What Makes the Maryland Online Data Privacy Act (MODPA) Different?

Osano

Maryland recently joined the growing number of states enacting comprehensive consumer data privacy laws with the passage of the Maryland Online Data Privacy Act (MODPA).  

Despite similarities with several other state laws–including role definitions and exemptions for certain types of businesses and data–the MODPA is not a carbon copy of other state laws. Most significantly, it has a broad scope with lower application thresholds than most other state regulations. As a result, organizations that already follow the data privacy laws of other states will need to carefully evaluate their data processing activities to ensure compliance with the Maryland law.

Additionally, the MODPA features a different standard of data minimization relative to other state data privacy laws. Interestingly, the law has stringent requirements on a range of processing activities regardless of consumer consent. This move aligns with a growing sentiment that transparency and consent are not adequate to provide the highest level of privacy since many people do not have time to read notices.  

What Is the Maryland Online Data Privacy Act? 

The MODPA gives Maryland residents more control over how companies collect and use their personal data online. With an effective date of October 1, 2025, the new law establishes data protection rights and requires companies that track or target the state’s residents to meet stricter requirements around data collection—especially related to data minimization, consent, universal opt-out mechanisms, sensitive data, and children’s data. However, MODPA will not apply to companies’ data processing activities until April 1st, 2026.  

While it is an opt-out law (meaning consumers have the right to opt out of processing data for certain purposes), Maryland’s privacy act is already known in the data privacy world as more stringent than many other state laws.

Difference #1: Who Must Comply With the Maryland Privacy Law 

Maryland’s privacy law applies to anyone who conducts business in the state, as well as those who provide services or products targeted to residents of Maryland, and who during the prior calendar year either:

  • Controlled or processed the personal data of at least 35,000 consumers, with the exception of personal data collected or processed solely for completing a payment transaction, or:  
  • Controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data.  

Notably, the threshold for applicability, both in terms of the number of consumers and the amount of revenue earned from the sale of data, is lower than in other states. Because 35,000 consumers is a smaller percentage (0.56%) of Maryland’s population than the thresholds in other states are of their populations, the law will likely apply to more companies doing business in Maryland than in states such as Colorado (with a threshold percentage of 1.72%), Oregon (2.35%), or its neighbor, Delaware (3.43%).

Despite the broader scope, Maryland follows other state laws in its definition of controllers and processors. A controller is a person who determines the purpose and means of processing personal data–either alone or jointly with others. A processor is a person that processes personal data on behalf of a controller.   

It also has exemptions similar to those in other laws, including state and local agencies, courts, and certain types of businesses subject to related federal laws. Certain data is exempt from MODPA requirements, including specified health and financial data.

Difference #2: MODPA’s Requirements of Controllers 

With controller requirements and restrictions, the MODPA gets tricky. It differs from other state laws in a few key areas.  

In Maryland, controllers are restricted from the collection, processing, and sharing of sensitive data, except where it’s strictly necessary to provide or maintain a specific product or service requested by the consumer.  

What’s more, controllers are banned altogether from selling sensitive data, which is defined as data that reveals: 

  • Racial or ethnic origin. 
  • Religious beliefs.  
  • Consumer health data.  
  • Sex life.  
  • Sexual orientation.  
  • Status as transgender or nonbinary.
  • National origin.  
  • Citizenship or immigration status. 

Sensitive data also comprises genetic data or biometric data, personal data of a consumer the controller knows to be a child, and precise geolocation data.   

Controllers are not allowed to: 

  • Process personal data in violation of state or federal laws that prohibit unlawful discrimination. 
  • Discriminate against a consumer for exercising their rights. 
  • Collect, process, or transfer personal data or publicly available data in a way that unlawfully discriminates or makes unavailable the equal enjoyment of goods or services based on race, color, religion, national origin, sex, sexual orientation, gender identity, or disability, unless it meets certain exemption requirements. 

Related to processing the data of children, controllers cannot process or sell the personal data of a consumer for targeted advertising if the consumer is under the age of 18 and the controller “knew or should have known” the consumer’s age.

In addition to the laundry list of restrictions, controllers are required to:  

  • Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer. 
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. 
  • Provide an effective mechanism for a consumer to revoke consent that is at least as easy as the mechanism by which the consumer provided consent. 

They also must provide consumers with a privacy notice that outlines their collection practices, provides an active email address or other online mechanism consumers can use to contact the controller, and discloses certain processing activities. 

