Maryland Online Data Protection Act: First Look & Summary

The Maryland governor signed a comprehensive data privacy law on May 9, 2024, called the Maryland Online Data Protection Act (MODPA).

It features a broad legal threshold, strict data processing requirements, and unique provisions regarding data minimization and the collection and processing of sensitive personal information.

In this guide, I’ll walk you through each part of this law, its requirements, how it impacts business and consumers, and more.

Table of Contents

What Is the Maryland Online Data Protection Act (MODPA)?
MODPA Key Terms and Definitions
What Does the Maryland Online Data Protection Act Cover?
Requirements of the Maryland Online Data Protection Act
Maryland’s Data Privacy Law vs. Other States: Similarities and Differences
How Will Consumers Be Impacted by the MODPA?
Who Does the MODPA Apply To?
How Will Businesses Be Impacted by the MODPA?
Who Must Comply With Maryland’s New Data Privacy Law?
How Can Businesses Prepare for the MODPA?
How Will the MODPA Be Enforced?
Fines and Penalties Under the Maryland Online Data Protection Act
How Will Termly Help with MODPA Compliance?
Are There Other Privacy Related Laws in Maryland?
Summary

What Is the Maryland Online Data Protection Act (MODPA)?

The Maryland Online Data Protection Act, or MODPA, is the state’s first consumer data privacy law to regulate how controllers and processors handle personal data and gives Maryland residents various rights and controls over that information.

Maryland is the 16th state in the US to pass a comprehensive data privacy law.

It also outlines the penalties for violating the law, giving enforcement authority to the Maryland Attorney General.

MODPA Effective Date

The Maryland Online Data Protection Act is scheduled to take effect on October 1, 2025.

MODPA Key Terms and Definitions

To help you understand the details of Maryland’s new privacy law, I’ve compiled some of the key terms and provided the definitions as they appear in the text of the law below:

Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose. It includes (I) a written statement; (II) a written statement by electronic means; or (III) any other unambiguous affirmative action.
- It does not include (I) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information; (II) hovering over, muting, pausing, or closing a piece of content; or (III) agreement obtained through the use of dark patterns.
Consumer: An individual who is a resident of the state.
- It does not include (I) an individual acting in a commercial or employment context; or (II) an individual acting as an employee, an owner, a director, an officer, or a contractor of a company, a partnership, a sole proprietorship, a nonprofit organization, or a governmental unit whose communications or transactions with a controller occur only within the context of the individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.
Control: (1) Ownership of or the power to vote more than 50% of the outstanding shares of any class of voting security of a business; (2) any manner of control over the election of a majority of the directors of a business, or individuals exercising similar functions; or (3) the power to exercise a controlling influence over the management of a business.
Controller: A person that, alone or jointly with others, determines the purpose and means of processing personal data.
Personal data: Any information that is linked or can be reasonably linked to an identified or identifiable consumer.
- It does not include (I) de-identified data; or (II) publicly available information.
Process: An operation or set of operations performed by manual or automated means on personal data. It includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.
Processor: A person that processes personal data on behalf of a controller.
Sensitive data: Personal data that includes:
- (1) Data revealing (I) racial or ethnic origin; (II) religious beliefs; (III) consumer health data; (IV) sex life; (V) sexual orientation; (VI) status as transgender or nonbinary; (VII) national origin; or (VIII) citizenship or immigration status.
- (2) Genetic data or biometric data.
- (3) Personal data of a consumer that the controller knows or has reason to know if a child; or
- (4) Perceive geolocation data.

What Does the Maryland Online Data Protection Act Cover?

The MODPA covers the personal information of residents of Maryland.

However, it also exempts several categories of data, some of which include:

Protected health information under the Health Insurance Portability Accountability Act (HIPAA)
Patient-identifying information
Personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
Emergency contact information when used for an emergency

Requirements of the Maryland Online Data Protection Act

In the following section, I summarize some of the main requirements outlined by Maryland’s new data privacy law.

Lawful Basis for Processing Data

Under the MODPA, controllers must limit data collection to what is reasonably necessary and proportionate to provide or maintain products or services as requested by the consumer.

The phrasing used in this part of the law differs from other state-level privacy laws, as it depends on the good or service and not only the purpose of data processing.

Controller Limitations on Data Processing

The MODPA limits controllers from processing certain types of personal data.

For example, unless collecting or processing data is strictly necessary to provide or maintain a specific product or service as requested by a consumer, controllers cannot:

Sell sensitive data
Process data of a consumer under the age of 18 for targeted advertising
Sell personal data of a consumer under the age of 18
Discriminate against a consumer for exercising their rights
Process data for purposes that are not reasonably necessary or are incompatible with the disclosed purposes for which personal data is processed (unless consent is obtained)

Contractual Obligations Between Controllers and Processors

Data controllers that use a data processor must enter into a contract that outlines the instructions for the data processing, the nature and purpose of the processing, the types of data processes and for how long, and the rights and obligations of both parties.

