On October 1, 2025, Maryland will roll out one of the most comprehensive state privacy laws to date, the Maryland Online Data Privacy Act (MODPA). Following new privacy laws this summer in Tennessee and Minnesota, MODPA stands out as more than just another entry in the state-level wave.
Unlike many states that build on existing frameworks, MODPA draws heavily from the proposed American Data Privacy and Protection Act (ADPPA) while pushing beyond its federal predecessor. It sets a high bar with strict data minimization rules, a ban on sensitive data sales, stronger protections for minors, and new civil rights safeguards limiting discriminatory uses of personal information.
In this blog, we’ll walk you through the key provisions of MODPA, highlight how it differs from other state laws, and outline what your organization should do to prepare for compliance.
Understanding the MODPA
Signed into law by Governor Wes Moore on May 9, 2024, the Maryland Online Data Privacy Act (MODPA) grants familiar consumer rights found across other state laws, including the ability to access, correct, delete, and port personal data, as well as opt out of targeted advertising, data sales, and certain types of profiling.
While MODPA aligns with core obligations seen in other state laws, such as conducting data protection assessments for high-risk processing and maintaining clear privacy notices, its combination of strict minimization standards, categorical bans, and youth protections distinguishes it as a standout among state privacy laws.
Why MODPA stands out:
- Strict data minimization: Controllers may collect or process personal data only when reasonably necessary to provide or maintain a product or service requested by the consumer. For sensitive data—health, biometric, sexual orientation, children’s data, and precise geolocation—the threshold is even higher: processing is permitted only when strictly necessary for the requested service.
- Absolute ban on sensitive data sales: Unlike other state laws that rely on opt-in/opt-out frameworks, MODPA prohibits the sale of sensitive data outright.
- Transparency beyond categories: Organizations must disclose specific third-party recipients of personal data, rather than just the types of data shared, giving consumers a clearer understanding of where their information goes.
- Enhanced protections for minors: Data belonging to individuals under 18 cannot be sold or used for targeted advertising if the business knows—or should know—the consumer’s age.
- Civil rights safeguards: MODPA prohibits processing personal or publicly available data in ways that unlawfully discriminate in access to goods, services, or opportunities.
We’ll break down these provisions further and explore the scope of the law next.
Scope of Application
The Maryland Online Data Privacy Act (MODPA) applies to businesses operating in Maryland or offering products or services to Maryland residents if they meet at least one of the following thresholds in a calendar year:
- They control or process the personal data of 35,000 or more consumers, excluding data processed solely for completing a payment transaction, or
- They control or process the personal data of 10,000 or more consumers and derive 20% or more of their gross revenue from the sale of personal data.
Who is a Consumer?
MODPA defines a consumer as an individual who is a resident of Maryland. The definition does not include individuals acting in a commercial or employment context, meaning employees of companies or government entities are generally not considered consumers under the law.
Exemptions
MODPA includes several carve-outs similar to those seen in other state laws:
- Financial institutions and affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
- Data covered under HIPAA, FERPA, or the Maryland Insurance Article
- Nonprofits that process or share personal data solely to assist law enforcement in investigating insurance fraud or to help first responders respond to catastrophic events
Unlike some other state laws, MODPA does not broadly exempt institutions of higher education and has a more targeted nonprofit exemption. Organizations should consult legal counsel to determine whether they qualify for any exemptions under MODPA.
Rights Granted to Consumers
The Maryland Online Data Privacy Act (MODPA) provides consumers with a comprehensive set of rights to control their personal data:
- Right to Access: Consumers can confirm whether a business is processing their personal data and request access to that data, subject to certain limitations.
- Right to Deletion: Consumers can request deletion of their personal data, whether provided directly or collected by the business, with limited exceptions.
- Right to Correction: Consumers may request corrections to inaccurate personal data, taking into account the nature of the information and how it is used.
- Right to Data Portability: Consumers can request a copy of the personal data they have provided to a business in a portable and usable format, subject to reasonable limitations.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, its use for targeted advertising, or profiling in connection with automated decision-making.
Importantly, covered businesses must act in a timely manner: they generally have 45 days to respond to requests, with a limited extension where reasonably necessary.
Third-Party Disclosure
In addition to these core rights, MODPA allows consumers to know not only the categories of personal data being shared but also the categories of third parties receiving that data. This provision sets Maryland apart from most other state privacy laws, which typically stop at disclosing only the types of data collected or shared. Currently, only a handful of states provide consumers with a similar level of transparency into who is receiving their information.
Complying with Opt-Out Requests
Unlike other state laws, MODPA does not allow businesses to reject opt-out requests on the basis of suspected fraud, so all valid requests must be honored promptly.
Sensitive Data and Minor Protections
The law requires businesses to obtain consent before processing sensitive personal data, such as health, biometric, or precise geolocation information. If the sensitive data is not required to fulfill a specific request from the consumer, it may not be collected at all. Sensitive data also cannot be sold.
Protections are stronger for minors: businesses may not sell the personal data of individuals under 18, nor use it for targeted advertising, if they know or should reasonably know the consumer’s age.
Key Obligations for Businesses Under Maryland’s Privacy Law
Businesses operating in Maryland or providing products or services to Maryland residents must take several critical steps to ensure compliance. MODPA imposes obligations on both controllers and processors of personal data.
Controllers’ Responsibilities
Controllers—entities that determine the purposes and means of processing personal data—are required to:
- Limit Data Collection: Collect only personal data that is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer. Processing beyond this purpose generally requires consumer consent. Sensitive data, including health information, biometrics, and precise geolocation, is subject to stricter limitations.
