Maryland Online Data Privacy Act Presents New and Expanded Compliance Requirements for Businesses

23 JANUARY 2025 | ZAC SOTO
- Access, correct, delete, and export their personal data.
- Opt out of the sale of personal data, targeted advertising, and profiling.
Notable Unique Elements:
Lower Applicability Thresholds
- Process the personal data of at least 35,000 consumers annually (excluding data collected or processed solely for completing payment transactions); or
- Process the data of at least 10,000 consumers while deriving more than 20% of their gross revenue from selling personal data.
Expanded Definitions of Certain Regulated Data Categories
- Biometric Data: Whereas most state privacy laws limit the definition of “biometric data” to measurements of biological characteristics that are actually used or intended to be used to identify individuals, MODPA includes information that can be used to identify individuals, whether or not such information is actually used to identify individuals.
- Consumer Health Data: MODPA’s definition of “consumer health data” covers data revealing physical or mental health status, including information about gender-affirming care, reproductive health, or even general fitness habits. This is broader than that found in similar regulations in other states, which tend to define the term more narrowly (such as Connecticut, which only includes information that is used to provide diagnoses, or Washington, which includes information that is “reasonably linkable” to a consumer’s health).
- Requiring contractual obligations regarding MODPA compliance and data confidentiality for employees and contractors processing such data;
- Restrictions on using geofencing to collect or track health data near healthcare facilities; and
- Prohibition on selling consumer health data without consumer consent. Notably, this prohibition on sales absent consumer consent could be read to conflict with the blanket ban on selling sensitive personal data even where such consumer consent is obtained. As a result, compliance with the broader, more restrictive blanket ban is likely the wisest route absent further guidance on this point.
- Sensitive Personal Data: Finally, MODPA’s definition of “sensitive personal data” encompasses genetic and biometric data (even if not used for identification), national origin, and personal data of children under 13, which constitutes a broader range of information classified as “sensitive” and requiring increased protections than is found in other, similar state regulations.
New Data Minimization Rules
- Strict Limits on Sensitive Data Processing, Regardless of Consumer Consent: Whether or not consumer consent has been obtained, sensitive personal data can only be processed if it is “strictly necessary” to provide a specific product or service requested by the consumer.
- Prohibition on Selling Sensitive Data: Regardless of whether consumer consent has been obtained, businesses cannot sell sensitive personal data. Limited exceptions are available where a consumer has directed disclosure of such information as part of a transaction with a third party, because such consumer-directed disclosures are exempt from MODPA’s definition of “sale”.
- Restrictions on Data Collection: Finally, regardless of consumer consent, personal data collection must be limited to what is “reasonably necessary and proportionate” to deliver a requested product or service. Unlike other state laws, MODPA does not allow broader data collection for disclosed purposes or general internal processing for product or service development.
Protecting Minors’ Data
MODPA prohibits selling the personal data of any Maryland resident that a business knows or should have known is under 18. Such data is also prohibited from use for targeted advertising purposes. This rule may require businesses to implement age verification mechanisms to ensure compliance.
Data Protection Assessments
- Targeted advertising;
- Selling personal data;
- Processing sensitive personal data; and
- Profiling that could result in unfair treatment, injury, or intrusion.
Importantly, MODPA uniquely requires businesses to conduct data protection assessments for each algorithm they use.
Enforcement and Penalties