Maryland Online Data Privacy Act
The Maryland Online Data Privacy Act (MODPA) was passed by the legislature on April 6, 2024, and went into effect October 1, 2025. The law sets a high bar for privacy protections with a scoping threshold equal to just .56% of the state’s population, few entity-level exemptions, a ban on processing sensitive personal information unless strictly necessary, protections for minors up to age 18, and unique minimization and data protection assessment obligations.
What you need to know about the MODPA:
MODPA applies to entities that:
- Conduct business or provides products or services to residents of Maryland (consumers), and
- During the preceding calendar year controlled or processed the PI of either:
- 35,000 unique residents, excluding PI solely used for completing payment transactions; or
- 10,000 unique residents and derived at least 20% of gross revenue from the sale of PI.
Exempt Entities Include:
- State government entities;
- Non-profits that process data solely for
- Assisting law enforcement investigating insurance fraud; or
- Assisting first responders in responding to catastrophic events.
- GLBA-covered entities;
- National securities associations that are registered under the SEC Act or registered futures associations under the Commodity Exchange Act.
Exempt Data: MODPA exempts a long list of personal information, including but not limited to:
- Protected Health Information under HIPAA;
- Data collected by or for certain insurance companies;
- GLBA-covered data;
- Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
- Various forms of credit data regulated by the Fair Credit Reporting Act; and
- Data covered by a wide variety of other federal laws including Family Educational Rights, Farm Credit Act, and Privacy Act, and Driver’s Privacy Protection Act.
Exempt Use Cases: The MODPA is not applicable in some circumstances, such as:
- Processing PI in an employment or commercial (B2B) context;
- Processing PI for emergency contact purposes; and
- Processing PI of another individual in relation to the provision of benefits.
In addition, MODPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:
- Product recalls;
- Identifying and repairing technical errors that impair existing or intended functionality; and
- Performing internal operations.
Key Components of MODPA
MODPA covers “personal data,” also called personal information or PI, which it defines as: “any information that is linked or reasonably linkable to an identified or identifiable individual.”
The definition exempts de-identified information and information made publicly available by government records, the media, or the consumer.
MODPA’s definition of sensitive PI consists of
- Racial or ethnic origin;
- Consumer Health Data (new trend)
- Any PI used to identify a consumer’s physical or mental health status, including gender affirming treatment or reproductive/sexual health care.
- Religious beliefs;
- Sex life or sexual orientation;
- Status as transgender or nonbinary;
- National origin
- Citizenship or immigration status;
- PI about a known child;
- Precise geolocation data; and
- Genetic or biometric data.
MODPA bans the processing or selling the personal data of a consumer where the controller knows, or should know, that the consumer is under the age of 18 for the purposes of targeted advertising.
Additionally, the law bans the collecting, processing, or sharing sensitive personal information—including information collected from a known child—unless the processing is strictly necessary to provide or maintain a specific product or service requested by the consumer.
Where a controller processes de-identified data, MODPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with MODPA by not re-identifying the data.
Unlike many other state privacy laws, MODPA does not differentiate between de-identified and pseudonymous data. The impact of this is unknown.
Maryland goes a step further than requiring consent for processing sensitive PI, banning the collection, processing, or sharing of sensitive PI unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.”
Maryland bans the sale of sensitive PI and the sale of PI of those under 18, however, the definition of sale could be read to add a consent exception. “Sale” excludes the disclosure of PI at the consumer’s direction. The practical application of this is arguably that consent is received as a form of “direction” by the consumer, though the rules on data minimization (see below) may still apply.
Additionally, where processing is not necessary or compatible with the purpose for collection, organizations must obtain consumers’ consent for the processing.
A privacy notice must include:
- Categories of PI processed, including sensitive PI;
- Purpose for processing PI;
- The categories of third parties with which PI is shared (at a level of detail that enables consumers to understand the business model or processing conducted by each);
- The categories of PI shared with third parties, including sensitive PI;
- The methods for a consumer to exercise their rights (see below), revoke consent, and appeal a decision on their rights request;
- An active email address or other electronic method for a consumer to contact the company.
