
Maryland Online Data Privacy Act Presents New and Expanded Compliance Requirements for Businesses

23 JANUARY 2025 | ZAC SOTO

On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act of 2024 (MODPA), making Maryland the 18th state to enact comprehensive privacy legislation. MODPA introduces stricter rules for businesses that collect, process, or disclose personal data. The Act takes effect on October 1, 2025, but does not apply to activities before April 1, 2026. Although several elements of MODPA align with other comprehensive state privacy laws, other unique elements of MODPA potentially broaden its applicability to more businesses and impose more stringent standards and restrictions on data processing activities.
Consumer Rights and Business Obligations
Similar to other state privacy laws, MODPA grants consumers the right to:
  • Access, correct, delete, and export their personal data.
  • Opt out of the sale of personal data, targeted advertising, and profiling.
The Act also requires businesses (controllers) to post privacy policies and to conduct data protection assessments, and it prohibits discrimination against consumers who exercise the above rights regarding their data.
However, while MODPA shares many common elements with other state laws, it introduces unique provisions that could create new challenges for compliance.

Notable Unique Elements:

Lower Applicability Thresholds

MODPA applies to businesses operating in Maryland or targeting Maryland residents if they meet either of these criteria:
  1. Process the personal data of at least 35,000 consumers annually (excluding data collected or processed solely for completing payment transactions); or
  2. Process the data of at least 10,000 consumers while deriving more than 20% of their gross revenue from selling personal data.
This 35,000-consumer threshold is significantly lower than the applicability thresholds in similarly populous states, which typically require the processing of data from 100,000 or more consumers.

Expanded Definitions of Certain Regulated Data Categories

MODPA’s definitions of biometric, consumer health, and sensitive personal data differ from other states, broadening what qualifies as “sensitive.”
  • Biometric Data: Whereas most state privacy laws limit the definition of “biometric data” to measurements of biological characteristics that are actually used or intended to be used to identify individuals, MODPA includes information that can be used to identify individuals, whether or not such information is actually used for that purpose.
  • Consumer Health Data: MODPA’s definition of “consumer health data” covers data revealing physical or mental health status, including information about gender-affirming care, reproductive health, or even general fitness habits. This is broader than the definitions found in similar regulations in other states, which tend to define the term more narrowly (such as Connecticut, which only includes information that is used to provide diagnoses, or Washington, which includes information that is “reasonably linkable” to a consumer’s health).
MODPA also introduces specific requirements for handling consumer health data, such as:
  • Requiring contractual obligations regarding MODPA compliance and data confidentiality for employees and contractors who process such data;
  • Restrictions on using geofencing to collect or track health data near healthcare facilities; and
  • Prohibition on selling consumer health data without consumer consent. Notably, this consent-based restriction could be read to conflict with the blanket ban on selling sensitive personal data, which applies even where consumer consent is obtained. As a result, compliance with the broader, more restrictive blanket ban is likely the wisest route absent further guidance on this point.
  • Sensitive Personal Data: Finally, MODPA’s definition of “sensitive personal data” encompasses genetic and biometric data (even if not used for identification), national origin, and the personal data of children under 13. This is a broader range of information classified as “sensitive” and requiring increased protections than is found in other, similar state regulations.
These broad definitions mean more data will be subject to strict requirements, and businesses should revise existing policies and practices designed to comply with other state laws in order to comply with MODPA as well.

New Data Minimization Rules

MODPA imposes more stringent data minimization requirements regarding the collection or processing of both personal data and sensitive personal data than other state privacy laws or, in some cases, the European Union’s GDPR.
  • Strict Limits on Sensitive Data Processing, Regardless of Consumer Consent: Whether or not consumer consent has been obtained, sensitive personal data can only be processed if it is “strictly necessary” to provide a specific product or service requested by the consumer.
  • Prohibition on Selling Sensitive Data: Regardless of whether consumer consent has been obtained, businesses cannot sell sensitive personal data. The only limited exception arises where a consumer has directed the disclosure of such information as part of a transaction with a third party, because such consumer-directed disclosures are excluded from MODPA’s definition of “sale.”
  • Restrictions on Data Collection: Finally, regardless of consumer consent, personal data collection must be limited to what is “reasonably necessary and proportionate” to deliver a requested product or service. Unlike other state laws, MODPA does not allow broader data collection for disclosed purposes or general internal processing for product or service development.

Protecting Minors’ Data

MODPA prohibits selling the personal data of any Maryland resident whom a business knows or should have known is under 18. Such data also may not be used for targeted advertising. This rule may require businesses to implement age verification mechanisms to ensure compliance.

Data Protection Assessments

Businesses must regularly conduct assessments of activities that present a “heightened risk of harm” to consumers. These include:
  1. Targeted advertising;
  2. Selling personal data;
  3. Processing sensitive personal data; and
  4. Profiling that could result in unfair treatment, injury, or intrusion.

Importantly, MODPA uniquely requires businesses to conduct data protection assessments for each algorithm they use.

Enforcement and Penalties

The Maryland Attorney General and the Division of Consumer Protection have exclusive enforcement authority. For alleged violations occurring on or before April 1, 2027, violators will have 60 days to cure the alleged violation, after which penalties of up to $10,000 per violation ($25,000 per violation for subsequent violations) may be imposed. No private right of action is available under MODPA.
MODPA’s unique provisions will require many businesses to expand their data privacy policies and practices beyond what existing legal regimes demand. Businesses processing Maryland consumer data should review their existing policies and plan ahead with certified information privacy professionals and legal counsel in order to avoid unnecessary business disruption or significant penalties for noncompliance.