Maryland Online Data Privacy Act: What Businesses Must Do
A practical guide to the Maryland Online Data Privacy Act (MODPA) for businesses: who it covers, strict data minimization rules, consumer rights, compliance requirements, and how it compares to other state privacy laws.
Last updated: 2026-02-07
Your marketing agency collects browsing behavior, purchase history, and demographic profiles on tens of thousands of Maryland residents. Under most state privacy laws, you would just need to let consumers opt out. Under Maryland's law, you may not be allowed to collect much of that data in the first place. The Maryland Online Data Privacy Act (MODPA), signed into law in May 2024 with an effective date of October 1, 2025, is one of the strictest state privacy laws in the country. Its aggressive data minimization requirements go further than almost any other state, limiting not just how businesses use data, but whether they can collect it at all.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Maryland Online Data Privacy Act (S.B. 541, Chapter 349, 2024 Maryland Laws), as of the date of publication.
Does MODPA Apply to Your Business?
MODPA applies to entities that conduct business in Maryland or provide products or services targeted to Maryland residents and meet one of two processing thresholds:
- Process the personal data of at least 35,000 Maryland consumers during a calendar year (excluding data processed solely to complete a payment transaction), OR
- Process the personal data of at least 10,000 Maryland consumers AND derive more than 20% of gross revenue from the sale of personal data.
There is no revenue threshold. A startup making $200,000 a year could fall under MODPA if it processes data on 35,000 Maryland consumers through its website or app. This is a lower volume threshold than many states -- California's CCPA/CPRA requires 100,000 consumers, and Connecticut's CTDPA currently requires 100,000 (dropping to 35,000 in July 2026).
Practical example: A SaaS app that serves customers nationwide and tracks user behavior with analytics tools could easily hit the 35,000-consumer mark if it has a meaningful user base in Maryland. A small e-commerce store with 5,000 Maryland customers would likely fall below the threshold and be exempt.
Who is exempt? MODPA exempts state and local government entities, nonprofits, higher education institutions, and certain regulated entities and data types, including data governed by HIPAA, GLBA, FCRA, FERPA, and the Driver's Privacy Protection Act. It also exempts insurance companies and financial institutions already regulated under Maryland insurance law.
The law applies to controllers (businesses that determine the purpose and means of processing) and imposes obligations on processors (third-party vendors) through contractual requirements.
Important timing note: MODPA's general provisions take effect on October 1, 2025, but the provisions related to processing obligations -- including data minimization, purpose limitation, and processing restrictions -- do not take effect until April 1, 2026. Businesses have a staggered compliance timeline.
What Rights Do Maryland Consumers Have?
MODPA grants Maryland residents a set of privacy rights broadly consistent with other state laws, but with a few notable distinctions tied to the law's data minimization philosophy.
Right to Access. Consumers can confirm whether a business is processing their personal data and obtain a copy of that data.
Right to Correction. Consumers can request correction of inaccurate personal data.
Right to Deletion. Consumers can request deletion of their personal data. The scope of this right is broad, covering data provided by the consumer and data obtained from other sources.
Right to Data Portability. Consumers can obtain their data in a portable, readily usable format to transmit to another controller.
Right to Opt Out of Sale. Consumers can opt out of the sale of their personal data. MODPA defines "sale" as the exchange of personal data for monetary consideration.
Right to Opt Out of Targeted Advertising. Consumers can opt out of the processing of personal data for purposes of targeted advertising.
Right to Opt Out of Profiling. Consumers can opt out of profiling in furtherance of automated decisions that produce legal or similarly significant effects.
Businesses must respond to consumer requests within 45 days, with one possible extension of 15 days if reasonably necessary (with notice to the consumer). This is a shorter extension window than most other states, which typically allow a 45-day extension.
| Right | Granted? | Notes |
|---|---|---|
| Access | ✅ | Confirm processing and obtain a copy of data |
| Correction | ✅ | Fix inaccurate personal data |
| Deletion | ✅ | Delete personal data from all sources |
| Portability | ✅ | Obtain data in a portable format |
| Opt-out of sale | ✅ | Stop the sale of personal data |
| Opt-out of targeted ads | ✅ | Stop processing for targeted advertising |
| Opt-out of profiling | ✅ | Stop profiling with legal/significant effects |
| Non-discrimination | ✅ | Cannot penalize consumers for exercising rights |
What Your Business Must Do
MODPA's obligations go beyond the standard "respond to requests and update your privacy policy" requirements. The data minimization provisions, in particular, require a fundamentally different approach to data collection.
Data minimization is mandatory. This is where MODPA diverges from most other state privacy laws. Starting April 1, 2026, businesses may only collect personal data that is reasonably necessary and proportionate to provide the product or service the consumer requested. You cannot collect data "just in case" or for secondary purposes without a clear, disclosed justification. If a customer signs up for a newsletter, you can collect their email address -- but collecting their date of birth, location, and browsing history alongside it may violate the law unless you can demonstrate those are reasonably necessary.
Purpose limitation is strict. You must not process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the data was collected. This is a meaningful constraint that prohibits the common practice of collecting data for one purpose and repurposing it for another.
Restrictions on sensitive data. MODPA prohibits the sale of sensitive data entirely. Sensitive data includes racial or ethnic origin, religious beliefs, health information, sexual orientation, gender identity, and data about children under 18. Unlike some states that allow the processing of sensitive data with consumer consent, MODPA bans the sale of sensitive data outright -- no consent can override this prohibition.