- Transparency and Privacy Notices: Provide an easily accessible and clear privacy notice that includes:
  - Categories of personal data processed, including sensitive data
  - Purposes for processing personal data
  - Categories of personal data shared with third parties, including sensitive data
  - Methods for consumers to exercise their rights and appeal decisions
  - A direct email address or other online contact method
  - Disclosure if the controller sells personal data or uses it for targeted advertising or profiling
- Data Security Practices: Implement reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of personal data.
- Consumer Rights Fulfillment: Ensure timely response to consumer requests to confirm processing, access, correct, delete, or port data, and to opt out of the sale of personal data, profiling, or targeted advertising. Controllers must respond within 45 days, with an extension allowed if necessary, and provide an appeals process.
- Revoking Consent: Provide consumers a mechanism to revoke consent that is at least as easy as the process used to give consent. Processing must cease as soon as possible, but no later than 30 days after revocation.
- Data Protection Assessments (DPAs): Conduct assessments for processing activities that present a heightened risk of harm to consumers. This includes processing for targeted advertising, sale of personal data, handling sensitive data, and profiling that could result in unfair, abusive, or harmful impacts. DPAs must consider the necessity and proportionality of the processing activity.
- Non-Discrimination / Civil Rights Protections: MODPA includes a civil rights provision derived from the ADPPA that prohibits controllers from collecting, processing, or sharing personal or publicly available data in ways that unlawfully discriminate in access to goods or services based on race, color, religion, national origin, sex, sexual orientation, gender identity, or disability.
- Special Protections for Minors: Controllers may not sell the personal data of individuals under 18 or use it for targeted advertising if they know, or reasonably should know, the consumer is a minor.
- Sensitive Data Handling: Controllers must ensure that sensitive data—including racial or ethnic origin, health data, biometrics, sexual orientation, or data of minors—is collected, processed, or shared only when strictly necessary to provide or maintain a requested product or service.
- Third-Party Use: Controllers must provide notice to consumers if a third party uses their personal data in a manner inconsistent with the original promises at the time of collection, enabling consumers to exercise their rights.
Processors’ Responsibilities
Processors—entities that handle personal data on behalf of a controller—are required to:
- Data Processing Agreements: Maintain binding contracts with controllers that clearly define the scope of processing, data involved, and obligations regarding security and consumer rights.
- Assist with Compliance: Support controllers in fulfilling consumer rights requests, conducting DPAs, and maintaining secure processing practices.
- Implement Security Measures: Maintain appropriate technical and organizational safeguards tailored to the sensitivity of the data processed.
Both controllers and processors should be aware that failure to comply with these requirements can lead to enforcement by the Maryland Attorney General and potential penalties.
Enforcement of MODPA
The Maryland Online Data Privacy Act (MODPA) vests exclusive enforcement authority with the Consumer Protection Division of the Maryland Attorney General’s Office. MODPA does not provide a private right of action, meaning only the Attorney General can initiate enforcement. For more on the growing role of public–private partnerships in privacy enforcement, see our series Privacy Enforcement and Litigation in 2025: What Every Business Needs to Know.
When the Attorney General identifies a potential violation, they may issue a notice of violation to the controller or processor. Upon receiving the notice, the entity generally has 60 days to cure the violation, where a cure period is available. Notably, the cure period expires on April 1, 2027, after which the Attorney General may proceed with enforcement immediately without offering an opportunity to cure.
If violations remain unaddressed, courts may impose civil penalties of up to $10,000 per violation, and up to $25,000 per violation for repeated offenses. Courts may also grant injunctive relief and award attorney’s fees to ensure compliance.
How DataGrail Can Help
DataGrail is built to take the complexity out of compliance and help your team stay ahead of requirements like those in the MODPA. Here’s how:
- Automate Consumer Rights Requests: With DataGrail’s Request Manager, you can fulfill access, deletion, and opt-out requests on time, every time. MODPA has strict deadlines and no fraud exception for opt-outs, and DataGrail ensures these requests are handled efficiently across all systems and vendors, alongside other major laws like the CCPA and GDPR, without added burden.
- Maintain a Compliant Data Inventory: MODPA’s strict data minimization rules and transparency requirements demand real-time visibility into your personal data. DataGrail’s Live Data Map gives you an accurate, automated inventory of personal data collection, processing, and sharing—including sensitive data—helping you stay compliant while reducing reliance on spreadsheets and manual processes.
- Simplify Consent and Opt-Out Management: DataGrail’s Consent solution enables you to automate consent collection and honor opt-outs across channels—including Global Privacy Control (GPC) signals required under MODPA. This ensures consumers can easily exercise their rights while reducing the operational burden on your team.
- Effortless Data Protection Assessments: With DataGrail, you can create, update, and maintain DPAs in real time. Continuous monitoring of your data and vendors ensures MODPA compliance is always within reach.
By using DataGrail, your business can stay ahead of privacy laws, reduce risk, and maintain trust with your customers.
Request a demo here.
Want to learn more? Check out our Guide to State Privacy Laws to discover how state regulations will impact your business and ensure your compliance strategy is up to date.
Additionally, join Privacy Basecamp, our exclusive Slack community of privacy professionals, to connect, share resources, and discuss best practices in privacy management. Stay updated on the latest state privacy legislation and engage with experts in the field.
Interested in seeing the platform? Request a demo here.