MODPA Compliance Checklist: Maryland Privacy

Maryland Online Data Privacy Act (MODPA) compliance starts with a question other states do not force as sharply: can you justify every category of data you collect as reasonably necessary to the specific product or service the consumer requested? Because MODPA imposes hard data minimization under Md. Code Ann., Commercial Law section 14-4607(B), and bans selling sensitive data outright under section 14-4607(A), a compliance program that merely copies a Virginia or Connecticut template will not pass. As of 2026, MODPA is the strictest comprehensive state privacy law in the country.
This page is a practical checklist for covered businesses. It is general information, not legal advice. The headline obligations are a strict-necessity minimization analysis, a sensitive-data ban on sale plus a strict-necessity gate, strong minor protections, a compliant privacy notice, a universal opt-out mechanism, data protection assessments, and processor contracts. Enforcement runs through the Consumer Protection Division with penalties up to $10,000 per violation and no guaranteed cure.
Jurisdiction scope: This covers Maryland's Online Data Privacy Act (Md. Code Ann., Com. Law Title 14, Subtitle 46). It is general legal information, not legal advice.
Step 1: Confirm whether MODPA applies to you
Start with the applicability test in section 14-4602. MODPA applies to a person that conducts business in Maryland or produces products or services targeted to Maryland residents and that, during the preceding calendar year, met one of two data thresholds.
The first trigger is controlling or processing the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction. The payment carve-out means routine checkout data does not, by itself, push a merchant over the line.
The second trigger is controlling or processing the personal data of at least 10,000 consumers while deriving more than 20 percent of gross revenue from the sale of personal data. There is no dollar-revenue floor, so the 35,000-consumer threshold reaches well into mid-size and smaller businesses.
Then check the exemptions in section 14-4603, which carve out state and local government bodies, certain financial institutions or data subject to the Gramm-Leach-Bliley Act, and data-level exemptions for HIPAA-protected health information, FCRA, FERPA, and similar regimes.
Step 2: Run the strict-necessity data minimization analysis
This is the step that separates MODPA from every other state. Under section 14-4607(B)(1)(i), you must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer.
Build a data inventory and, for each category you collect, write down the requested product or service it supports and why it is reasonably necessary to that service. Categories that exist only to enrich profiles, fuel unrelated marketing, or feed data sales are the ones most exposed under this standard.
Do not rely on consent to rescue over-collection. Section 14-4607(A) bars collecting personal data for the sole purpose of content personalization or marketing without consent, but the minimization duty in section 14-4607(B) runs independently. A consent box does not let you collect more than the requested service needs. If a category fails the necessity test, the fix is to stop collecting it, not to disclose it more prominently. For why this standard is stricter than other states' laws, see the What is MODPA? guide.
Step 3: Lock down sensitive data and never sell it
Identify all sensitive data you handle. Under section 14-4601, sensitive data includes data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, and citizenship or immigration status, plus genetic or biometric data, the personal data of a known child, and precise geolocation data.
For each item, apply section 14-4607(A): you may collect, process, or share it only where strictly necessary to provide or maintain a specific product or service requested by the consumer, and only with the consumer's consent. Build a consent flow that meets the section 14-4601 definition of consent, which excludes broad terms of use, dark patterns, and passive actions, and provide a revocation mechanism at least as easy as the one used to grant consent under section 14-4607(B)(1)(iii).
Then enforce the absolute rule: do not sell sensitive data. Section 14-4607(A) bars it entirely, with no consent exception. Map your data-sharing arrangements against the section 14-4601 definition of a sale, which covers exchanging personal data to a third party for monetary or other valuable consideration. Also watch the consumer health data rules in section 14-4604, including geofencing limits within 1,750 feet of mental health and reproductive or sexual health facilities.

