On May 9, 2024, Governor Wes Moore signed into law the Maryland Online Data Privacy Act of 2024 (“MODPA”). MODPA will take effect on October 1, 2025, but will not apply to personal data processing activities occurring before April 1, 2026. MODPA is the latest in a series of state data privacy laws that impose comprehensive obligations on businesses that collect, process, or sell personal data of consumers and otherwise meet certain jurisdictional thresholds.
While MODPA is generally similar to the nearly twenty other US state privacy laws in terms of its key definitions, consumer rights, and controller obligations, it has some unique thresholds and requirements that distinguish it from other state laws and will require many businesses and non-profit organizations to carefully re-evaluate their privacy compliance practices.
Jurisdictional Thresholds that are Lower than Most Other States
MODPA applies to entities that conduct business in Maryland or target Maryland residents with their products or services, and that either (A) control or process the personal data of at least 35,000 consumers, or (B) control or process the personal data of at least 10,000 consumers and derive more than 20% of gross revenue from the sale of personal data.
Because MODPA’s thresholds are generally lower than most other states, entities that have thus far avoided compliance with other state comprehensive privacy laws may need to comply with MODPA. For instance, Maryland’s 20% gross revenue requirement is generally lower than the counterpart threshold levels found in other US state privacy laws. And while Maryland's low numeric threshold generally aligns with the threshold established in Delaware’s Personal Data Privacy Act, Maryland’s population is nearly six times larger than the population of Delaware.
Exceptions
MODPA does not apply to individuals in commercial or employment contexts, and it exempts certain governmental entities and types of data, such as data subject to HIPAA, financial institutions under the Gramm-Leach-Bliley Act, and data used for certain research and public health purposes. Unlike some other state laws, MODPA does not include an entity-level exemption for higher education institutions or HIPAA-covered entities.
With the passage of MODPA, Maryland joins a growing group of states (including New Jersey, Colorado, Delaware, and Oregon) who have chosen not to include a broad exemption for nonprofit organizations under their respective state privacy laws. Under MODPA, only nonprofit organizations that process or share personal data to assist law enforcement or first responders are exempt.
Consumer Rights
MODPA grants consumers the right to confirm if their data is being processed, access their data, correct inaccuracies, delete their data, obtain a copy of their data, and opt out of certain processing activities, such as targeted advertising, the sale of personal data, or profiling. When a consumer invokes one of their rights under MODPA, the applicable controller must respond to the consumer’s request within 45 days, with a possible extension of an additional 45 days.
Notably, however, when a consumer revokes consent for a controller to process their data, MODPA requires the controller to stop processing the consumer’s data as soon as possible, but in no event later than 30 days after revocation of consent. This 30-day requirement is unique to MODPA among the US state privacy laws.
Heightened Data Minimization Standards and Other Restrictions on Controllers
MODPA requires controllers to adhere to data minimization principles that are more restrictive than those in other states that have adopted comprehensive privacy laws, and possibly even more restrictive than data minimization principles established in the European Union under the General Data Protection Regulation. Consistent with other state laws that include data minimization requirements, controllers subject to MODPA can only collect personal data that is “reasonably necessary and proportionate” for the requested service or product. But controllers may not process sensitive data concerning consumers, even if the consumer has consented to that processing, unless it is “strictly necessary” to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains. Moreover, MODPA defines “sensitive data” broadly to include racial, ethnic, religious, health, sexual orientation, transgender or nonbinary status, national origin, citizenship status, genetic and biometric data, children's data, and precise geolocation data. These rigorous standards will have implications for entities that wish to, for example, collect and process geolocation data or data that reveals a consumer’s race or ethnicity, but may not meet the “strictly necessary” standard. Unfortunately, MODPA does not provide any additional guidance as to the meaning of “reasonably necessary and proportionate” or “strictly necessary,” for data minimization purposes. Affected entities will thus need to carefully track how Maryland state regulators and courts define those key phrases in the context of MODPA.
Other MODPA restrictions include prohibitions on the sale of personal data, as well as the use of personal data for targeted advertising, if the consumer is under 18 years old. Controllers are likewise prohibited from selling sensitive data or using it for targeted advertising.
Controllers must also post privacy policies and conduct data privacy impact assessments and are prohibited from discriminating against consumers who exercise their rights under MODPA.
Enforcement
MODPA will be enforced by the Maryland Division of Consumer Protection under the Attorney General (“Division”), and violations will be treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act. Notably, MODPA does not provide a specific private right of action for consumers, but instead allows the Division to issue a notice of violation, subject to at least a 60-day cure period before an enforcement action is initiated. Given the comparatively low thresholds and strict nature of some of MODPA’s provisions, many entities will likely need to lean on the 60-day cure period.
Next Steps
While this alert flags many of the most critical aspects of MODPA, there are other important nuances that may affect your organization.