The contract must also outline these requirements for the processor:

Subject all involved parties to a duty of confidentiality regarding the data.
Establish, implement, and maintain security practices to protect the confidentiality, integrity, and accessibility of the personal data.
Require the processor to stop processing the data at the controller’s request following a consumer request.
At the controller’s direction, the processor must delete or return all data unless a law requires retention.
Upon the controller’s request, require the processor to make all data available in their possession to demonstrate compliance with the MODPA.
After allowing the controller to object, engage a subcontractor to assist with processing the personal data following a contract meeting these guidelines.
Require the processor to cooperate with assessments by the controller or an independent assessor to assess the processor’s policies and technical measures.
On request, the processor must provide the controller with an assessment report as MODPA requires.

Data Protection Assessments

According to the MODPA, controllers must conduct and document data protection assessments for each processing activity that presents a heightened risk of harm to consumers, including:

Processing data for targeted advertising
Selling personal data
Processing sensitive data
Processing data for profiling

The assessment must weigh the benefits that may flow from the processing against the potential risks to consumers’ rights and the necessity and proportionality of the processing.

It must also factor in the following:

The use of de-identified data
The reasonable expectations of consumers
The context of the processing
The relationship between the controller and the consumer whose data is processed

Maryland’s law allows a controller to use a single data protection assessment to comply with another law if it’s reasonably similar in scope to the MODPA.

Data Security Requirements

The MODPA requires data controllers to establish, implement, and maintain reasonable administrative, technical, and physical security measures to protect the collected personal data.

The measures must consider the volume and nature of the data being collected and stored and protect its confidentiality, integrity, and accessibility.

Verifiable Consumer Requests

Under the MODPA, businesses must establish in their privacy policy one or more ways for consumers to submit verifiable requests to act on their privacy rights, taking into consideration:

The ways consumers normally interact with the controller
The need for secure and reliable communication
The ability of the controller to verify the consumer’s identity

The law lists the following methods as a way to satisfy this legal requirement:

Providing a conspicuous, clearly labeled link on the website
On or before October 1, 2025, allow consumers to use a universal opt-out mechanism to follow through on their rights

Universal Opt-Out Mechanisms

The MODPA requires businesses to honor user requests to opt out of data processing through universal opt-out mechanisms (UOOM), like Global Privacy Control (GPC), by October 1, 2025.

Specifically, the law authorizes consumers to use an internet link, browser setting, browser extension, or other similar global device setting or technology to indicate their opt-out intent.

Maryland’s Data Privacy Law vs. Other States: Similarities and Differences

Several other U.S. states have data privacy laws in place besides Maryland, including:

California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
Colorado Privacy Act (CPA) — currently in force
Connecticut Data Privacy Act (CTDPA) — currently in force
Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
New Hampshire Data Privacy Law (NHDPL) — effective Jan. 1, 2025
New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
Tennessee Information Protection Act (TIPA) — effective July 1, 2025
Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
Utah Consumer Privacy Act (UCPA) — currently in force
Virginia Consumer Data Protection Act (VCDPA) — currently in force

You can compare the MODPA to these other privacy laws in the table below.

State Law	Opt-in consent for certain types of data processing	Opt-out consent for certain types of data processing	Must present users with a privacy policy (or notice)	Requires Data Protection Assessments	Outlines Contractual Obligation with Third-Party Processors	Allows for civil lawsuits or private right of action	Must honor Global Privacy Controls/browser privacy settings
MODPA	✓	✓	✓	✓	✓		✓
CCPA/CPRA	✓	✓	✓	✓	✓	✓	✓
CPA		✓	✓	✓	✓		✓
CTDPA		✓	✓	✓	✓		✓
DPDPA	✓	✓	✓	✓	✓		✓
FDBR		✓	✓	✓	✓
Indiana CDPA		✓	✓	✓	✓
Iowa CDPA		✓	✓		✓
KCDPA	✓	✓	✓	✓	✓
MCDPA		✓	✓	✓	✓		✓
NHDPL	✓	✓	✓	✓	✓		✓
NJDPA	✓	✓	✓	✓	✓		✓
OCPA		✓	✓	✓	✓		✓
TIPA	✓	✓	✓	✓	✓
TDPSA		✓	✓	✓	✓		✓
UCPA		✓	✓		✓
VCDPA		✓	✓	✓	✓

How Will Consumers Be Impacted by the MODPA?

The MODPA impacts consumers by giving them the following rights over their personal data:

Confirm if a controller is processing their data
Access the data
Correct inaccuracies in the data
Require a controller to delete the data
Obtain a portable copy of their personal data
Obtain a list of the third parties their data is disclosed to
Opt out of data processing for targeted advertising
Opt out of the sale of their data
Opt out of profiling

Who Does the MODPA Apply To?

The MODPA applies to residents of the state of Maryland; however, it does not apply to people in Maryland acting in an employment or commercial context.

How Will Businesses Be Impacted by the MODPA?

