Maryland Online Data Privacy Act Sent to Governor for Signature
On April 6, 2024, the Maryland legislature sent SB0541 / HB0567, also known as the Maryland Online Data Privacy Act (MODPA) of 2024, to the state governor for signature.
The law bears many similarities to other US consumer privacy laws, such as Connecticut’s, Delaware’s, and Oregon’s, but it stands out by creating stricter requirements for data minimization and data selling, and by including precise geolocation data in the list of sensitive personal information, which is similar to California’s CPRA.
If signed by Governor Wes Moore, MODPA will become effective October 1, 2025, and will be enforced April 1, 2026.
With MODPA, Maryland will be the 16th U.S. state to pass a consumer privacy law. Alongside HB0603, also known as the Maryland Kids Code, it will create privacy protections for both adults and children in the state. The Maryland Kids Code is also awaiting the Governor's signature and, if passed, will become effective October 1, 2024, with data protection impact assessments effective April 2026.
Short Summary of the Maryland Online Data Privacy Act
- Proposed Effective Date: October 1, 2025, with application to processing activities starting April 1, 2026.
- Applicability: The Act applies to any person that conducts business in Maryland or provides products or services targeted to Maryland residents and, in the preceding calendar year, either controlled or processed the personal data of at least 35,000 consumers or controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of gross revenue from the sale of personal data.
- Controller Obligations:
  - Establish secure methods for consumers to exercise their rights.
  - Do not collect personal data solely for content personalization or marketing without consent.
  - Limit collection to what is necessary for the services requested by the consumer.
  - Do not process personal data for secondary purposes without consumer consent.
  - Implement reasonable data security practices.
  - Provide mechanisms for consumers to revoke consent.
  - Do not sell sensitive personal data.
- Consumer Rights:
  - Confirm if a controller is processing their personal data.
  - Access, correct inaccuracies, and delete their personal data.
  - Obtain their personal data in a portable format.
  - Receive a list of third parties their data is shared with.
  - Opt out of data processing for targeted advertising, sale of personal data, or profiling.
- Enforcement Authority: Attorney General.
- Penalties: $10,000 for each violation and $25,000 for each subsequent violation. Penalties can also include fines, injunctions, or other legal remedies.