
Maryland Online Data Privacy Act 

The 18th data privacy law in the United States.


What is the Maryland Online Data Privacy Act (MODPA)?

The Maryland Online Data Privacy Act (MODPA) is the eighteenth data privacy law to be passed in the United States. It was signed by the state’s Governor on May 9, 2024, and takes effect on October 1, 2025.

Like the consumer privacy laws passed before it, MODPA aims to protect consumer privacy by setting specific requirements for data controllers and processors, granting consumers rights over their personal data, and establishing enforcement mechanisms for non-compliance.

However, unlike the laws of some other states, such as Kentucky or Tennessee, it sets lower thresholds for applicability.

Find out more about Maryland's data privacy law by getting answers to questions such as:

  • Does MODPA apply to my business?
  • What consumer rights does MODPA grant to residents of Maryland?
  • What are the penalties for violations of the MODPA?


How does the Maryland Online Data Privacy Act (MODPA) define Personal Information and what are other key definitions? 

Under the Maryland Online Data Privacy Act “personal data” is “any information that is linked or can be reasonably linked to an identified or identifiable consumer,” which excludes de-identified data or publicly available information. The Act also defines ‘sensitive data’ as “personal data that includes data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or non-binary, national origin, or citizenship or immigration status; genetic data or biometric data; personal data of a consumer that the controller knows or has reason to know is a child; or precise geolocation data.”

‘Biometric data’ under MODPA means “data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity” that includes “a fingerprint, a voice print, an eye retina or iris image, and any other unique biological characteristics that can be used to uniquely authenticate a consumer’s identity,” but excludes “a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph or an audio or video recording, unless the data is generated to identify a specific consumer.”

A ‘consumer’ is defined as an individual who is a resident of Maryland acting in a personal context, which does not include individuals acting in a commercial or employment context; ‘child’ has the meaning stated in COPPA; and ‘consent’ means “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose, including a written statement, a written statement by electronic means, or any other unambiguous affirmative action.” Consent, however, does not include “acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information; hovering over, muting, pausing, or closing a piece of content; or agreement obtained through the use of dark patterns.”

Under Maryland’s privacy law, a data controller and a data processor have the same meanings as with other consumer laws, namely, a controller is “a person that, alone or jointly with others, determines the purpose and means of processing personal data,” and a processor is understood as “a person that processes personal data on behalf of a controller.”

Last but not least, the ‘sale of personal data’ under Maryland’s data privacy law is defined as “the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration” that does not include certain types of disclosures as follows: 

  • “the disclosure of personal data to a processor that processes personal data on behalf of a controller if limited to the purposes of the processing;
  • the disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller for the purpose of providing a product or service affirmatively requested by the consumer;
  • the disclosure of personal data where the consumer:
    • directs the controller to disclose the personal data; or
    • intentionally uses the controller to interact with a third party;
  • the disclosure of personal data that the consumer:
    • intentionally made available to the general public through a channel of mass media; and
    • did not restrict to a specific audience; or 
  • the disclosure or transfer of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction where the third party assumes control of all or part of the controller’s assets.”


Who does the Maryland Online Data Privacy Act (MODPA) apply to?

Maryland's privacy law applies to businesses that conduct business in Maryland or target products or services to Maryland residents and that:

  • during the preceding calendar year, controlled or processed the personal data of at least 35,000 consumers (excluding personal data controlled or processed solely for payment transactions) or 
  • controlled or processed the personal data of at least 10,000 consumers and derived over 20% of their gross revenue from the sale of personal data.

Who does the Maryland Online Data Privacy Act (MODPA) exempt? 

MODPA exempts the following institutions and types of data:

  • State agencies, including regulatory, administrative, advisory, executive, legislative, and judicial bodies.
  • National securities associations registered under the Federal Securities Exchange Act of 1934.
  • Registered futures associations designated under the Federal Commodity Exchange Act.
  • Financial institutions and their affiliates regulated under the Gramm-Leach-Bliley Act.
  • Nonprofits that process or share personal data solely for assisting:
    • Law enforcement in investigating insurance-related crimes.
    • First responders in responding to catastrophic events.
  • Protected health information under HIPAA.
  • Patient-identifying information as per federal law.
  • Identifiable private information used for federal human subjects protection.
  • Information used in human subjects research following specific guidelines and regulations.
  • Patient safety work product created for patient safety improvement.
  • Information used for public, community, or population health activities as authorized by HIPAA.
  • Personal information used by consumer reporting agencies as regulated by the Federal Fair Credit Reporting Act.
  • Personal data processed in compliance with federal acts like the Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, and Farm Credit Act.
  • Data processed by air carriers under the Federal Airline Deregulation Act.
  • Data used by insurance entities regulated under the Insurance Article.
  • Controllers and processors that comply with the verifiable parental consent requirements of COPPA are considered compliant with the parental consent requirements of MODPA for data concerning children.