Beyond the MODPA requirements previously covered in this guide, the law also impacts businesses’ privacy and cookie policies.

How Will the MODPA Affect My Privacy Policy?

The MODPA requires businesses to present consumers with a privacy policy that includes:

The categories of personal data processed, including sensitive data.
The purpose of the processing.
How a consumer can act on their privacy rights and appeal a controller’s decision based on their request or revoke consent.
The categories of the third parties that data gets shared with, with a level of detail the consumer can understand, including the type of, the business model of, or processing conducted by each third party.
The categories of personal data, including sensitive data, shared with third parties.
An active email address or other online mechanisms that contact the controller.

Businesses that sell personal data to third parties, process data for targeted advertising, or partake in profiling must disclose this in their privacy policy and explain how consumers can exercise their rights to opt out of such processing.

It must also establish one or more secure, reasonable methods for individuals to submit verifiable consumer requests to follow through on their privacy rights.

How Will the MODPA Affect My Cookie Policy?

The MODPA affects cookie policies because of the notification requirements outlined by the law and the opt-out rights granted to consumers.

Businesses covered by this law must ensure their cookie policy is up-to-date, accurate, and linked in the privacy policy so consumers are adequately informed about all cookies that may get placed on their browsers.

You must also provide a way for Maryland consumers to opt out of cookies if they collect data you sell, sensitive data, or are used for targeted advertising.

Who Must Comply With Maryland’s New Data Privacy Law?

Businesses must comply with the MODPA if they conduct business in the state or provide products and services that are targeted to residents of the state and meet either of the following thresholds in a calendar year:

Controls or processes the personal data of at least 35,000 consumers (excluding payment transactions) or
Controls or processes the personal data of at least 100,000 consumers and derives more than 20% of gross annual revenue from the sale of the data.

Unlike several other U.S. state laws, the MODPA has no monetary threshold.

Who Is Exempt From the MODPA?

The following entities are exempt from the requirements of Maryland’s new data privacy law:

Political subdivisions of the state
National securities associations registered under the Federal Securities Exchange Act of 1934 (SEA)
Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
Nonprofit controllers that process data solely to assist law enforcement agencies in investigating criminal or fraudulent acts relating to insurance or first responders responding to catastrophic events

How Can Businesses Prepare for the MODPA?

To prepare for the MODPA, businesses should plan to update their privacy and cookie policies to ensure they meet all notification requirements described by the law.

Websites should also have at least one or more secure, reliable methods for consumers to submit requests to follow through on their privacy rights, like posting a Data Subject Access Request (DSAR) form.

Businesses that process data presenting a heightened risk to consumers must perform data protection assessments.

Data controllers who work with processors must also implement and sign contracts that outline all requirements described in the law.

How Will the MODPA Be Enforced?

The Maryland Attorney General has the authority to enforce the MODPA and retains the discretion to provide entities with a 60-day cure period.

The cure period sunsets after April 1, 2027.

Violating the MODPA will be considered an unfair, abusive, or deceptive trade practice.

Fines and Penalties Under the Maryland Online Data Protection Act

Fines for violating the MODPA could reach as high as $10,000 per incident.

However, consumers do not have a private right of action.

How Will Termly Help with MODPA Compliance?

To help simplify compliance with the MODPA, Termly’s Privacy Policy Generator will include all clauses required by the law before it enters into effect in 2025.

Our generator asks you simple questions about your business and makes a comprehensive, unique policy based on your answers.

Termly also offers a Consent Management Platform (CMP) that can be configured to meet the opt-out requirements described in the MODPA.

It comes with a free DSAR form, so your users can securely submit verified requests to exercise their rights.

While the MODPA is the first law of its kind in the state, Maryland has a few other privacy-related laws in place, including:

Section 14–350 of the Maryland Code (the Personal Information Protection Act): Describes the data breach notification laws in the state, imposing obligations on businesses that collect personal information and experience a breach.
Medical Records Statute of the Maryland Code: Requires all medical information to remain confidential and gives individuals a right to private action.

Summary

If your business is subject to following the Maryland Online Data Protection Act, you can prepare for compliance by:

Updating your privacy and cookie policies to meet all notification requirements.
Present your users with one or more secure ways to submit requests to follow through on their rights.
Perform data protection assessments if processing activities present a heightened consumer risk.
Use compliant contracts with any data processors you work with.

Use Termly’s privacy policy generator and CMP to simplify your compliance process.

More about the author

Written by Anokhy Desai CIPP/US, CIPT, CIPM

Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh. More about the author

CAN-SPAM Act: CAN-SPAM Laws and Compliance Guide

Do Not Track Disclosures

Can I Copy Terms and Conditions?

6-Step OCPA Compliance Requirements Checklist

6 Step TDPSA Compliance Requirements Checklist

Nebraska Data Privacy Act: First Look & Summary

6-Step UCPA Compliance Requirements Checklist

6-Step FDBR Compliance Requirements Checklist

Which Laws Does Termly Cover?