While many states have passed privacy laws, Maryland’s approach stands out for its focus on consumer benefit. Karan Manohar and Gia Grimm of Joseph, Greenwald & Laake break down how MODPA narrows justifiable reasons for data collection, prohibits the sale of sensitive information related to race, religion and sexual orientation except when strictly necessary and gives consumers new rights to correct inaccuracies and opt out of AI-driven profiling.
The Maryland Online Data Privacy Act (MODPA), effective as of Oct. 1 and enforceable beginning April 2026, marks a significant development in consumer data privacy regulation for businesses and consumers. MODPA strengthens consumers’ privacy rights and requires qualifying businesses operating in Maryland to responsibly manage and safeguard sensitive consumer data.
Maryland’s new law is a major step in the evolution of consumer data protection, giving the state’s residents clear enforceable rights while imposing obligations on businesses that are, in some cases, the most expansive in the nation.
MODPA’s requirements
MODPA is a comprehensive state privacy law that regulates how businesses collect, process, use and share personal data of Maryland residents. MODPA went into effect Oct. 1 but only applies to companies’ personal data processing activities occurring after April 2026. The six-month delay is to provide businesses with a grace period to review and adjust their data practices, ensuring a smoother transition for compliance with MODPA.
Businesses that operate within Maryland or target Maryland residents must comply with MODPA if they process the personal data of either (1) at least 35,000 Maryland residents annually or (2) at least 10,000 Maryland residents while deriving more than 20% of their gross revenue from the sale of personal data. For example, businesses that engage in e-commerce and retailers that collect names, addresses and payment information would need to comply with MODPA. Subscription services businesses like streaming platforms that keep consumer login, billing or preference details must also comply with MODPA. Certain entities are exempt from complying with MODPA, including state entities or instrumentalities, registered national security associations and nonprofit bodies that share personal data to aid enforcement agencies with responding to emergencies or catastrophic events.
Once a business falls within MODPA’s scope, the law regulates how it collects, processes, uses and shares personal data. In doing so, companies must adhere to MODPA’s framework to protect against the improper processing of personal data.
Under MODPA, personal data refers to any information that can be “linked or reasonably linked to an identified or identifiable consumer.” Examples of personal data include information relating to an individual’s address, email information or cookie ID. In contrast, publicly available information, including a government report lawfully released to the public, is not protected under MODPA.
Additionally, in order to adequately safeguard against the improper processing of personal data, companies should alter their data processing practices to ensure that the data collection remains proportional to the intended purpose and obtain clear, affirmative consent from consumers before using their personal data for any purpose beyond those initially disclosed.
The expansion of consumer rights under MODPA
Under MODPA, a consumer is any individual who is a resident of Maryland, excluding persons acting in a commercial or employment context. Further, any individual who acts as an employee, owner or director of a business entity is also excluded from qualifying as a consumer under MODPA.
MODPA also establishes affirmative rights for consumers. Affirmative rights mean that consumers will have more control over how their personal data is used, processed and maintained. For example, under MODPA, consumers can now request copies of their personal data and ask that businesses delete it unless retention of that data is legally required.
Consumers also now have the right to correct inaccuracies within their personal data and can opt out of having their personal data processed and used for targeted advertising. This means that consumers can refuse to permit companies to use their personal information to show them targeted ads based on their browsing history, interests or other personal data. Consumers can also opt out of AI-driven profiling. This is particularly important because it helps give consumers transparency and control over how automated systems use their personal data and allows them to assert their privacy rights against potential biases that exist within automated systems.
How MODPA compares to current state privacy laws
MODPA differs from other state privacy laws in a few ways. First, before MODPA, Maryland followed industry standards regarding data minimization, which allowed businesses to collect data that was “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected.” This industry standard is considered permissive because it allows companies to collect data for any disclosed purpose as long as they tell consumers about that purpose and how the collection is necessary for it. In practice, under most state laws, an online retailer could get away with collecting all location data that is designed to improve customer experience. With MODPA, however, the standard for data minimization has become stricter: data collection must be “reasonably necessary and proportionate to maintain or provide a product or service requested by the consumer.”