What are the requirements for businesses under the Maryland Online Data Privacy Act (MODPA)?

As a controller, you cannot do any of the following:

  • Collect personal data for marketing without consent.
  • Collect, process, or share sensitive data without consent, unless it's strictly necessary to provide a specific service requested by the consumer.
  • Sell sensitive data.
  • Process personal data in ways that violate state or federal anti-discrimination laws.
  • Use personal data for targeted advertising if you know or should know the consumer is between 13 and 18 years old without the consumer’s permission.
  • Sell personal data if you know or should know the consumer is between 13 and 18 years old without the consumer’s permission.
  • Treat consumers differently if they exercise their rights under the law, such as denying services, charging different prices, or offering lower quality goods or services.
  • Use personal data in a way that unfairly discriminates based on race, color, religion, national origin, sex, sexual orientation, gender identity, or disability unless it's for specific purposes like self-testing to prevent discrimination, diversifying your customer base, or for private clubs.
  • Process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes disclosed to the consumer, without the consumer’s consent.

Your duties as a controller under the Maryland Online Data Privacy Act are as follows: 

  • Provide clear and accessible privacy notices detailing your data processing activities. Your privacy policy has to include the following:
    • Categories of personal data you process.
    • The purpose for processing the data.
    • How consumers can exercise their rights, including appeals and revoking consent.
    • Categories of third parties you share data with, explained in a way that consumers can understand.
    • An active email address or online mechanism for contacting you.
  • Establish secure and reliable methods for consumers to exercise their rights.
  • Conduct regular data protection assessments for processing activities that present a heightened risk of harm to consumers. These activities include:
    • Processing personal data for targeted advertising.
    • Selling personal data.
    • Processing sensitive data.
    • Profiling that poses risks such as unfair treatment, unlawful disparate impact, financial or reputational injury, offensive intrusion on privacy, or other substantial injury.
  • If you work with data processors, the processing must be governed by contracts that set out the data processing procedures and ensure compliance with MODPA.
  • Implement and maintain reasonable administrative, technical, and physical data security practices.
  • Limit the collection of personal data to what is necessary for the purposes disclosed to the consumer.
  • Provide an easy way for consumers to revoke their consent for data processing, as easy as it was to give consent. Stop processing personal data within 15-30 days after receiving a revocation request.
  • If you sell personal data or use it for targeted advertising or profiling, clearly disclose this and explain how consumers can opt out. Display this information prominently and use simple, clear language.
  • Provide a clear link on your website for consumers to opt out of targeted advertising or the sale of personal data. By October 1, 2025, allow consumers to opt out using a preference signal sent by a platform or technology indicating their intent. 
  • Recognize opt-out signals approved by other states as compliant.

Under the Maryland Online Data Privacy Act (MODPA) if you are a data processor you must enter into a binding contract with controllers detailing data processing instructions, nature, purpose, type of data, duration, and both parties' obligations. In addition to this, you must ensure confidentiality, implement robust data security practices, and stop processing data upon a controller's request. 

You are also required to delete or return personal data at the end of the service unless legally required to retain it, provide compliance information to controllers, engage subcontractors only with prior notice and under a written contract, and allow assessments of your data practices.

Last but not least, you have to follow the controller's instructions, assist with consumer rights requests and data security, and provide information for data protection assessments.



What are the consumer rights under the Maryland Online Data Privacy Act (MODPA)?

Maryland’s data privacy law gives consumers the following rights: 

  • The right to access 
  • The right to correction
  • The right to deletion
  • The right to data portability
  • The right to opt out of the processing of personal data for purposes of:
    • targeted advertising;
    • the sale of personal data; or
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.


Under MODPA, a consumer may also designate an authorized agent by means of an internet link, a browser setting, a browser extension, a global device setting, or other similar technology that indicates the consumer’s intent to opt out of the processing of their personal data.


How to respond to consumer requests under the Maryland Online Data Privacy Act (MODPA)

You have to respond to consumer requests within 45 days, with a possible extension of another 45 days if it is reasonably necessary to complete the request given the complexity and number of the consumer’s requests, as long as you inform the consumer of the extension and the reason for it within the initial 45-day response period.

