The Maryland Online Data Privacy Act: It’s Here!

January 8, 2026

Luanne Mottley

Maryland recently joined a national trend of states enacting comprehensive privacy laws. On October 1, 2025, the Maryland Online Data Privacy Act (“MODPA”) went into effect, with enforcement to begin on April 1, 2026.  The Act introduces obligations for those who process consumer data and creates rights for Maryland consumers.

Who does the Maryland Online Data Privacy Act apply to?

MODPA imposes obligations on entities that:

  1. process personal data (“Controllers”);
  2. conduct business in the state of Maryland; or
  3. provide products or services targeted to Maryland residents

if, within a calendar year, the entity:

  • controls or processes personal data of at least 35,000 Maryland consumers; or
  • controls or processes personal data of 10,000 Maryland consumers and derives more than 20% of its gross revenue from the sale of personal data

The scope of MODPA captures a wide range of entities, including businesses in all sectors that market goods and services to Maryland consumers, such as healthcare providers, nursing homes, property management companies, and other businesses that collect personal data from consumers on a large scale, such as through intake forms or applications. Additionally, not-for-profit organizations are subject to the law with very few exceptions – and often meet the 35,000 threshold through a combination of services and donors.

What obligations are imposed by MODPA?

MODPA applies to the processing and use of “personal data,” which is any information that is “linked or can be reasonably linked to an identified or identifiable consumer,” and requires entities subject to the law to:

  • “limit the collection of personal data to what is reasonably necessary and proportionate” to provide or maintain a specific product or service
  • establish, implement, and maintain reasonable administrative, technical and physical data security practices
  • provide an effective mechanism for a consumer to revoke consent and stop processing the consumer’s personal data within 30 days when consent is revoked
  • restrict the collection, processing, and sharing of sensitive data unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer
    • “sensitive data” is defined as personal data that reveals racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, immigration status, genetic or biometric data, and personal data of a consumer that the controller knows or has reason to know is a child
  • enable consumers to opt out of targeted advertising and the sale of personal data via an opt-out preference signal
  • provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice

MODPA also outright prohibits:

  • the use of a geofence within 1,750 feet of a mental health, reproductive or sexual health facility for the purpose of identifying, tracking, or collecting data from consumers; and
  • the sale of sensitive data.

What rights does MODPA create for consumers?

Under MODPA, Maryland consumers, acting in their personal capacity, have the right to:

  • confirm whether an entity is processing the consumer’s personal data
  • access, correct inaccuracies, and request deletion of the consumer’s personal data*
  • obtain a copy of the personal data
  • opt out of the processing of personal data for purposes of targeted advertising, sale, or profiling.

Entities have 45 days to respond to consumer requests and shall provide the information free of charge once in any 12-month period.

*unless the retention of the personal data is required by law

Enforcement

The Maryland Office of the Attorney General, Consumer Protection Division is tasked with enforcing MODPA – there is no private right of action. The law went into effect on October 1, 2025, with enforcement set to begin on April 1, 2026. The Attorney General will only be applying the law to processing activities that occur after April 1 and may provide 60 days to cure initial infractions. Starting April 1, 2027, the law will be fully enforced under the Maryland Consumer Protection Act.

Violations of the Maryland Consumer Protection Act carry substantial financial penalties, up to $10,000 for initial violations and $25,000 for repeated violations.

Next Steps for Businesses

  • Identify whether your organization falls under the scope of MODPA
  • Review your organization’s data collection policies and practices for compliance with MODPA
  • Revise your Privacy Notice to include all MODPA-required information
  • Confirm that the appropriate opt-out infrastructure is in place
  • Conduct a Data Protection Assessment for any data processing activities that present a “heightened risk of harm” to consumers
  • Implement security measures to protect the confidentiality, integrity, and accessibility of personal data within your organization

For questions about the Maryland Online Data Privacy Act, contact an RKW attorney.
