Maryland Online Data Privacy Act

What you need to know about the MODPA:

To Whom Does MODPA Apply?

MODPA applies to entities that:

  1. Conduct business or provides products or services to residents of Maryland (consumers), and
  2. During the preceding calendar year controlled or processed the PI of either:
    1. 35,000 unique residents, excluding PI solely used for completing payment transactions; or
    2. 10,000 unique residents and derived at least 20% of gross revenue from the sale of PI.
When Does MODPA NOT Apply?

Exempt Entities: Exempt entities include:

  • State government entities;
  • Non-profits that process data solely for
    • Assisting law enforcement investigating insurance fraud; or
    • Assisting first responders in responding to catastrophic events.
  • GLBA-covered entities;
  • National securities associations that are registered under the SEC Act or registered futures associations under the Commodity Exchange Act.

Exempt Data:  MODPA exempts a long list of personal information, including but not limited to:

  • Protected Health Information under HIPAA;
  • Data collected by or for certain insurance companies;
  • GLBA-covered data;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the Fair Credit Reporting Act; and
  • Data covered by a wide variety of other federal laws including Family Educational Rights, Farm Credit Act, and Privacy Act, and Driver’s Privacy Protection Act.

Exempt Use Cases: The TMODPA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context;
  • Processing PI for emergency contact purposes; and
  • Processing PI of another individual in relation to the provision of benefits.

In addition, MODPA specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of MODPA

What Constitutes Personal Information under MODPA?

MODPA covers “personal data,” also called personal information or PI, which it defines as: “any information that is linked or reasonably linkable to an identified or identifiable individual.”

The definition exempts de-identified information and information made publicly available by government records, the media, or the consumer. However, like Oregon pseudonymous data is not excluded. Therefore, pseudonymization practices, the separating of data from additional information needed to make it identifiable to a specific individual and subjecting it to appropriate technical and organizational measures to ensure it remains unable to be attributed to an identified or identifiable individual, are insufficient and said data is covered as PI.

What Constitutes Sensitive PI?

MODPA’s definition of sensitive PI consists of

  • Racial or ethnic origin;
  • Consumer Health Data (new trend)
    • Any PI used to identify a consumer’s physical or mental health status, including gender affirming treatment or reproductive/sexual health care.
  • Religious beliefs;
  • Sex life or sexual orientation;
  • Status as transgender or nonbinary;
  • National origin
  • Citizenship or immigration status;
  • PI about a known child;
  • Precise geolocation data; and
  • Genetic or biometric data.
Any Other Categories of Data I Should Think About?

Where a controller processes de-identified information/data, MODPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with MODPA by not re-identifying the data.

MODPA does not address pseudonymous data, as described above. The impact of this is unknown and will depend on an organization’s business practices.

Is Consent Needed to Process Sensitive PI?

Instead of requiring consent, Maryland bans the collection, processing, or sharing of sensitive PI unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” The goal of which is to limit the opportunities for businesses to collect sensitive PI at all.

Is Consent Needed for Any Other Processing?

Maryland bans the sale of sensitive PI and the sale of PI of those under 18, however, the definition of sale could be read to add a consent exception. “Sale” excludes the disclosure of PI at the consumers direction. The practical application of this is arguably that consent is received as a form of “direction” by the consumer, though the rules on data minimization (see below) may still apply.

There is also an argument that there’s a consent requirement related to targeted advertising to minors under 18, albeit a far weaker one. This is because “targeted advertising” excludes such ads directed to a consumer in response to the consumer’s “request for information or feedback.” An argument could be that by requesting information about a product or service, the consumer (under 18) is essentially consenting to targeted advertising where the information is given as part of an advertisement. This is a nebulous argument and far weaker than the one for sale of sensitive PI.


What Needs to Be Included in the Privacy Notice?

A privacy notice must include:

  • Categories of PI processed, including sensitive PI;
  • Purpose for processing PI;
  • The categories of third parties with which PI is shared (at a level of detail that enables consumers to understand the business model or processing conducted by each);
  • The categories of PI shared with third parties, including sensitive PI;
  • The methods for a consumer to exercise their rights (see below), revoke consent, and appeal a decision on their rights request;
  • An active email address or other electronic method for a consumer to contact the company.
What Constitutes “Sale” of PI?

Maryland defines ‘sale’ to include exchange for monetary or other valuable consideration.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to a third party to provide a product or service requested by the consumer, disclosures to processors for limited purposes; the disclosure of PI to an affiliate, the disclosure of PI that had been intentionally made available to the public, and the disclosure of PI as part of a merger or bankruptcy.

How Will MODPA Be Enforced?

The Maryland Attorney General (AG), via the Division of Consumer Protection, has sole enforcement authority. Under MODPA the AG has discretion to decide whether to provide a 60-day cure period and an opportunity for the business to cure the alleged violation(s), which sunsets April 1, 2027. Penalties may include injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $10,000 for initial violations and up to $25,000 for each repeat violation.

Data Privacy is Just Good Business