<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Maryland Online Data Privacy Act 

The 18th data privacy law in the United States.

Book a Demo

What is the Maryland Online Data Privacy Act (MODPA)?

The Maryland Online Data Privacy Act (MODPA) is the eighteenth data privacy law to be passed in the United States, set to take effect on October 1, 2025, and signed by the state’s Governor on May 9, 2024. 

Just like with all other consumer privacy laws before it, MODPA aims to protect consumer privacy by setting forth specific requirements for data controllers and processors, granting consumers rights over their personal data, and establishing enforcement mechanisms for non-compliance.

However, unlike some other states, such as Kentucky or Tennessee, it sets out lower thresholds for applicability. 

Find out more about Maryland's data privacy law by getting answers to questions such as:

  • Does MODPA apply to my business?
  • What consumer rights does MODPA grant to residents of Maryland?
  • What are the penalties for violations of the MODPA?

Data Privacy & Web Accessibility Compliance

clym web compliance scanner

 

How does the Maryland Online Data Privacy Act (MODPA) define Personal Information and what are other key definitions? 

Under the Maryland Online Data Privacy Act “personal data” is “any information that is linked or can be reasonably linked to an identified or identifiable consumer,” which excludes de-identified data or publicly available information. The Act also defines ‘sensitive data’ as “personal data that includes data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or non-binary, national origin, or citizenship or immigration status; genetic data or biometric data; personal data of a consumer that the controller knows or has reason to know is a child; or precise geolocation data.”

‘Biometric data’ under MODPA means “data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity” that includes “a fingerprint, a voice print, an eye retina or iris image, and any other unique biological characteristics that can be used to uniquely authenticate a consumer’s identity,” but excludes “a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph or an audio or video recording, unless the data is generated to identify a specific consumer.”

A ‘consumer’ is defined as an individual who is a resident of Maryland acting in a personal context which does not include individuals acting in a commercial or employment context, ‘child’ has the meaning stated in the COPPA, and ‘consent’ means “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose, including a written statement, a written statement by electronic means, or any other unambiguous affirmative action. Consent however does not include “acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information; hovering over, muting, pausing, or closing a piece of content; or agreement obtained through the use of dark patterns.”

Under Maryland’s privacy law, a data controller and a data processor have the same meanings as with other consumer laws, namely, a controller is “a person that, alone or jointly with others, determines the purpose and means of processing personal data,” and a processor is understood as “a person that processes personal data on behalf of a controller.”

Last but not least, the ‘sale of personal data’ under Maryland’s data privacy law is defined as “the exchange of personal data by a controller, a processor, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration” that does not include certain types of disclosures as follows: 

  • “the disclosure of personal data to a processor that processes personal data on behalf of a controller if limited to the purposes of the processing;
  • the disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller for the purpose of providing a product or service affirmatively requested by the consumer;
  • the disclosure of personal data where the consumer:
    • directs the controller to disclose the personal data; or
    • intentionally uses the controller to interact with a third party;
  • the disclosure of personal data that the consumer:
    • intentionally made available to the general public through a channel of mass media; and
    • did not restrict to a specific audience; or 
  • the disclosure or transfer of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction where the third party assumes control of all or part of the controller’s assets.”

 

Who does the Maryland Online Data Privacy Act (MODPA) apply to?

Maryland's privacy law applies to businesses that conduct business in Maryland or target products or services to Maryland residents and who

  • during the preceding calendar year, controlled or processed the personal data of at least 35,000 consumers (excluding personal data controlled or processed solely for payment transactions) or 
  • controlled or processed the personal data of at least 10,000 consumers and derived over 20% of their gross revenue from the sale of personal data.

Who does the Maryland Online Data Privacy Act (MODPA) exempt? 

MODPA exempts the following institutions and types of data:

  • State agencies, including regulatory, administrative, advisory, executive, legislative, and judicial bodies.
  • National securities associations registered under the Federal Securities Exchange Act of 1934.
  • Registered futures associations designated under the Federal Commodity Exchange Act.
  • Financial institutions and their affiliates regulated under the Gramm-Leach-Bliley Act.
  • Nonprofits that process or share personal data solely for assisting:
    • Law enforcement in investigating insurance-related crimes.
    • First responders in responding to catastrophic events.
  • Protected health information under HIPAA.
  • Patient-identifying information as per federal law.
  • Identifiable private information used for federal human subjects protection.
  • Information used in human subjects research following specific guidelines and regulations.
  • Patient safety work product created for patient safety improvement.
  • Information used for public, community, or population health activities as authorized by HIPAA.
  • Personal information used by consumer reporting agencies as regulated by the Federal Fair Credit Reporting Act.
  • Personal data processed in compliance with federal acts like the Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, and Farm Credit Act.
  • Data processed by air carriers under the Federal Airline Deregulation Act.
  • Data used by insurance entities regulated under the Insurance Article.
  • Controllers and processors that comply with the verifiable parental consent requirements of COPPA are considered compliant with the parental consent requirements of MODPA for data concerning children.

