The Maryland Online Data Privacy Act (SB 541) is one of the latest additions to the US privacy law catalog. The law has stricter requirements and an expanded scope that deserve extra caution, even from businesses that already comply with other state privacy laws.

Official text: SB 541

Effective date: October 1, 2025

What is the Maryland Online Data Privacy Act (MODPA)?

The Maryland legislature passed its privacy bill in April, and the governor approved it in May, ushering in a new phase of digital privacy for Maryland residents. Like other state privacy laws, MODPA grants consumers the rights of access, correction, deletion, portability, and opt-out.

It also emphasizes privacy-by-design principles such as data minimization and purpose limitation. Businesses must recognize global opt-out signals from consumers.

How does MODPA compare with other laws? 

Although the Maryland privacy law shares similarities with most US state privacy laws, it also contains unique provisions, such as the prohibition of geofencing around certain health facilities and restrictions on the disclosure of consumer health data.

The law also has stricter data minimization requirements, especially regarding the processing of sensitive data. Furthermore, businesses must not process the personal data of consumers under 18 years of age for targeted advertising or sell it.

MODPA prohibits the sale of sensitive data regardless of consent from consumers.

What is the scope and extent of MODPA?

The scope of the Maryland privacy law is not based on a revenue threshold but on the number of consumers whose data a business handles. Let us explore who it covers and what it covers.

The Maryland privacy law applies to persons that conduct business in Maryland or target their products or services at Maryland residents and that, in the preceding year, met either of the following criteria:

  • Controlled or processed the personal data of at least 35,000 consumers, excluding personal data handled solely to complete a payment transaction.
  • Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of gross revenue from the sale of personal data.

Under the Maryland Online Data Privacy Act, a consumer is a resident of Maryland and excludes persons acting in certain capacities.

Who does MODPA not apply to?

The Maryland privacy law provides certain statutory exemptions that resemble those of other US privacy laws.

Here is an outline of the exempted entities:

  • State entities or instrumentalities, such as regulatory, administrative, and judicial authorities, boards, bureaus, etc.
  • Registered national securities associations
  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Non-profit bodies that process or share personal data to assist enforcement agencies in investigating insurance-related offenses, or first responders in responding to catastrophic events.

This means that there is no blanket exemption for non-profit organizations.

Beyond entity-level exemptions, the Maryland privacy law also exempts certain categories of data, such as information covered by HIPAA, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, etc.

Additionally, the law excludes patient-identifying information, information used to protect human subjects, information collected or maintained in the context of job applications, emergency contact information, etc.

What is personal data under MODPA?

The Maryland privacy law defines personal data as “any information that can be linked or reasonably linked to an identified or identifiable consumer.” This means that information such as a postal address, email address, cookie ID, etc. is personal data.

That said, there are also exemptions to the definition of personal data. Publicly available information and de-identified data do not fall into this category. 

Publicly available information includes any information that

  • the government has lawfully released to the public
  • the controller reasonably believes a consumer or mass media has lawfully made available to the public
  • has been obtained from a person to whom the consumer disclosed the information without restricting it to a specific audience.

What is sensitive personal data under MODPA? 

Even though Maryland’s privacy law intends to protect personal data in general, it offers heightened protection to sensitive data. Therefore, understanding what falls under this category is crucial for MODPA compliance.

Sensitive data includes the following:

  1. Personal data revealing:
    • Racial or ethnic origin
    • Religious beliefs
    • Consumer health data
    • Sex life
    • Sexual orientation
    • Status as transgender or non-binary
    • National origin
    • Citizenship or immigration status
  2. Genetic or biometric data
  3. Personal data of a known child (under 13 years of age)
  4. Precise geolocation data (within 1,750 ft)

Compared to other privacy laws, the Maryland Online Data Privacy Act takes a stricter approach toward sensitive data processing. Businesses must refrain from collecting, processing, or sharing sensitive data unless it is necessary. The relevant provision appears in the following excerpt from the MODPA legal text.

[Excerpt: sensitive data processing under the MODPA legal text]

We will revisit this topic later in the article.

What are the privacy notice requirements under MODPA?

Following the established data privacy principles, transparency is a significant obligation of businesses under the Maryland privacy law.

Businesses must provide a meaningful and accessible privacy notice containing the following information:

  • Categories of personal data processed, including sensitive data
  • Purpose of processing
  • How to exercise consumer rights, including the process for appeal
  • Categories of third parties with whom the personal data is shared, along with a description of their business model or the processing they conduct
  • The categories of personal data, including sensitive data shared with third parties
  • An active email address or other online mechanisms to contact the business
  • Whether the personal data will be used for targeted advertising, profiling, or sale and the method to opt-out.


What are the obligations of businesses under MODPA?

Building on the above, the Maryland privacy law imposes stricter requirements on businesses that may require changes to their current data processing practices.

Data minimization requirements

Businesses must limit the collection of personal data to what is necessary and proportionate to provide a specific product or service requested by the consumer.

Furthermore, businesses must not collect, process, or transfer personal data or publicly available information in a way that would result in unlawful discrimination, unless it is for a justifiable purpose, such as preventing discrimination.

Purpose limitation

MODPA requires that businesses not process personal data for any purpose other than the one disclosed to consumers unless they obtain the consumer’s consent.

Consent requirements and revocation of consent

As noted above, businesses need consent to process personal data for any purpose other than the disclosed one. That is not all; the specifics of consent under MODPA are as follows.

Consent must be an affirmative act signifying freely given, specific, informed, and unambiguous agreement to processing personal data for a specific purpose. 

In addition, businesses must obtain parental consent in accordance with COPPA to process the data of a known child (under 13 years of age).

Acceptance of general terms of use, rather than a specific acceptance, does not constitute consent. Businesses must not use dark patterns to obtain consent from consumers.

Turning to revocation, businesses must provide consumers with a convenient mechanism to revoke consent. Once a consumer revokes consent, the business must stop further processing of that personal data within 30 days of the revocation.


Sensitive data processing

MODPA’s approach to sensitive data processing is stricter than that of other US privacy laws or the GDPR. Under those laws, consent is a basis for processing sensitive data; Maryland’s legislature departs from this. Businesses cannot collect, process, or share sensitive data except to fulfill a consumer’s request or to provide a specific product or service requested by the consumer, regardless of consent.

The sale of sensitive data is prohibited outright.

Consumer health data requirements

The Maryland privacy law prohibits a person from giving employees or contractors access to consumer health data unless they are bound by a duty of confidentiality.

Geofence restriction

The Maryland Online Data Privacy Act also prohibits establishing a virtual geographic fence within 1,750 ft of a mental health, sexual health, or reproductive health facility for the purpose of identifying or tracking consumers, collecting consumer health data, or sending health-related notifications to consumers.

Consumers under 18 years

The law does not permit businesses to use the personal data of consumers under 18 for targeted advertising or the sale of personal data.

Unlawful discrimination

Do not discriminate against consumers for exercising their rights. This includes denying goods or services, increasing prices, reducing quality, etc. The law also requires adherence to state or federal laws prohibiting unlawful discrimination.

Data security practices

Implement security measures at physical, administrative, and technical levels to safeguard the confidentiality and integrity of personal data maintained by businesses. These measures must be proportionate to the nature and volume of the stored data.

Opt-out mechanisms and recognition of global opt-out signals

Businesses must provide mechanisms for consumers to opt out of the sale of personal data, targeted advertising, and profiling. The law prescribes a clear and conspicuous opt-out link for this purpose. 

Businesses must recognize global opt-out signals by October 25, 2025.
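The following is an added example, not code from the article or from any vendor: a small decision function that honors a global opt-out signal and applies the opt-out and flat prohibitions described above. It assumes the signal is the Global Privacy Control (GPC) header, `Sec-GPC: 1`, and that the consumer's age, any explicit opt-out, and whether the data is sensitive come from the controller's own records (the `consumer` fields are hypothetical).

```javascript
// Added example (not from the article). Assumption: the "global opt-out signal"
// is Global Privacy Control, sent by the browser as the "Sec-GPC: 1" header.
// The `consumer` record fields (age, optedOut, dataIsSensitive) are this
// example's own and would come from the controller's records.

// Parse the GPC header. Only the exact value "1" is a valid opt-out; an absent
// header or any other value ("0", "true") is treated as no signal.
function hasGlobalOptOut(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return value !== undefined && String(value).trim() === "1";
}

// Decide which regulated uses of this consumer's personal data are permitted
// under the MODPA rules described in the article: GPC or an explicit opt-out
// blocks sale, targeted advertising and profiling; under-18 data may never be
// sold or used for targeted advertising; sensitive data may never be sold.
function evaluateProcessing(headers, consumer) {
  const signal = hasGlobalOptOut(headers);
  const optedOut = signal || consumer.optedOut === true; // either channel counts
  const minor = Number.isInteger(consumer.age) && consumer.age < 18;

  return {
    sale: !consumer.dataIsSensitive && !minor && !optedOut,
    targetedAdvertising: !minor && !optedOut,
    profiling: !optedOut,
    // Keep the reasons so the decision can be audited later.
    reasons: [
      signal ? "gpc-signal" : null,
      consumer.optedOut ? "explicit-opt-out" : null,
      minor ? "under-18" : null,
      consumer.dataIsSensitive ? "sensitive-data" : null,
    ].filter(Boolean),
  };
}

// Constructed sample request: a browser sending GPC for an adult consumer.
const sampleHeaders = { "sec-gpc": "1", "user-agent": "constructed-sample" };
const sampleConsumer = { age: 34, optedOut: false, dataIsSensitive: false };
console.log(evaluateProcessing(sampleHeaders, sampleConsumer));
```

Note that the header check should run on every request, since a consumer may enable the signal at any time and the opt-out must take effect from that point on.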

Consumer request mechanisms and prompt response

Provide one or more consumer request mechanisms, taking into account factors such as the usual means of communication with consumers, security, reliability, and the ability to verify the request. The controller must also establish a process for consumers to appeal its decision on a request.

According to the Maryland privacy law, businesses must respond to consumer requests within 45 days of receipt. Where necessary, and after informing the consumer, this period can be extended by another 45 days. The prescribed response period for an appeal is 60 days.

Fulfill consumer requests free of charge once per year. If a request is excessive or technically infeasible, businesses may deny it or charge a fee.

Contractual relationship

Have a contractual relationship with processors and third parties who have access to consumers’ personal data. The contract must create a duty of confidentiality between the parties.

In the contract, establish data processing instructions such as the nature of processing, rights and duties of parties, duration of the processing, etc.

Data protection impact assessments

Conduct regular impact assessments for the processing of data with a heightened risk of harm, such as sensitive data or personal data used for profiling or targeted advertising. These impact assessments should determine the benefits and risks of such processing activities.

What are the consumer rights under MODPA?  

MODPA aligns with other privacy laws and regulations regarding consumer rights. The following are the rights of consumers under the law:

Right to confirm and access: The law allows consumers to verify whether businesses are using their personal data and to access it if the data is being processed.

Right to correct: Consumers can correct any inaccuracies in their personal data handled by businesses.

Right to delete: Consumers also have the right to require businesses to delete their personal data, which must be fulfilled if its retention is not required by law.

Right to portability: If personal data is processed by automated means, consumers have the right to obtain a copy of their personal data in a portable, readable, and technically feasible manner.

Right to obtain: If the controller does not otherwise make available, in a specific format, the categories of third parties with whom the personal data is shared, consumers can exercise their right to obtain that list.

Right to opt-out: The law guarantees consumers the right to opt out of targeted advertising, profiling, and the sale of personal data.

What are the enforcement actions and penalties under MODPA?

The Consumer Protection Division of the Maryland Attorney General’s office is the enforcement agency for MODPA. Violations of the law are treated as unfair, abusive, or deceptive trade practices under the Consumer Protection Act. Before initiating an action, the division may grant a business a 60-day cure period, depending on factors such as the number of violations, their complexity, the likelihood of injury to the public, etc.

The division may impose penalties of up to $10,000 for a single violation and up to $25,000 for each subsequent violation. The law does not mention a private right of action, though it does not prevent consumers from pursuing any other remedy available under the law.

A quick checklist for Maryland MODPA compliance

  • Limit the collection of personal data to what is required to provide the specific product or service requested by the consumer.
  • Do not collect, process, or share sensitive data unless it is necessary to provide a specific product or service requested by the consumer.
  • Do not sell sensitive data.
  • Do not use the personal data for any purpose other than the disclosed one without the consumer’s consent.
  • Provide a clear and accessible privacy notice.
  • Have a contractual relationship with processors and third parties.
  • Do not share consumer health data without a duty of confidentiality.
  • Adhere to the restriction on geofencing.
  • Do not sell the personal data of consumers under 18 or use it for targeted advertising.
  • Establish convenient consumer request mechanisms and respond promptly.
  • Recognize global opt-out signals.
  • Conduct data protection impact assessments.
  • Adhere to COPPA regulations for the processing of children’s personal data (under 13 years of age).
  • Do not discriminate against the consumers.

FAQ on Maryland MODPA

Does Maryland have a data privacy law?

Maryland’s comprehensive privacy law, the Maryland Online Data Privacy Act, comes into effect on October 1, 2025. The law takes a stringent approach to data privacy principles such as data minimization and purpose limitation. Once the law is in effect, businesses will not be able to collect personal data, including sensitive data, beyond what is necessary, even with the consumer’s consent.

Does Maryland have a right to privacy law?

The Maryland Online Data Privacy Act gives residents control over their personal data by granting them privacy rights. Consumers can confirm, access, correct, delete, port, and obtain their personal data, and opt out of certain processing.

Can I sell sensitive data under Maryland privacy law?

No, the Maryland Online Data Privacy Act prohibits the sale of sensitive data. Furthermore, businesses cannot collect personal data for any purpose other than providing the product or service that the consumer requests.