Maryland Data Privacy Laws: MODPA Consumer Rights Guide (2026)

Maryland's Online Data Privacy Act (MODPA), codified at Md. Code, Com. Law §§ 14-4601 to 14-4614 and effective October 1, 2025, governs how businesses collect and share personal data about Maryland residents. MODPA bans the sale of sensitive personal data entirely, requires data minimization regardless of consumer consent, and protects all consumers under 18 from data sales and targeted advertising.

Maryland has one of the strongest data privacy laws in the United States. The Maryland Online Data Privacy Act (MODPA), signed by Governor Wes Moore on May 9, 2024, and effective October 1, 2025, goes further than most state privacy laws in several important ways. It prohibits the sale of sensitive data entirely. It restricts data collection itself rather than relying on consent-based processing. And it extends protections to all consumers under 18, not just children under 13.

MODPA is codified as Subtitle 46 of the Maryland Commercial Law Article, Md. Code, Com. Law §§ 14-4601 to 14-4614 (Chapter 455 of the 2024 Maryland Laws). The bill passed the Maryland Senate 46-0 and the House of Delegates 103-33, with strong bipartisan support. Enforcement by the Maryland Attorney General began on April 1, 2026.

Maryland's privacy framework extends beyond MODPA. It also includes a data breach notification law, a genetic information privacy act, a medical records confidentiality statute, a children's design code, and federal overlay from HIPAA, COPPA, GLBA, and the TAKE IT DOWN Act. This guide covers the full framework as of May 2026.

What Is the Maryland Online Data Privacy Act (MODPA)?

The MODPA is Maryland's comprehensive consumer data privacy law, codified at Md. Code, Com. Law §§ 14-4601 through 14-4614. It was introduced as Senate Bill 541 during the 2024 Regular Session by Senators Gile, Hester, Augustine, Feldman, Beidle, and Ellis. The companion bill in the House was HB 567.

The law regulates how data controllers and processors handle the personal data of Maryland residents. It establishes consumer rights, business obligations, and enforcement mechanisms that in several respects exceed the protections found in California, Virginia, Colorado, and other states with comprehensive privacy laws.

What makes MODPA stand out nationally is its approach to three key areas: data minimization, sensitive data, and children's privacy. Each of these areas sets a higher bar than comparable laws in other states.

Who Must Comply with MODPA?

MODPA applies to entities that conduct business in Maryland or produce products or services targeted to Maryland residents and meet one of two thresholds:

1. Control or process the personal data of at least 35,000 Maryland consumers during a calendar year (excluding data processed solely for payment transactions), OR
2. Control or process the personal data of at least 10,000 Maryland consumers AND derive more than 20% of gross revenue from the sale of personal data.

These thresholds are lower than those in most other states. Virginia, for comparison, uses a 100,000-consumer threshold. Maryland's lower bar means more businesses fall under the law's requirements.

Who Is Exempt from MODPA?

MODPA includes both entity-level and data-level exemptions.

Entity-Level Exemptions:

• Maryland state and local government agencies
• Registered national securities and futures associations
• Financial institutions regulated under the Gramm-Leach-Bliley Act (GLBA)
• Nonprofit organizations that exclusively serve law enforcement agencies or first responders in responding to catastrophic events

Data-Level Exemptions (exempt even when held by covered entities):

• Protected health information under HIPAA
• Data governed by the Gramm-Leach-Bliley Act
• Data regulated under the Fair Credit Reporting Act (FCRA)
• Data covered by the Driver's Privacy Protection Act
• Data subject to the Family Educational Rights and Privacy Act (FERPA)
• Data processed under the Farm Credit Act and Airline Deregulation Act
• Employee and contractor data processed in the employment context

Importantly, nonprofits are generally not exempt from MODPA. If a nonprofit meets the data processing thresholds and is not specifically excluded under the law enforcement or first responder exception, it must comply.

Consumer Rights Under MODPA

MODPA grants Maryland residents a comprehensive set of privacy rights. These rights allow consumers to understand and control how businesses collect, use, and share their personal data.

Right to Confirm and Access

Consumers have the right to confirm whether a controller is processing their personal data. If processing is occurring, the consumer can access that data and understand how it is being used.

Right to Correct

Consumers can request that a controller correct inaccuracies in their personal data. This right helps ensure that businesses maintain accurate records about consumers.

Right to Delete

Consumers may request deletion of personal data that a controller holds about them. This applies to data the consumer provided directly as well as data obtained from other sources.

Right to Data Portability

Consumers can obtain a copy of their personal data in a portable and readily usable format. This allows consumers to move their data to a different service provider.

