Maryland Online Data Protection Act: First Look & Summary

By: Anokhy Desai CIPP/US, CIPT, CIPM | Updated on: June 7, 2024


The Maryland governor signed a comprehensive data privacy law on May 9, 2024, called the Maryland Online Data Protection Act (MODPA).

It features a broad legal threshold, strict data processing requirements, and unique provisions regarding data minimization and the collection and processing of sensitive personal information.

In this guide, I’ll walk you through each part of this law, its requirements, how it impacts business and consumers, and more.

Table of Contents
  1. What Is the Maryland Online Data Protection Act (MODPA)?
  2. MODPA Key Terms and Definitions
  3. What Does the Maryland Online Data Protection Act Cover?
  4. Requirements of the Maryland Online Data Protection Act
  5. Maryland’s Data Privacy Law vs. Other States: Similarities and Differences
  6. How Will Consumers Be Impacted by the MODPA?
  7. Who Does the MODPA Apply To?
  8. How Will Businesses Be Impacted by the MODPA?
  9. Who Must Comply With Maryland’s New Data Privacy Law?
  10. How Can Businesses Prepare for the MODPA?
  11. How Will the MODPA Be Enforced?
  12. Fines and Penalties Under the Maryland Online Data Protection Act
  13. How Will Termly Help with MODPA Compliance?
  14. Are There Other Privacy Related Laws in Maryland?
  15. Summary

What Is the Maryland Online Data Protection Act (MODPA)?

The Maryland Online Data Protection Act, or MODPA, is the state’s first consumer data privacy law to regulate how controllers and processors handle personal data and gives Maryland residents various rights and controls over that information.

Maryland is the 16th state in the US to pass a comprehensive data privacy law.

It also outlines the penalties for violating the law, giving enforcement authority to the Maryland Attorney General.

MODPA Effective Date

The Maryland Online Data Protection Act is scheduled to take effect on October 1, 2025.

MODPA Key Terms and Definitions

To help you understand the details of Maryland’s new privacy law, I’ve compiled some of the key terms and provided the definitions as they appear in the text of the law below:

What Does the Maryland Online Data Protection Act Cover?

The MODPA covers the personal information of residents of Maryland.

However, it also exempts several categories of data, some of which include:

  • Protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
  • Patient-identifying information
  • Personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
  • Emergency contact information when used for an emergency

Requirements of the Maryland Online Data Protection Act

In the following section, I summarize some of the main requirements outlined by Maryland’s new data privacy law.

Lawful Basis for Processing Data

Under the MODPA, controllers must limit data collection to what is reasonably necessary and proportionate to provide or maintain products or services as requested by the consumer.

The phrasing used in this part of the law differs from other state-level privacy laws, as it depends on the good or service and not only the purpose of data processing.

Controller Limitations on Data Processing

The MODPA limits controllers from processing certain types of personal data.

For example, unless collecting or processing data is strictly necessary to provide or maintain a specific product or service as requested by a consumer, controllers cannot:

  • Sell sensitive data
  • Process data of a consumer under the age of 18 for targeted advertising
  • Sell personal data of a consumer under the age of 18
  • Discriminate against a consumer for exercising their rights
  • Process data for purposes that are not reasonably necessary or are incompatible with the disclosed purposes for which personal data is processed (unless consent is obtained)

Contractual Obligations Between Controllers and Processors

Data controllers that use a data processor must enter into a contract that sets out the instructions for the data processing, the nature and purpose of the processing, the types of data processed and the duration of the processing, and the rights and obligations of both parties.

The contract must also require the processor to:

  • Ensure that every person involved in the processing is subject to a duty of confidentiality regarding the data.
  • Establish, implement, and maintain security practices that protect the confidentiality, integrity, and accessibility of the personal data.
  • Stop processing the data at the controller’s request following a consumer request.
  • Delete or return all personal data at the controller’s direction, unless a law requires retention.
  • Make available to the controller, on request, all information in its possession needed to demonstrate compliance with the MODPA.
  • Engage a subcontractor only after giving the controller an opportunity to object, and only under a written contract that meets these same requirements.
  • Cooperate with assessments by the controller or an independent assessor of the processor’s policies and technical measures.
  • Provide the controller, on request, with an assessment report as the MODPA requires.

Data Protection Assessments

According to the MODPA, controllers must conduct and document data protection assessments for each processing activity that presents a heightened risk of harm to consumers, including:

  • Processing data for targeted advertising
  • Selling personal data
  • Processing sensitive data
  • Processing data for profiling

The assessment must weigh the benefits that may flow from the processing against the potential risks to consumers’ rights and the necessity and proportionality of the processing.

It must also factor in the following:

  • The use of de-identified data
  • The reasonable expectations of consumers
  • The context of the processing
  • The relationship between the controller and the consumer whose data is processed

Maryland’s law allows a controller to use a single data protection assessment to comply with another law if it’s reasonably similar in scope to the MODPA.

Data Security Requirements

The MODPA requires data controllers to establish, implement, and maintain reasonable administrative, technical, and physical security measures to protect the collected personal data.

The measures must consider the volume and nature of the data being collected and stored and protect its confidentiality, integrity, and accessibility.

Verifiable Consumer Requests

Under the MODPA, businesses must establish in their privacy policy one or more ways for consumers to submit verifiable requests to act on their privacy rights, taking into consideration:

  • The ways consumers normally interact with the controller
  • The need for secure and reliable communication
  • The ability of the controller to verify the consumer’s identity

The law lists the following methods as a way to satisfy this legal requirement:

  • Providing a conspicuous, clearly labeled link on the website
  • On or before October 1, 2025, allow consumers to use a universal opt-out mechanism to follow through on their rights

Universal Opt-Out Mechanisms

The MODPA requires businesses to honor user requests to opt out of data processing through universal opt-out mechanisms (UOOM), like Global Privacy Control (GPC), by October 1, 2025.

Specifically, the law authorizes consumers to use an internet link, browser setting, browser extension, or other similar global device setting or technology to indicate their opt-out intent.
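As an added illustration (not code from the article or from Termly) of what honoring a universal opt-out mechanism looks like server-side: the Global Privacy Control specification has the browser send the request header `Sec-GPC: 1` (and expose `navigator.globalPrivacyControl`), so a site can treat that header as an opt-out for the three MODPA opt-out purposes and combine it with any preference the consumer recorded on the site. The purpose names, the stored-preference format and the "take the more restrictive of the two" rule are assumptions made for this example; how a GPC signal interacts with a consent the consumer gives later is a policy question the article does not address.

```javascript
// Added example: resolve MODPA opt-out decisions from a request's headers
// and a site-stored preference record. Not from the article or from Termly.

// The three processing purposes the MODPA lets a consumer opt out of.
const OPT_OUT_PURPOSES = ["targeted_advertising", "sale", "profiling"];

// GPC is signalled only by the exact header value "1" (per the GPC spec);
// header names are matched case-insensitively because Node lowercases them.
function gpcSignalPresent(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && entry[1] === "1";
}

// storedPrefs maps purpose -> "opt_out" | "opt_in" (assumed format).
// Assumed policy: a GPC signal opts the consumer out of all three purposes;
// a stored opt-out is honored even without the header; the more
// restrictive of the two always wins.
function resolveOptOuts(headers, storedPrefs = {}) {
  const gpc = gpcSignalPresent(headers);
  const decisions = {};
  for (const purpose of OPT_OUT_PURPOSES) {
    decisions[purpose] = gpc || storedPrefs[purpose] === "opt_out";
  }
  return decisions;
}

// Build a record of the decision so the controller can later demonstrate
// that the signal was honored (the assessment/compliance evidence the law
// asks controllers to be able to produce). `now` is injectable for testing.
function optOutAuditRecord(headers, storedPrefs = {}, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    gpcSignal: gpcSignalPresent(headers),
    storedPrefs: { ...storedPrefs },
    decisions: resolveOptOuts(headers, storedPrefs),
  };
}

// Constructed sample request headers for illustration.
const sampleHeaders = { "sec-gpc": "1", "user-agent": "constructed-example" };
console.log(optOutAuditRecord(sampleHeaders, { profiling: "opt_in" }));
```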

Maryland’s Data Privacy Law vs. Other States: Similarities and Differences

Several other U.S. states have data privacy laws in place besides Maryland, including:

  • California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
  • Colorado Privacy Act (CPA) — currently in force
  • Connecticut Data Privacy Act (CTDPA) — currently in force
  • Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
  • Florida Digital Bill of Rights (FDBR) — currently in force
  • Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
  • Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
  • Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
  • Minnesota Consumer Data Privacy Act (MCDPA) — effective Jul. 31, 2025
  • Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
  • New Hampshire Data Privacy Law (NHDPL) — effective Jan. 1, 2025
  • New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
  • Oregon Consumer Privacy Act (OCPA) — currently in force
  • Tennessee Information Protection Act (TIPA) — effective July 1, 2025
  • Texas Data Privacy and Security Act (TDPSA) — currently in force
  • Utah Consumer Privacy Act (UCPA) — currently in force
  • Virginia Consumer Data Protection Act (VCDPA) — currently in force

You can compare the MODPA to these other privacy laws in the table below.

[Comparison table. Columns: State Law; Opt-in consent for certain types of data processing; Opt-out consent for certain types of data processing; Must present users with a privacy policy (or notice); Requires Data Protection Assessments; Outlines Contractual Obligation with Third-Party Processors; Allows for civil lawsuits or private right of action; Must honor Global Privacy Controls/browser privacy settings. Rows: MODPA, CCPA/CPRA, CPA, CTDPA, DPDPA, FDBR, Indiana CDPA, Iowa CDPA, KCDPA, MN CDPA, MT CDPA, NHDPL, NJDPA, OCPA, TIPA, TDPSA, UCPA, VCDPA. Cell values are not reproduced here.]

How Will Consumers Be Impacted by the MODPA?

The MODPA impacts consumers by giving them the following rights over their personal data:

  • Confirm if a controller is processing their data
  • Access the data
  • Correct inaccuracies in the data
  • Require a controller to delete the data
  • Obtain a portable copy of their personal data
  • Obtain a list of the third parties their data is disclosed to
  • Opt out of data processing for targeted advertising
  • Opt out of the sale of their data
  • Opt out of profiling

Who Does the MODPA Apply To?

The MODPA applies to residents of the state of Maryland; however, it does not apply to people in Maryland acting in an employment or commercial context.

How Will Businesses Be Impacted by the MODPA?

Beyond the MODPA requirements previously covered in this guide, the law also impacts businesses’ privacy and cookie policies.

How Will the MODPA Affect My Privacy Policy?

The MODPA requires businesses to present consumers with a privacy policy that includes:

  • The categories of personal data processed, including sensitive data.
  • The purpose of the processing.
  • How a consumer can act on their privacy rights and appeal a controller’s decision based on their request or revoke consent.
  • The categories of third parties the data is shared with, described at a level of detail the consumer can understand, including the type of third party, its business model, or the processing it conducts.
  • The categories of personal data, including sensitive data, shared with third parties.
  • An active email address or other online mechanism the consumer can use to contact the controller.

Businesses that sell personal data to third parties, process data for targeted advertising, or partake in profiling must disclose this in their privacy policy and explain how consumers can exercise their rights to opt out of such processing.

Businesses must also establish one or more secure, reasonable methods for individuals to submit verifiable consumer requests to act on their privacy rights.

How Will the MODPA Affect My Cookie Policy?

The MODPA affects cookie policies because of the notification requirements outlined by the law and the opt-out rights granted to consumers.

Businesses covered by this law must ensure their cookie policy is up-to-date, accurate, and linked in the privacy policy so consumers are adequately informed about all cookies that may get placed on their browsers.

You must also provide a way for Maryland consumers to opt out of cookies that collect data you sell, that collect sensitive data, or that are used for targeted advertising.

Who Must Comply With Maryland’s New Data Privacy Law?

Businesses must comply with the MODPA if they conduct business in the state or provide products and services targeted to residents of the state and, in a calendar year, meet either of the following thresholds:

  • Control or process the personal data of at least 35,000 consumers (excluding personal data processed solely to complete a payment transaction), or
  • Control or process the personal data of at least 100,000 consumers and derive more than 20% of gross annual revenue from the sale of the data.

Unlike several other U.S. state laws, the MODPA has no monetary threshold.

Who Is Exempt From the MODPA?

The following entities are exempt from the requirements of Maryland’s new data privacy law:

  • Political subdivisions of the state
  • National securities associations registered under the Federal Securities Exchange Act of 1934 (SEA)
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Nonprofit controllers that process data solely to assist law enforcement agencies in investigating criminal or fraudulent acts relating to insurance or first responders responding to catastrophic events

How Can Businesses Prepare for the MODPA?

To prepare for the MODPA, businesses should plan to update their privacy and cookie policies to ensure they meet all notification requirements described by the law.

Websites should also have at least one or more secure, reliable methods for consumers to submit requests to follow through on their privacy rights, like posting a Data Subject Access Request (DSAR) form.

Businesses that process data presenting a heightened risk to consumers must perform data protection assessments.

Data controllers who work with processors must also implement and sign contracts that outline all requirements described in the law.

How Will the MODPA Be Enforced?

The Maryland Attorney General has the authority to enforce the MODPA and retains the discretion to provide entities with a 60-day cure period.

The cure period sunsets after April 1, 2027.

Violating the MODPA will be considered an unfair, abusive, or deceptive trade practice.

Fines and Penalties Under the Maryland Online Data Protection Act

Fines for violating the MODPA could reach as high as $10,000 per incident.

However, consumers do not have a private right of action.

How Will Termly Help with MODPA Compliance?

To help simplify compliance with the MODPA, Termly’s Privacy Policy Generator will include all clauses required by the law before it enters into effect in 2025.

Our generator asks you simple questions about your business and makes a comprehensive, unique policy based on your answers.

Termly also offers a Consent Management Platform (CMP) that can be configured to meet the opt-out requirements described in the MODPA.

It comes with a free DSAR form, so your users can securely submit verified requests to exercise their rights.

Are There Other Privacy Related Laws in Maryland?

While the MODPA is the first law of its kind in the state, Maryland has a few other privacy-related laws in place, including:

  • Section 14–350 of the Maryland Code (the Personal Information Protection Act): Describes the data breach notification laws in the state, imposing obligations on businesses that collect personal information and experience a breach.
  • Medical Records Statute of the Maryland Code: Requires all medical information to remain confidential and gives individuals a right to private action.

Summary

If your business is subject to the Maryland Online Data Protection Act, you can prepare for compliance by:

  • Updating your privacy and cookie policies to meet all notification requirements.
  • Presenting your users with one or more secure ways to submit requests to act on their rights.
  • Performing data protection assessments if your processing activities present a heightened consumer risk.
  • Using compliant contracts with any data processors you work with.

Use Termly’s privacy policy generator and CMP to simplify your compliance process.


Written by Anokhy Desai CIPP/US, CIPT, CIPM

Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her master’s at Carnegie Mellon University and juris doctor at the University of Pittsburgh.
