Maryland Online Data Privacy Act
The Maryland Online Data Privacy Act is among the strictest U.S. privacy laws, requiring data collection to be strictly necessary, banning sales of sensitive data, and prohibiting targeted ads and data sales involving minors under 18. It is enforced by the Maryland Attorney General.
Maryland Online Data Privacy Act
The Maryland Online Data Privacy Act (MODPA), enacted as Senate Bill 541 and House Bill 567, is Maryland's comprehensive consumer privacy statute. It took effect on October 1, 2025. MODPA is among the strictest U.S. state privacy laws, with aggressive data minimization rules and sweeping protections for sensitive data and minors that go well beyond the common state model.
Who It Applies To
MODPA applies to persons that conduct business in Maryland or provide products or services targeted to Maryland residents and that, during the prior year, controlled or processed the personal data of either 35,000 or more consumers (excluding data used only for payment), or 10,000 or more consumers while deriving more than 20 percent of gross revenue from the sale of personal data. The thresholds are low, broadening coverage. HIPAA and Gramm-Leach-Bliley data are exempt.
Key Requirements
MODPA's defining feature is strict data minimization: controllers may only collect personal data that is reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer. Critically, collection or processing of sensitive data is prohibited unless strictly necessary to provide the requested product or service. The sale of sensitive data is banned outright. Controllers may not sell the data of, or use targeted advertising directed at, consumers known to be under 18. Consumers retain rights to access, correct, delete, port, and opt out. Universal opt-out signals must be honored and data protection assessments are required.
Penalties for Non-Compliance
The Maryland Attorney General enforces the law through the Consumer Protection Division; there is no private right of action. Violations are unfair or deceptive trade practices, carrying penalties of up to 10,000 dollars per violation and up to 25,000 dollars for repeat violations. A cure period was available until April 1, 2027.
How to Comply
Reassess data collection against the strict necessity standard, not just notice and consent. Eliminate sales of sensitive data and any targeted advertising or data sales involving minors under 18. Publish an accurate privacy notice, honor consumer requests and universal opt-out signals, and maintain documented data protection assessments.
Relationship to Other Laws
Maryland represents a meaningful shift from the notice-and-consent model toward strict, GDPR-style data minimization. Because collection of sensitive data is limited to what is strictly necessary and the sale of sensitive data is banned outright, organizations cannot rely on consent to justify broad sensitive-data practices as they can in most other states. The prohibition on targeted advertising and data sales involving anyone under 18 is among the strongest minor protections in the country. Maryland should be treated as a high-water mark when designing data collection and advertising practices.
Operational Mechanics
Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.