Maryland Data Privacy Laws: MODPA Consumer Rights Guide (2026)

Maryland has one of the strongest data privacy laws in the United States. The Maryland Online Data Privacy Act (MODPA), signed by Governor Wes Moore on May 9, 2024, and effective October 1, 2025, goes further than most state privacy laws in several important ways. It prohibits the sale of sensitive data entirely. It restricts data collection itself rather than relying on consent-based processing. And it extends protections to all consumers under 18, not just children under 13.
MODPA is codified as Chapter 455 of the 2024 Maryland Laws, amending the Maryland Commercial Law Article. The bill passed the Maryland Senate 46-0 and the House of Delegates 103-33, with strong bipartisan support. Enforcement by the Maryland Attorney General began on April 1, 2026.
This guide covers every aspect of Maryland's data privacy framework as of 2026, including the MODPA's consumer rights, business obligations, enforcement structure, and the separate data breach notification law.
What Is the Maryland Online Data Privacy Act (MODPA)?
The MODPA is Maryland's comprehensive consumer data privacy law. It was introduced as Senate Bill 541 during the 2024 Regular Session by Senators Gile, Hester, Augustine, Feldman, Beidle, and Ellis. The companion bill in the House was HB 567.

The law regulates how data controllers and processors handle the personal data of Maryland residents. It establishes consumer rights, business obligations, and enforcement mechanisms that in several respects exceed the protections found in California, Virginia, Colorado, and other states with comprehensive privacy laws.
What makes MODPA stand out nationally is its approach to three key areas: data minimization, sensitive data, and children's privacy. Each of these areas sets a higher bar than comparable laws in other states.
Who Must Comply with MODPA?
MODPA applies to entities that conduct business in Maryland or produce products or services targeted to Maryland residents and meet one of two thresholds:
- Control or process the personal data of at least 35,000 Maryland consumers during a calendar year (excluding data processed solely for payment transactions), OR
- Control or process the personal data of at least 10,000 Maryland consumers AND derive more than 20% of gross revenue from the sale of personal data.
These thresholds are lower than those in most other states. Virginia, for comparison, uses a 100,000-consumer threshold. Maryland's lower bar means more businesses fall under the law's requirements.
Who Is Exempt from MODPA?
MODPA includes both entity-level and data-level exemptions.
Entity-Level Exemptions:
- Maryland state and local government agencies
- Registered national securities and futures associations
- Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA)
- Nonprofit organizations that exclusively serve law enforcement agencies or first responders in responding to catastrophic events
Data-Level Exemptions (exempt even when held by covered entities):
- Protected health information under HIPAA
- Data governed by the Gramm-Leach-Bliley Act
- Data regulated under the Fair Credit Reporting Act (FCRA)
- Data covered by the Driver's Privacy Protection Act
- Data subject to the Family Educational Rights and Privacy Act (FERPA)
- Data processed under the Farm Credit Act and Airline Deregulation Act
- Employee and contractor data processed in the employment context
Importantly, nonprofits are generally not exempt from MODPA. If a nonprofit meets the data processing thresholds and is not specifically excluded under the law enforcement or first responder exception, it must comply.
Consumer Rights Under MODPA
MODPA grants Maryland residents a comprehensive set of privacy rights. These rights allow consumers to understand and control how businesses collect, use, and share their personal data.
Right to Confirm and Access
Consumers have the right to confirm whether a controller is processing their personal data. If processing is occurring, the consumer can access that data and understand how it is being used.
Right to Correct
Consumers can request that a controller correct inaccuracies in their personal data. This right helps ensure that businesses maintain accurate records about consumers.
Right to Delete
Consumers may request deletion of personal data that a controller holds about them. This applies to data the consumer provided directly as well as data obtained from other sources.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable and readily usable format. This allows consumers to move their data to a different service provider.
Right to Opt Out
Consumers have the right to opt out of the processing of personal data for:
- Targeted advertising based on activities tracked across different businesses, websites, or applications
- Sale of personal data to third parties
- Profiling that produces legal or similarly significant effects
Right to Obtain a List of Third-Party Recipients
Consumers can request a list of the categories of third parties to whom a controller has disclosed their personal data. This transparency right helps consumers understand the full scope of data sharing.
Non-Discrimination
Businesses cannot discriminate against consumers who exercise their privacy rights. A business cannot deny goods or services, charge different prices, or provide a different level of quality because a consumer made a privacy request.
How to Exercise Your Rights
Controllers must provide mechanisms for consumers to submit requests. When a consumer submits a request, the controller must respond within 45 days. This period can be extended by an additional 45 days when reasonably necessary given the complexity of the request.
If a controller declines a request, the consumer may appeal the decision. If the appeal is denied, the consumer can file a complaint with the Maryland Attorney General's Consumer Protection Division.
Universal Opt-Out Signals
MODPA addresses universal opt-out preference signals. Controllers may either provide a clear and conspicuous link on their website for exercising opt-out rights, or recognize an opt-out preference signal such as the Global Privacy Control (GPC). Controllers that already recognize opt-out signals approved by other states are considered compliant with Maryland's requirement.