Right to Opt Out

Consumers have the right to opt out of the processing of personal data for:

• Targeted advertising based on activities tracked across different businesses, websites, or applications
• Sale of personal data to third parties
• Profiling that produces legal or similarly significant effects

Right to Obtain a List of Third-Party Recipients

Consumers can request a list of the categories of third parties to whom a controller has disclosed their personal data. This transparency right helps consumers understand the full scope of data sharing.

Non-Discrimination

Businesses cannot discriminate against consumers who exercise their privacy rights. A business cannot deny goods or services, charge different prices, or provide a different level of quality because a consumer made a privacy request.

How to Exercise Your Rights

Controllers must provide mechanisms for consumers to submit requests. When a consumer submits a request, the controller must respond within 45 days. This period can be extended by an additional 45 days when reasonably necessary given the complexity of the request.

If a controller declines a request, the consumer may appeal the decision. If the appeal is denied, the consumer can file a complaint with the Maryland Attorney General's Consumer Protection Division. The AG's office accepts privacy complaints through its online consumer protection portal at oag.maryland.gov.

Universal Opt-Out Signals

MODPA addresses universal opt-out preference signals. Controllers may either provide a clear and conspicuous link on their website for exercising opt-out rights, or recognize an opt-out preference signal such as the Global Privacy Control (GPC). Controllers that already recognize opt-out signals approved by other states are considered compliant with Maryland's requirement.

Data Minimization: MODPA's Strictest Requirement

MODPA's data minimization standard is arguably the most significant feature of the law. It sets a higher bar than every other U.S. state privacy law and, in some respects, approaches the European Union's GDPR in strictness.

Under MODPA (Md. Code, Com. Law § 14-4603), controllers must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer. This restriction applies regardless of whether the consumer has given consent.

This is a fundamental departure from how most state privacy laws work. In most states, businesses can collect data for any disclosed purpose as long as the consumer is informed. MODPA restricts the collection itself. Even if a consumer agrees to broader data collection, the business cannot collect more than what is reasonably necessary.

For sensitive personal data, the standard is even stricter. Controllers cannot process sensitive data unless it is strictly necessary to provide or maintain a product or service the consumer specifically requested. The word "strictly" raises the bar above the general "reasonably necessary" standard.

Controllers should be prepared to document their reasoning for data collection decisions. The Maryland Attorney General may request this documentation during investigations, and controllers must be able to explain why the data they collect meets the necessity standard.

Sensitive Data Protections: The Outright Sale Ban

MODPA takes a fundamentally different approach to sensitive data than other state privacy laws. Rather than allowing businesses to process sensitive data with consumer opt-in consent, MODPA prohibits the sale of sensitive personal data entirely, regardless of whether the consumer consents.

This is the strongest sensitive data protection in any U.S. state privacy law. In Virginia, Colorado, Connecticut, and other states, businesses can process and sell sensitive data as long as they obtain affirmative opt-in consent from the consumer. Maryland eliminates even that option.

What Qualifies as Sensitive Data Under MODPA?

MODPA defines sensitive personal data broadly at Md. Code, Com. Law § 14-4601. The following categories are classified as sensitive:

• Biometric data (sensitive regardless of whether it is used for identification purposes)
• Genetic data (sensitive regardless of use)
• Consumer health data, including any information about a person's health status, conditions, or treatment
• Precise geolocation data
• Data revealing race or ethnicity
• Data revealing religious beliefs
• Data revealing sexual orientation, sex life, or transgender/nonbinary status
• Data revealing citizenship or immigration status
• Data revealing national origin
• Personal data of a known child under 13

Several of these categories are broader than definitions used in other states. For example, most state laws only classify biometric data as sensitive when it is used for identification. MODPA classifies it as sensitive regardless of how it is used. Similarly, MODPA's definition of consumer health data covers any health "status," while most states limit the definition to diagnosed conditions.

Exceptions to the Sensitive Data Sale Ban

The prohibition on selling sensitive data has limited exceptions:

• Disclosures directed by the consumer to a specific third party
• Disclosures that are strictly necessary to provide a product or service the consumer requested

Outside of these narrow exceptions, the sale of sensitive data is prohibited under all circumstances.

Children's Data Protections

MODPA provides some of the strongest children's data protections in any U.S. state privacy law. The protections extend to all consumers under 18, not just children under 13 as defined by the federal Children's Online Privacy Protection Act (COPPA).

Protections for Consumers Under 18

MODPA prohibits businesses from:

• Selling the personal data of any consumer the business knows or should reasonably know is under 18
• Using personal data for targeted advertising directed at any consumer the business knows or should reasonably know is under 18

These prohibitions apply regardless of consumer or parental consent. Unlike most state privacy laws that offer an opt-out or opt-in mechanism for minors' data, MODPA flatly bans these practices for anyone under 18.

