The Maryland Online Data Privacy Act (“MODPA”) — A Summary of What Businesses Should Know featured image

The Maryland Online Data Privacy Act (“MODPA”) — A Summary of What Businesses Should Know

by John DiGiacomo

Partner

Internet Law

On May 9, 2024, Maryland passed a comprehensive consumer data privacy statute called the Maryland Online Data Privacy Act (“MODPA”). The nominal effective date for MODPA is October 1, 2025. However, section 14-6414, Sec. 2 states that MODPA will not “have any effect on or application to any personal data processing activities before April 1, 2026.”

Covered businesses

MODPA applies to businesses and entities that conduct business in Maryland or that target Maryland residents with services or products AND that, during the preceding calendar year, either:

  • Controlled or processed the personal data of at least 35,000 Maryland consumers (excluding data solely collected or processed for completing a payment transaction) OR
  • Controlled or processed the personal data of at least 10,000 Maryland consumers AND derived more than 20 percent of their gross revenue from the sale of personal data

Unlike similar statutes, there are relatively few exemptions for business types. For example, MODPA applies to non-profit organizations (with a couple of very limited exceptions), and there are no exemptions for industries like insurance companies, utilities, and airlines.

Data Exemptions

Like many of these consumer data protection statutes, significant amounts of data are exempt from coverage of MODPA. These include exemptions for data collected and processed when the person is acting in an employment or commercial capacity. MODPA also does not apply to dis-aggregated data, publicly available data, etc.

MODPA also excludes coverage for data protected by other statutes such as health-related data processed under statutes like the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act and others.

What Obligations Does the MODPA Impose?

MODPA uses the standard framework that focuses on “controllers” and “processors” of personal data. A “controller” is defined as a “person that, alone or jointly with others, determines this purpose and means of processing personal data.” A “processor” is defined as a person “that processes personal data on behalf of a controller.” Further, “to process data” is defined as “an operation or set of operations performed by manual or automated means on personal data” and “includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.” “Personal data” is any data, alone or in combination, that can be used to identify a unique individual. A subcategory of personal data is called “sensitive data,” which includes information revealing matters like race, sex, biometric data, and geolocation data.

Obligations imposed by MODPA include:

  • Duty to provide consumers with “reasonably accessible, clear, and meaningful privacy notices,” including requests for consents and opt-outs for certain types of processing — the required notices are basically what is required under similar statutes
  • Limit the collection of personal data to what is reasonably necessary and proportionate
  • Process personal data only for stated business purposes and only as reasonably necessary unless the consumer has consented
  • Provide a mechanism by which consumers can revoke consent and exercise other rights granted by MODPA (such as correcting or deleting data held by the controller)
  • Not sell personal data of a person under 18 without consent from a parent or guardian — applies where the controller knew or should have known the consumer is under 18
  • Collect, process, or share sensitive data only where strictly necessary
  • Not sell sensitive data — regardless of consumer consent
  • Not discriminate or retaliate
  • Have appropriated cybersecurity protocols and procedures
  • Have an active email or other method for a consumer to contact the controller
  • Establish an internal appeal mechanism
  • Perform data protection assessments

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Does the AI-Copyright Legal Fight Represent a National Security Threat?

Copyright

The holders of copyrights for newspapers, magazines, books, and other publications are involved in numerous legal battles with owners of AI modules over alleged copyright infringement. The plaintiff copyright owners claim that the AI large language modules have been trained on huge quantities of copyrighted materials without permission and — most importantly — without payment. […]

Read more about Does the AI-Copyright Legal Fight Represent a National Security Threat?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Corporate

The owners of most small, closely-held businesses negotiate and sign some form of an “Owner’s Agreement.” An important part of such Agreements is the “Buy-Sell” provisions. These are often some of the most difficult to negotiate. The gist of the buy-sell part of the Owners’ Agreement is to establish the rules for what happens if […]

Read more about How Does Buy-Sell Insurance Work For An Owners’ Agreement?

Status on Social Media Moderation Statutes and Cases

Status on Social Media Moderation Statutes and Cases

Internet Law

Social media content moderation by technology platforms was one of the “hot” legal topics in 2023-2024. Three States — California, Texas, and Florida — passed different statutes to either require more content moderation (California) or to limit such moderation (Texas and Florida). All the statutes, in one way or another, demanded more transparency and information […]

Read more about Status on Social Media Moderation Statutes and Cases

Put Revision Legal on your side