On May 9, 2024, Governor Wes Moore signed the Maryland Online Data Privacy Act (MODPA), making Maryland the seventeenth state to enact a comprehensive data privacy law. While similar in certain respects to most Virginia Model privacy laws, MODPA deviates significantly in several important ways. The law takes effect October 1, 2025, but it does not apply to any personal data processing activities before April 1, 2026.
MODPA applies to anyone who does business in Maryland or produces products or services targeting Maryland residents and controls or processes the data of either:
-
35,000 or more Maryland consumers or
-
Ten thousand or more Maryland consumers while deriving over 20% of their gross revenue from the sale of personal data.
Maryland's law contains several data-level exemptions common to other states' privacy laws, including exemptions for health data protected by the Health Insurance Portability and Accountability Act (HIPAA), personal data regulated by the Fair Credit Reporting Act (FCRA), and personal data processed in the employment context. The law also provides entity-level exemptions for entities regulated by the Gramm-Leach-Bliley Act (GLBA) and certain non-profit organizations processing data to assist law enforcement.
MODPA grants consumers many rights found in other Virginia Model statutes, including the right to confirm whether a business is collecting their data, the right to access data a business has collected about them, the right to have that data deleted, the right to correct inaccuracies, the right to data portability, and the right opt out of the processing of their personal data for targeted advertising or sales.
MODPA does not create a private right of action. Instead, the law grants sole enforcement authority to Maryland's Division of Consumer Protection in the Office of the Attorney General. The law contains a discretionary 60-day right to cure that expires April 1, 2027.
While MODPA shares certain similarities with other Virginia Model state laws, its deviations from that norm are significant and include more robust data minimization requirements and enhanced protections for sensitive data, health data, and children's data.
Companies should evaluate whether they will be subject to MODPA. While the law is not yet enforceable, businesses should start planning for future compliance.