On May 9, 2024, Maryland passed a comprehensive consumer data privacy statute called the Maryland Online Data Privacy Act (“MODPA”). The nominal effective date for MODPA is October 1, 2025. However, section 14-6414, Sec. 2 states that MODPA will not “have any effect on or application to any personal data processing activities before April 1, 2026.”
Covered businesses
MODPA applies to businesses and entities that conduct business in Maryland or that target Maryland residents with services or products AND that, during the preceding calendar year, either:
- Controlled or processed the personal data of at least 35,000 Maryland consumers (excluding data solely collected or processed for completing a payment transaction) OR
- Controlled or processed the personal data of at least 10,000 Maryland consumers AND derived more than 20 percent of their gross revenue from the sale of personal data
Unlike similar statutes, MODPA provides relatively few exemptions based on business type. For example, MODPA applies to non-profit organizations (with a couple of very limited exceptions), and there are no exemptions for industries such as insurance, utilities, and airlines.
Data Exemptions
As with many consumer data protection statutes, significant categories of data are exempt from MODPA coverage. These include exemptions for data collected and processed when the person is acting in an employment or commercial capacity. MODPA also does not apply to dis-aggregated data, publicly available data, etc.
MODPA also excludes data already protected by other statutes, such as health-related data processed under the Health Insurance Portability and Accountability Act, data governed by the Fair Credit Reporting Act, and others.
What Obligations Does the MODPA Impose?
MODPA uses the standard framework that focuses on “controllers” and “processors” of personal data. A “controller” is defined as a “person that, alone or jointly with others, determines the purpose and means of processing personal data.” A “processor” is defined as a person “that processes personal data on behalf of a controller.” Further, “to process data” is defined as “an operation or set of operations performed by manual or automated means on personal data” and “includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.” “Personal data” is any data, alone or in combination, that can be used to identify a unique individual. A subcategory of personal data is called “sensitive data,” which includes information revealing matters like race, sex, biometric data, and geolocation data.
Obligations imposed by MODPA include:
- Duty to provide consumers with “reasonably accessible, clear, and meaningful privacy notices,” including requests for consents and opt-outs for certain types of processing — the required notices are basically what is required under similar statutes
- Limit the collection of personal data to what is reasonably necessary and proportionate
- Process personal data only for stated business purposes and only as reasonably necessary unless the consumer has consented
- Provide a mechanism by which consumers can revoke consent and exercise other rights granted by MODPA (such as correcting or deleting data held by the controller)
- Not sell personal data of a person under 18 without consent from a parent or guardian — applies where the controller knew or should have known the consumer is under 18
- Collect, process, or share sensitive data only where strictly necessary
- Not sell sensitive data — regardless of consumer consent
- Not discriminate or retaliate
- Have appropriate cybersecurity protocols and procedures
- Have an active email or other method for a consumer to contact the controller
- Establish an internal appeal mechanism
- Perform data protection assessments
MODPA’s Data Protection Assessment Requirements
One of the most operationally significant obligations under MODPA is the requirement to conduct data protection assessments. Controllers must conduct a data protection assessment for each of the following categories of processing activities: (1) processing personal data for targeted advertising; (2) selling personal data; (3) processing sensitive data; (4) using personal data for profiling where the profiling presents a reasonably foreseeable risk of harm to consumers; and (5) any processing that presents a heightened risk of harm to consumers.
The data protection assessment must identify and weigh the benefits of the processing against its risks to consumers. The assessment should document the purpose of the processing, the data involved, the potential harms, and the measures taken to mitigate those harms. MODPA specifies that data protection assessments are protected from disclosure under a FOIA or public records request, but controllers must make them available to the Maryland Attorney General upon request as part of an investigation or enforcement action.
For businesses that already conduct Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) under GDPR, the MODPA data protection assessment requirement largely mirrors what GDPR Article 35 requires. Businesses with mature GDPR compliance programs may be able to adapt existing DPIA documentation to satisfy MODPA requirements, though the specific triggering conditions and documentation requirements differ somewhat.
Processor Agreements Under MODPA
Like other state data privacy statutes, MODPA distinguishes between data controllers (who determine the purpose and means of processing) and data processors (who process data on behalf of controllers). The distinction has significant practical implications: processors are required to process data only on behalf of, and in accordance with the documented instructions of, the controller.
MODPA requires controllers to enter into data processing agreements with processors. These agreements must specify the nature and purpose of processing, the type of data involved, the duration of processing, and the rights and obligations of both parties. The agreement must also require the processor to: delete or return personal data at the controller’s direction at the conclusion of the relationship; assist the controller in meeting its obligations under MODPA; allow audits; and ensure that subprocessors are subject to the same obligations.
Businesses that provide SaaS and other technology services to Maryland-regulated controllers will need to ensure their standard customer agreements include MODPA-compliant processor terms. Many businesses in the technology sector already maintain GDPR-compliant DPA templates; updating these templates to include state-specific references and obligations from MODPA, VCDPA, CPA, and other applicable state statutes is a straightforward process.
Enforcement and Penalty Structure
MODPA is enforced exclusively by the Maryland Attorney General’s Consumer Protection Division. Unlike the GDPR and unlike some proposed federal privacy legislation, MODPA does not provide consumers with a private right of action to sue controllers or processors directly. This means that enforcement is dependent on the AG’s office prioritizing data privacy enforcement.
Violations of MODPA are treated as violations of Maryland’s Consumer Protection Act (CPA), Md. Comm. Law Code § 13-301 et seq. Under the CPA, the AG may seek injunctive relief, restitution, and civil penalties of up to $10,000 per violation. For willful violations, penalties can be significantly higher. The CPA also authorizes the AG to seek attorneys’ fees and costs in successful enforcement actions.
Businesses preparing for MODPA compliance should note that the AG has broad investigative authority, including the power to issue civil investigative demands (CIDs) requiring the production of documents and information relevant to an investigation. A business that has conducted thorough data protection assessments, maintained detailed compliance records, and established robust consumer request procedures will be much better positioned to respond to a CID than one that has not.
Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.