Maryland Online Data Privacy Act: Is It the Strongest?

by John DiGiacomo

Partner

Internet Law

On May 9, 2024, Maryland became the latest U.S. State to enact a comprehensive consumer data privacy statute called the Maryland Online Data Privacy Act (“MODPA”). Technically, MODPA goes into effect on October 1, 2025. However, the true effective date of the statute is April 1, 2026.

From a review of MODPA and a comparison to similar statutes enacted in various States, it is fair to say that MODPA is very strongly protective of consumers' personal data. Indeed, there is a good argument that MODPA is more protective of consumers than even the California version (which is generally considered the most protective data privacy statute).

As one example, MODPA applies to persons that conduct business in Maryland or provide products/services targeted to residents of Maryland and that:

  • Controlled or processed the personal data of at least 35,000 consumers, excluding data processed solely for payment processing or
  • Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data

In contrast, the California Data Privacy Act applies to any business meeting any of these thresholds:

  • (A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year …
  • (B) Alone or in combination, annually buys, sells, or shares, the personal information of 100,000 or more consumers or households
  • (C) Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information

As can be seen, MODPA will cover many more businesses — and protect much more consumer data — than even the California data privacy statute. It should be noted that the Maryland statute continues the trend of excluding data that is used only for payment processing.

In addition, unlike most of these data privacy statutes, not-for-profit organizations are NOT exempt from coverage of the MODPA unless they are not-for-profit organizations that collect personal data to assist law enforcement (in certain circumstances) or to assist first responders in responding to catastrophic events.

The most consumer-protective provisions of the MODPA are contained in Section 14-4607 concerning what controllers of consumer personal data can and cannot do. For example, MODPA states that controllers “may not” “sell sensitive data” or “collect, process, or share” sensitive data except where the collection or processing is “strictly necessary” to provide or maintain a “specific product or service” for the consumer. So far, that is the highest level of protection provided by any of these statutes for consumers’ “sensitive data.”

MODPA also offers the strongest protection for the personal data of children. With respect to “personal data” — a broader category of personal data — MODPA bans the sale of personal data for any consumer if the controller knows (or has reason to know) that the consumer is under the age of 18. Further, for those under the age of 18, MODPA bans the processing of personal data for the purposes of targeted advertising.

MODPA also adds an important protection for consumers participating in bona fide loyalty, rewards, premium features, discounts or club card programs. Generally, all of the consumer data privacy statutes provide an exemption for such programs. MODPA also exempts such programs “… provided that the selling of personal data is not a condition of participation in the program.”

These and other examples demonstrate that MODPA is probably the strongest of the data protection statutes enacted to date.

MODPA’s Sensitive Data Provisions: Stricter Than CCPA

Maryland Online Data Privacy Act § 14-4607 imposes a flat prohibition on the sale of sensitive data — full stop. This stands in contrast to California’s CCPA/CPRA framework, which requires that businesses provide a clear “Do Not Sell or Share My Sensitive Personal Information” link and honor opt-out requests, but does not ban the sale of sensitive data outright. Under MODPA, a controller cannot sell sensitive data regardless of consent, and cannot process sensitive data unless the processing is strictly necessary to provide the specific product or service the consumer requested. The “strictly necessary” standard is a meaningful limitation — it forecloses data monetization strategies that are routine under other state statutes.

Sensitive data under MODPA includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, gender identity, immigration status, genetic or biometric data, precise geolocation data (within 1,750 feet), personal data of a known child, and financial data. The breadth of this category means that a wide range of digital health, wellness, and social platforms will face compliance obligations that go well beyond what is required in other states.

Children’s Data: The Under-18 Prohibition

MODPA’s prohibition on the sale or processing for targeted advertising of personal data where the controller knows or has reason to know the consumer is under age 18 is significantly broader than the federal Children’s Online Privacy Protection Act (COPPA), which covers children under 13. Maryland’s age threshold doubles COPPA’s protection. Controllers operating platforms that may be used by teenagers must audit their data practices for the 13-17 age cohort, not just children under 13. This will require age-verification mechanisms or conservative assumptions about user age that may affect how many platforms approach age-gating for Maryland residents.

Business Compliance Roadmap Under MODPA

With the true effective date of April 1, 2026 now passed, covered businesses must have their MODPA compliance programs fully operational. Key compliance obligations include: (1) maintaining a clear and accessible privacy notice disclosing the categories of personal and sensitive data collected, processed, and sold; (2) implementing mechanisms for consumers to exercise access, correction, deletion, and portability rights; (3) providing opt-out rights for targeted advertising, profiling, and the sale of personal data; (4) obtaining affirmative opt-in consent before processing sensitive data; (5) conducting and documenting data protection assessments for processing activities that present a heightened risk to consumers; and (6) establishing written data processing agreements with processors.

Enforcement authority under MODPA rests with the Maryland Attorney General. The Act does not create a private right of action. Civil penalties can be substantial, and the AG’s office has indicated it intends to enforce the statute actively. Businesses with any Maryland consumer presence should engage data privacy counsel immediately to evaluate their compliance status and close any gaps before enforcement actions begin.

Loyalty Programs and MODPA’s Carve-Out

MODPA’s loyalty program provision addresses a gap that has been exploited under other statutes: conditioning participation in a rewards program on the consumer’s agreement to have their personal data sold. MODPA permits loyalty and rewards programs to process personal data, but only if the sale of personal data is not a condition of participation. Businesses operating loyalty programs that monetize member data through third-party sales must restructure those programs to comply with MODPA before enrolling Maryland residents, or risk enforcement action by the Attorney General.

Contact The Consumer Data Privacy and Compliance Attorneys At Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
