The Maryland Online Data Privacy Act took effect on October 1 2025, though it does not apply to processing activities that occurred before April 1 2026. MODPA introduces stricter requirements than most other state privacy laws, with higher penalties for repeated violations.
How MODPA Enforcement Works
The Maryland Attorney General has exclusive enforcement authority under MODPA. Consumers cannot bring private lawsuits for violations.
A limited cure period exists until April 1 2027. After that date, the Attorney General can pursue enforcement immediately.
Penalties include:
- Up to $10,000 per violation
- Up to $25,000 per repeated violation
The higher penalty tier for repeated violations is notable and not found in most other state privacy laws.
Enforcement Status
As of January 2026, the Maryland Attorney General has not publicly announced enforcement actions under MODPA. The law only began applying to processing activities on April 1 2026, providing limited time for violations to accumulate.
Formal enforcement is expected to begin after the April 2027 cure period expires.
What Makes MODPA Enforcement Different
MODPA’s stricter substantive requirements create more potential violation categories than other state laws:
Data minimization violations. MODPA’s “reasonably necessary and proportionate” standard is stricter than the general minimization principles in other states. Collection of data beyond what is needed for the requested service is itself a violation.
Sensitive data prohibition. Most states allow sensitive data processing with consent. MODPA prohibits selling sensitive data entirely and only permits processing when “strictly necessary.” Any sale of health, biometric, or children’s data violates the law.
Minor protections. MODPA bans targeted advertising using minor data if the controller “knew or should have known” the individual was under 18. This is a lower bar than the “willful disregard” standard elsewhere.
Repeated violation penalties. The $25,000 per-violation penalty for repeated violations creates escalating consequences for ongoing non-compliance.
Expected Focus Areas
Based on MODPA’s unique provisions:
Advertising data practices. The sensitive data sale prohibition and minor advertising restrictions will likely attract attention, particularly for businesses that have not adjusted from other states’ consent-based approaches.
Over-collection. The strict data minimization standard means businesses collecting data beyond immediate service needs may face enforcement, even if such practices comply with other state laws.
Nonprofit compliance. MODPA covers most nonprofits, which may be less prepared for privacy compliance than for-profit businesses.
What This Means for Your Organization
MODPA may require compliance changes beyond what other state laws demand. Businesses should:
- Audit data collection against the “reasonably necessary and proportionate” standard
- Stop any sales of sensitive data categories
- Review targeted advertising practices involving minors
- Implement stricter controls on sensitive data processing
Compliance with other state privacy laws may not be sufficient for Maryland. The stricter standards require specific attention.