 

What are the requirements for businesses under the Maryland Online Data Privacy Act (MODPA)

As a controller, you cannot do any of the following:

  • Collect personal data for marketing without consent.
  • Collect, process, or share sensitive data without consent, unless it's strictly necessary to provide a specific service requested by the consumer.
  • Sell sensitive data.
  • Process personal data in ways that violate state or federal anti-discrimination laws.
  • Use personal data for targeted advertising if you know or should know the consumer is between 13 and 18 years old without the consumer’s permission.
  • Sell personal data if you know or should know the consumer is between 13 and 18 years old without the consumer’s permission.
  • Treat consumers differently if they exercise their rights under the law, such as denying services, charging different prices, or offering lower quality goods or services.
  • Use personal data in a way that unfairly discriminates based on race, color, religion, national origin, sex, sexual orientation, gender identity, or disability unless it's for specific purposes like self-testing to prevent discrimination, diversifying your customer base, or for private clubs.
  • Process data for unrelated purposes without consent:

Your duties as a controller under the Maryland Online Data Privacy Act are as follows: 

  • Provide clear and accessible privacy notices detailing your data processing activities. Your privacy policy has to include the following:
    • Categories of personal data you process.
    • The purpose for processing the data.
    • How consumers can exercise their rights, including appeals and revoking consent.
    • Categories of third parties you share data with, explained in a way that consumers can understand.
    • An active email address or online mechanism for contacting you.
  • Establish secure and reliable methods for consumers to exercise their rights.
  • Conduct regular data protection assessments for processing activities that present a heightened risk of harm to consumers. These activities include:
    • Processing personal data for targeted advertising.
    • Selling personal data.
    • Processing sensitive data.
    • Profiling that poses risks such as unfair treatment, unlawful disparate impact, financial or reputational injury, offensive intrusion on privacy, or other substantial injury.
  • If you are working with data processors any activity must be governed by contracts that outline data processing procedures and ensure compliance with MODPA.
  • Implement and maintain reasonable administrative, technical, and physical data security practices.
  • Limit the collection of personal data to what is necessary for the purposes disclosed to the consumer.
  • Provide an easy way for consumers to revoke their consent for data processing, as easy as it was to give consent. Stop processing personal data within 15-30 days after receiving a revocation request.
  • If you sell personal data or use it for targeted advertising or profiling, clearly disclose this and explain how consumers can opt out. Display this information prominently and use simple, clear language.
  • Provide a clear link on your website for consumers to opt out of targeted advertising or the sale of personal data. By October 1, 2025, allow consumers to opt out using a preference signal sent by a platform or technology indicating their intent. 
  • Recognize opt-out signals approved by other states as compliant.

Under the Maryland Online Data Privacy Act (MODPA) if you are a data processor you must enter into a binding contract with controllers detailing data processing instructions, nature, purpose, type of data, duration, and both parties' obligations. In addition to this, you must ensure confidentiality, implement robust data security practices, and stop processing data upon a controller's request. 

You are also required to delete or return personal data at the end of the service unless legally required to retain it, provide compliance information to controllers, engage subcontractors only with prior notice and under a contract, and allow assessments of their data practices. 

Last but not least, you have to follow the controller's instructions, assist with consumer rights requests and data security, and provide information for data protection assessments.



What are the consumer rights under the
Maryland Online Data Privacy Act (MODPA)

Maryland’s data privacy law gives consumers the following rights: 

  • The right to access 
  • The right to correction
  • The right to deletion
  • The right to data portability
  • The right to opt out of the processing of personal data for purposes of:
    • targeted advertising;
    • the sale of personal data; or
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

 

Also, under the MODPA, a consumer is allowed to designate an authorized agent by an

internet link or a browser setting, browser extension, global device setting, or other similar technology, indicating their to opt out of the processing of their personal data.

