Maryland Online Data Privacy Act: an overview

The Maryland Online Data Privacy Act takes effect on October 1, 2025. It includes stricter privacy compliance requirements than other US states and impacts businesses that operate in Maryland.
Published by Usercentrics
Jun 28, 2024

With the Maryland Online Data Privacy Act (MODPA, Senate Bill 541), Maryland became the eighteenth state in the United States with a comprehensive consumer privacy law when the governor signed it into law on May 9, 2024. MODPA goes into effect on October 1, 2025, but it will not have any effect on or application to any personal data processing activities until April 1, 2026.

The comprehensive data privacy law is notable for including stricter requirements than other states in the US.

We look at the Maryland data privacy law, who it applies to, whose personal data it protects, and its requirements for compliance.

What is the Maryland Online Data Privacy Act?

The Maryland Online Data Privacy Act (MODPA) aims to protect the privacy and personal data of Maryland residents by regulating its collection, processing, and use. The law requires businesses that operate in Maryland or provide products or services to its residents to comply with various obligations if they handle the personal data of a significant number of residents, referred to as “consumers” under the law.

The Maryland privacy law defines a consumer as an individual who is a resident of the state. The definition specifically excludes individuals who are acting:

  • in a commercial or employment context
  • as an employee, owner, director, officer, or contractor of a commercial or nonprofit entity, where their communications or transactions with the data controller occur only in the context of their role within the entity

Maryland follows a similar approach to other US states that have consumer privacy laws by using an opt-out consent model. Businesses must clearly explain what personal data they collect and why they collect it, any third parties they share it with, and how consumers can opt out of its collection and processing for certain purposes. However, they do not need to get prior consent from users for collection and processing of their personal data under most circumstances.

Definitions under the Maryland Online Data Privacy Act

The Maryland privacy law defines key terms related to what data it protects and data processing activities.

Personal data under MODPA

The Maryland data privacy law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable consumer.” The definition does not include de-identified data or publicly available information.

Unlike some other US state-level data privacy laws, MODPA does not provide specific examples of what constitutes personal data. Common types that businesses collect include name, phone number, email address, Social Security number, or driver’s license number.

Sensitive data under MODPA

Sensitive data means personal data that includes:

  • racial or ethnic origin
  • religious beliefs
  • consumer health data
  • sex life and sexual orientation
  • status as transgender or nonbinary
  • national origin
  • citizenship or immigration status
  • genetic or biometric data
  • personal data collected from a known child (under 13 years of age)
  • precise geolocation data that can accurately identify a consumer’s specific location within a radius of 1,750 feet or 533.4 meters

Controller under MODPA

Controller means “a person that, alone or jointly with others, determines the purpose and means of processing personal data.”

A controller, also known as a “data controller” under some laws, is responsible for ensuring the protection and proper use of personal data. They must follow the legal requirements under MODPA to safeguard this data.

Processor under MODPA

The Maryland privacy law defines a processor as “a person that processes personal data on behalf of a controller.”

A “person” can refer to an individual, a company, or any organization. Under MODPA, such entities must fulfill the responsibilities assigned to processors.

Sale of personal data under MODPA

Sale of personal data means “the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.”

Sale does not include disclosure of personal data:

  • to a processor that processes the personal data on the controller’s behalf, if limited to the purposes of processing
  • to a third party for the purposes of providing a product or service the consumer has affirmatively requested
  • to the controller’s affiliate, including transfer of personal data
  • where the consumer directs the controller to disclose it or intentionally uses the controller to interact with a third party
  • that the consumer intentionally made available to the general public through a mass media channel not restricted to a specific audience
  • to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction including transfer of personal data

Targeted advertising under MODPA

Targeted advertising means “displaying advertisements to a consumer or on a device identified by a unique identifier, where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated websites or online applications that are unaffiliated with each other, in order to predict the consumer’s preferences or interests.”

The definition excludes:

  • ads based on the context of a consumer’s current search query or visit to a website or online app
  • ads based on a consumer’s activities within a controller’s own websites or online apps
  • ads directed to a consumer in response to the consumer’s request for information or feedback
  • processing of personal data solely to measure or report ad frequency, performance, or reach

Consent under MODPA

The Maryland data privacy law defines consent as “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose.”

Consent includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

The definition under MODPA specifically excludes:

  • acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
  • hovering over, muting, pausing, or closing a given piece of content
  • consent obtained through the use of dark patterns

Who must comply with the Maryland Online Data Privacy Act?

The Maryland privacy law applies to businesses that either operate in Maryland or target its residents with products or services. Specifically, it applies to businesses that, during the preceding calendar year:

  • controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed only for completing a payment transaction; or
  • controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data

MODPA applies to businesses that meet the above requirements, regardless of where the business itself is located. The number of consumers threshold is low compared to some other US states’ compliance thresholds, but this is because Maryland’s population is only a little over 6.2 million people (compared to California, which has nearly 40 million residents).

Exemptions to Maryland Online Data Privacy Act compliance

MODPA exempts certain entities from complying, including:

  • state agencies or political subdivisions
  • national securities associations under the Federal Securities Exchange Act or registered futures associations under the Federal Commodity Exchange Act
  • financial institutions or affiliates subject to the Gramm-Leach-Bliley Act
  • nonprofit controllers that process or share personal data solely for the purpose of assisting law enforcement agencies investigating criminal or fraudulent acts relating to insurance, or first responders who are responding to catastrophic events

Unlike the Texas Data Privacy and Security Act (TDPSA) and Nebraska Data Privacy Act (NDPA), there are no exemptions for small businesses under the Maryland privacy law.

Data that is exempt from the law includes:

  • protected healthcare-related information
  • patient-identifying information
  • research data
  • data created for or collected under several federal laws, including, among others:
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Fair Credit Reporting Act (FCRA)
    • Driver’s Privacy Protection Act
    • Family Educational Rights and Privacy Act (FERPA)
    • Farm Credit Act (FCA)
    • Airline Deregulation Act

Consumer rights under the Maryland Online Data Privacy Act

Consumers have several rights under MODPA to protect their personal data and control how it’s used.

  • Right to access: consumers can confirm whether or not the controller is processing their personal data and can access their data, with some exceptions
  • Right to correction: consumers have the right to correct any inaccuracies in their personal data, considering the nature of the personal data and purposes of processing
  • Right to deletion: consumers can request controllers to delete any personal data provided by, or obtained about, them, unless the law requires the personal data to be retained
  • Right to data portability: consumers can obtain a copy of their personal data in a readily usable format, with some exceptions
  • Right to information: consumers can obtain a list of categories of third parties to whom the controller has disclosed their, or any consumer’s, personal data
  • Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale or use for targeted advertising or profiling

MODPA does not give consumers a private right of action to directly sue a controller in the event of a violation of these rights.

Controllers’ obligations under the Maryland Online Data Privacy Act

Controllers have several obligations under the Maryland Online Data Privacy Act to ensure the protection of consumers’ personal data.

Consumer rights requests under MODPA

Controllers must notify consumers about:

  • their rights under the law
  • how they can exercise these rights
  • contact details for the controller
  • how to appeal a decision if a consumer request is rejected

This information is typically included in a privacy notice or policy, which the Maryland privacy law requires controllers to publish.

Controllers must establish one or more secure and reliable methods for consumers to exercise their rights under the law. Consumers should not be required to create a new account to verify identity or to exercise a right, but they can be required to use an existing account to do so.

Controllers have 45 days to respond to consumer requests, with a possible extension of another 45 days if reasonably necessary based on the complexity and number of the consumer’s requests. If the controller needs an extension, it must inform the consumer within the initial 45-day period and provide a reason for the extension. If the controller cannot reasonably verify the consumer’s identity, it can make additional verification requests or decline the consumer’s request. If the controller declines a request, it must notify the consumer of its decision and the reasons for declining within 45 days of receiving the request, and it must inform the consumer of how to appeal the decision. Controllers must respond to appeals within 60 days of receiving an appeal.

If a controller denies an appeal, it must give the consumer an online mechanism to submit a complaint with the Consumer Protection Division of the Attorney General’s office.

Purpose limitation under MODPA

The law requires controllers to disclose the purposes for which they are collecting personal data and places limitations on data processing activities.

Controllers must limit the personal data they collect to only what is “reasonably necessary and proportionate” to provide and maintain a specific product or service that the consumer requests.

Data security under MODPA

Controllers must protect the confidentiality, integrity, and accessibility of consumers’ personal data. The Maryland data privacy law mandates that they establish, implement, and maintain reasonable administrative, technical, and physical security practices that are appropriate to the volume and nature of the personal data being processed. Controllers must also reduce reasonably foreseeable risk of harm to consumers that may arise as a result of data processing activities.

Data protection assessments under MODPA

The Maryland privacy law requires controllers to conduct and document data protection assessments for processing activities that present a “heightened risk of harm” to consumers, such as:

  • for the purposes of targeted advertising
  • for sale
  • for the processing of sensitive data
  • for purposes of profiling, if the profiling results in a reasonably foreseeable risk to consumers of:
    • unfair, abusive, or deceptive treatment
    • having an unlawful disparate impact
    • financial, physical, or reputational injury
    • physical or other intrusion into private affairs
    • other substantial injury

A data protection assessment, also known as a data protection impact assessment, is required only for processing activities that occur on or after the law’s effective date of October 1, 2025.

The Attorney General can request the controller to disclose a data protection assessment during its investigations into any alleged violations.

Data processing agreement (DPA) under MODPA

Controllers and processors must enter into contracts that contain provisions governing data processing procedures. This contract is known as a “data processing agreement” under privacy laws such as the European Union’s General Data Protection Regulation (GDPR) and the Virginia Consumer Data Protection Act (VCDPA).

It must clearly outline, among other requirements:

  • instructions for processing data
  • nature and purpose of processing
  • type of data subject to processing
  • duration of processing
  • rights and obligations of both parties
  • requirements that the processor:
    • is subject to a duty of confidentiality with respect to the personal data
    • must protect the confidentiality of personal data by establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices
    • must stop processing data when requested by the controller
    • must delete or return data after processing is complete
    • must share with the controller all information necessary to demonstrate its compliance with the DPA

Processors must also assist controllers in meeting their duties under the Maryland privacy law, including responding to consumer rights requests, conducting and documenting data protection assessments, and securing personal data processing.

If a processor fails to comply with the controller’s instructions with respect to specific processing of personal data, it is considered to be a controller under MODPA.

Consent requirements under MODPA

Like most other US state-level consumer privacy laws, MODPA follows an opt-out model, meaning that in most cases businesses can collect and process data without prior consumer consent. However, controllers cannot process personal data without consumer consent for a purpose that is neither “reasonably necessary, nor compatible with” the purposes disclosed to consumers. Consumers must have the option to revoke consent after it is given, and the procedure to do so must be as easy as the procedure by which they gave consent.

The Maryland privacy law differs from many other states when it comes to sensitive data. While most other laws allow controllers to collect or use sensitive data after obtaining explicit consent, under Maryland law a controller is prohibited from:

  • collecting, processing, or sharing sensitive data unless the collection or processing is “strictly necessary” to provide or maintain a specific product or service that the consumer requests
  • selling sensitive data, without exception

There is no option for controllers to obtain consent for these processing activities when it comes to sensitive data.

For children’s data, Maryland aligns with the Children’s Online Privacy Protection Act (COPPA), requiring businesses to obtain consent from a parent or guardian before processing data of children under 13 years old.

Controllers also must clearly inform consumers about data processing activities and provide options to opt out of sale of personal data and its use for targeted advertising or profiling.

Consumer health data requirements under MODPA

The Maryland data privacy law places several restrictions on the handling of consumer health data specifically. Consumer health data under the law means “personal data that a controller uses to identify a consumer’s physical or mental health status” and includes data related to gender-affirming care treatment or reproductive or sexual health care.

The MODPA prohibits a person from:

  • providing access to consumer health data to an employee or contractor unless the employee or contractor has a duty of confidentiality under a contract or under the law, or confidentiality is a condition of employment
  • providing access to consumer health data to a processor unless they enter into a DPA as required by the law
  • using a geofence to establish a virtual boundary within 1,750 feet (533.4 meters) of a mental health facility or reproductive or sexual health facility to identify, track, or collect data from or to send notifications to consumers regarding consumer health data

The use of the word “person” means the restrictions on consumer health data are not limited to businesses or controllers but apply to any individual or entity that has access to consumer health data or uses geofencing technology. This is similar to the Washington My Health My Data Act, which regulates consumer health data exclusively and places restrictions on the use of geofencing technology by “any person.”

As consumer health data falls into the category of sensitive data as defined by the law, there is a blanket prohibition on its sale. The collection or processing of consumer health data is also prohibited unless strictly necessary to provide or maintain a specific product or service requested by the consumer.

Nondiscrimination under MODPA

MODPA prevents controllers from discriminating against consumers who exercise their privacy rights. This includes prohibiting them from denying goods or services, charging different prices, or offering lower quality based on consumers’ decisions about their personal data. For example, businesses must still grant access to their website even if consumers opt out of data collection, processing, or sale.

Essential or necessary cookies may be required for some website features to function properly; if those features do not work for a consumer who declines these cookies, that does not count as discrimination under MODPA.

Additionally, controllers must comply with state and federal discrimination laws, ensuring their data processing practices do not violate these laws.

Privacy notice under MODPA

Controllers must publish an accessible, clear, and meaningful privacy notice that informs consumers about:

  • categories of personal data processed, including sensitive data, if any
  • purposes for processing personal data
  • how consumers may exercise their rights, including how they can appeal the controller’s decision regarding a request or how they can revoke consent
  • categories of personal data, including sensitive data, shared with third parties, if any
  • categories of third parties who receive personal data, including the type of, business model of, or processing conducted by each third party, if any
  • an active email address or other online method to contact the controller

The privacy notice or privacy policy must be easily accessible to consumers, typically published on the controller’s website. It’s common to include a link in the website’s footer to make it easy to locate from any page.

Controllers that sell personal data or process it for targeted advertising or profiling must disclose this in the privacy policy and inform consumers about how to exercise their right to opt out of sale or processing.

Universal opt-out signals under MODPA

MODPA, like the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), Colorado Privacy Act, and Texas Data Privacy and Security Act (TDPSA), includes provisions for universal opt-out signals like the Global Privacy Control (GPC). These signals enable consumers to use browser settings or extensions to set their privacy preferences once, and apply these preferences across all websites and online services they access. It should be noted, however, that not all data privacy laws consider browser settings to constitute valid consent where it’s required.

Businesses must honor GPC signals indicating a user’s preference to opt out of data processing activities such as targeted advertising or the sale of personal data. Controllers that recognize opt-out signals approved by other states are considered compliant with Maryland’s universal opt-out signal requirements.
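The following is an added example, not code from the Usercentrics post or from any CMP product, showing how a web backend can recognize a GPC signal and turn it into the opt-out decisions the two paragraphs above describe. It assumes the Global Privacy Control specification's mechanism: a participating browser sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl === true` to page scripts. The purpose names (`sale`, `targeted_advertising`), the `resolveProcessing` helper, and the sample requests are constructed for this illustration.

```javascript
// Added example (not from the original post): honoring a GPC universal opt-out signal.
// Assumption (GPC spec): the opt-out header is "Sec-GPC" with the exact value "1";
// the client-side mirror is navigator.globalPrivacyControl === true.

// Purposes the page says a GPC signal covers under MODPA: sale and targeted advertising.
const OPT_OUT_PURPOSES = Object.freeze(["sale", "targeted_advertising"]);

// True only when the request carries a valid GPC opt-out header.
// Header names are case-insensitive, so normalise before comparing.
// Only "1" is an opt-out; "0", "", "true" or a missing header are not signals.
function gpcSignalPresent(headers) {
  const entry = Object.entries(headers || {})
    .find(([name]) => name.toLowerCase() === "sec-gpc");
  const value = entry ? entry[1] : undefined;
  return typeof value === "string" && value.trim() === "1";
}

// Client-side equivalent for page scripts; takes a navigator-like object so it is testable.
function clientSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the GPC signal with any stored per-purpose preference (e.g. from an existing
// account or consent record). A GPC opt-out always wins over a stored "allow"; a stored
// opt-out is kept even when the current browser sends no signal.
function resolveProcessing(headers, storedPreferences = {}) {
  const gpc = gpcSignalPresent(headers);
  const decisions = {};
  for (const purpose of OPT_OUT_PURPOSES) {
    const stored = Object.prototype.hasOwnProperty.call(storedPreferences, purpose)
      ? Boolean(storedPreferences[purpose])
      : true; // no stored choice: processing allowed under the opt-out model
    decisions[purpose] = gpc ? false : stored;
  }
  // Record how the decision was reached so the controller can demonstrate compliance later.
  const audit = {
    signal: gpc ? "Sec-GPC: 1" : "none",
    decidedAt: new Date().toISOString(),
    decisions: { ...decisions },
  };
  return { gpc, decisions, audit };
}

// Constructed sample requests (not real traffic) covering the common cases.
const SAMPLE_REQUESTS = [
  { label: "gpc-on", headers: { "Sec-GPC": "1", "User-Agent": "demo" }, stored: {} },
  { label: "gpc-off", headers: { "sec-gpc": "0" }, stored: {} },
  { label: "no-signal-stored-optout", headers: {}, stored: { sale: false } },
  { label: "bogus-value", headers: { "Sec-GPC": "true" }, stored: {} },
];

// Runs every sample through the resolver; returns a map of label -> decisions.
function demo() {
  const out = {};
  for (const req of SAMPLE_REQUESTS) {
    out[req.label] = resolveProcessing(req.headers, req.stored).decisions;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In practice the resolver runs before any tag, pixel or data-sharing call is scheduled for the request, and the audit record is what you would keep to show the Attorney General's office that signals were honored; the page notes that recognizing opt-out signals approved by other states also satisfies Maryland's requirement, so the same check can serve several state regimes.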

Enforcement of the Maryland Online Data Privacy Act

Violations of the Maryland data privacy law are considered unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act, and the Consumer Protection Division of the Attorney General’s Office has exclusive enforcement authority under MODPA. Consumers do not have a private right of action, but MODPA specifically states that they are not prohibited from pursuing any other remedy provided by law.

Under many other state-level data privacy laws, the Attorney General must issue a written notice to the implicated party that details the alleged violations. Under the Maryland privacy law, this written notice is discretionary if the Attorney General considers that the violation can be cured. If the Attorney General issues a written notice of violation, then the controller or processor has a 60-day cure period to address and correct the violations. The cure period sunsets on April 1, 2027.

The Attorney General may consider the following to determine whether to issue notice and give the controller or processor the opportunity to cure the violation:

  • number of violations
  • size and complexity of controller or processor
  • nature and extent of controller’s or processor’s processing activities
  • likelihood of injury to the public
  • safety of persons or property
  • whether human or technical error may have caused the alleged violation
  • the extent of the controller’s or processor’s prior violations of MODPA or similar laws

Penalties under MODPA

Violations of MODPA are subject to the penalties provided under the Maryland Consumer Protection Act and can reach up to USD 10,000 per violation. Repeat violations may cost up to USD 25,000 for each subsequent violation. These amounts are quite high compared to other US state-level privacy law penalties.

With the opt-out consent model, consumers have the right to opt out of data collection and processing for sale, targeted advertising, or profiling. Businesses are required to make these options clearly accessible on their websites, typically in the privacy policy or privacy notice. Upon receiving an opt-out request, controllers must immediately stop processing the consumer’s data for those purposes.

Websites commonly use consent banners with clear links or buttons for opting out. Consent management platforms (CMPs) like Usercentrics CMP automate this process by detecting and managing cookies and tracking technologies in use, enabling blocking of them until consent is given. CMPs also offer transparency about the types of data collected, the purposes of collection, and third parties receiving the data.

Without a unified federal privacy law in the US, businesses must potentially comply with various state laws — depending on the scale of their operations and customer base — in addition to international privacy regulations that could impact their business. CMPs can assist companies with achieving compliance with these laws by providing consent banners that meet state law requirements, like MODPA, and international regulations such as the GDPR.

Preparing for the Maryland Online Data Privacy Act

The Maryland privacy law takes effect on October 1, 2025, but enforcement actions will not begin until April 1, 2026. This extended timeline gives businesses operating in Maryland more time to prepare for compliance. While MODPA requirements overlap with other state consumer privacy laws, there are also unique elements that businesses must address, such as the complete ban on the sale of sensitive data and strict regulations around consumer health data. Adopting a privacy by design approach can enhance overall organizational operations, not just regulatory compliance.

Businesses must first determine if they meet the MODPA compliance threshold(s). If so, they will need to take steps to provide users with opt-out options and accessible privacy notices. A consent management platform (CMP) like Usercentrics CMP can help manage cookies on websites and apps.

As MODPA comes into force and as it evolves with technological advances and changes in consumer expectations, it’s essential to consult with qualified legal professionals or data privacy experts, such as a Data Protection Officer, to ensure ongoing compliance.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.