May 21, 2026

Maryland’s New Privacy Era: Is Your Business Ready for MODPA?

online privacy

Maryland’s New Privacy Era: Is Your Business Ready for MODPA?

By Corporate Associate Katelynn Brennan and Counsel Michael Antone

The Maryland Online Data Privacy Act (“MODPA”), Md. Code Ann., Com. Law §§ 14-4601 through 14-4615, officially went into effect on October 1, 2025, and after a brief grace period allowing businesses to adjust to the new compliance regime, and became fully enforceable for activities conducted after April 1, 2026. MODPA is arguably one of the most stringent in the country because of its low threshold for covered businesses and its enforcement mechanisms.

For businesses that may have built their data privacy framework on the California Consumer Privacy Act, as expanded by the California Privacy Rights Act (“CCPA/CPRA”) and the European Union’s General Data Protection Regulation (“GDPR”) or are implementing a data privacy framework, it may be necessary to revisit that framework in view of MODPA.

 

The MODPA Threshold: Does It Apply To Your Business?

MODPA likely applies to your business if you do business in Maryland or with Maryland consumers and, during the past year (1) controlled or processed the personal data of at least 35,000 Maryland consumers; or (2) controlled or processed the personal data of at least 10,000 Maryland consumers while deriving at least 20% of your gross revenue from the sale of personal data.

Note that the threshold of 35,000 Maryland consumers is significantly lower than the thresholds found in other states, including the CCPA/CPRA, meaning that many small or mid-sized businesses may now be under the regulatory microscope for the first time.

 

What Does MODPA Mean For Your Business?

MODPA reflects a broader national trend toward more strict data privacy regulations, particularly with regard to the broad definition of “personal data,” enhanced protections for sensitive data and children’s privacy, and data minimization:

  • Personal Data: MODPA defines “personal data” as any information that is linked or can be reasonably linked to an identifiable consumer, which broadly includes almost any information a business could have regarding a consumer, and excludes only publicly available information, deidentified data, and information regarding people who are acting in a commercial or employment context.
  • Sensitive Data: MODPA imposes heightened restrictions on “sensitive data,” which includes precise geolocation data, children’s data, genetic or biometric data, or data revealing certain characteristics (race, religion, sexual orientation, etc.).
  • Children’s Privacy: While the GDPR and the CCPA/CPRA generally protect consumers under the age of 16 and require opt-in consent for targeted advertising and the sale of children’s data, MODPA sets a new national standard by extending such protection to all consumers under 18 and bans targeted advertising and the sale of children’s data. This applies if the business knows or should have known the consumer was under the age of 18, effectively requiring rigorous data segmenting.
  • Data Minimization: Unlike other privacy laws that allow broad collection practices, with appropriate disclosure and consent from the consumer, MODPA expressly limits collection of personal data to that which is reasonably necessary and proportionate to the purpose. The concept of reasonably necessary and proportionate is yet to be developed, but it could significantly curtail current business practices that rely heavily on advertising technologies, behavioral analytics, or broad data retention practices.
  • Binding Contracts: MODPA requires binding contracts between controllers (entities that determine why and how personal data is handled) and processors (entities that handle personal data on behalf of the controller).
  • Reasonable Safeguards: MODPA requires the implementation of reasonable administrative, technical, and physical security safeguards, and provides consumer rights, including the right to access, correct, delete, and obtain copies of personal data to opt out of certain processing activities.

 

The Enforcement Sting: The Maryland Consumer Protection Act

One of the most significant aspects of MODPA is its enforcement mechanism. While MODPA does not expressly provide consumers a right to bring lawsuits for violations of the law, it does provide that any violation of the law constitutes an unfair, abusive, or deceptive trade practice subject to enforcement and penalties under the Maryland Consumer Protection Act, Commercial Law Art. Md. Ann. Code, §§ 13-101 et seq., which can carry significant civil penalties and may be enforced by the Maryland Attorney General.

 

MODPA Compliance

Companies that do business in Maryland or target Maryland consumers should

  • (a) conduct a data audit (to understand whose data they are storing or processing and whether it qualifies as sensitive data or children’s data under MODPA’s broad definitions),
  • (b) review data collection practices to ensure you are only collecting the information that is reasonable necessary for the stated business purpose,
  • (c) update your consumer-facing privacy notices to expressly disclose the consumer rights provided under MODPA,
  • (d) provide a clear mechanism for consumers to exercise them, and
  • (e) review any vendor contracts to ensure that any third parties handling Maryland consumer data on your behalf are bound by compliant data processing agreements.

 

If you have any questions regarding MODPA and your business’ compliance with MODPA, please feel free to contact our attorneys for legal counsel tailored to your business’ unique needs.

Tags:

 Recent Highlights

View All