Maryland Online Data Privacy Act (MODPA)
compliant website with Clym

Book a Demo

How to respond to consumer requests under the Maryland Online Data Privacy Act (MODPA)

You have to respond to consumer requests within 45 days, with a possible extension of another 45 days if it is reasonably necessary to complete the request based on the complexity and number of the consumer’s requests, as long as you inform the consumer of the extension and the reason for the extension within the initial 45–day response period.

Information that you provide to a consumer in response to a consumer request has to be free of charge once during any 12–month period, and if the requests from a consumer are “manifestly unfounded, excessive, technically infeasible, or repetitive,” you have the option to either “charge the consumer a reasonable fee to cover the administrative costs of complying with the request,” or “decline to act on the request.” If you choose the second option you have to demonstrate that the consumer’s request is manifestly unfounded, excessive, technically infeasible, or repetitive in nature.

In addition to these, you have to establish a process for a consumer to appeal your refusal to act on their request within a reasonable period after they have received your decision. The appeal process has to be conspicuously available and similar to the process for submitting consumer requests. You have 60 days after receiving an appeal to inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions you made. If you deny an appeal, you have to provide the consumer with an online mechanism, if available, through which the consumer may contact the enforcement authority in order to submit a complaint. 

 

Maryland Online Data Privacy Act (MODPA) enforcement and penalties

The Maryland Online Data Privacy Act (MODPA) is enforced by the Division of Consumer Protection, which operates under the Office of the Attorney General of Maryland. The Division is tasked with investigating potential violations of the Act, issuing cease and desist orders to halt unlawful activities, and initiating legal proceedings to uphold the law's provisions. Additionally, the Attorney General has the authority to seek civil penalties and other remedies to ensure adherence to MODPA regulations.

Before initiating an action against a controller, the Division may allow for a 60 day cure period. 

Under the Maryland Consumer Protection Act, violations of the MODPA are considered unfair, abusive, or deceptive trade practices and are subject to a penalty of up to $10,000 for each violation. For subsequent violations, penalties can reach up to $25,000 per violation.

 

Data Subject Rights - GDPR vs. Maryland Online Data Privacy Act (MODPA)

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

 

FAQs about the Maryland Online Data Privacy Act (MODPA)

What does the Maryland Online Data Privacy Act (MODPA) apply to?

MODPA applies to businesses that conduct business in Maryland or target products or services to Maryland residents and who

  • during the preceding calendar year, controlled or processed the personal data of at least 35,000 consumers (excluding personal data controlled or processed solely for payment transactions) or 
  • controlled or processed the personal data of at least 10,000 consumers and derived over 20% of their gross revenue from the sale of personal data.
What is exempt under Maryland's data privacy law?
The Maryland Online Data Privacy Act exempts the following:
  • State agencies, including regulatory, administrative, advisory, executive, legislative, and judicial bodies.
  • National securities associations registered under the Federal Securities Exchange Act of 1934.
  • Registered futures associations designated under the Federal Commodity Exchange Act.
  • Financial institutions and their affiliates regulated under the Gramm-Leach-Bliley Act.
  • Nonprofits that process or share personal data solely for assisting:
  • Law enforcement in investigating insurance-related crimes.
  • First responders in responding to catastrophic events.
  • Protected health information under HIPAA.
  • Patient-identifying information as per federal law.
  • Identifiable private information used for federal human subjects protection.
  • Information used in human subjects research following specific guidelines and regulations.
  • Patient safety work product created for patient safety improvement.
  • Information used for public, community, or population health activities as authorized by HIPAA.
  • Personal information used by consumer reporting agencies as regulated by the Federal Fair Credit Reporting Act.
  • Personal data processed in compliance with federal acts like the Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, and Farm Credit Act.
  • Data processed by air carriers under the Federal Airline Deregulation Act.
  • Data used by insurance entities regulated under the Insurance Article.
  • Controllers and processors that comply with the verifiable parental consent requirements of COPPA are considered compliant with the parental consent requirements of MODPA for data concerning children.
What are the privacy rights under the Maryland Online Data Privacy Act (MODPA)?

Maryland’s data privacy law gives consumers the following rights: 

  • The right to access 
  • The right to correction
  • The right to deletion
  • The right to data portability
  • The right to opt out of the processing of personal data for purposes of:
    • targeted advertising;
    • the sale of personal data; or
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
What are the penalties for non-compliance with the Maryland Online Data Privacy Act (MODPA)?

Under the Maryland Consumer Protection Act, violations of the MODPA are considered unfair, abusive, or deceptive trade practices and are subject to a penalty of up to $10,000 for each violation. For subsequent violations, penalties can reach up to $25,000 per violation.




illustration of contact means

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596