Maryland
Maryland Online Data Privacy Act (MODPA)
| Passed | May 9, 2024 |
| Effective Date | Oct 1, 2025 |
| Who it applies to |
Entities that: 1) Control or process personal data of 35,000+ Maryland consumers, excluding payment transaction-only data, or 2) Control/process 10,000+ consumers' data and derive 20%+ gross revenue from the sale of personal data. Exempt entities include government agencies, financial institutions subject to GLBA, certain nonprofits assisting law enforcement or first responders, educational institutions governed by FERPA, and data covered by HIPAA, FCRA, DPPA, or classified as de-identified. |
| Penalties | The Maryland Attorney General’s Consumer Protection Division has exclusive enforcement authority under MODPA, with penalties of up to $10,000 per violation and $25,000 for repeat violations; while a 60-day cure period may be granted at the AG’s discretion, there is no private right of action—though other legal remedies remain available. |
What’s notable about it:
Maryland sets some of the strongest limits on data collection and use, requiring personal data to be collected only if it’s reasonably necessary for a product or service the consumer specifically requests. Sensitive data like health, biometric, location, and data about minors can only be used if strictly necessary, and its sale is completely banned.
The law uniquely requires third parties to notify consumers if they use their data in ways that differ from original promises. It also mandates detailed risk assessments for high-risk activities, including assessments of algorithms, and requires businesses to honor universal opt-out mechanisms, including those approved by other states.
Maryland’s definition of sensitive data is broader than many states, covering items such as gender identity, genetic data, and precise geolocation. Additionally, it prohibits targeted advertising and the sale of minors’ data when the controller knows or should know the consumer is under 18, an unusually strict standard.
Finally, Maryland’s law includes novel civil rights protections prohibiting unlawful discrimination using both personal and publicly available data, a feature uncommon among state privacy laws.