Maryland General Assembly Passes Maryland Online Data Privacy Act (MODPA)

The Maryland General Assembly approved the Maryland Online Data Privacy Act, which will place strict obligations on businesses starting in late 2025. While it shares similarities with laws in other US states, this act stands out because it introduces data minimization requirements that have not appeared in any other state's legislation.

The Maryland Online Data Privacy Act (MODPA) is the state's comprehensive consumer data privacy law. It grants consumers the usual privacy rights while placing strict restrictions on how businesses collect and use data. The law takes effect on October 1, 2025.

Applicability

If your business operates in Maryland or targets Maryland consumers from outside the state, the Maryland Online Data Privacy Act (MODPA) likely applies to you. It applies if your business meets either of two thresholds:

  • It processes the data of at least 35,000 Maryland consumers.
  • It processes the data of at least 10,000 Maryland consumers and earns at least 20% of its revenue from selling consumer data.

For example, even a small business that uses tools like Google Analytics or Meta Pixel must comply with this law if those tools collect data from 35,000 Maryland residents.

However, if your company is already subject to sector-specific privacy laws such as HIPAA or GLBA, you may be exempt from certain provisions, as is the case under other state privacy laws.

What is personal data according to Maryland's privacy law?

Personal data is any information that could identify a person, directly or indirectly. The law goes a step further by defining a category of sensitive personal data, which includes:

  • Information revealing racial or ethnic origin.
  • Religious beliefs.
  • Consumer health data.
  • Status as transgender or nonbinary.
  • National origin.
  • Citizenship or immigration status.
  • Children's data.
  • Biometric data.
  • Precise geolocation data.

The Maryland Online Data Privacy Act (MODPA) sets specific rules for the handling of sensitive personal data, described in the data minimization section below.

Consumer rights under the Maryland Online Data Privacy Act (MODPA)

Consumers have the following rights:

  • The right to know how their data is being processed.
  • The right to access their data.
  • The right to data portability.
  • The right to request the deletion of their data.
  • The right to correct inaccuracies in their data.
  • The right to opt out of their data being sold or processed for targeted advertising or profiling.

Consumers can make these requests at any time, and businesses must respond within 45 days of verifying the requestor's identity. Importantly, unlike in other states, Maryland consumers have the right to appeal if their privacy request is denied, and it is the data controller's responsibility to establish an appeals mechanism.

What are the Maryland data minimization principles?

The Maryland Online Data Privacy Act (MODPA) imposes strict data minimization requirements on businesses, including:

  • Prohibiting the sale of sensitive data.
  • Restricting the collection and processing of sensitive data to what is strictly necessary to provide the requested service (e.g., health data for a fitness app, sexual data for a dating app).
  • Prohibiting the processing of personal data of individuals under 18 years of age.
  • Limiting the processing of personal data to what is necessary for disclosed purposes unless explicit consent is obtained.
  • Ensuring that personal data processing is kept to a minimum, only processing what is reasonably necessary.

These requirements align with the data minimization principles of the EU's GDPR and other global data protection laws, but they go further than the other US state laws. This approach is not typical of the American data privacy and protection landscape.

Privacy notice requirements under the MODPA

Your privacy notice needs to contain at least the following:

  • Categories of data you process.
  • Purposes for processing.
  • Details on who you share data with.
  • Categories of data shared with third parties.
  • Information on consumer rights and how to exercise them.
  • Contact information for the data controller.
  • Details on selling data or processing for targeted advertising and how consumers can opt out.

It is crucial that your privacy notice is accurate and up to date, and that it reflects the principles of data minimization and purpose limitation. Stating processing purposes incorrectly could render your data processing unlawful.

Data Protection Assessments

While data protection assessments are good practice for any business concerned about data privacy, the Maryland Online Data Privacy Act (MODPA) specifically requires them for certain activities. These include:

  • Selling personal data.
  • Processing data for targeted advertising.
  • Handling sensitive data.
  • Processing data for profiling that poses a risk to consumers.

You must conduct an assessment for each of these higher-risk processing activities. Note, however, that this requirement does not apply to processing activities that occurred before October 1, 2025.

Enforcement and penalties

The Maryland Online Data Privacy Act (MODPA) is enforced by the Division (the Consumer Protection Division of the Maryland Attorney General's office). If the Division discovers a violation, it will give the controller at least 60 days to cure it. Failure to cure the violation within that period can result in penalties of USD 7,500 per violation.