The Maryland Online Data Privacy Act (MODPA), signed into law by Governor Wes Moore on May 9, 2024, marks Maryland’s entry into the growing list of U.S. states with comprehensive data privacy legislation. Effective October 1, 2025, this law introduces robust protections for Maryland residents by regulating how businesses collect, use, and share personal data. A key aspect of MODPA is its consumer-centric approach, which prioritizes individual privacy rights over corporate interests.
MODPA Overview
The Maryland Online Data Privacy Act is a forward-thinking piece of legislation designed to protect Maryland residents’ personal data. The law will be fully implemented by October 1, 2025, with its universal opt-out mechanism becoming operational on April 1, 2026. This act aims to limit excessive data collection practices, restrict the sale of sensitive information, and empower consumers with greater control over their personal data.
Key Features:
- Effective Dates: The primary provisions of the MODPA will be effective starting October 1, 2025. However, businesses and consumers will need to prepare for the universal opt-out mechanism, which will come into effect on April 1, 2026.
- Enforcement: The enforcement of the MODPA falls under the jurisdiction of the Maryland Office of the Attorney General’s Consumer Protection Division. Notably, the act does not grant consumers the right to pursue private legal action against violators.
Essential Provisions
MODPA applies to businesses and organizations, known as “controllers,” that operate in Maryland or provide goods and services to Maryland residents. The law is triggered if a business meets one of two thresholds:
- Controls or processes personal data of at least 35,000 Maryland consumers.
- Controls or processes personal data of at least 10,000 Maryland consumers and derives more than 20% of its gross revenue from the sale of personal data.
This dual-threshold approach ensures that a wide range of businesses fall under the law’s purview, particularly those profiting from personal data.
MODPA Applicability
The MODPA targets a wide range of entities, from small businesses to large corporations, provided they meet specific criteria. The law’s applicability hinges on the volume of data processed and the revenue derived from data sales.
Applicability Criteria:
- Thresholds:
  - Entities that control or process the personal data of at least 35,000 Maryland residents.
  - Entities that control or process the personal data of 10,000 Maryland residents and generate more than 20% of their gross revenue from the sale of such data.
- Exemptions:
  - Certain organizations are exempt from the MODPA, including state and local government agencies, financial institutions governed by the Gramm-Leach-Bliley Act, and non-profits assisting in law enforcement efforts.
  - The act also excludes data types covered by other specific regulations, such as de-identified data and health information protected under HIPAA.
Consumer Rights Under MODPA
The MODPA grants Maryland residents several fundamental rights regarding their personal data, aligning closely with other state data privacy laws while introducing some unique features.
Consumer Rights:
- Right to Access: Consumers can request a copy of the personal information collected about them by businesses.
- Right to Correct: Consumers can ask businesses to correct inaccuracies in their personal data.
- Right to Delete: Consumers have the right to request the deletion of their personal data, except where retention is mandated by law.
- Right to Data Portability: Consumers can obtain their data in a format that is easily transferable to other services.
- Right to Know: Consumers can request information about third parties with whom their data has been shared.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Businesses must respond to these requests within 45 days. If a request is denied, businesses are required to provide an appeals process and an online mechanism for filing complaints with the Consumer Protection Division.
Obligations for Controllers and Processors
Under the MODPA, both controllers and processors have specific responsibilities to ensure compliance with the law and protect consumer data.
Controller Obligations:
- Data Collection and Use:
Data collection must be limited to what is necessary for delivering a product or service. Explicit consent is required for any additional data collection.
Controllers must implement reasonable administrative, technical, and physical measures to safeguard data.
- Disclosure and Transparency:
Controllers must disclose if they sell personal data or use it for targeted advertising. They must also provide a clear privacy notice outlining their data processing practices.
- Sensitive Data Restrictions:
The MODPA prohibits the sale of sensitive data, including health information and biometric data. Processing such data is restricted to what is necessary for providing a requested service.
- Data Protection Impact Assessments:
Controllers must conduct assessments for data processing activities that present significant risks to consumer privacy. Assessments must be conducted on or after October 1, 2025, and can be based on assessments required by similar laws.
- Universal Opt-Out Mechanism (UOOM):
Controllers must implement a UOOM, allowing consumers to communicate their data preferences across multiple sites. Maryland permits the use of UOOMs approved by other states.
Processor Obligations:
Processors must have a contract with controllers that includes provisions for data security, consumer rights fulfillment, and impact assessments. They must cooperate with controllers to ensure compliance with MODPA requirements.
Enforcement & Penalties
Enforcement of the MODPA is under the purview of the Maryland Attorney General’s Consumer Protection Division. Companies are given 60 days to address any violations after receiving a notice. Non-compliance can result in civil penalties and other legal actions.
Enforcement Details:
- Notice and Cure Period: Upon receiving a notice of violation, entities have 60 days to address the issue. The Attorney General considers various factors, including the number of violations and the size of the entity, before deciding whether to grant the opportunity to cure.
- Penalties: Violations can result in civil penalties up to $10,000 per instance, or $25,000 for repeated offenses. The Attorney General may also seek injunctive relief and attorney’s fees.
The Universal Opt-Out Mechanism (UOOM)
Starting in April 2026, Maryland residents will have access to a Universal Opt-Out Mechanism (UOOM), allowing them to automatically opt out of data collection and sales across multiple websites. This feature significantly reduces the burden on consumers, who would otherwise need to manually submit opt-out requests to individual businesses.
Frequently Asked Questions
- What is the Maryland Online Data Privacy Act?
The MODPA is a data privacy law that regulates how businesses collect, process, and use personal data, granting consumers rights to access, correct, delete, and control their data.
- When do the provisions of the MODPA take effect?
The main provisions take effect on October 1, 2025. The universal opt-out mechanism will be implemented starting April 1, 2026.
- Who must comply with the MODPA?
The act applies to businesses processing the personal data of at least 35,000 Maryland residents or 10,000 Maryland residents with significant revenue from data sales.
- What rights do consumers have under the MODPA?
Consumers have the right to access, correct, delete, and obtain their data, as well as opt out of data sales and targeted advertising.
- How does enforcement work under the MODPA?
Enforcement is handled by the Maryland Attorney General’s Consumer Protection Division, which can impose penalties and seek other legal remedies for violations.
Wrapping Up
The Maryland Online Data Privacy Act is a significant step forward in protecting consumer privacy in the digital age. While the law imposes new obligations on businesses, it also empowers Maryland residents with robust rights to control their personal data. As the law comes into effect, consumers and businesses alike need to understand their rights and responsibilities under MODPA.
If you are a Maryland resident, familiarize yourself with these rights and be proactive in exercising them to safeguard your personal information. For businesses, now is the time to review and update your data privacy practices to ensure compliance with MODPA and avoid potential penalties.