The "Should Have Known" Standard

MODPA uses a "knew or should have known" standard for determining whether a consumer is a minor. This is significantly more protective than the "actual knowledge" standard used in most other states.

Under the "should have known" standard, a controller cannot simply ignore indicators that a user is under 18. If contextual signals, user behavior, or available information would lead a reasonable business to conclude a user is a minor, the protections apply. This effectively requires controllers to implement some form of age assurance or verification mechanism.

Children Under 13

Personal data of a known child under 13 is automatically classified as sensitive data under MODPA. This triggers the strictest data minimization standard ("strictly necessary") and the outright ban on data sales.

Parents and legal guardians may exercise data privacy rights on behalf of children under 13.

Business Obligations Under MODPA

Controllers subject to MODPA must meet several requirements beyond responding to consumer rights requests.

Privacy Notice Requirements

Controllers must provide consumers with a clear and accessible privacy notice that includes:

• The categories of personal data collected
• The purposes for processing personal data
• How consumers can exercise their privacy rights, including the appeal process
• The categories of personal data shared with third parties
• The categories of third parties that receive personal data

Data Protection Assessments

MODPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers. These assessments are required for:

• Processing personal data for targeted advertising
• Selling personal data
• Processing personal data for profiling
• Processing sensitive data
• Any processing that presents a heightened risk of harm

Maryland's requirement goes further than most states by explicitly requiring that assessments include an evaluation of each algorithm used in the processing activity. This algorithmic assessment requirement is unique among U.S. state privacy laws.

The Attorney General may request these assessments during investigations.

Controller-Processor Contracts

Processing must be governed by a written contract between the controller and processor. The contract must outline the instructions for processing, the nature and purpose of the processing, the type of data subject to processing, and the duration of the relationship.

Processors must assist controllers in meeting their obligations, including responding to consumer rights requests, ensuring security of data processing, and conducting data protection assessments.

Practical Compliance Checklist

Businesses subject to MODPA should work through the following steps:

1. Determine applicability. Assess whether your data processing volume meets the 35,000-consumer or 10,000-consumer-plus-20%-revenue thresholds.
2. Map your data. Identify all categories of personal data collected, the purpose for each collection, and any third parties who receive the data.
3. Audit for sensitive data. Identify any sensitive data categories in your data inventory. Remove any sales pipelines for sensitive data entirely.
4. Implement data minimization. Review each data collection decision against the "reasonably necessary and proportionate" standard. Document your reasoning.
5. Update your privacy notice. Ensure it includes all required MODPA disclosures, including third-party recipient categories.
6. Build a rights-response process. Set up a mechanism to receive consumer requests and a workflow to respond within 45 days.
7. Conduct data protection assessments. Complete DPAs for all high-risk processing activities and document algorithm-level analysis where applicable.
8. Execute controller-processor contracts. Ensure all data processors have signed MODPA-compliant data processing agreements.
9. Add age signals to your compliance review. If your service could be accessed by minors, implement monitoring for the "should have known" standard.
10. Recognize Global Privacy Control. Configure your website or app to honor opt-out preference signals.

Enforcement and Penalties

The Maryland Attorney General has exclusive enforcement authority over MODPA. The Consumer Protection Division of the Office of the Attorney General handles investigations and enforcement actions.

There is no private right of action. Consumers cannot sue businesses directly for MODPA violations. Instead, they must file complaints with the Attorney General's office.

Enforcement Timeline

MODPA became effective on October 1, 2025, but enforcement did not begin until April 1, 2026. This six-month grace period allowed businesses to implement compliance measures before facing potential enforcement action.

AG Resource Constraints and Enforcement Capacity

Attorney General Anthony Brown has publicly acknowledged staffing limitations. As of early 2026, his office had only one attorney dedicated to privacy enforcement, compared to dedicated teams of multiple attorneys and investigators in states like Connecticut, Delaware, and Oregon. Brown told legislators in February 2025 that "Maryland is slipping behind" on privacy enforcement without dedicated resources.

Brown has backed a proposed data broker tax (HB-1089) that would impose a 6% tax on data broker gross income beginning in the 2027 tax year, with projected revenues of $90-100+ million annually. The proposal would fund a dedicated privacy enforcement unit within the Consumer Protection Division to enforce MODPA, the Age-Appropriate Design Code Act, and related technology, AI, and cybersecurity laws.

As of May 2026, no formal MODPA enforcement actions have been publicly announced. The law entered its first full month of active enforcement in April 2026, and enforcement actions under new privacy laws typically emerge six to eighteen months after the enforcement start date as complaint investigations mature.