Data Minimization: MODPA's Strictest Requirement
MODPA's data minimization standard is arguably the most significant feature of the law. It sets a higher bar than every other U.S. state privacy law and, in some respects, even the European Union's [General Data Protection Regulation (GDPR)](https://commission.europa.eu/law/law-topic/data-protection_en).
Under MODPA, controllers must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer. This restriction applies regardless of whether the consumer has given consent.
This is a fundamental departure from how most state privacy laws work. In most states, businesses can collect data for any disclosed purpose as long as the consumer is informed. MODPA restricts the collection itself. Even if a consumer agrees to broader data collection, the business cannot collect more than what is reasonably necessary.
For sensitive personal data, the standard is even stricter. Controllers cannot process sensitive data unless it is strictly necessary to provide or maintain a product or service the consumer specifically requested. The word "strictly" raises the bar above the general "reasonably necessary" standard.
Controllers should be prepared to document their reasoning for data collection decisions. The Maryland Attorney General may request this documentation during investigations, and controllers must be able to explain why the data they collect meets the necessity standard.
Sensitive Data Protections: The Outright Sale Ban
MODPA takes a fundamentally different approach to sensitive data than other state privacy laws. Rather than allowing businesses to process sensitive data with consumer opt-in consent, MODPA prohibits the sale of sensitive personal data entirely, regardless of whether the consumer consents.
This is the strongest sensitive data protection in any U.S. state privacy law. In Virginia, Colorado, Connecticut, and other states, businesses can process and sell sensitive data as long as they obtain affirmative opt-in consent from the consumer. Maryland eliminates even that option.
What Qualifies as Sensitive Data Under MODPA?
MODPA defines sensitive personal data broadly. The following categories are classified as sensitive:
- Biometric data (sensitive regardless of whether it is used for identification purposes)
- Genetic data (sensitive regardless of use)
- Consumer health data, including any information about a person's health status, conditions, or treatment
- Precise geolocation data
- Data revealing race or ethnicity
- Data revealing religious beliefs
- Data revealing sexual orientation, sex life, or transgender/nonbinary status
- Data revealing citizenship or immigration status
- Data revealing national origin
- Personal data of a known child under 13
Several of these categories are broader than definitions used in other states. For example, most state laws only classify biometric data as sensitive when it is used for identification. MODPA classifies it as sensitive regardless of how it is used. Similarly, MODPA's definition of consumer health data covers any health "status," while most states limit the definition to diagnosed conditions.
Exceptions to the Sensitive Data Sale Ban
The prohibition on selling sensitive data has limited exceptions:
- Disclosures directed by the consumer to a specific third party
- Disclosures that are strictly necessary to provide a product or service the consumer requested
Outside of these narrow exceptions, the sale of sensitive data is prohibited under all circumstances.
Children's Data Protections
MODPA provides some of the strongest children's data protections in any U.S. state privacy law. The protections extend to all consumers under 18, not just children under 13 as defined by the federal Children's Online Privacy Protection Act (COPPA).
Protections for Consumers Under 18
MODPA prohibits businesses from:
- Selling the personal data of any consumer the business knows or should reasonably know is under 18
- Using personal data for targeted advertising directed at any consumer the business knows or should reasonably know is under 18
These prohibitions apply regardless of consumer or parental consent. Unlike most state privacy laws that offer an opt-out or opt-in mechanism for minors' data, MODPA flatly bans these practices for anyone under 18.
The "Should Have Known" Standard
MODPA uses a "knew or should have known" standard for determining whether a consumer is a minor. This is significantly more protective than the "actual knowledge" standard used in most other states.
Under the "should have known" standard, a controller cannot simply ignore indicators that a user is under 18. If contextual signals, user behavior, or available information would lead a reasonable business to conclude a user is a minor, the protections apply. This effectively requires controllers to implement some form of age assurance or verification mechanism.
Children Under 13
Personal data of a known child under 13 is automatically classified as sensitive data under MODPA. This triggers the strictest data minimization standard ("strictly necessary") and the outright ban on data sales.
Parents and legal guardians may exercise data privacy rights on behalf of children under 13.
Business Obligations Under MODPA
Controllers subject to MODPA must meet several requirements beyond responding to consumer rights requests.
Privacy Notice Requirements
Controllers must provide consumers with a clear and accessible privacy notice that includes:
- The categories of personal data collected
- The purposes for processing personal data
- How consumers can exercise their privacy rights, including the appeal process
- The categories of personal data shared with third parties
- The categories of third parties that receive personal data
Data Protection Assessments
MODPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers. These assessments are required for:
- Processing personal data for targeted advertising
- Selling personal data
- Processing personal data for profiling
- Processing sensitive data
- Any processing that presents a heightened risk of harm
Maryland's requirement goes further than most states by explicitly requiring that assessments include an evaluation of each algorithm used in the processing activity. This algorithmic assessment requirement is unique among U.S. state privacy laws.
The Attorney General may request these assessments during investigations.
Controller-Processor Contracts
Processing must be governed by a written contract between the controller and processor. The contract must outline the instructions for processing, the nature and purpose of the processing, the type of data subject to processing, and the duration of the relationship.
