Maryland Online Data Privacy Act – Why & How To Comply?

Summary
Failing to comply could result in substantial fines and legal consequences that can significantly harm your brand. Act now to understand MODPA requirements and protect your business from penalties.
Have you heard about the Maryland Online Data Privacy Act (MODPA)?
It is a new law passed in Maryland that gives people more control over their personal data and sets clear rules for how businesses can collect, use, and share that information. If you run a company that operates in Maryland or serves Maryland residents, this law might apply to you.
In this guide, we’ll explain what MODPA is all about, who needs to follow it, what rights it gives to consumers, and what happens if a business doesn’t comply.
We’ll also share practical tips and solutions to help businesses stay on the right side of the law.
Read on for a clear and easy explanation of what the Maryland Consumer Data Protection Act is and how it may impact you or your business.
What is the Maryland Online Data Privacy Act (MODPA)?
Maryland became the 17th U.S. state to pass comprehensive privacy legislation with the enactment of the Maryland Online Data Privacy Act (MODPA).
The Maryland Legislature approved the MODPA on April 6, 2024, and the governor signed it into law on May 9, 2024. The law focuses on how organizations collect, use, and share users’ personal data.
Organizations subject to MODPA will be required to update their state compliance programs in accordance with the legislation, which takes effect on October 1, 2025.
Although the law takes effect on October 1, 2025, the Maryland Consumer Data Protection Act will not apply to any personal data processing activities before April 1, 2026.
MODPA also completely bans the sale of sensitive personal data, with no exceptions. This makes it stand out from other state privacy laws in the U.S., which usually allow some exceptions.
This law outlines the regulations governing business operations in Maryland, including the types of data that can be collected and the penalties for violating these rules. Businesses that break them can be fined up to $10,000 per violation and $25,000 for repeat violations.
MODPA is similar to other state laws like the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act (CPA), but it includes unique features such as stricter data minimization rules that set it apart.
Once the law takes effect, businesses must be more careful with the data they collect. They need to tell people what data they’re collecting and why they’re collecting it, and get explicit permission when required.
The law gives Maryland residents essential rights. They can ask to see what data a company has about them, ask for changes, or ask the company to delete it. This empowers consumers and gives them control over their data.
Who Must Comply With the Maryland Consumer Data Protection Act?
Your business needs to comply with the Maryland Consumer Data Protection Act if you operate in Maryland or offer products or services targeted to Maryland residents.
You need to comply if your business:
- Processes the personal data of at least 35,000 Maryland consumers (excluding data processed solely for payment transactions), or
- Processes the data of at least 10,000 consumers while deriving over 20% of its gross revenue from the sale of personal data.
MODPA does not cover the following types of information because they are already protected under other laws:
- Health information protected by HIPAA.
- Information used for public health purposes under HIPAA or related laws.
- Patient-identifying information under federal drug and alcohol treatment laws.
- Personal data used in research involving human subjects.
- Data used to improve patient safety.
- Credit information covered by the Fair Credit Reporting Act.
- Data protected by laws like the Driver’s Privacy Act, FERPA (education records), the Farm Credit Act, the Airline Deregulation Act, and Insurance regulations.
- Information used for emergency contacts, employee benefits, or by job applicants and employees of a company.
What are the Consumer Rights Under the MODPA Law?
MODPA grants consumers a range of individual rights, similar to those provided under other U.S. state data privacy laws. These rights include:

- Right to Know: Consumers can confirm whether a company is processing their personal data.
- Right to Access: Consumers have the right to obtain a copy of their personal data.
- Rectification: Consumers who find inaccuracies in their personal data can ask to have them corrected, for instance a typo in the spelling of their name or a change to their address.
- Right to Deletion: Consumers have the right to ask a controller to erase any personal data a controller holds about them.
- Data Portability: If processing is carried out by automated means, consumers can obtain their data in a commonly used format.
- Third-Party Disclosure: Consumers can request a list of categories of third parties to whom their data has been disclosed.
- Right to Opt-Out: Consumers can opt out of processing for targeted advertising, sale of personal data, or profiling involving automated decisions that significantly affect them.
But as a business owner, how can you make sure consumers can exercise their rights and that you’re fully compliant with the Maryland Data Privacy requirements? Let’s explore this in detail.
How Businesses Can Comply With Maryland Law Regulations
To comply with the Maryland Online Data Privacy Act, you must meet the following requirements:
- Create a Privacy Policy that aligns with MODPA.
- Update your cookie policy so that Maryland residents are well-informed and know how to exercise their right to opt out of any cookies used for personalized ads.
- Carry out a Data Protection Assessment and document the outcomes.
- Ensure data minimization, which means collecting only the data that is necessary for the stated purpose.
- Avoid excessive data collection and duplication.
Businesses should also offer at least two ways for consumers to exercise their privacy rights, such as:
- A data subject access request (DSAR) form, so that users can submit a request for access to, or control over, the personal data a business holds about them.
- A cookie consent banner that lets users choose whether their personal data is collected through cookies, especially for tracking or personalized advertising.
- An active email address where users can request access to, or deletion of, their personal data.
It’s also essential to prepare the site for Universal Opt-Out Mechanisms (UOOM) such as Global Privacy Control (GPC), and to let users exercise their rights through a verifiable opt-out option.
With the WPLP Compliance Platform, you can create the necessary legal pages for your website. Further, you can display a cookie banner to everyone visiting your website so they can make a decision whether to accept or reject the cookies.
Let’s take a close look at the requirements and how to achieve them.
1. Privacy Policy that aligns with MODPA
Businesses that collect personal data are required to include the following in their privacy policy under Maryland law regulations:
- The types of personal data being collected.
- The purpose for collecting this data.
- Any third parties with whom the data is shared.
- How consumers can opt out of the collection and processing of their personal data for specific purposes.
To help you create legal pages for your website, you can use the WPLP Compliance Platform privacy policy generator.

