data protection and privacy requirements in the nation after the Maryland Online Data Privacy Act of 2024 (MODPA) was signed into law by Gov. Wes Moore last week. The law expands the scope of businesses’ personal data protection obligations and consumer privacy rights, offering protections that are aligned with contemporary concerns about data privacy and consumer autonomy.

The MODPA goes into effect Oct. 1, 2025 and has a cure period that extends through April 1, 2026. Most enforcement efforts will only apply to prospective actions occurring after the cure period ends.

Here's what businesses need to know about the law.

Who Must Comply with MODPA?

Individuals or businesses processing personal data, called “controllers,” are subject to MODPA if they:

• conduct business in Maryland; or
• produce services and products targeted to Maryland residents if, during the prior calendar year, they
• controlled or processed the personal data of at least 35,000 consumers (for a reason other than solely for the purpose of completing a payment transaction); or
• controlled or processed the personal data of 10,000 consumers and derive at least 20% of their gross revenue from the sale of personal data.

The MODPA does not apply to government agencies or any other business that are otherwise excluded under preemption if they are subject to federal certain federal privacy laws, such as HIPAA, FERPA and Gramm-Leach Bliley. MODPA does not apply to nonprofit businesses that handle personal data solely for the purposes of assisting (1) law enforcement agencies in investigating fraud or criminal acts or (2) first responders in responding to catastrophic events. The statute does not, however, provide a larger exemption for other nonprofit organizations operating in Maryland.

Important carveouts of MODPA include a definition of “consumer” that expressly excludes Maryland residents that are acting in a commercial or employment context. This means businesses are not subject to the law if they are handling personal information strictly in a business-to-business context. Similarly, employers do not have to extend privacy rights in the employment context. In the United States, only California’s Consumer Privacy Rights Act (CPRA) goes as far as extending its privacy protections to the employment context while the European Union’s General Data Protection Regulation and other international laws do extend privacy rights to employees and other workers.

What Data is Protected?

The MODPA protects the “personal data” and “sensitive data” of consumers. “Personal data” is defined as any information that is linked, or can reasonably be linked, to an identified or identifiable consumer, excluding de-identified data and publicly available information. “Sensitive data” expressly includes data revealing:

• racial, national, or ethnic origin;
• religious beliefs;
• sex life and consumer health data, including gender-affirming treatment, reproductive and sexual health care;
• sexual orientation and transgender or nonbinary status;
• citizenship or immigration status;
• genetic or biometric data;
• data that the controller knows or has reason to know belongs to a child; and
• precise geolocation data, excluding data this is contents of communications or data generated by, or connected to, a utility company or an advanced utility metering infrastructure system.

Notably, “biometric data” includes a fingerprint, a voiceprint, and eye retina or iris image, and any other unique biological characteristics that can be used to uniquely authenticate a consumer’s identity. However, biometric data expressly excludes a photograph, an audio or video recording, or any data generated from a photo, video, or audio recording, unless the data is generated to identify a specific consumer.

Consumer Privacy Rights

Applicable controllers will be required to recognize certain privacy rights for Marylanders, including the right to receive a privacy notice that is reasonably accessible, clear and meaningful. MODPA also requires that consumers be given clear methods for accessing, correcting, deleting, and opting out of controllers processing their personal data, especially in contexts like targeted advertising, the sale of personal data or profiling that could have significant effects on consumers. Marylanders also will have the right to challenge decisions being made based on their personal data or withdrawing consent to further data processing.

The Consumer Privacy Notice

The required privacy notice must outline what personal data is being collected, including any sensitive data, the reasons for its collection and how it will be used. It must also explain how consumers can exercise their privacy rights, Furthermore, the notice must disclose third parties with whom the data is shared, ensuring transparency about the nature of these disclosures. In addition, it should provide a direct way for consumers to contact the controller, typically through an email address or another online platform. This ensures consumers have the necessary information to manage their personal data effectively and understand their rights under the law.

MODPA also establishes a comprehensive and stringent data protection framework for all entities handling personal data. These requirements include:

• Data minimization, or limiting personal data collection to what is necessary and proportionate to maintain or provide the requested service;
• Establishing and maintaining robust administrative, technical and physical data security practices appropriate to the volume and nature of the personal data processed;
• Providing consumers with an effective and easy mechanism for consumers to revoke consent;
• Conducting and documenting regular data protection assessments for each of the controller’s processing activities that occur after Oct. 1, 2025 that present a heightened risk of harm to a consumer, like with the sale of personal data, use of sensitive personal data or using personal data in profiling consumers;
• Requiring controllers to enter into binding contracts with any processor (defined as a third party processing personal data on behalf of the controller), to require that the processor treat the personal data with confidentiality, adhere to outlined data processing instructions including processing scope and duration, flow-down data security requirement and cooperation with controller conducting data protection assessments;
• Prohibiting the handling of personal data solely for content personalization or marketing, without explicit consent from the consumers whose personal data is collected;
• Prohibiting the handling of sensitive data, unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer and the consumer provides consent;
• Prohibiting the processing of personal data for targeted advertising or the sale of such data for consumers who are known to be between 13 and 18 years old without consent; and
• Not discriminating against consumers exercising their privacy rights under the law, which includes not altering pricing or the quality of goods and services offered based on a consumer’s decision to allow personal data processing.

Enforcement

Enforcement of MODPA will be handled by the Division of Consumer Protection of the Office of the Attorney General under the framework of the Maryland Consumer Protection Act. Violations will be treated as unfair, abusive or deceptive trade practices, subjecting businesses to penalties such as fines of up to $10,000 per violation and up to $25,000 for each subsequent violation, injunctions, and potentially compensatory damages to consumers.

MODPA, however, expressly excludes any consumer private right of action. The attorney general’s office does have discretion, however, to first issue a notice of violation instead of moving straight to enforcement actions. As a part of its investigative power into MODPA compliance, the attorney general’s office can also require that controllers make available documentation of the required data protection assessments.

Next Steps for Businesses

While there is still some time before MODPA will go into effect or before businesses can be subject to enforcement activity for violations, businesses would be prudent to seek legal counsel without delay to begin assessing what changes, if any, need to be made to their consumer data privacy and protection practices to comply. Businesses that have already gone through similar compliance exercises for other comprehensive data privacy laws, like California’s CPRA or the EU’s GDPR, will have an easier path.

Stay tuned for future blog posts discussing other recently enacted state privacy legislation and how businesses operating nationally and internationally can balance the ever-growing landscape of data privacy compliance obligations.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

[View source.]