Publish a clear privacy notice. Your privacy notice must disclose the categories of personal data processed, the purposes of processing, how consumers can exercise their rights, the categories of data shared with third parties, and the third-party categories. It must also provide contact information and describe your appeal process.
Respond to consumer requests. Build a documented intake and response process. You have 45 days, extendable by 15 days with notice. If you deny a request, you must explain why and provide an appeal mechanism.
Implement an appeal process. If you deny a consumer request, the consumer can appeal. You must respond to appeals within 45 days. If you deny the appeal, you must inform the consumer about their right to file a complaint with the Maryland Attorney General.
Conduct data protection assessments. MODPA requires assessments for processing that presents a heightened risk of harm, including targeted advertising, the sale of personal data, processing of sensitive data, and profiling.
Establish processor contracts. Written contracts with data processors must specify processing instructions, data confidentiality, deletion/return obligations, and audit rights.
How Is MODPA Enforced?
MODPA is enforced exclusively by the Maryland Attorney General (Division of Consumer Protection). There is no private right of action.
Violations are treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act (CPA). The maximum penalty is $10,000 per violation, and the Attorney General can seek $25,000 per violation for pattern or practice violations. The AG can also pursue injunctive relief and recover costs of investigation and litigation.
Cure period: MODPA provides an 18-month cure period from the effective date. Until April 1, 2027, the Attorney General must provide a business with written notice of a violation and allow 60 days to cure the issue before bringing an enforcement action. After April 1, 2027, the cure period expires, and the AG has full discretion to bring enforcement actions without offering a cure opportunity.
Maryland's Attorney General has historically been active on consumer protection matters. While no MODPA-specific enforcement actions have been reported yet (the processing obligations do not take effect until April 2026), businesses should expect the AG's office to treat privacy enforcement seriously, particularly around the data minimization and sensitive data provisions that distinguish MODPA from other state laws.
How MODPA Compares to Other State Laws
MODPA stands out for its strict data minimization approach, its ban on the sale of sensitive data, and its shorter request extension window. Here is how it stacks up.
| Feature | Maryland (MODPA) | California (CCPA/CPRA) | Delaware (DPDPA) | Connecticut (CTDPA) |
|---|---|---|---|---|
| Effective date | Oct 1, 2025 (processing: Apr 1, 2026) | Jan 1, 2020 / Jan 1, 2023 | Jan 1, 2025 | Jul 1, 2023 |
| Consumer threshold | 35K (or 10K + 20% revenue from data sales) | 100K consumers/households | 35K (or 10K + 20% revenue from data sales) | 100K (dropping to 35K in Jul 2026) |
| Revenue threshold | None | $25 million | None | None |
| Data minimization | Strict — collection limited to reasonably necessary | Required but less prescriptive | Required | Required |
| Sensitive data sale | Prohibited entirely | Allowed with opt-out | Consent required | Consent required |
| Max penalty per violation | $10,000 ($25K pattern/practice) | $2,500 ($7,500 intentional) | $10,000 | $5,000 |
| Cure period | 60 days (until Apr 1, 2027) | None | 60 days (until Jan 1, 2026) | Expired Dec 31, 2024 |
| Response extension | 15 days | 45 days | 45 days | 45 days |
| Private right of action | No | Limited (data breaches only) | No | No |
Compared to Delaware's DPDPA, MODPA shares similar thresholds but is stricter on data minimization and outright bans the sale of sensitive data. Compared to Connecticut's CTDPA, MODPA has a shorter extension window for consumer requests (15 vs. 45 days) and takes a harder line on data collection limits. If you already comply with California's CCPA/CPRA, you still need to review your data collection practices -- MODPA's data minimization requirements may require you to stop collecting data that California allows.
Action Checklist for Small Businesses
If MODPA applies to your business, here is your priority list:
- Audit your data collection practices against the data minimization standard. For each category of personal data you collect, ask: is this reasonably necessary to provide the specific product or service the consumer requested? If not, stop collecting it.
- Stop selling sensitive data. If you sell data relating to health, race, religion, sexual orientation, or children, you must stop. There is no consent override for this prohibition.
- Update your privacy notice. Ensure it discloses all required information, including categories of data, purposes, third parties, consumer rights, and appeal instructions.
- Set up a DSAR response process. Create a documented intake, verification, and response procedure. Remember the 45-day deadline with only a 15-day extension -- tighter than most states.
- Review purpose limitation compliance. Ensure you are not repurposing data collected for one purpose to serve another undisclosed purpose.
- Establish processor contracts. Review and update agreements with all third-party vendors that process personal data on your behalf.
- Conduct data protection assessments. Evaluate your targeted advertising, profiling, sensitive data processing, and data sales activities.
- Train your team. Ensure staff handling consumer inquiries understand MODPA's specific requirements, particularly the data minimization obligations and the ban on sensitive data sales.
Key Dates
- October 1, 2025: MODPA general provisions take effect.
- April 1, 2026: Processing obligations (data minimization, purpose limitation) take effect.
- April 1, 2027: 60-day cure period expires. AG gains full enforcement discretion.
References
- Maryland Online Data Privacy Act: S.B. 541, Chapter 349, 2024 Maryland Laws (full text available on the Maryland General Assembly website).
- Maryland Consumer Protection Act: Md. Code Ann., Com. Law §§ 13-101 et seq.
- Maryland Attorney General, Consumer Protection Division (official Attorney General website).
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.