Step 4: Apply the minor-data rules
MODPA's minor protections are strict and depend on a low knowledge standard. Under section 14-4607(A), you may not process the personal data of a consumer you knew or should have known is at least 13 and under 18 for targeted advertising, and you may not sell that consumer's data without consent.
Assess whether your audience includes teenagers. The knew-or-should-have-known standard means you cannot avoid the rule by declining to verify ages when the surrounding facts show a teen audience. If teens are reasonably in your user base, turn off targeted advertising for them and stop any sale of their data absent consent.
For known children under 13, remember that their personal data is itself sensitive data under section 14-4601, so the strict-necessity and consent rules apply. Controllers that meet COPPA verifiable parental consent are treated as compliant with parental consent obligations under section 14-4603(C).
Step 5: Publish a compliant privacy notice
Your privacy notice must meet section 14-4607(D). It must disclose the categories of personal data you process, including sensitive data; your purposes for processing; how a consumer may exercise rights, appeal a decision, or revoke consent; the categories of third parties you share data with, described in enough detail for a consumer to understand each type of entity and how it may process the data; the categories of personal data, including sensitive data, that you share with third parties; and an active email address or online mechanism to contact you.
If you sell personal data or process it for targeted advertising or significant profiling, section 14-4607(E) requires a clear and conspicuous disclosure of that activity and how to opt out, prominently displayed in plain language. The notice must also establish secure and reliable methods for consumers to submit rights requests under section 14-4607(F), and you may not require a consumer to create a new account to exercise a right.

Step 6: Build rights handling and the universal opt-out mechanism
Stand up a process to handle the rights in section 14-4605: confirmation, access, correction, deletion, portability, the list of categories of third parties, and the opt-outs for targeted advertising, sale, and profiling. You must respond within 45 days under section 14-4605(E)(2), with one 45-day extension allowed when you notify the consumer and explain why within the first window.
You must also honor a universal opt-out preference signal. Under section 14-4607(F)(3), as of October 1, 2025 you must let consumers opt out of targeted advertising or any sale through an opt-out preference signal such as Global Privacy Control, and section 14-4607(F)(5) bars using a default setting to opt a consumer out. Recognizing signals approved by other states is treated as compliant under section 14-4607(G).
Finally, build the appeal process required by section 14-4605(F): conspicuously available, with a written response within 60 days, and an online mechanism to submit a complaint to the Consumer Protection Division if you deny the appeal. Consumers may also act through an authorized agent under section 14-4606. The MODPA consumer rights guide covers the consumer side of these requests in detail.
Step 7: Processor contracts and data protection assessments
If you use a processor, section 14-4608 requires a binding contract that sets out processing instructions, the nature and purpose of processing, the type of data, the duration, and the rights and obligations of both parties. The contract must require the processor to keep personnel under a duty of confidentiality, maintain reasonable security, delete or return data at the end of service, assist with consumer rights requests, and allow reasonable assessments.
Section 14-4610 requires you to conduct and document a data protection assessment for processing activities that present a heightened risk of harm to consumers, which generally includes targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data. Keep these assessments on file because the Consumer Protection Division can require them in an investigation.
Step 8: Plan for enforcement with no guaranteed cure
MODPA is enforced by the Consumer Protection Division of the Office of the Attorney General. Under section 14-4613, a violation is an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act, subject to its enforcement and penalty provisions except section 13-408. Penalties under section 13-410 reach up to $10,000 per violation and up to $25,000 for each repeat of the same violation. There is no private right of action.
Do not count on a cure period. Under section 14-4614, for violations occurring on or before April 1, 2027 the Division may, if it determines a cure is possible, issue a notice and allow at least 60 days to cure, but that opportunity is discretionary and the Division weighs factors such as the number of violations and the likelihood of public injury. Separately, the Act provides that the limitations and exemptions section, section 14-4612, applies only prospectively and has no application to processing activities before April 1, 2026. Because a cure is never guaranteed, build the program to be compliant from the start rather than relying on a chance to fix problems later.
Related guides
- Maryland data privacy laws parent hub
- What is MODPA?
- MODPA consumer rights
- State data privacy law comparison
- What is the CCPA?
Sources and References
- Maryland HB 567 (Chapter 454, 2024): Maryland Online Data Privacy Act (Enacted Text) (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law section 14-4602: Applicability Thresholds (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law section 14-4607: Data Minimization, Sensitive Data, Privacy Notice, Universal Opt-Out (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law section 14-4608: Processor Contracts (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law sections 14-4613 and 14-4614: Enforcement and Cure (mgaleg.maryland.gov)
- Maryland SB 541 (Chapter 455, 2024): Maryland Online Data Privacy Act (Enacted Text) (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law section 13-410: Civil Penalty (Consumer Protection Act) (mgaleg.maryland.gov)
- Maryland Office of the Attorney General: Consumer Protection Division (marylandattorneygeneral.gov)