Maryland Online Data Privacy Act (MODPA) was enacted on May 9, 2024. MODPA (Senate Bill 541) goes into effect on October 1, 2025.
Despite similarities with several other state laws, the MODPA imposes stricter requirements than most other US state privacy laws. Notably, it has a broad scope with lower applicability thresholds than most other state regulations. It also differs in areas such as sensitive data, consumer health data, minors' data, and anti-discrimination measures, and it sets a stricter standard of data minimization than other state data privacy laws.
Read this blog to learn more about the Maryland Online Data Privacy Act, to whom it applies, and its differences from other state-level data privacy laws.
What Is the Maryland Online Data Privacy Act?
The Maryland Online Data Privacy Act, effective October 1, 2025, establishes data protection rights for Maryland residents by regulating data collection, processing, and use. The law sets stricter requirements for companies around data collection, especially related to consent, universal opt-out mechanisms, sensitive data, and children’s data. It also emphasizes privacy-by-design principles such as data minimization and purpose limitation.
Maryland follows the opt-out consent model used by most other US states: businesses can collect and process consumer personal data without the data subject's prior consent, provided they clearly disclose what personal data they collect, why they collect it, and the categories of third parties they share it with. Consumers have the right to opt out of the sale of their personal data and of its use for targeted advertising or profiling, and controllers must honor that choice, including when it arrives as a universal opt-out signal. Consent is required in specific cases, for example to process personal data for a purpose that is neither reasonably necessary for, nor compatible with, the purpose disclosed to the consumer.
The Maryland privacy law defines a consumer as an individual who is a resident of the state. The definition excludes an individual acting in a commercial or employment context, or as an employee, owner, director, officer, or contractor of a commercial, nonprofit, or government entity, whose communications or transactions with the controller occur solely within that role.
The Maryland Online Data Privacy Act takes effect on October 1, 2025. However, it does not apply to personal data processing activities that occur before April 1, 2026.
Who Has to Comply with the Maryland Online Data Privacy Act?
The MODPA applies to a person or an entity that conducts business in the state or provides products or services that are targeted to residents of the state, and during the preceding calendar year:
- Controlled or processed personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
- Controlled or processed personal data of at least 10,000 consumers and derived more than twenty percent (20%) of its gross revenue from the sale of personal data.
Exemptions to the MODPA
In line with most other state-level data privacy laws, the MODPA comprises several exemptions from the law, including:
- State entities or instrumentalities, including, but not limited to, regulatory, administrative, advisory, executive, and judicial bodies.
- National securities associations registered under the Securities Exchange Act of 1934.
- Financial institutions, and their affiliates, subject to the Gramm-Leach-Bliley Act.
- Non-profit organizations that process or share personal data solely to assist law enforcement agencies in investigating insurance-related crime or fraud, or to assist first responders in responding to catastrophic events.
In contrast to most other state-level data privacy laws, the MODPA does not exempt institutions of higher education or non-profit organizations in general.
Maryland privacy law also provides exemptions for certain categories of data, including:
- Protected health information under the Health Insurance Portability and Accountability Act (HIPAA).
- Identifiable private information collected as part of human subjects research conducted under applicable research protections.
- Patient safety work product that is created and used for patient safety improvement.
- Information regulated by the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, the Fair Credit Reporting Act, the Airline Deregulation Act, and the Maryland Insurance Article.
- Personal data of individuals applying to, employed by, or acting as contractors for a controller, emergency contact information, and data needed to administer benefits.
The MODPA distinguishes between the roles and responsibilities of controllers and processors:
- Under the MODPA, a controller is defined as "a person that, alone or jointly with others, determines the purpose and means of processing personal data."
- A processor is defined as "a person that processes personal data on behalf of a controller."
Enforcement and Penalties Under the MODPA
The MODPA is enforced by the Consumer Protection Division of the Office of the Maryland Attorney General.
Violations of the law are treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act, and can lead to civil penalties of up to $10,000 per violation and up to $25,000 for each repeated violation. The amount depends on several factors, such as the number of violations, the seriousness and complexity of the conduct, and the likelihood of injury to the public.
The Division may, at its discretion, give a business a 60-day cure period to remedy the violation before initiating an enforcement action.
The law does not give consumers a private right of action to directly sue a controller in the event of a violation of these rights.
Use CookieScript Consent Management Platform (CMP) to comply with the law and avoid penalties. In 2024, CookieScript was nominated as the best CMP on G2, a peer-review website for compliance with privacy laws in the USA, Europe, and other countries.
Consumer Rights under the Maryland Online Data Privacy Act
Consumers have several rights under the MODPA to protect their personal data, including:
- Right to access: Consumers can confirm whether the controller is processing their personal data and can access their data, with some exceptions.
- Right to correction: Consumers have the right to correct any inaccuracies in their personal data, considering the nature of the personal data and purposes of processing.
- Right to delete: Consumers can request controllers to delete any personal data provided by, or obtained about, them, unless the law requires the personal data to be retained.
- Right to data portability: Consumers can obtain a copy of their personal data in a portable and, where technically feasible, readily usable format, with some exceptions.
- Right to obtain information: Consumers have the right to obtain a list of the categories of third parties to which the controller has disclosed their personal data or, if the controller does not maintain that information in a consumer-specific format, a list of the categories of third parties to which it has disclosed any consumer's personal data.
- Right to opt out: Consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling.
Controllers’ Obligations Under the Maryland Online Data Privacy Act
To comply with the MODPA, controllers must follow these requirements:
Privacy notice: Provide consumers with a reasonably accessible, clear, and meaningful privacy notice about the controller’s practices regarding consumer data and consumer rights. The privacy notice must, among other things, disclose:
- The categories of personal data the controller processes.
- The purpose for processing personal data.
- The categories of all third parties to which the controller discloses the personal data, if any.
- How consumers may exercise their privacy rights and appeal the controller's decisions.
- An active email address or other online mechanism to contact the controller.
- Other data, such as the effective date of the privacy notice, etc.
Data minimization: Limit the collection of personal data to what is necessary and proportionate to provide a specific product or service requested by the consumer.
In addition, businesses may not collect, process, or transfer personal data or publicly available information in a manner that unlawfully discriminates against consumers or otherwise denies them the equal enjoyment of goods or services, except for narrow purposes permitted by the law, such as self-testing to prevent or mitigate unlawful discrimination.
Purpose limitation: Do not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains user consent.
Sensitive data processing: Unlike most other state laws, which permit the processing of sensitive data with the consumer's consent, the MODPA sets a stricter standard.
Businesses cannot collect, process, or share sensitive data except where strictly necessary to provide or maintain a specific product or service requested by the consumer; consent does not unlock any other use of sensitive data.
The sale of sensitive data is also prohibited by law.
Consumer health data requirements: The Maryland privacy law prohibits a person from giving employees or contractors access to consumer health data unless they are bound by a contractual or statutory duty of confidentiality.
Consent requirements: The MODPA uses an opt-out consent model, meaning that businesses can collect and process consumer personal data without the data subject's prior consent, but they must let consumers opt out of the sale of their personal data and of its use for targeted advertising or profiling. Where the MODPA does require consent, for example to process personal data for a purpose that is neither reasonably necessary for, nor compatible with, the disclosed purpose, consent means a clear affirmative act signifying a freely given, specific, informed, and unambiguous agreement to the processing of personal data for a specific purpose.
Businesses must obtain user consent from parents or legal guardians to collect and process a child's data if the child is known to be under 13 years of age.
Note that accepting general terms of use does not constitute valid consent, and consent obtained through dark patterns also does not constitute valid consent.
Businesses are also obliged to provide a mechanism for a consumer to revoke consent to process personal data that is equally easy as the mechanism to give consent.
The MODPA prohibits selling, or processing for targeted advertising, the personal data of a consumer the controller knew or should have known is under 18 years of age.
Non-discrimination: Controllers must not process personal data in a way that unlawfully discriminates against consumers, and must not discriminate against a consumer for exercising their rights, including by opting out of processing, for example by denying goods or services or charging a different price for the same product.
Processor contracts: Controllers must enter into a binding contract with each processor that sets out the processor's data processing procedures, the nature and purpose of the processing, the types of data to be processed, the duration of the processing, and the rights and obligations of both parties, including how the processor must follow the controller's instructions.
Under the contract, processors are required to:
- Implement reasonable security practices for personal data.
- Help the controller fulfil consumer rights requests, such as stopping processing, deleting data, or providing the data collected.
- Cooperate with the controller's requests for processor information.
- Obtain controller consent to engage subcontractors.
Data Protection Assessments: The MODPA requires controllers to conduct a data protection assessment for each "processing activity that presents a heightened risk of harm to a consumer, including an assessment for each algorithm that is used." Processing that presents a heightened risk of harm includes:
- The processing of personal data for the purposes of targeted advertising.
- The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, or of financial, physical, or reputational injury to consumers.
- The sale of personal data.
- The processing of sensitive data.
- Any other processing activity that presents a heightened risk of substantial harm to consumers.
A data protection assessment must weigh the benefits of the processing activity against the potential risks to consumers, taking into account any safeguards the controller can apply to reduce those risks. When performing the assessment, the controller should consider the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer.
Data security practices: Implement security measures at physical, administrative, and technical levels to safeguard the confidentiality and integrity of personal data maintained by businesses. These measures must be proportionate to the nature and volume of the stored consumer data.
Allow for universal opt-out mechanisms: The MODPA sets an obligation for controllers to provide mechanisms for consumers to opt out of the sale of personal data, targeted advertising, and profiling. Businesses must recognize universal opt-out mechanisms such as Global Privacy Control.
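What "recognizing" Global Privacy Control looks like in practice is a small piece of request-handling logic, shown below as an added example written for this article (it is not code from the original page or from CookieScript). The `Sec-GPC: 1` request header, the `navigator.globalPrivacyControl` property, and the `/.well-known/gpc.json` document come from the GPC specification; the shape of the stored consumer record (`optOuts`, `knownUnder18`) is an assumption made for the example. It goes slightly beyond the paragraph by also applying the under-18 rule described elsewhere in this article, so that the same decision function covers both.

```javascript
// Added example (not from the original page or CookieScript): honoring
// Global Privacy Control (GPC) as a universal opt-out signal under an
// opt-out consent model such as the MODPA's.

// Purposes the MODPA lets consumers opt out of.
const OPT_OUT_PURPOSES = ["sale", "targeted_advertising", "profiling"];

// True when the HTTP request carries a valid GPC signal.
// The GPC spec defines exactly "Sec-GPC: 1"; any other value is not a
// signal. Header names are case-insensitive, so match them case-insensitively.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser-side equivalent, for a consent script running in the page:
// navigator.globalPrivacyControl is true when the user has enabled GPC.
function hasGpcSignalInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which opt-out purposes may be processed for this request.
// consumer = { optOuts: [...purposes chosen via the site's own mechanism],
//              knownUnder18: boolean }   (assumed record shape)
// Rules applied:
//  - under an opt-out model the default is "permitted" until the consumer
//    opts out;
//  - a GPC signal counts as an opt-out for all three purposes and overrides
//    any earlier opt-in a banner may have captured;
//  - sale and targeted advertising are never permitted for a consumer the
//    controller knows (or should know) is under 18.
function resolvePermissions(consumer, headers) {
  const gpc = hasGpcSignal(headers);
  const optOuts = new Set((consumer && consumer.optOuts) || []);
  const minor = Boolean(consumer && consumer.knownUnder18);
  const permissions = {};
  for (const purpose of OPT_OUT_PURPOSES) {
    let allowed = !gpc && !optOuts.has(purpose);
    if (minor && (purpose === "sale" || purpose === "targeted_advertising")) {
      allowed = false;
    }
    permissions[purpose] = allowed;
  }
  return { gpcHonored: gpc, permissions };
}

// JSON document the GPC spec suggests serving at /.well-known/gpc.json to
// declare that the site honors the signal.
function gpcWellKnownDocument(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample request headers (not captured traffic).
const SAMPLE_HEADERS_GPC = { "Sec-GPC": "1", "user-agent": "example" };
const SAMPLE_HEADERS_NONE = { "user-agent": "example" };
const SAMPLE_HEADERS_BOGUS = { "sec-gpc": "true" };

// Usage: a GPC request denies all three purposes even with no stored opt-out;
// a plain request honors only the consumer's own stored opt-outs.
resolvePermissions({ optOuts: [] }, SAMPLE_HEADERS_GPC);
resolvePermissions({ optOuts: ["sale"] }, SAMPLE_HEADERS_NONE);
```

The important design choice is that the GPC check runs on every request and wins over stored consent: a banner "accept" recorded months ago must not outlive a signal the consumer is sending right now. Because the law's default is opt-out, the absence of both a signal and a stored opt-out leaves processing permitted, which is why the under-18 rule has to be applied separately rather than relying on consent state.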
Consumer request mechanisms: Provide at least one secure and reliable means for consumers to submit requests to exercise their rights, and establish a process for consumers to appeal a controller's refusal to act on a request. Controllers must respond to an appeal within 60 days.
According to MODPA, businesses must respond to consumer requests within 45 days of receipt. If necessary, after informing the consumer, this can be extended to another 45 days.
Consumers are entitled to have a request fulfilled free of charge once a year. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the business may charge a reasonable fee or decline to act, and it must inform the consumer of the reason.
A Quick Checklist for MODPA Compliance
- Provide reasonably accessible, clear, and meaningful privacy notice.
- Honor consumer opt-outs of the sale of personal data, targeted advertising, and profiling, and obtain consent before processing personal data for purposes beyond those disclosed.
- Obtain user consent from parents or legal guardians for a known child under 13 years of age.
- Limit the collection of personal data to what is required to provide the specific product or service requested by the consumer.
- Do not collect, process, or share sensitive data unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer.
- Do not sell sensitive data.
- Do not sell or use the personal data of consumers under 18 for targeted advertising.
- Do not use the personal data for any purpose other than the disclosed one without the consumer’s consent.
- Do not share consumer health data without a duty of confidentiality.
- Do not discriminate against the consumers.
- Provide at least one consumer request mechanism, respond to requests within 45 days, and offer an appeal process.
- Recognize global opt-out signals.
- Enter into contracts with processors and third parties.
- Conduct data protection impact assessments.
- Implement security measures at physical, administrative, and technical levels to protect personal data.
Frequently Asked Questions
Does Maryland have a data privacy law?
The comprehensive privacy law of Maryland, the Maryland Online Data Privacy Act, will become effective on October 1, 2025. The law will regulate the collection, processing, and use of Maryland residents’ data and take a strict approach towards data privacy principles such as data minimization and purpose limitation. If you provide goods or services for Maryland residents and collect their data, you must comply with the MODPA. Use CookieScript CMP to comply with the law.
What Is the Maryland Online Data Privacy Act?
With an effective date of October 1, 2025, the Maryland Online Data Privacy Act is the data privacy law that establishes data protection rights for Maryland residents by regulating data collection, processing, and use and sets requirements for companies around data management. Use CookieScript CMP to comply with the MODPA and other data privacy laws. In 2024, it was ranked the best CMP on G2.
When will the Maryland Online Data Privacy Act go into effect?
The MODPA goes into effect on October 1, 2025. Use CookieScript CMP to comply with the MODPA and avoid penalties. In 2024, it was ranked the best CMP on G2. It is also a Google-certified CMP.
What are the penalties for violating the Maryland Online Data Privacy Act?
The penalties for the violation of the MODPA could reach up to $10,000 for a single violation and up to $25,000 for subsequent violations, depending on several factors, such as the number of violations, complexity, likelihood of injury to the public, etc. Use CookieScript CMP to comply with the MODPA and avoid penalties.
How to comply with the Maryland Online Data Privacy Act?
To comply with the MODPA, follow this checklist: provide a privacy notice, honor opt-outs of sale, targeted advertising, and profiling, obtain consent for processing beyond the disclosed purposes, limit data collection to what is necessary for the requested product or service, do not collect, process, share, or sell sensitive data beyond what is strictly necessary, do not discriminate against consumers, establish consumer request mechanisms and respond to requests on time, recognize universal opt-out signals, enter into contracts with processors and third parties, conduct data protection assessments, and so on. Use CookieScript CMP to comply with the MODPA and avoid penalties.
Can I sell personal data under Maryland privacy law?
The Maryland Online Data Privacy Act prohibits the sale of sensitive data and the sale of personal data of consumers the controller knew or should have known are under 18. Other personal data may be sold only if the privacy notice discloses the sale and the consumer has not opted out, including through a universal opt-out signal such as Global Privacy Control. The data minimization requirement also applies: the data being sold must have been collected because it was reasonably necessary and proportionate to provide a product or service the consumer requested. Use CookieScript CMP to comply with the MODPA and avoid penalties. In 2024, it was ranked the best CMP on G2. It is also a Google-certified CMP.