Maryland
What Is MODPA? Maryland Online Data Privacy Act
The Maryland Online Data Privacy Act (MODPA) is Maryland's comprehensive consumer data privacy law, codified at Md. Code Ann., Commercial Law Title 14, Subtitle 46 (sections 14-4601 through 14-4614). It was enacted in the 2024 session as Senate Bill 541 and House Bill 567, signed by Governor Wes Moore on May 9, 2024, and took effect October 1, 2025. As of 2026, it is widely regarded as the strictest comprehensive state privacy law in the United States because it caps data collection at what is reasonably necessary to deliver the service a consumer asks for, bars the sale of sensitive data outright, and tightly limits how sensitive data can be processed at all.
The Consumer Protection Division of the Maryland Office of the Attorney General enforces MODPA, and a violation is treated as an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (Title 13). Civil penalties run up to $10,000 per violation and up to $25,000 for repeat violations under section 13-410, and there is no private right of action.
Jurisdiction scope: This covers Maryland's Online Data Privacy Act (Md. Code Ann., Com. Law Title 14, Subtitle 46). It is general legal information, not legal advice.
What MODPA is: statute, enactment, and effective date
The Maryland Online Data Privacy Act is Maryland's first comprehensive consumer data privacy law. It is codified in the Commercial Law Article at Title 14, Subtitle 46, running from section 14-4601 through section 14-4614. The definitions that drive the rest of the subtitle sit at section 14-4601, applicability is at section 14-4602, and the entity and data exemptions follow at section 14-4603.
The law was enacted during the 2024 regular session as companion bills Senate Bill 541 (Chapter 455) and House Bill 567 (Chapter 454). Governor Wes Moore signed it on May 9, 2024. By the terms of the Act, MODPA took effect October 1, 2025, giving covered businesses just under eighteen months to prepare.
As of 2026, MODPA is fully operative. Every business that meets the applicability thresholds in section 14-4602 must honor consumer rights requests, respect opt-out signals, follow the strict data minimization rule, limit how it handles sensitive data, and maintain a compliant privacy notice. For the full set of controller and processor obligations, see the Maryland data privacy laws parent page.
Why MODPA is the strictest state privacy law
Most state privacy laws follow a similar template borrowed from Virginia and Connecticut. Maryland broke from that template in several ways that, taken together, make MODPA the most restrictive comprehensive privacy law in the country as of 2026. The differences are not cosmetic. They change what a business is allowed to do with data even when a consumer has agreed.
The headline change is hard data minimization. Under section 14-4607(B)(1)(i), a controller or processor must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer. Other states tie minimization to the purposes a business discloses to consumers, which lets a business expand collection simply by disclosing more. Maryland ties the limit to the service the consumer actually requested, so a business cannot collect more than that even with consent.
MODPA also restricts sensitive data more tightly than any other state. Under section 14-4607(A), a controller may not collect, process, or share sensitive data except where strictly necessary to provide or maintain a specific product or service requested by the consumer, and only with the consumer's consent. Most states allow sensitive data processing with opt-in consent alone. Maryland adds the strict-necessity gate on top of consent.
Finally, section 14-4607(A) flatly prohibits selling sensitive data. There is no consent exception. Where other states let a consumer opt out of sensitive data sales or require opt-in, Maryland removes the option entirely.
Hard data minimization, explained
The data minimization rule is the single most consequential feature of MODPA. Section 14-4607(B)(1)(i) is short, but its effect is large. It says collection must be limited to what is reasonably necessary and proportionate to provide or maintain the specific product or service the consumer requested.
The key phrase is "specific product or service requested by the consumer." That standard is not pegged to what a business wants to do, or even to what a business discloses in its privacy notice. It is pegged to the service the consumer came for. A weather app that asks for a contact list, or a flashlight app that asks for location history, would struggle to show that collection is reasonably necessary to the requested function.
Crucially, consent does not unlock more collection. Under section 14-4607(A), a controller may not collect personal data for the sole purpose of content personalization or marketing without consent, but the section 14-4607(B) minimization duty runs independently of consent. A business cannot present a consent box and then collect well beyond what the requested service needs. This is the structural reason MODPA is stricter than every other state framework as of 2026.
Sensitive data: strict necessity and a sale ban
MODPA treats sensitive data with unusual caution. Section 14-4601 defines sensitive data to include personal data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, and citizenship or immigration status, plus genetic or biometric data, the personal data of a known child, and precise geolocation data. The same subtitle separately defines consumer health data and adds geofencing limits around health facilities under section 14-4604.
For all of that data, section 14-4607(A) sets two gates. First, the controller may collect, process, or share sensitive data only where it is strictly necessary to provide or maintain a specific product or service requested by the consumer. Second, even then it must obtain the consumer's consent. Both gates apply together.