Difference #3: Privacy Impact Assessments 

Maryland’s privacy act requires controllers to conduct privacy impact assessments on a regular basis for each data activity that presents a heightened risk of harm to a consumer, “including an assessment for each algorithm that is used.” This is an example of another industry best practice in the U.S. becoming a legal requirement. Companies that have not yet come across this practice will now need to incorporate it into their data privacy practices to ensure compliance in Maryland.

Activities that present a heightened risk of harm are defined as:

  • Processing personal data for targeted advertising or selling personal data.  
  • Processing sensitive data.  
  • Processing data if there’s a risk of unfair, abusive, or deceptive treatment or if it will have an unlawful disparate impact or cause financial, physical, reputational, or other substantial injury to a consumer.
  • Any activity that intrudes on the solitude or seclusion of a consumer. 

MODPA outlines specific requirements and factors to consider in the assessment, such as the company’s use of de-identified data, reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer. 

Notably, these assessments only apply to processing activities that occur on or after October 1, 2025.  

Difference #4: The Penalties for Violating the MODPA Are Much Steeper  

A violation of the bill is considered an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA). 

There is a cure period of 60 days, during which controllers and processors may have the opportunity to cure the violation before the state takes action. The operative word is may. The Office of the Attorney General must first determine if a cure is possible by taking into consideration factors such as the number of violations, the size and complexity of the controller or processor, the likelihood of injury to the public, and other determinants. The cure period sunsets April 1, 2027.

The Maryland Office of the Attorney General's Consumer Protection Division enforces the MCPA, which has fines of up to $10,000 per violation or $25,000 for each repetition of the same violation. Violators of the MCPA can also face criminal penalties, including a misdemeanor conviction resulting in a fine up to $1,000 and/or imprisonment up to one year, in addition to any civil penalties. The penalties are significantly higher than in other state laws, which have steadily been approved with penalties of $7,500 per violation. Though the MODPA becomes effective on October 1, 2025, it will not apply to personal data processing activities that would invoke these penalties before April 1, 2026.

What’s Similar: Consumer Data Rights Provided by the MODPA 

Consumer rights provided by Maryland’s privacy law are on track with other state laws. The MODPA grants consumers the rights to:

  • Confirm whether a controller is processing their personal data.  
  • Access personal data collected. 
  • Correct inaccuracies in their personal data. 
  • Obtain a copy of the personal data in a portable and readily usable format that provides easy transmission to another controller.  
  • Obtain a list of the categories of third parties to which the controller has disclosed their personal data or a list of third parties to which the controller has disclosed personal data “if the controller does not maintain this information in a format specific to the consumer.” 
  • Opt out of the processing of personal data for targeted advertising; the sale of personal data; or profiling, if the data is used to make decisions that produce legal or other significant effects.

Delaware and Oregon also allow consumers to obtain a list of third parties or third-party categories to which their data was disclosed. Maryland’s law differs slightly in that if a controller does not maintain that information in a format specific to the consumer, they can get a list of categories of third parties to which the controller has disclosed any consumer’s personal data. 

Compliance With the Maryland Online Data Privacy Act 

Compliance with the MODPA may require significant effort from companies, particularly if they’re new to the data privacy law realm.  

Because the law has strict data minimization requirements, restrictions around sensitive data and children’s data, mandated privacy impact assessments, and hefty penalties for violations, it’s critical to start planning for its effective date now. Even organizations that have implemented compliance programs for other state laws need to carefully review their data practices against these specific provisions. 

Investing in a comprehensive compliance solution, like Osano’s data privacy platform, can help efficiently implement consumer privacy rights, consumers’ consent preferences, and more.

Frequently Asked Questions 

What Is the Maryland Online Data Privacy Act’s Effective Date?  

The MODPA takes effect October 1, 2025, and will apply to personal data processing activities after April 1, 2026. 

What Does the MODPA Say About Universal Opt-Out Mechanisms (UOOMs)?  

Companies have two options to comply with the law. The first is to include a clear and conspicuous link on their website that allows consumers to opt out of the sale of personal data or targeted advertising. The second option is to allow consumers to opt out of targeted advertising and the sale of their personal data through a universal opt-out preference signal by Oct. 1, 2025.

What Are the Penalties for Violating the Maryland Data Privacy Act?  

Violations can result in fees up to $10,000 per violation, with repeated violations potentially incurring fees up to $25,000 per violation. 

Does the MODPA Include a Cure Period?  

There is a limited right-to-cure period that sunsets April 1, 2027. However, the Attorney General is tasked with considering if a violation can be cured and whether to provide the cure period.

Written by:

Osano