Maryland Online Data Privacy Act
Key Takeaways: On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act (“MODPA”) into law. The MODPA contains unique provisions concerning data minimization, sensitive data, and health data. The MODPA will become effective on October 1, 2025, but will not apply to any personal data processing activities before April 1, 2026.
Applicability and Scope
MODPA applies to businesses operating within Maryland or offering goods or services to its residents, provided the business:
- during a calendar year, controls or processes personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- derives more than 20% of gross revenue from the sale of personal data and processes or controls the personal data of at least 10,000 Maryland consumers.
As in every other state privacy law except the California Consumer Privacy Act (“CCPA”), “consumer” under the MODPA does not include employees or business-to-business contacts. The MODPA does not include an exemption for non-profits or higher education institutions, but it does exempt entities subject to the Gramm-Leach-Bliley Act (“GLBA”) and data subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Requirements
Maryland’s law includes a few key differences from previously enacted state privacy laws:
- Data minimization:
- Controllers must limit the collection of personal data to what is reasonably necessary and proportionate to provide and maintain a specific product or service requested by the consumer, unless the controller obtains the consumer's consent.
- If a third party uses or shares a consumer’s information in a manner “inconsistent with promises made to the consumer at the time of collection of the information,” the third party must provide the consumer with notice of the new or changed practice before using or sharing the information.
- Controllers may not collect, process, or transfer personal data or publicly available data that unlawfully discriminates in, or otherwise unlawfully makes unavailable, the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability.
- Sensitive data:
- Sensitive data and personal data of a consumer who the controller knows or has reason to know is under the age of 18 may not be collected, processed, or shared unless strictly necessary to provide or maintain a specific product or service requested by the consumer. “Sensitive data” is personal data that reveals racial or ethnic origin, religious beliefs, personal data of a child under the age of 13, sex life or sexual orientation, certain consumer health data not subject to HIPAA, biometric or genetic data, precise geolocation data (within a radius of 1,750 feet), status as transgender or nonbinary, national origin, and citizenship or immigration status. “Biometric data” is broadly defined to include data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity.
- The sale of sensitive data is prohibited, unless the sale is necessary to provide or maintain a specific product or service requested by the consumer. A “sale” of data is the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.
- Health data:
- Consumer health data may not be accessed by employees or contractors unless the employee or contractor is subject to a contractual duty of confidentiality, and may be accessed by a processor only if the processor is bound to the same obligations the controller has under the law.
- The use of a geofence to identify, track, collect data from, or send notification to a consumer within 1,750 feet of a mental health, reproductive, or sexual health facility is prohibited.
Like many other state laws, the MODPA requires controllers to conduct a data protection assessment before processing personal data for targeted advertising, processing sensitive data, selling personal data, or processing for profiling where the profiling presents a reasonably foreseeable risk of unfair, abusive, or deceptive treatment; unlawful disparate impact; financial, reputational, or physical injury; or a physical or other intrusion into a consumer’s private affairs, as well as before any other processing that presents a heightened risk of harm.
Consumer Rights
Maryland consumers have the following privacy rights:
- Right to know and access personal data processed by a controller;
- Right to correct inaccurate personal data;
- Right to delete personal data;
- Right to obtain a copy of the consumer’s personal data;
- Right to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data or a list of the categories of third parties to which the controller has disclosed any consumer’s personal data if the controller does not maintain this information in a format specific to the consumer; and
- Right to opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling that has certain significant consequences.
The MODPA requires controllers to honor requests sent through universal opt-out mechanisms (“UOOMs”).
Enforcement
The MODPA will not apply to any personal data processing activities before April 1, 2026. MODPA violations will be considered unfair, abusive, or deceptive trade practices under Maryland’s Consumer Protection Act, and violations will be enforced by the Maryland Division of Consumer Protection of the Office of the Attorney General. The MODPA contains a discretionary 60-day cure period for alleged violations that sunsets on April 1, 2027. The MODPA does not specifically provide consumers with a private right of action, but it also does not prevent consumers from pursuing remedies provided by other laws.
If you have questions about your compliance with the MODPA, please contact one of the specialists in our Data Privacy and Security practice area.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.