Maryland Online Data Privacy Act: Consumer Guide

by John DiGiacomo

Partner

Internet Law

On May 9, 2024, Maryland passed its version of a comprehensive consumer data privacy statute called the Maryland Online Data Privacy Act (“MODPA”). Like all similar statutes, the purpose of the MODPA is to protect consumer data that is collected by online businesses and websites and used for various purposes, such as completing sales transactions and engaging in targeted advertising. The MODPA uses the standard framework of imposing obligations on businesses that collect and process data and granting a number of “data rights” to consumers. In this article, the Consumer Data Privacy and Compliance Attorneys at Revision Legal provide an overview of what consumers should know about the MODPA and what rights are protected for residents of Maryland.

Enforcement

The MODPA becomes fully operative on April 1, 2026. Section 14-6414, Sec. 2.

The MODPA will be enforced by the Consumer Protection Division of the Maryland Attorney General’s Office. The MODPA does not create a new enforcement mechanism but rather makes a violation of the MODPA equivalent to a violation of Maryland’s deceptive trade practices statutes. Md. Comm. Law Code, Section 13-301 et seq. Under those statutes, consumers can file complaints with the Consumer Protection Division for investigation and punishment. Consumers have no private right of action under the MODPA.

Meaning of “Personal Data”

Under the MODPA, “personal data” is effectively any data or information that can be used singularly or in combination with other data to identify a specific consumer. Thus, a consumer’s name, address, or social security number are types of “personal data.” Like similar statutes, the MODPA exempts certain categories of data, such as de-identified data or data that is publicly available.

Like similar statutes, the MODPA creates a subcategory of “personal data” that is called “sensitive data,” which is given higher protection. Sensitive data includes information about a consumer’s race or ethnic origin, religious beliefs, sexual orientation, etc. Sensitive data also includes genetic data, biometric data, and precise geolocation data.

Rights Granted

The MODPA is probably the most consumer-protective data privacy statute enacted in the United States so far. Maryland consumers are protected by some very strong statutory prohibitions on what data controllers and processors can do. For example, controllers of consumer personal data are prohibited from selling or sharing “sensitive data” and cannot even “collect, process, or share” such sensitive data except where the collection or processing is “strictly necessary” to provide or maintain a “specific product or service” for the consumer. Another example is the sale or sharing of personal data regarding children, which is banned, and the processing of such data is prohibited for purposes of targeted advertising.

Maryland consumers are also protected by various rights granted with respect to their personal data. The rights granted are similar to the rights granted by similar statutes. These include the rights to:

  • Know if a controller is collecting and processing personal data
  • Know the categories of third parties to which a controller has disclosed personal data
  • Access any such data
  • Obtain copies of their data in a portable and usable format (where data is collected/processed through automated methods)
  • Correct inaccuracies
  • Require deletion of personal data — obtained from any source — unless retention is required by law
  • Opt out of collection and processing of personal data for the purposes of targeted advertising, the sale/sharing of personal data, and profiling
  • Consent – and withdraw consent – to the sale and processing of data under certain conditions
  • Use internal appeal mechanisms and procedures if a controller does not take action on a consumer’s requests (such as to delete data)
  • Receive an active email address or other online mechanisms to contact the controller
  • Receive a reasonably accessible, clear, and meaningful privacy notice from a controller collecting and/or processing personal data disclosing various information such as that data is being collected, what data is being collected, the business purposes for which the data is collected, etc.
  • And more

How Maryland Consumers Can Exercise Their Rights Under MODPA

The MODPA grants Maryland consumers a robust set of data rights, but exercising those rights requires consumers to understand how to make requests and what to expect from businesses in response. Under MODPA, consumers exercise their rights by submitting requests directly to the data controller — the business or entity that controls the collection and processing of the consumer’s personal data.

Controllers are required to establish clear mechanisms by which consumers can submit requests. At minimum, controllers must provide either an active email address or another readily accessible online mechanism for receiving requests. When you submit a request to access, correct, delete, or opt out of processing, the controller has 45 days to respond — with a possible 45-day extension if the controller notifies you of the need for additional time.

If a controller denies your request, they must provide you with a reason for the denial and an explanation of how to appeal the decision. Controllers are required to establish an internal appeals process, and if the appeal is denied, consumers can submit a complaint to the Consumer Protection Division of the Maryland Attorney General’s Office. While the MODPA does not provide consumers with a private right of action to sue controllers directly, the AG’s enforcement authority can result in substantial civil penalties that incentivize compliance.

MODPA’s Child Protection Provisions

The MODPA includes particularly strong protections for children’s data, which are more stringent than those found in most comparable state statutes. Controllers are prohibited from selling the personal data of a consumer under 18 years of age without first obtaining consent from the consumer’s parent or legal guardian — and this prohibition applies whenever the controller knew or should have known that the consumer was under 18.

For targeted advertising, controllers cannot process the personal data of a consumer under 18 for targeted advertising purposes, regardless of consent. This prohibition aligns MODPA with the federal Children’s Online Privacy Protection Act (COPPA), which applies to children under 13, but extends the protection to teenagers aged 13 to 17 — a population that has historically fallen into a regulatory gap between COPPA’s protections and the general adult privacy framework.

Additionally, the MODPA prohibits controllers from using the personal data of minors to engage in profiling where the profiling could result in reasonably foreseeable harm to the minor. This provision addresses concerns about algorithmic systems that target children with content related to self-harm, eating disorders, or other harmful behaviors — a concern that has driven significant state legislative activity in recent years.

Practical Tips for Maryland Consumers

Given the scope of rights available under the MODPA, Maryland consumers should be aware of several practical steps they can take to protect their privacy:

  • Review privacy notices — under MODPA, controllers must provide clear and meaningful privacy notices; take time to read the privacy policy of any app, website, or service you use, particularly to understand what data is collected, why it is collected, and whether it is sold or shared
  • Exercise opt-out rights proactively — MODPA gives you the right to opt out of the sale of your personal data and the processing of your data for targeted advertising; look for opt-out mechanisms in the privacy settings or cookie preference centers of websites you use regularly
  • Submit access requests to understand your data footprint — requesting a copy of the data a controller holds about you can reveal surprising information; controllers are required to respond within 45 days
  • Delete data you no longer want shared — the right to deletion under MODPA is broad; controllers must delete personal data obtained from any source unless retention is required by law
  • File complaints for violations — if a controller fails to respond to your request or violates MODPA in other ways, file a complaint with the Maryland Attorney General’s Consumer Protection Division

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
