It’s Time for Privacy Pros to Make a Strategic Shift
The importance of effective data privacy can no longer be ignored.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: June 26, 2024
Published: June 25, 2024
Maryland recently joined the growing number of states enacting comprehensive consumer data privacy laws with the passage of the Maryland Online Data Privacy Act (MODPA).
Despite similarities with several other state laws–including role definitions and exemptions for certain types of businesses and data–the MODPA is not a carbon-copy of other state laws. Most significantly, it has a broad scope with lower application thresholds than most other state regulations. As a result, organizations that already follow the data privacy laws of other states will need to carefully evaluate their data processing activities to ensure compliance with the Maryland law.
Additionally, the MODPA features a different standard of data minimization relative to other state data privacy laws. Interestingly, the law has stringent requirements on a range of processing activities regardless of consumer consent. This move aligns with a growing sentiment that transparency and consent are not adequate to provide the highest level of privacy since many people do not have time to read notices.
The MODPA gives Maryland residents more control over how companies collect and use their personal data online. With an effective date of October 1, 2025, the new law establishes data protection rights and requires companies that track or target the state’s residents to meet stricter requirements around data collection—especially related to data minimization, consent, universal opt-out mechanisms, sensitive data, and children’s data. However, MODPA will not apply to companies’ data processing activities until April 1st, 2026.
While it is an opt-out law (meaning consumers have the right to opt-out of processing data for certain purposes) Maryland’s privacy act is already known in the data privacy world as more stringent than many other state laws.
Maryland’s privacy law applies to anyone who conducts business in the state, as well as those who provide services or products targeted to residents of Maryland and during the prior calendar year either:
Notably, the threshold for applicability, both in terms of the number of consumers and the amount of revenue earned from the sale of data, is lower than in other states. Because 35,000 consumers is a smaller percentage (0.56%) of Maryland’s population than it is in other states, it will likely be applicable to more companies doing business in Maryland than in states such as Colorado (with a threshold percentage of 1.72%), Oregon (2.35%), or its neighbor, Delaware (3.43%).
Despite the broader scope, Maryland follows other state laws in its definition of controllers and processors. A controller is a person who determines the purpose and means of processing personal data–either alone or jointly with others. A processor is a person that processes personal data on behalf of a controller.
It also has similar exemptions as other laws, including state and local agencies, courts, and certain types of businesses subject to related federal laws. Certain data is exempt from MODPA requirements, including specified health and financial data.
With controller requirements and restrictions, the MODPA gets tricky. It differs from other state laws in a few key areas.
In Maryland, controllers are restricted from the collection, processing, and sharing of sensitive data, except where it’s strictly necessary to provide or maintain a specific product or service requested by the consumer.
What’s more, controllers are banned altogether from selling sensitive data, which is defined as data that reveals:
Sensitive data also comprises genetic data or biometric data, personal data of a consumer the controller knows to be a child, and precise geolocation data.
Controllers are not allowed to:
Related to processing the data of children, controllers cannot process or sell the personal data of a consumer for targeted advertising if the consumer is under the age of 18 if the controller “knew or should have known” the consumer’s age.
In addition to the laundry list of restrictions, controllers are required to:
They also must provide consumers with a privacy notice that outlines their collection practices, provides an active email address or other online mechanism consumers can use to contact the controller, and discloses certain processing activities.
Maryland’s privacy act requires controllers to conduct privacy impact assessments on a regular basis for each data activity that presents a heightened risk of harm to a consumer, “including an assessment for each algorithm that is used.” This is an example of another industry best practice in the U.S. becoming a legal requirement. Companies who have not yet come across this practice will now need to incorporate it into their data privacy practices to ensure compliance in Maryland.
Activities that present a risk of heightened risk of harm are defined as:
MODPA outlines specific requirements and factors to consider in the assessment, such as the company’s use of de-identified data, reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer.
Notably, these assessments only apply to processing activities that occur on or after October 1, 2025.
A violation of the bill is considered an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act (MCPA).
There is a cure period of 60 days, during which controllers and processors may have the opportunity to cure the violation before the state takes action. The operative word is may. The Office of the Attorney General must first determine if a cure is possible by taking into consideration factors such as the number of violations, size, and complexity of the controller or processor, the likelihood of injury to the public, and other determinants. The cure period sunsets April 1, 2027.
The Maryland Office of the Attorney General's Consumer Protection Division enforces the MCPA, which has fines of up to $10,000 per violation or $25,000 for each repetition of the same violation.
The penalties are significantly higher than in other state laws, which have been approved steadily with $7,500 penalties per violation. Though the MODPA becomes effective on October 1, 2025, it will not apply to personal data processing activities that would invoke these penalties before April 1, 2026.
Consumer rights provided by Maryland’s privacy law are on track with other state laws. The MODPA grants consumers the following rights to:
Delaware and Oregon also allow consumers to obtain a list of third parties or third-party categories to which their data was disclosed. Maryland’s law differs slightly in that if a controller does not maintain that information in a format specific to the consumer, they can get a list of categories of third parties to which the controller has disclosed any consumer’s personal data.
Compliance with the MODPA may require significant effort from companies, particularly if they’re new to the data privacy law realm.
Because the law has strict data minimization requirements, restrictions around sensitive data and children’s data, mandated privacy impact assessments, and hefty penalties for violations, it’s critical to start planning for its effective date now. Even organizations that have implemented compliance programs for other state laws need to carefully review their data practices against these specific provisions.
Investing in a comprehensive compliance solution, like Osano’s data privacy platform, can help efficiently implement consumer privacy rights, consumer’s consent preferences, and more.
The MODPA takes effect October 1, 2025, and will apply to personal data processing activities after April 1, 2026.
Companies have two options to comply with the law, with the first including a clear and conspicuous link on their website that allows them to opt out of the sale of personal data or targeted advertising. The second option is to allow consumers to opt out of targeted advertising and the sale of their personal data through a universal opt-out preference signal by Oct. 1, 2025.
Violations can result in fees up to $10,000 per violation, with repeated violations potentially incurring fees up to $25,000 per violation.
There is a limited right to cure period that sunsets April 1, 2027. However, the Attorney General is tasked with considering if a violation can be cured and whether to provide the cure period.
To learn about how Osano’s data privacy platform can help your company comply with the MODPA and dozens of other regulations worldwide, schedule a demo today!
Need to wrap your head around more than just Maryland's data privacy law? Check out our guide to learn all the essentials of the U.S.'s state data privacy laws.
Download Now
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.