Are You Ready for October 1? Maryland’s Data Privacy Law Sets New Standards For Compliance

The Maryland Online Data Privacy Act (MODPA) is just around the corner, and businesses should consider preparing to address novel compliance obligations that also rank among the most stringent to date. 

MODPA takes effect on October 1, 2025 and introduces requirements that break from the approach taken by many other state comprehensive consumer privacy laws. Key features of MODPA include the following:

• Broad Applicability - MODPA sets a lower threshold for compliance than many other statutes, applying to persons who control or process the data of only 35,000 or more Maryland consumers annually, excluding processing solely for payment transactions (or 10,000 consumers if the person derives over 20 percent of gross revenue from data sales). MODPA also applies to most nonprofits, unlike many other state privacy laws.
• Data Minimization Restrictions Based on Product/Service, not Disclosure - MODPA requires that the collection of personal data be reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains. This departs from the approach taken in many other states, which typically limit collection based on the processing purposes disclosed to consumers.
• Strict Limitations on Collecting, Processing, and Sharing Sensitive Data Regardless of Consent - Any collection, processing, or sharing of sensitive data must be strictly necessary to provide or maintain the specific product or service requested by the consumer to whom the data pertains. This is different from the opt-in approach used by many states for processing sensitive data.   
• Ban on Selling Sensitive Data - MODPA also imposes an outright ban on the sale of sensitive data with no opt-in consent alternative.
• Ban on Sale of Minor Data and Targeted ads for Minors - MODPA goes further than other states by prohibiting businesses from selling personal data or engaging in targeted advertising if they know or should have known the consumer is under 18 and by eliminating the opt-in exception.
• Expanded Protections for Consumer Health Data - MODPA adopts a broad definition of “consumer health data” and imposes strict safeguards for processing consumer health data. Specifically, MODPA prohibits (1) giving employees or contractors access to such data unless they are bound by a confidentiality agreement; (2) granting processors access to consumer health data unless the controller–processor relationship complies with MODPA; (3) using geofencing technology within 1,750 feet of a health-care facility to identify, track, collect data from, or send notifications to consumers about their consumer health data; and (4) selling or offering to sell consumer health data without the individual’s consent.

Alleged violations occurring up to April 1, 2027, may be met with a notice of violation and a cure period of at least 60 days, provided the attorney general determines that a cure is achievable after weighing factors such as frequency and potential harm. Following that date, the attorney general may bypass the cure period and proceed straight to enforcement.

See our previous post for more details on MODPA. By considering taking steps now—such as streamlining data-collection, revising privacy notices, putting DPAs in place, and operationalizing opt-out processes—organizations can position themselves for smooth compliance going forward.