Processors must assist controllers in meeting their obligations, including responding to consumer rights requests, ensuring security of data processing, and conducting data protection assessments.
Enforcement and Penalties
The Maryland Attorney General has exclusive enforcement authority over MODPA. The Consumer Protection Division of the Office of the Attorney General handles investigations and enforcement actions.
There is no private right of action. Consumers cannot sue businesses directly for MODPA violations. Instead, they must file complaints with the Attorney General's office.
Enforcement Timeline
MODPA became effective on October 1, 2025, but enforcement did not begin until April 1, 2026. This six-month grace period allowed businesses to implement compliance measures before facing potential enforcement action.
Cure Period
For violations that occur before April 1, 2027, the Attorney General may provide a 60-day cure period. During this window, the controller or processor can cure the violation and provide a written statement confirming the cure before the Attorney General pursues penalties.
The cure period is not automatic. The Attorney General has discretion to determine whether a violation is curable, considering factors including:
- The number of violations
- The size and complexity of the controller or processor
- The likelihood of injury to the public
- Whether the violation appears intentional
After April 1, 2027, the cure period expires entirely. The Attorney General can then pursue enforcement immediately without offering an opportunity to cure.
Penalty Amounts
MODPA violations are treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act (MCPA). Penalties follow the MCPA's framework:
| Violation Type | Maximum Penalty | Notes |
|---|---|---|
| First violation | Up to $10,000 | Per violation |
| Repeat violation | Up to $25,000 | Per subsequent violation of the same type |
| Criminal penalties | Possible | Under MCPA's criminal provisions for willful violations |
These penalties are notably higher than the $7,500 per-violation cap in Virginia and many other states.
Maryland Data Breach Notification Law
Separate from MODPA, Maryland's data breach notification law under the Maryland Personal Information Protection Act (PIPA), codified at Md. Code Com. Law 14-3504, requires businesses to notify consumers and the Attorney General when personal information is compromised.
What Triggers Notification
Notification is required when there has been an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Good faith acquisitions by employees for business purposes are excluded from the definition of a breach.
A business must conduct a reasonable and prompt investigation after discovering a breach to determine whether personal information has been or will likely be misused.
Personal Information Covered
The law covers a consumer's first name or initial plus last name combined with any of the following:
- Social Security number
- Driver's license or state identification number
- Financial account number, credit card, or debit card number combined with any required security code
- Individual taxpayer identification number
- Passport number or other government-issued identification number
- Health information
- Biometric data (fingerprints, voice prints, retina or iris images)
- Online account credentials (username or email with password or security question answers)
Notification Timeline and Requirements
Businesses must notify affected consumers within 45 days of discovering the breach. The notification must include:
- A description of the categories of information compromised
- Contact information for the business, including a toll-free phone number
- Consumer reporting agency contact information
- Contact information for the Federal Trade Commission and the Maryland Attorney General
- Identity theft prevention and mitigation resources
Attorney General Notification
Before sending notification to consumers, a business must notify the Maryland Office of the Attorney General. This pre-notification requirement ensures the AG's office is aware of the breach before consumers receive notice.
Methods of Notice
Notice may be provided through:
- Written mail to the consumer's most recent address
- Telephone to the most recent phone number
- Email (if the consumer consented to electronic communications or the business primarily operates online)
- Substitute notice (email, website posting, and statewide media notification) when the cost exceeds $100,000 or more than 175,000 individuals are affected
Security Requirements
PIPA also requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and the size of the business.
How MODPA Compares to Other State Privacy Laws
Maryland's MODPA stands apart from other comprehensive state privacy laws in several important ways:
| Feature | Maryland (MODPA) | Virginia (VCDPA) | California (CCPA/CPRA) | Colorado (CPA) |
|---|---|---|---|---|
| Effective date | Oct. 1, 2025 | Jan. 1, 2023 | Jan. 1, 2020 | July 1, 2023 |
| Consumer threshold | 35,000 | 100,000 | Revenue-based | 100,000 |
| Sensitive data sale | Banned entirely | Opt-in consent | Opt-in consent | Opt-in consent |
| Data minimization | Mandatory (regardless of consent) | Adequate and relevant | Reasonably necessary | Adequate, relevant, limited |
| Minor protection age | Under 18 | Under 13 (COPPA) + 16 (social media) | Under 16 | Under 13 |
| Minor standard | "Should have known" | Actual knowledge | Actual knowledge | Actual knowledge |
| Penalty (per violation) | $10,000 / $25,000 repeat | $7,500 | $2,500 / $7,500 intentional | $20,000 |
| Cure period | 60 days (until April 2027) | 30 days | None | 60 days (expired Jan. 2025) |
| Private right of action | No | No | Yes (data breaches) | No |
| Nonprofits covered | Generally yes | No | Yes | No |
| Algorithmic assessment | Required | Not specified | Not specified | Not specified |
The information on this page is for general informational purposes only and does not constitute legal advice. Data privacy laws change frequently. For advice about your specific situation, consult a licensed attorney in Maryland.