Information that you provide to a consumer in response to a consumer request has to be free of charge once during any 12-month period. If the requests from a consumer are “manifestly unfounded, excessive, technically infeasible, or repetitive,” you have the option to either “charge the consumer a reasonable fee to cover the administrative costs of complying with the request” or “decline to act on the request.” If you choose the second option, you bear the burden of demonstrating that the consumer’s request is manifestly unfounded, excessive, technically infeasible, or repetitive in nature.

In addition to these, you have to establish a process for a consumer to appeal your refusal to act on their request within a reasonable period after they have received your decision. The appeal process has to be conspicuously available and similar to the process for submitting consumer requests. You have 60 days after receiving an appeal to inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions you made. If you deny an appeal, you have to provide the consumer with an online mechanism, if available, through which the consumer may contact the enforcement authority in order to submit a complaint. 


Maryland Online Data Privacy Act (MODPA) enforcement and penalties

The Maryland Online Data Privacy Act (MODPA) is enforced by the Division of Consumer Protection, which operates under the Office of the Attorney General of Maryland. The Division is tasked with investigating potential violations of the Act, issuing cease and desist orders to halt unlawful activities, and initiating legal proceedings to uphold the law's provisions. Additionally, the Attorney General has the authority to seek civil penalties and other remedies to ensure adherence to MODPA regulations.

Before initiating an action against a controller, the Division may allow a 60-day cure period.

Under the Maryland Consumer Protection Act, violations of the MODPA are considered unfair, abusive, or deceptive trade practices and are subject to a penalty of up to $10,000 for each violation. For subsequent violations, penalties can reach up to $25,000 per violation.


Data Subject Rights - GDPR vs. Maryland Online Data Privacy Act (MODPA)


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

See Clym in action by booking a demo, or reach out to us to discuss your specific needs today.

FAQs about the Maryland Online Data Privacy Act (MODPA)

What does the Maryland Online Data Privacy Act (MODPA) apply to?

MODPA applies to businesses that conduct business in Maryland or target products or services to Maryland residents and that:

  • during the preceding calendar year, controlled or processed the personal data of at least 35,000 consumers (excluding personal data controlled or processed solely for payment transactions) or 
  • controlled or processed the personal data of at least 10,000 consumers and derived over 20% of their gross revenue from the sale of personal data.

What is exempt under Maryland's data privacy law?

The Maryland Online Data Privacy Act exempts the following:

  • State agencies, including regulatory, administrative, advisory, executive, legislative, and judicial bodies.
  • National securities associations registered under the Federal Securities Exchange Act of 1934.
  • Registered futures associations designated under the Federal Commodity Exchange Act.
  • Financial institutions and their affiliates regulated under the Gramm-Leach-Bliley Act.
  • Nonprofits that process or share personal data solely for assisting:
    • Law enforcement in investigating insurance-related crimes.
    • First responders in responding to catastrophic events.
  • Protected health information under HIPAA.
  • Patient-identifying information as per federal law.
  • Identifiable private information used for federal human subjects protection.
  • Information used in human subjects research following specific guidelines and regulations.
  • Patient safety work product created for patient safety improvement.
  • Information used for public, community, or population health activities as authorized by HIPAA.
  • Personal information used by consumer reporting agencies as regulated by the Federal Fair Credit Reporting Act.
  • Personal data processed in compliance with federal acts like the Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, and Farm Credit Act.
  • Data processed by air carriers under the Federal Airline Deregulation Act.
  • Data used by insurance entities regulated under the Insurance Article.
  • Controllers and processors that comply with the verifiable parental consent requirements of COPPA are considered compliant with the parental consent requirements of MODPA for data concerning children.

What are the privacy rights under the Maryland Online Data Privacy Act (MODPA)?

Maryland’s data privacy law gives consumers the following rights: 

  • The right to access 
  • The right to correction
  • The right to deletion
  • The right to data portability
  • The right to opt out of the processing of personal data for purposes of:
    • targeted advertising;
    • the sale of personal data; or
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

What are the penalties for non-compliance with the Maryland Online Data Privacy Act (MODPA)?

Under the Maryland Consumer Protection Act, violations of the MODPA are considered unfair, abusive, or deceptive trade practices and are subject to a penalty of up to $10,000 for each violation. For subsequent violations, penalties can reach up to $25,000 per violation.


Questions?

If you would like to learn more, our compliance experts are happy to support you.

support@clym.io
+1 980 446 8535 +1 866 275 2596