It offers 35+ legal templates, such as Privacy Policies, Disclaimers, Terms and Conditions, and more, that are designed to comply with such laws and can be generated within a few minutes.
The wizard asks you a few easy questions about your website and creates the page from your answers.

You can place the legal pages wherever you want by using the page ID.

2. User Consent using Cookie banner
Under the Maryland Online Data Protection Act (MODPA), businesses must obtain explicit consent from consumers before processing or selling sensitive personal information.
In addition to consent for sensitive data, you should also notify users about cookies and tracking on your website. MODPA encourages transparency in all forms of data collection.
You can add a cookie consent banner using the Cookie Consent Management feature in the WPLP Compliance Platform, which:

- Displays a geo-targeted banner to Maryland users
- Blocks cookies until consent is given
- Stores consent logs for audit purposes
This dual-layered consent mechanism ensures you’re fully compliant with MODPA’s strict requirements for both sensitive data and general tracking technologies.
The Consent Management Platform is a Google-certified WordPress plugin that helps organizations stay compliant with international privacy laws, including GDPR, CCPA, LGPD, Quebec Law 25, and others.
The tool ensures that websites collect and manage user consent in a legal and transparent manner. As data privacy legislation requires websites to notify users about their data-processing activities, this tool is a necessity for ethical data handling.
More importantly, the platform follows the opt-out measures outlined in the MODPA legislation.

3. Data Protection Assessments (DPAs)
Under MODPA, businesses are required to perform Data Protection Assessments (DPAs) for specific activities that pose a risk of harm to consumers.
Unlike other U.S. state consumer privacy laws that use non-exhaustive lists, Maryland Online Data Protection Act compliance takes a more definitive approach by specifying exactly which activities require a DPA. These include:
- The sale of personal data.
- The processing of sensitive data.
- The use of personal data for targeted advertising.
- The use of profiling, but only when it presents reasonably foreseeable risks as defined in the Act.
Maryland Data Privacy Law further reinforces the data minimization principle, requiring controllers to evaluate the necessity and proportionality of the data processing in relation to its intended purpose.
Additionally, the Act mandates that businesses perform and document DPAs on a regular basis for each algorithm used in processing activities that carry a heightened risk to consumers. This ensures ongoing accountability and transparency in how automated decision-making tools affect individuals.
4. Data minimization and purpose limitation
While many state privacy laws require businesses to limit personal data collection to what is necessary, relevant, and reasonably needed for disclosed purposes, Maryland sets a higher standard.
Under MODPA, organizations must limit the collection and processing of personal data to only what is reasonably necessary to provide or maintain a specific product or service explicitly requested by the consumer.
For sensitive personal information, the requirement is even stricter. Businesses may only collect or process such data when it is strictly necessary to provide or maintain the requested product or service.
This strong emphasis on data minimization enhances consumer protection and promotes responsible data handling.
Maryland Law Penalties and Fines for Non-Compliance

A violation of MODPA regulations is treated as an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA).
Businesses may have a 60-day window to fix the issue before the state takes action, but this is not guaranteed.
The Attorney General’s Office will decide if a fix is possible, based on factors like the number of violations, the size and complexity of the business, and the risk to the public. This 60-day cure period will end on April 1, 2027.
The Maryland Attorney General’s Consumer Protection Division enforces the MCPA, which allows fines of up to $10,000 per violation and $25,000 for repeat violations.
These penalties are higher than in many other states, where similar laws set fines around $7,500 per violation. Although MODPA takes effect on October 1, 2025, penalties will not apply to data processing activities that happen before April 1, 2026.
FAQ
The Maryland Data Privacy Act (MODPA) is Maryland’s comprehensive data privacy law that comes into effect on October 1, 2025. It gives residents control over their data and creates legal obligations for businesses that collect and process personal data.
MODPA regulations cover businesses that operate in Maryland and process personal data belonging to:
- 35,000 or more consumers per year (excluding data about payment only), or
- 10,000 or more consumers, while receiving 20% or more of gross revenue from selling consumers’ personal data.
Businesses can be subject to a civil penalty of up to $10,000 for a violation and $25,000 for repeat violations, and legal action can be taken against them by the attorney general of Maryland.
To comply with the Maryland Online Data Privacy Act, businesses should have a cookie consent banner and a revised privacy policy on their website.
Conclusion
The Maryland Online Data Privacy Act (MODPA) is a significant step toward protecting consumer privacy in the digital age. Companies that collect, use, or share personal data from Maryland residents will need to begin preparing to comply with the law and strategizing to meet it before it becomes effective on October 1, 2025.
It is a priority for organizations to understand their legal obligations better, update their policies, and develop best practices for data governance to avoid expensive and avoidable violations while protecting the trust of their users.
We recommend using WPLP Compliance Platform to generate privacy policies, consent banners, and more right inside WordPress to begin meeting the requirements of the Maryland Consumer Data Protection Act.