Cure Period

For violations that occur before April 1, 2027, the Attorney General may provide a 60-day cure period under Md. Code, Com. Law § 14-4614. During this window, the controller or processor can cure the violation and provide a written statement confirming the cure before the Attorney General pursues penalties.

The cure period is not automatic. The Attorney General has discretion to determine whether a violation is curable, considering factors including:

• The number of violations
• The size and complexity of the controller or processor
• The likelihood of injury to the public
• Whether the violation appears intentional

After April 1, 2027, the cure period expires entirely. The Attorney General can then pursue enforcement immediately without offering an opportunity to cure.

Penalty Amounts

MODPA violations are treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act. Penalties follow the Consumer Protection Act's framework:

These penalties are notably higher than the $7,500 per-violation cap in Virginia and many other states.

Maryland Data Breach Notification Law

Separate from MODPA, Maryland's data breach notification law under the Maryland Personal Information Protection Act (PIPA), codified at Md. Code, Com. Law § 14-3504, requires businesses to notify consumers and the Attorney General when personal information is compromised.

What Triggers Notification

Notification is required when there has been an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Good faith acquisitions by employees for business purposes are excluded from the definition of a breach.

A business must conduct a reasonable and prompt investigation after discovering a breach to determine whether personal information has been or will likely be misused.

Personal Information Covered

The law covers a consumer's first name or initial plus last name combined with any of the following:

• Social Security number
• Driver's license or state identification number
• Financial account number, credit card, or debit card number combined with any required security code
• Individual taxpayer identification number
• Passport number or other government-issued identification number
• Health information
• Biometric data (fingerprints, voice prints, retina or iris images)
• Online account credentials (username or email with password or security question answers)

Notification Timeline and Requirements

Businesses must notify affected consumers within 45 days of discovering the breach. The notification must include:

• A description of the categories of information compromised
• Contact information for the business, including a toll-free phone number
• Consumer reporting agency contact information
• Contact information for the Federal Trade Commission and the Maryland Attorney General
• Identity theft prevention and mitigation resources

Attorney General Notification

Before sending notification to consumers, a business must notify the Maryland Office of the Attorney General. This pre-notification requirement ensures the AG's office is aware of the breach before consumers receive notice.

Methods of Notice

Notice may be provided through:

• Written mail to the consumer's most recent address
• Telephone to the most recent phone number
• Email (if the consumer consented to electronic communications or the business primarily operates online)
• Substitute notice (email, website posting, and statewide media notification) when the cost exceeds $100,000 or more than 175,000 individuals are affected

Security Requirements

PIPA also requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices appropriate to the nature of the information and the size of the business.

Maryland Age-Appropriate Design Code Act

Maryland's Age-Appropriate Design Code Act (AADC), enacted as HB 603 in May 2024 and effective October 1, 2024, establishes design requirements for online products and services likely to be accessed by children and teens under 18.

Who Must Comply

The AADC applies to businesses that provide online services, products, or features "reasonably likely to be accessed by children." Unlike most age-related laws, the AADC does not require businesses to verify user ages. Instead, businesses must assess whether their service is likely to attract minors based on contextual factors.

Key Requirements

Covered businesses must:

• Complete a Data Protection Impact Assessment (DPIA) for any online product children are likely to use. The deadline for assessments on existing products was April 1, 2026.
• Configure privacy settings to their most protective defaults for child users
• Avoid collecting or sharing personal data not necessary for the service
• Refrain from using design features that could harm minors' physical or mental health

Penalties

Companies can face fines of up to $2,500 per child for each negligent violation and $7,500 per child for each intentional violation. As of May 2026, no legal challenges to the Maryland AADC have been filed, unlike California's similar law, which faced constitutional litigation.

Maryland Genetic Information Privacy Act

Maryland's Genetic Information Privacy Act (GIPA), codified at Md. Code, Com. Law §§ 14-4401 through 14-4410 (effective October 1, 2022), governs direct-to-consumer genetic testing companies and their handling of consumer genetic data.

GIPA requires direct-to-consumer genetic testing companies to:

• Obtain separate, written express consent before collecting, using, or disclosing a consumer's genetic data for any purpose
• Provide clear, complete information about data policies before obtaining consent
• Prohibit disclosure of genetic data to health, life, disability, or long-term care insurers without written consumer consent (Md. Code, Com. Law § 14-4405)
• Implement reasonable security procedures to protect genetic data
• Allow consumers to request deletion of their genetic data and biological samples

The term "direct-to-consumer genetic testing company" covers any entity that offers genetic testing products or services directly to consumers or that collects, uses, or analyzes genetic data from such products. GIPA enforcement is handled by the Maryland Attorney General.