MODPA requires the purpose for the data collection to be related to the consumer-requested product, thereby narrowing the potentially justifiable reasons for data collection. Under this law, that same online retailer from above would need to show that the personal data being collected relates to the product or service the consumer initially sought from the retailer. In other words, MODPA no longer allows companies to process unlimited data for their own intended purposes and instead focuses on providing data collection as a service to benefit consumers.
MODPA also provides stronger protection of children’s data in comparison to other state privacy laws. MODPA, like many other state privacy laws, prohibits the sale of children’s personal information. However, MODPA goes a step further, expanding a business’s potential liability and stating that the obligations imposed by the statute apply when a company “knows or should have reasonably known that a consumer is under 18.” MODPA also bans targeted advertising toward children. This approach is more aggressive than the current industry standard, which requires companies to have actual knowledge of a minor’s age, as opposed to constructive knowledge.
MODPA defines consumer health data as any personal data used to identify a consumer’s physical or mental health status and includes “gender-affirming care treatment or reproductive or sexual health care.” MODPA also includes unique and innovative provisions to protect consumer health data. For example, MODPA restricts geofence use within 1,750 feet of mental, sexual or reproductive health facilities to prevent the tracking of consumer health data.
Connecticut and Washington have also passed similar provisions that restrict the use of geofences for tracking consumer health data. MODPA also limits access to consumer health data by allowing only employees or contractors with a duty of confidentiality to handle such information. This approach is similar to Washington’s My Health My Data Act in defining and protecting consumer health data, but MODPA goes a step further because it also applies the broad protection of consumer health data to include a “consumer’s health status with no requirement of a condition or diagnosis.”
How can businesses prepare for MODPA?
Given the comprehensive nature of MODPA’s reforms for consumers, it is critical that businesses prepare now. Businesses should first determine if they are governed by MODPA, and if so, establish an implementation plan to comply with MODPA’s requirements before enforcement begins April 1, 2026.
As a result of MODPA going into effect:
- Businesses are now limited to collecting only data that is “strictly necessary.” Although “strictly necessary” is not defined, MODPA states that data collected must be proportional to what is needed to maintain a specific product or service requested by the consumer.
- Businesses are required to notify consumers if the usage or sharing of their consumer data changes. The notification must be in a manner that enables consumers to access, correct, delete or opt out of the new use of their personal data.
- Businesses must update their privacy risk assessments regarding sensitive protected information processes to comply with MODPA. In other words, businesses should be prepared to document all their current uses of sensitive protected information and also train teams on how to handle this information in a way that complies with MODPA.
- Businesses will be banned from selling sensitive data related to a consumer’s racial or ethnic background, religious beliefs, sexual orientation, citizenship or immigration status. In fact, businesses are only permitted to collect and process sensitive data when it is strictly necessary to provide a product or service requested by the consumer.
- Businesses must identify third-party risks when dealing with sensitive protected information. In other words, businesses should review contracts with third parties to ensure that the sale of sensitive protected information aligns with MODPA’s requirements.
- As of Oct. 1, businesses are required to have “clear and conspicuous opt-out links” on their websites that allow consumers to choose whether to decline targeted advertising and data sales.
Enforcement and penalties
As a result of these new protections, businesses will likely need to adjust or update their policies to ensure compliance. Failure to comply could result in fines of up to $10,000 per violation and $25,000 for repeated violations. Businesses are given some leeway and have up to 60 days to rectify violations at the discretion of the Maryland Attorney General’s Office but only until April 1, 2027.
MODPA represents a landmark step in consumer data protection and gives Maryland residents clear, enforceable rights while imposing stringent obligations on businesses. Since this law has now taken effect, businesses should review practices, assess risks and implement systems that safeguard consumer information. By prioritizing transparency and accountability, MODPA transforms the collection of personal data from a largely unregulated commodity into a protected consumer asset.


Karan Manohar
Virginia “Gia” Grimm