The sale ban is the sharpest line. Section 14-4607(A) provides that a controller may not sell sensitive data, with no consent carve-out. For a business that monetizes data, this removes an entire revenue path that remains available, with consumer choice, in other states.
Strong protections for minors
MODPA includes some of the strongest teen protections in any state privacy law. Under section 14-4607(A), where a controller knew or should have known that a consumer is at least 13 years old and under the age of 18, it may not process that consumer's personal data for targeted advertising, and it may not sell that consumer's personal data without consent.
The "knew or should have known" standard is broader than the actual-knowledge standard that some states use. It reaches businesses that look the other way about a young audience. The protection also covers the full 13-to-17 band, above the under-13 line that the federal Children's Online Privacy Protection Act addresses.
The result is that a business cannot run targeted advertising against Maryland teenagers it has reason to know are under 18, and cannot sell their data, regardless of whether a parent or the teen clicked through a consent flow for general use. The MODPA consumer rights guide covers how these protections interact with the rights consumers can exercise.
Enforcement, penalties, and the timeline that matters
The Consumer Protection Division of the Office of the Attorney General enforces MODPA. Under section 14-4613, a violation of the subtitle is an unfair, abusive, or deceptive trade practice under Title 13 of the Commercial Law Article and is subject to the enforcement and penalty provisions of that title, except section 13-408 (which covers private restitution actions). That carve-out is one reason MODPA has no private right of action.
Penalties come from the Maryland Consumer Protection Act. Under section 13-410, a violation can carry a civil penalty of up to $10,000 per violation, rising to up to $25,000 for each repeat of the same violation.
Two dates matter for the enforcement runway. The law took effect October 1, 2025. Separately, the Act provides that the limitations and exemptions section, section 14-4612, applies only prospectively and has no application to processing activities before April 1, 2026. A discretionary cure period also exists under section 14-4614: for violations occurring on or before April 1, 2027, the Division may, if it finds a cure possible, issue a notice and allow at least 60 days to cure, but the cure is at the Division's discretion, not a guaranteed grace period.
MODPA vs. CCPA: the key differences
Companies that operate nationally often compare Maryland's MODPA with California's law. The state data privacy law comparison page covers the broader multistate picture, but several differences from California's CCPA stand out.
| Feature | Maryland MODPA | California CCPA/CPRA |
|---|---|---|
| Coverage threshold | 35,000 consumers, or 10,000 plus 20% of revenue from data sales; no dollar floor (section 14-4602) | $25M revenue, 100,000 consumers, or 50% revenue from data sales |
| Data minimization | Hard limit: only what is reasonably necessary to the requested service, consent cannot expand it (section 14-4607(B)) | Tied to disclosed purposes; broader |
| Sensitive data | Strict-necessity plus consent to process; selling sensitive data banned outright (section 14-4607(A)) | Right to limit use; opt-out model, no sale ban |
| Minor protections | No targeted ads or data sale for known under-18 consumers, knew-or-should-have-known standard (section 14-4607(A)) | Opt-in to sell for under-16 |
| Private right of action | None (section 14-4613) | Limited, for certain data breaches |
The most consequential difference is data minimization. California ties limits to disclosed purposes, which a business can expand by disclosing more. Maryland ties the limit to the specific service the consumer requested and makes consent unable to widen it, a structurally stricter rule.
The sensitive data treatment also diverges sharply. California gives consumers a right to limit the use of sensitive personal information through an opt-out. Maryland requires strict necessity plus consent to process sensitive data at all and bans selling it outright under section 14-4607(A).
Related guides
- Maryland data privacy laws parent hub
- MODPA consumer rights
- MODPA compliance checklist
- State data privacy law comparison
- What is the CCPA?
Sources
Sources and References
- Maryland HB 567 (Chapter 454, 2024): Maryland Online Data Privacy Act (Enacted Text)(mgaleg.maryland.gov).gov
- Maryland SB 541 (Chapter 455, 2024): Maryland Online Data Privacy Act (Enacted Text)(mgaleg.maryland.gov).gov
- Md. Code Ann., Com. Law section 14-4602: Applicability Thresholds(mgaleg.maryland.gov).gov
- Md. Code Ann., Com. Law section 14-4607: Controller Duties (Data Minimization, Sensitive Data, Minors)(mgaleg.maryland.gov).gov
- Md. Code Ann., Com. Law section 14-4613: Enforcement (Maryland Consumer Protection Act)(mgaleg.maryland.gov).gov
- Maryland General Assembly: SB 541 (2024) Bill Detail(mgaleg.maryland.gov).gov
- Md. Code Ann., Com. Law section 13-410: Civil Penalty (Consumer Protection Act)(mgaleg.maryland.gov).gov
- Maryland Office of the Attorney General: Consumer Protection Division(marylandattorneygeneral.gov).gov