
This guide gives legal teams, compliance professionals, and businesses operating in Maryland a clear, practical breakdown of what MODPA requires, who it covers, and what you need to do now.
TL;DR
- MODPA took effect October 1, 2025; its obligations apply to processing activities on or after April 1, 2026
- Applicability thresholds — 35,000 consumers or 10,000 consumers + 20% revenue from data sales — are lower than Virginia's and Colorado's thresholds
- Sensitive data cannot be sold under any circumstances — consent does not override this ban
- Nonprofits are covered, with only two narrow exceptions
- Restrictions on targeted advertising and data sales for minors apply to consumers under 18, not just under 13
- The discretionary cure period applies only to violations on or before April 1, 2027
What Is MODPA and Why It Matters
Maryland's Online Data Privacy Act (Senate Bill 541, Chapter 455) was signed into law on May 9, 2024. It took effect October 1, 2025, but per session-law Section 2, the core processing obligations do not apply to activities before April 1, 2026. Those are three distinct dates (signing, effective date, and the date obligations attach); don't treat them interchangeably when planning your compliance timeline.
MODPA stands apart from most comparable state laws in three concrete ways:
- Outright ban on selling sensitive data — As Manatt noted in October 2025, MODPA is the first state privacy law to prohibit this sale under any circumstances, even with consumer consent
- Data minimization that applies regardless of consent — most laws let consent override collection limits; MODPA does not
- Nonprofit coverage — nearly every other state privacy law broadly exempts nonprofits; MODPA does not

Enforcement runs through the Maryland Consumer Protection Act (MCPA): a MODPA violation is an unfair, abusive, or deceptive trade practice under that Act, enforced by the Attorney General's Consumer Protection Division.
That classification matters. It puts MODPA non-compliance directly in the AG's existing enforcement pipeline, alongside the same conduct that draws active investigations and civil penalties under the Consumer Protection Division's core mandate.
Who Must Comply: Scope, Thresholds, and Exemptions
Applicability Thresholds
MODPA applies to any person conducting business in Maryland or targeting Maryland residents who meets either of these thresholds in the preceding calendar year:
- Controlled or processed personal data of at least 35,000 Maryland consumers (excluding payment-transaction-only data)
- Controlled or processed data of at least 10,000 consumers while deriving more than 20% of gross revenue from selling personal data
Virginia's CDPA and Colorado's Privacy Act both use a 100,000-consumer primary threshold. MODPA's lower bar captures many mid-sized businesses, nonprofits, and regional organizations that fall below those laws' thresholds.
Who Is Exempt
Exemptions are largely data-level, not entity-level:
| Category | Exemption Type |
|---|---|
| State and local government | Entity-level |
| Financial institutions / GLBA-regulated data | Entity + data-level |
| HIPAA-protected health information | Data-level |
| FERPA-regulated student data | Data-level |
| FCRA-regulated activity | Activity-level |
| De-identified data | Data-level |
| Employee and B2B data | Excluded from "consumer" definition |
The Nonprofit Question
Unlike virtually every other state privacy law, MODPA includes nonprofits. The only carve-outs apply to organizations processing data solely to assist law enforcement in insurance fraud investigations or to support first responders in catastrophic events.
Universities, health systems, and most large nonprofits serving Maryland residents are covered. If your organization assumed a broad nonprofit exemption applies, it does not.
MODPA's Key Requirements: Sensitive Data, Consumer Rights, and Data Minimization
Data Minimization
Controllers must limit personal data collection to what is "reasonably necessary and proportionate" to provide the specific product or service a consumer requested. This standard applies even when the consumer has consented to broader collection — there is no consent exception to the minimization rule.
Baker Donelson confirmed in September 2025 that the AG has not issued guidance defining "reasonably necessary and proportionate," which means businesses must interpret the standard conservatively until enforcement patterns emerge.
Sensitive Data Restrictions
MODPA defines sensitive data to include:
- Biometric and genetic data
- Consumer health data
- Precise geolocation (within 1,750 feet)
- Data of known children
- Information revealing racial or ethnic origin, religious beliefs, sexual orientation, gender identity, citizenship or immigration status, or status as transgender or nonbinary
Two distinct rules apply to sensitive data:
- Controllers may process sensitive data only when doing so is "strictly necessary" to provide or maintain a product or service the consumer requested
- Selling sensitive data is categorically prohibited — no consent mechanism overrides this ban
Heightened Protections for Minors
Controllers may not process personal data for targeted advertising, or sell personal data, when they knew or should have known the consumer is under 18 (data of a known child under 13 is already sensitive data under the rules above). COPPA's federal threshold is under 13; Maryland's under-18 standard is substantially broader, and its "should have known" language is a constructive-knowledge test, not an actual-knowledge one.
Consumer Rights
Consumers have the right to:
- Access — confirm whether their data is being processed and receive a copy
- Correct — fix inaccurate personal data
- Delete — request removal of their data
- Port — obtain a copy in a portable format
- Opt out — of targeted advertising, data sales, and profiling through solely automated decisions
Response timeline: Controllers must respond within 45 days, extendable once by a further 45 days where reasonably necessary. At least one request per 12-month period must be handled free of charge. Controllers must also provide an appeals process for consumers whose requests are refused.

Consent and Withdrawal
These consumer rights place corresponding obligations on controllers. Three rules govern consent and its withdrawal:
- Opt-in consent is required before processing data beyond its original disclosed purpose or before processing sensitive data
- Consent withdrawal must be as easy as the original consent mechanism
- Controllers must stop processing as soon as practicable, and no later than 30 days after receiving a withdrawal request
Universal Opt-Out Signals
By October 1, 2025, controllers must recognize and honor browser- or device-level opt-out preference signals. The statute doesn't name the Global Privacy Control explicitly, but GPC is the widely deployed implementation of such a signal, and it is what browsers and privacy extensions actually send. A conspicuous web-link opt-out is also required.
As IAPP reported in July 2025, 12 states had universal opt-out requirements in effect or enacted as of that date, making multi-state compliance more manageable for businesses already honoring GPC elsewhere.
Organizational Obligations: Notices, Assessments, and Security
Privacy Notices
Controllers must publish a "reasonably accessible, clear, and meaningful" privacy notice covering:
- All categories of personal and sensitive data collected
- The purposes for processing each category
- Categories of third parties receiving the data
- Whether data is sold or used for targeted advertising
- Instructions for exercising consumer rights, including an active email or online contact method
Plain language is required. Buried disclosures in dense terms-of-service language will not satisfy this standard.
Data Protection Assessments (DPAs)
A DPA is required before beginning or continuing any processing activity presenting heightened risk, including:
- Selling personal data
- Targeted advertising
- Processing sensitive data
- Profiling that could cause substantial harm
- Processing that intrudes on consumers' solitude or private affairs
MODPA goes further than most state laws by explicitly requiring a separate assessment for each algorithm used in high-risk processing contexts. DPAs are confidential, but the AG's Consumer Protection Division may require their production — so they need to be both complete and defensible.
Security Requirements
Controllers must implement "reasonable administrative, technical, and physical" security measures appropriate to the volume and nature of data they process. In practice, regulators and courts evaluate reasonableness against factors like:
- Access controls and authentication protocols
- Encryption of sensitive data in transit and at rest
- Documented incident response plans
- Periodic risk assessments tied to changes in data volume or processing scope
- Employee training on data handling obligations
Organizations that need help translating this standard into defensible controls can work with Prudential Associates, whose certified team conducts NIST CSF-based security assessments and Data Protection Impact Assessments scoped specifically to MODPA requirements.
Processor Contracts
A written data processing agreement is mandatory for every controller-processor relationship. The agreement must cover:
- Processing instructions and scope
- Confidentiality obligations
- Security measures
- Audit rights
- Subcontractor requirements
- Obligations to assist with consumer rights requests
Controllers remain responsible for processor compliance: a vendor's non-compliance is your liability under the enforcement framework covered in the next section.
MODPA Enforcement: Penalties and the Cure Period
Enforcement Authority
The Maryland Attorney General has exclusive enforcement power. MODPA expressly excludes the MCPA's private right of action provision (§13-408), so individual consumers cannot sue — only the state can bring enforcement actions.
Penalty Structure
Violations constitute an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act, with penalties under MCPA §13-410:
- Up to $10,000 per violation
- Up to $25,000 for each subsequent violation of the same type
With large consumer databases, per-violation penalties compound fast. If each of 50,000 affected consumers counted as a separate violation at the $10,000 base rate, theoretical exposure would be $500 million before any subsequent-violation penalties. How violations are counted in a given case is for the AG and the courts to decide, but the arithmetic shows why per-record penalties dominate the risk picture.

The Cure Period
For violations occurring on or before April 1, 2027, the Consumer Protection Division may issue a notice of violation if it determines a cure is possible. If a notice is issued, controllers have at least 60 days to cure.
Three important qualifications:
- The cure opportunity is discretionary — the Division may issue notice, not must
- It applies only to violations on or before April 1, 2027
- After that date, the AG may proceed directly to enforcement with no cure period
Organizations that have not completed a data inventory, mapped processing activities, and implemented required consent mechanisms before April 2027 will face enforcement with no opportunity to cure first.
Practical Compliance Steps
Step 1 — Determine whether MODPA applies to you
Run the threshold analysis before assuming you're out of scope. The 35,000-consumer primary threshold captures many businesses that fall below the thresholds of Virginia or Colorado law. Account for the nonprofit inclusion and the limited set of entity-level exemptions.
Step 2 — Map and classify your data
Build a complete data inventory focused on:
- Sensitive data categories (health, biometric, geolocation, children's data)
- Data used for targeted advertising or profiling
- Data sold to third parties
This inventory is the foundation for every other compliance obligation.
Step 3 — Update collection practices, notices, and consent workflows
- Align data collection with the "reasonably necessary and proportionate" minimization standard
- Rewrite privacy notices to meet MODPA's plain-language disclosure requirements
- Replace blanket consents with specific, purpose-limited consent workflows for sensitive data
Step 4 — Build opt-out infrastructure
Implement recognition of universal opt-out signals (GPC) plus a conspicuous web-link opt-out. Confirm your systems can halt processing within 30 days of a consent withdrawal request.
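The following is an added example, not code from the page or from any organization it names, showing what "recognize and honor" a universal opt-out signal looks like in practice for both the Universal Opt-Out Signals section above and this step. It assumes the signal is Global Privacy Control, which the GPC specification defines as the request header `Sec-GPC: 1` (and, in the browser, `navigator.globalPrivacyControl`), that the opt-out scopes are the ones the page lists (sale, targeted advertising), and that an in-memory `Map` stands in for a real consent store. The persistence of a browser signal to a known consumer's account, and the name `recordWebLinkOptOut` for the web-link path, are design assumptions of this example, not requirements the page states.

```javascript
// Added example (not from the page or any project it names): honoring a universal
// opt-out signal server-side. Assumptions: the signal is Global Privacy Control
// (request header "Sec-GPC: 1" per the GPC specification), the opt-out scopes are
// those the page lists, and a local Map stands in for a real consent store.

// Processing activities a universal opt-out signal turns off.
const SIGNAL_OPT_OUT_SCOPES = Object.freeze(["sale", "targeted_advertising"]);

// True only when the request carries "Sec-GPC: 1". The GPC spec defines "1" as the
// sole signal value; "0", "true", an empty value or a missing header is no signal.
// Header names are matched case-insensitively (Node lower-cases them, proxies may not).
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser-side check: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl. A navigator-like object is passed in so the
// function can also run outside a browser.
function clientSignalPresent(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Set of activities that must not run for this request. Stored opt-outs (made through
// the conspicuous web-link mechanism) always apply; a signal adds the signal scopes;
// a request WITHOUT the signal never re-enables anything.
function effectiveOptOuts(headers, storedOptOuts) {
  const optOuts = new Set(storedOptOuts || []);
  if (gpcSignalPresent(headers)) {
    for (const scope of SIGNAL_OPT_OUT_SCOPES) optOuts.add(scope);
  }
  return optOuts;
}

// Gate to call before an activity runs.
function mayProcess(activity, headers, storedOptOuts) {
  return !effectiveOptOuts(headers, storedOptOuts).has(activity);
}

// Constructed in-memory consent store: consumerId -> { optOuts: Set, signalSeenAt }.
const consentStore = new Map();

// Records a signal seen on a request from a known (authenticated) consumer so the
// opt-out persists on later requests that lack the header, e.g. from another device.
// Persisting a browser signal to the account is a policy choice assumed here.
function recordRequest(consumerId, headers, now = new Date()) {
  const record = consentStore.get(consumerId) || { optOuts: new Set(), signalSeenAt: null };
  if (gpcSignalPresent(headers)) {
    for (const scope of SIGNAL_OPT_OUT_SCOPES) record.optOuts.add(scope);
    record.signalSeenAt = now.toISOString();
  }
  consentStore.set(consumerId, record);
  return effectiveOptOuts(headers, record.optOuts);
}

// Explicit opt-out made through the web link (hypothetical name for this example);
// a consent withdrawal request would take the same path.
function recordWebLinkOptOut(consumerId, scopes) {
  const record = consentStore.get(consumerId) || { optOuts: new Set(), signalSeenAt: null };
  for (const scope of scopes) record.optOuts.add(scope);
  consentStore.set(consumerId, record);
  return record.optOuts;
}

// Constructed sample requests.
const withSignal = { "sec-gpc": "1", "user-agent": "example" };
const withoutSignal = { "user-agent": "example" };

console.log(mayProcess("sale", withSignal, []));        // false
console.log(mayProcess("sale", withoutSignal, []));     // true
console.log(mayProcess("analytics", withSignal, []));   // true: not a signal scope
recordRequest("consumer-42", withSignal);
console.log(recordRequest("consumer-42", withoutSignal).has("targeted_advertising")); // true
```

Two points in the block are the ones that go wrong in real deployments: the header value check is exact (a proxy that rewrites `Sec-GPC` to `true`, or a client that sends `0`, is not a signal), and the absence of the header on a later request must never clear an opt-out that was already recorded. The block deliberately does not model a conflict between a signal and earlier affirmative consent; the page does not address that case, so the example simply honors the signal.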
Step 5 — Conduct DPAs and strengthen security
Complete Data Protection Assessments for all high-risk processing activities before those activities begin, including a separate assessment for each algorithm used:
- Document the purpose, necessity, and risk profile of each processing activity
- Assess each profiling algorithm independently — MODPA treats these as distinct assessments
- Pair DPAs with a security program that meets the law's "appropriate" safeguards standard
Prudential Associates offers MODPA-specific compliance assessments, vulnerability assessments, and Data Protection Impact Assessments for organizations that need outside support at this stage.
Completing these five steps before the April 1, 2026 date on which MODPA's obligations attach, and in any case before the cure period closes on April 1, 2027, puts your organization in a defensible position with both Maryland's Attorney General and the consumers whose data you process.
Frequently Asked Questions
What is MODPA and when does it take effect?
MODPA is Maryland's comprehensive consumer privacy law, signed May 9, 2024. It took effect October 1, 2025, but processing obligations only apply to activities occurring on or after April 1, 2026. Activities before that date are not covered.
What are MODPA's data minimization requirements?
Controllers may only collect personal data that is "reasonably necessary and proportionate" to provide the specific product or service a consumer requested. This standard applies even when the consumer has consented to broader collection: there is no consent carve-out.
What is the cure period under MODPA?
For violations occurring on or before April 1, 2027, the AG's Consumer Protection Division may issue a notice and provide at least 60 days to cure. After April 1, 2027, no statutory cure period applies and the AG may proceed directly to enforcement.
What would count as a MODPA violation?
Common violations include:
- Collecting more data than necessary for the stated purpose
- Selling sensitive data, even with consumer consent
- Failing to honor consumer rights requests within 45 days
- Not conducting required Data Protection Assessments
- Lacking adequate security measures
All are treated as unfair or deceptive trade practices under Maryland law.
Does MODPA apply to nonprofits?
Yes. MODPA covers nonprofits with only two narrow exceptions: organizations processing data solely to assist law enforcement investigating insurance fraud, or to support first responders in catastrophic events. Universities, health systems, and most large nonprofits are covered.
How does MODPA compare to other state privacy laws?
MODPA ranks among the strictest U.S. state privacy laws. Its outright ban on selling sensitive data, data minimization standard that applies regardless of consent, nonprofit inclusion, and under-18 child protections all exceed what comparable laws in Virginia, Colorado, and most other states require.


