MODPA Consumer Rights: Maryland Data Privacy

The Maryland Online Data Privacy Act (MODPA) gives Maryland residents the right to confirm whether a business is processing their personal data, access it, correct inaccuracies, delete it, obtain a portable copy, and opt out of targeted advertising, the sale of their data, and certain profiling. Consumers can also obtain a list of the categories of third parties to which their data has been disclosed. These rights live at Md. Code Ann., Commercial Law section 14-4605 and took effect October 1, 2025.
What makes Maryland's protections stronger than those of other states is not only the list of rights but the underlying duties: a hard data minimization rule, a strict-necessity gate on sensitive data, an outright ban on selling sensitive data, and strong protections for consumers under 18. As of 2026, a controller generally must respond to a rights request within 45 days, and a universal opt-out mechanism must be honored. Enforcement runs through the Consumer Protection Division of the Office of the Attorney General, with no private right of action.
Jurisdiction scope: This covers Maryland's Online Data Privacy Act (Md. Code Ann., Com. Law Title 14, Subtitle 46). It is general legal information, not legal advice.
The full set of MODPA consumer rights
MODPA lists the consumer rights in section 14-4605(B). A Maryland resident has the right to confirm whether a controller is processing the consumer's personal data and to access that data, unless doing so would require disclosing a trade secret. These two rights let a consumer see whether and how a business holds their information.
The consumer also has the right to correct inaccuracies in their personal data, considering the nature of the data and the purposes of processing, and the right to require a controller to delete personal data provided by or obtained about the consumer unless retention is required by law. Deletion under MODPA reaches data the business obtained from other sources, not just data the consumer handed over.
Section 14-4605(B)(5) adds a portability right. Where processing is carried out by automatic means, the consumer may obtain a copy of their personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.
The right to a list of categories of third parties
One of MODPA's most useful transparency rights is the right to learn where a consumer's data has gone. Under section 14-4605(B)(6), a consumer may obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data. If the controller does not keep that information in a consumer-specific format, it may instead provide a list of the categories of third parties to which it has disclosed any consumer's personal data.
This is a category-level disclosure. A controller reports groups such as advertising partners, analytics vendors, or data brokers rather than every named recipient. It still gives consumers a structured view of data flows that older privacy frameworks did not provide.
The privacy notice supports this right. Under section 14-4607(D), the notice must describe the categories of third parties with which the controller shares personal data with enough detail for a consumer to understand what type of entity each third party is and, to the extent possible, how each may process the data.

Opt-out rights and the universal opt-out mechanism
Section 14-4605(B)(7) gives consumers the right to opt out of three things: the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. The sale definition in section 14-4601 is broad, covering the exchange of personal data to a third party for monetary or other valuable consideration, with limited carve-outs.
Maryland requires businesses to honor a universal opt-out signal. Under section 14-4607(F)(3), as of October 1, 2025 a controller must let a consumer opt out of targeted advertising or any sale of personal data through an opt-out preference signal sent by a platform, technology, or mechanism, such as Global Privacy Control. Section 14-4607(F)(5) bars a default setting that opts a consumer out, so the signal must reflect the consumer's affirmative choice. A controller that recognizes signals approved by other states is considered compliant under section 14-4607(G).
Consumers do not have to act alone. Under section 14-4606, a consumer may designate an authorized agent, including through a browser setting, browser extension, or global device setting, to opt out on the consumer's behalf. A controller may not require authentication of an opt-out request under section 14-4605(E)(6).
How the data minimization rule protects consumers
Maryland protects consumers before they ever file a request, through its data minimization rule. Under section 14-4607(B)(1)(i), a controller may collect personal data only to the extent reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer. This is the single biggest reason MODPA gives Maryland residents more protection than residents of other states.
The standard is tied to the service the consumer asked for, not to whatever purposes a business chooses to disclose. A business cannot bury broad collection in a privacy policy and call it compliant. If the data is not reasonably necessary to the requested function, collecting it is not permitted.
Consent does not change this. Section 14-4607(A) bars collecting personal data for the sole purpose of content personalization or marketing without consent, but the minimization duty in section 14-4607(B) does not have a consent override. A business cannot use a consent box to justify collecting more than the requested service needs. For the broader picture of why this makes MODPA the strictest state law, see what MODPA is.
Sensitive data and the sale ban that protect consumers
MODPA gives consumers unusually strong control over sensitive data. Under section 14-4601, sensitive data includes data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, and citizenship or immigration status, plus genetic or biometric data, the personal data of a known child, and precise geolocation data.
For that data, section 14-4607(A) lets a controller collect, process, or share it only where strictly necessary to provide a requested product or service, and only with consent. Both conditions apply, so a business cannot process sensitive data simply because a consumer clicked a consent box if the processing is not strictly necessary to the requested service.
The strongest protection is the sale ban. Under section 14-4607(A), a controller may not sell sensitive data at all, with no consent exception. A Maryland consumer's sensitive data therefore cannot be sold by a covered business, a protection that goes further than any opt-out or opt-in right available in other states.

Protections for consumers under 18
MODPA carries strong protections for minors that operate without the consumer having to file anything. Under section 14-4607(A), where a controller knew or should have known that a consumer is at least 13 and under 18, it may not process that consumer's personal data for targeted advertising, and it may not sell that consumer's personal data without consent.
The knew-or-should-have-known standard is broader than an actual-knowledge test. It reaches a business that has reason to know it serves a teen audience, even without confirming each user's age. The protection also covers the full 13-to-17 band, above the under-13 floor of the federal Children's Online Privacy Protection Act.
For known children under 13, sensitive data treatment also applies because the personal data of a known child is itself sensitive data under section 14-4601, and controllers that comply with COPPA's verifiable parental consent requirements are treated as compliant with parental consent obligations under section 14-4603(C).
Response deadlines, appeals, and enforcement
A controller must establish a secure and reliable method for consumers to exercise their rights under section 14-4605(C), and may not require a consumer to create a new account to do so under section 14-4607(F)(2). The controller must respond to a rights request within 45 days under section 14-4605(E)(2), with one additional 45-day extension where reasonably necessary, provided the consumer is told of the extension and the reason within the first 45 days.
If a controller declines to act, it must inform the consumer within 45 days and provide instructions on how to appeal under section 14-4605(E)(3). The appeal process must be conspicuously available, and the controller has 60 days after receiving an appeal to respond in writing under section 14-4605(F)(3). If the appeal is denied, the controller must provide an online way to submit a complaint to the Consumer Protection Division.
Enforcement is the Division's job under section 14-4613. A violation is an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act, carrying civil penalties up to $10,000 per violation and up to $25,000 for repeat violations under section 13-410. There is no private right of action, so consumers cannot sue a business directly under MODPA, though section 14-4613(B) preserves other remedies that may exist under separate law. The MODPA compliance checklist covers the controller-side obligations behind these rights.
Sources
- Maryland HB 567 (Chapter 454, 2024): Maryland Online Data Privacy Act (Enacted Text) (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law section 14-4605: Consumer Rights and Response Deadlines (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law section 14-4606: Authorized Agent Opt-Out (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law section 14-4607: Controller Duties, Sensitive Data, Universal Opt-Out (mgaleg.maryland.gov)
- Maryland SB 541 (Chapter 455, 2024): Maryland Online Data Privacy Act (Enacted Text) (mgaleg.maryland.gov)
- Md. Code Ann., Com. Law section 13-410: Civil Penalty (Consumer Protection Act) (mgaleg.maryland.gov)
- Maryland Office of the Attorney General: Consumer Protection Division (marylandattorneygeneral.gov)