Maryland defines ‘sale’ to include exchange for monetary or other valuable consideration.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to a third party to provide a product or service requested by the consumer, where the consumer directs the controller to disclose the PI, disclosures to processors for limited purposes; the disclosure of PI to an affiliate, the disclosure of PI that had been intentionally made available to the public, and the disclosure of PI as part of a merger or bankruptcy.
The Maryland Attorney General (AG), via the Division of Consumer Protection, has sole enforcement authority. Under MODPA the AG has discretion to decide whether to provide a 60-day cure period and an opportunity for the business to cure the alleged violation(s), which sunsets April 1, 2027. Penalties may include injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $10,000 for initial violations and up to $25,000 for each repeat violation.
Privacy Rights
The privacy rights created under MODPA generally align with those provided under other state laws. If the MODPA law applies to your business, you must allow consumers to:
- Right to know whether a business is processing your PI;
- Right to access PI;
- Right to correct inaccuracies in PI;
- Right to delete PI about them;
- Right to obtain a copy of PI (data portability);
- Obtain a list of categories of third parties to which the controller has either:
- Disclosed the consumer’s PI, or
- Disclosed any consumer PI if the controller does not maintain this information in a format specific to the consumer.
- Right to opt out of the sale of PI, processing for targeted advertising, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
Maryland requires that businesses respond to individual rights requests within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once a year. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.
The appeals process must be conspicuously available to consumers and similar to the process for submitting an initial privacy rights request. In Maryland, businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide an online mechanism for the consumer to contact the AG to submit a complaint.
Universal Opt Out
It is unclear whether MODPA requires controllers to recognize universal opt-out signals. The law appears to make it optional, however, there is some belief this was a drafting error and that it may be intended to be required. Universal opt-out, or global privacy control, is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their PI, to websites through their web browser or other technologies.
Privacy Impact Assessments
Maryland requires that covered organizations conduct data protection impact assessments, or privacy impact assessments (PIAs), for certain high-risk processing.
MODPA requires assessments for processing that presents a heightened risk of harm, including:
- Use of algorithms;
- Processing for targeted advertising;
- Processing sensitive data;
- Selling PI;
- Processing for the purpose of profiling if it presents a ‘reasonably foreseeable risk’ of
- Unfair or deceptive treatment of unlawful disparate impact on consumers;
- Financial, physical, or reputational injury to consumers;
- Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
- Other substantial injury.
Vendor Contracts
Maryland requires that organizations have a contract in place with vendors that dictates obligations with respect to processing PI. Contracts must include:
- Instructions for processing PI;
- The nature and purpose of processing;
- Type of data that is subject to processing;
- The duration of processing;
- The rights and obligations of both parties;
- A duty of confidentiality for individuals who process the PI;
- Obligation to establish, implement, and maintain data security practices that protect the confidentiality, integrity, and accessibility of personal information;
- Obligation to stop processing PI at the request of the controller due to a consumer’s authenticated request;
- Obligation to delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law;
- Obligation to make available all information necessary to demonstrate the vendor’s compliance with its obligations;
- Compliance with audits by the controller or independent auditor;
- Provide the opportunity for the controller to object to any sub-processors; and
- Pass along the same obligations to any subcontractors in a written contract.
Data Minimization
MODPA limits the collection of PI “to what is adequate, relevant and reasonably necessary to provide or maintain a product or service requested by the consumer to whom the data pertains.” This sets a higher bar than other state laws in that most require collection be limited to the purpose listed in the privacy notice, not limited to the purpose of providing a requested product or service.
Additionally, the collection of sensitive PI must be limited to scenarios where it is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.
Data Privacy is Just Good Business
Managing privacy compliance with all these new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.