Maryland Confidentiality of Medical Records Act

Maryland's Confidentiality of Medical Records Act, codified at Md. Code, Health-Gen. §§ 4-301 through 4-309, requires health care providers to keep patient medical records confidential. Under § 4-302, providers may only disclose records as permitted by Maryland law or other applicable law.

Permitted disclosures include those authorized by the patient, disclosures required for treatment or payment, public health reporting, and disclosures to law enforcement with proper process. The law operates alongside HIPAA: providers covered by HIPAA must meet both federal and Maryland-specific requirements.

Federal Overlay: Laws That Apply Alongside MODPA

Several federal laws apply to Maryland residents and businesses independently of MODPA.

TAKE IT DOWN Act (Pub. L. 119-12)

The TAKE IT DOWN Act, signed by President Trump on May 19, 2025, addresses nonconsensual intimate imagery (NCII), including AI-generated deepfakes. The law's criminal prohibitions took effect immediately upon signing. Platform takedown obligations became enforceable by the FTC on May 19, 2026.

Covered platforms must establish a process allowing victims to request removal of NCII, and must remove the content and all known identical copies within 48 hours of a valid request. Non-compliant platforms face FTC enforcement with civil penalties of up to $53,088 per violation. The FTC sent compliance letters to major platforms including Alphabet, Amazon, Apple, Meta, Microsoft, Snapchat, TikTok, and X in May 2026.

HIPAA

The Health Insurance Portability and Accountability Act governs covered entities (health plans, health care clearinghouses, and health care providers) and their business associates. HIPAA-regulated protected health information (PHI) is generally exempt from MODPA's scope, but businesses handling both HIPAA data and non-HIPAA consumer health data must comply with MODPA for the non-exempt portion.

COPPA

The Children's Online Privacy Protection Act governs collection of personal information from children under 13. MODPA's under-18 protections extend significantly beyond COPPA's scope. Businesses collecting data from users under 13 must comply with both COPPA's parental consent requirements and MODPA's prohibition on selling minors' data.

GLBA

The Gramm-Leach-Bliley Act governs financial institutions' handling of nonpublic personal information. Financial institutions subject to GLBA are entity-exempt under MODPA, but only for data that falls within GLBA's scope. Data outside the GLBA-regulated relationship remains subject to MODPA.

FCRA

The Fair Credit Reporting Act governs consumer reporting agencies and the use of consumer reports. Data regulated under FCRA is data-level exempt under MODPA. Businesses that receive credit data subject to FCRA and also handle other consumer data must apply MODPA to the non-FCRA portion.

FTC Act Section 5

The FTC's unfair or deceptive acts or practices authority under 15 U.S.C. § 45 applies to all businesses in interstate commerce. The FTC has brought enforcement actions against companies for deceptive privacy statements, inadequate data security, and failure to honor opt-out requests, all of which remain relevant for Maryland businesses.

APRA Status

The American Privacy Rights Act (APRA), a proposed federal comprehensive privacy law, passed committee in 2024 but did not receive a full congressional vote. APRA 2.0 was introduced in 2025. As of May 2026, APRA has not become law. Maryland businesses cannot rely on a forthcoming federal law to reduce MODPA compliance obligations.

How MODPA Compares to Other State Privacy Laws

Maryland's MODPA stands apart from other comprehensive state privacy laws in several important ways:

More Maryland Laws

Explore additional Maryland legal guides on Recording Law:

• Maryland Recording Laws
• California Data Privacy Laws
• Virginia Data Privacy Laws
• Colorado Data Privacy Laws
• Connecticut Data Privacy Laws
• Texas Data Privacy Laws
• Delaware Data Privacy Laws
• View All State Data Privacy Laws
• Maryland AI Meeting Recording Laws
• Maryland Alimony Laws
• Maryland At-Will Employment Laws
• Maryland Car Accident Laws
• Maryland Car Seat Laws
• Maryland Child Custody Laws
• Maryland Child Support Laws
• Maryland Common Law Marriage Laws
• Maryland Deepfake Laws
• Maryland Divorce Laws
• Maryland Dog Bite Laws
• Maryland Emancipation Laws
• Maryland Expungement Laws
• Maryland Hit and Run Laws
• Maryland Landlord-Tenant Laws
• Maryland Lemon Laws

In-depth guides

• What Is the MODPA? Maryland Online Data Privacy Act
• MODPA Consumer Rights: Your Data Privacy Rights
• MODPA Compliance Checklist for Businesses (2026)