Maryland enacted its Online Data Privacy Act in May 2024, with the law taking effect on October 1, 2025. Often described as a “new paradigm” for US privacy law, MODPA introduces stricter data minimization requirements and prohibits the sale of sensitive data outright.
What Is MODPA?
The Maryland Online Data Privacy Act (MODPA) grants Maryland residents rights over their personal data and establishes obligations for businesses that collect and process that data. The law is notably stricter than most other state privacy laws, with requirements that go beyond the typical opt-in/opt-out framework.
Enforcement is handled by the Maryland Attorney General. There is no private right of action.
Does It Apply to Your Business?
MODPA applies to organizations that meet at least one of two thresholds:
Threshold 1: Process the personal data of at least 35,000 Maryland consumers annually. Personal data processed solely for payment transactions is excluded.
Threshold 2: Derive 20% or more of gross revenue from selling the personal data of at least 10,000 Maryland consumers.
These thresholds are lower than those in most state privacy laws. California, Virginia, and Colorado use a 100,000-consumer threshold. Only Delaware, New Hampshire, and Rhode Island have similarly low thresholds.
Nonprofits
Unlike most state privacy laws, MODPA covers nonprofit organizations, with only narrow exceptions for first responders and organizations supporting law enforcement fraud investigations.
Key Consumer Rights
Maryland residents have the following rights:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for decisions with legal or significant effects
What Makes MODPA Different
MODPA introduces requirements not found in other state privacy laws:
Strict data minimization. Controllers may only collect personal data that is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” Collection for other purposes is prohibited, not merely discouraged.
Sensitive data prohibition. Unlike other states that use consent frameworks, MODPA prohibits the sale of sensitive data outright. Processing sensitive data is only permitted when “strictly necessary” for the requested service.
Enhanced minor protections. MODPA bans selling the personal data of individuals under 18, or using it for targeted advertising, if the controller “knew or should have known” the person was a minor. This is stricter than the “willful disregard” standard in most other states.
Sensitive Data
MODPA’s sensitive data categories include:
- Health data
- Biometric data
- Sexual orientation
- Children’s data
- Precise geolocation data
The “strictly necessary” standard for processing sensitive data is more restrictive than the consent-based approaches used elsewhere.
Business Obligations
Covered entities must:
- Limit data collection to what is reasonably necessary and proportionate for the requested service
- Implement reasonable data security measures
- Provide clear privacy notices
- Conduct data protection assessments for high-risk processing
Enforcement and Penalties
The Maryland Attorney General has exclusive enforcement authority.
A limited cure period exists until April 1, 2027. Penalties include:
- Up to $10,000 per violation
- Up to $25,000 per repeated violation
Key Dates
- May 9, 2024: MODPA signed into law
- October 1, 2025: MODPA took effect
- April 1, 2026: Law begins applying to processing activities
- April 1, 2027: Cure period expires
Where to Find Official Resources
- Full legal text: Maryland Commercial Law Article, Title 14, Subtitle 46
- Maryland Attorney General: marylandattorneygeneral.gov
Getting Started
MODPA’s stricter requirements may require businesses to adjust practices that comply with other state laws. Review your data collection against the “reasonably necessary and proportionate” standard. Audit any processing of sensitive data to ensure it meets the “strictly necessary” threshold.
The prohibition on selling sensitive data and the enhanced minor protections may require changes to advertising and data sharing practices.
