The Maryland Online Data Privacy Act (MODPA), effective October 1, 2025, is a groundbreaking piece of legislation designed to enhance data privacy protections for Maryland residents. Known as Senate Bill 541 (SB 541), it was signed into law by Maryland Governor Wes Moore on May 9, 2024. With an emphasis on transparency, accountability, and consumer rights, MODPA places strict requirements on businesses handling personal data.
What Is the Maryland Online Data Privacy Act (MODPA)?
The Maryland Online Data Privacy Act (MODPA) is a comprehensive data privacy law effective October 2025. It grants residents rights to access, delete, and control their data, requires opt-in for sensitive data, and mandates transparency, data minimization, and safeguards against misuse. It balances privacy with business compliance.
Why was MODPA passed?
The Maryland Online Data Privacy Act (MODPA) was passed to protect consumer privacy, address Big Tech's data exploitation, align with national privacy trends, and promote data minimization. It empowers residents with data rights, enhances transparency, and fosters trust in the digital economy while encouraging responsible business practices.
“It puts guardrails up on the amount of data that companies can collect on people online and also what they do with that data, and it gives consumers more control over their own data” - Maryland State Senator Sarah Love.
What makes MODPA unique?
The Maryland Online Data Privacy Act (MODPA) is similar to the privacy laws of other U.S. states with regard to subject rights and opt-out of sale rights. However, it has unique attributes in a number of areas. MODPA has lower thresholds for the businesses subject to it: for example, the minimum consumer processing number is 35,000, as compared to Oregon’s 100,000. Compared to other U.S. states, MODPA has stricter definitions of Biometric Data, Consumer Health Data, and Sensitive Personal Data. In addition, MODPA has very strict data minimization requirements: strict limits on personal data processing, sale of data, and collection, regardless of consumer consent. MODPA does not allow processing of minors’ (under 18) personal data for sales or targeted advertising.
To fully grasp this Maryland data privacy law, it’s essential to understand the core definitions as outlined in Section 14–4701:
Personal data: Information that identifies or could reasonably be linked to an identified or identifiable consumer, excluding de-identified data and publicly available information.
Controller: An entity that determines the purposes and means of processing personal data, either alone or jointly with others.
Processor: An entity that processes personal data on behalf of a controller.
Sensitive data: Includes information such as racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation data.
These definitions establish the framework for businesses to determine their roles and responsibilities under the law.
Who must comply with MODPA?
MODPA applies to entities conducting business in Maryland or targeting products or services to Maryland residents and that meet one of the following criteria:
Control or process personal data of at least 35,000 Maryland residents per year.
Control or process the personal data of at least 10,000 Maryland residents per year and derive more than 20% of their revenue from selling personal data.
“‘Consumer’ means an individual who is a resident of the State acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.”
The Maryland Online Data Privacy Act (MODPA) includes specific exemptions where its provisions do not apply. Key exemptions include:
Government agencies: Public entities and government agencies are exempt from MODPA requirements
Personal, non-commercial activities: Data processed for purely personal or household purposes is exempt
Health data: Data governed by laws like HIPAA (Health Insurance Portability and Accountability Act) is exempt
Financial institutions: Entities covered by the Gramm-Leach-Bliley Act (GLBA) are excluded
Education data: Information processed under FERPA (Family Educational Rights and Privacy Act) is not subject to MODPA
De-identified or aggregated data: Properly de-identified data that cannot be reasonably linked to individuals is exempt
Unlike some other state privacy laws, MODPA does not categorically exempt nonprofits or institutions of higher education. Only nonprofit organizations that process or share personal data to assist law enforcement or first responders are exempt.
Key provisions of MODPA
1. Consumer rights
Maryland residents have the right to:
Access their data: Consumers can request a copy of their personal data held by businesses.
Correct inaccuracies: Individuals can request corrections to inaccurate or incomplete personal data.
Delete their data: Consumers can ask businesses to delete their personal data, subject to certain exceptions.
Opt out: Residents can opt out of the processing of their data for purposes such as targeted advertising, the sale of personal data, or profiling.
Is MODPA opt-in or opt-out?
The Maryland Online Data Privacy Act (MODPA) is a hybrid model, combining opt-in and opt-out mechanisms:
Opt-in for sensitive data: Businesses must obtain explicit consent (opt-in) before processing sensitive personal data, such as health information, religious beliefs, or precise geolocation.
Opt-out for other data practices: Consumers have the right to opt out of:
Targeted advertising
Sale of personal data
Profiling for automated decision-making.
This approach ensures stronger protections for sensitive data while giving consumers control over other types of data processing.
2. Data minimization
Collect only the data that is adequate, relevant, and necessary for specified purposes.
Avoid excessive or unnecessary data collection to reduce potential risks.
3. Transparency requirements
Companies must:
Provide clear and accessible privacy notices.
Outline the categories of personal data collected, the purposes of collection, and the third parties with whom the data is shared.
Include instructions on how consumers can exercise their rights under MODPA.
4. Consent for sensitive data
MODPA contains a blanket prohibition on selling sensitive data, which is the first of its kind under any state privacy law. With regard to sensitive data, controllers must:
Obtain explicit and affirmative consent from consumers before processing sensitive data, such as health, genetic, or biometric information.
Ensure that consent is specific, informed, and freely given, with a clear opt-out option available.
MODPA requirements for businesses
To comply with MODPA, businesses must:
Develop privacy policies: Publish privacy notices detailing data collection, usage, and sharing practices to meet MODPA requirements.
Implement data security measures: Protect personal data through robust security practices and technologies in accordance with Maryland data privacy law.
Respond to consumer requests: Establish mechanisms to process consumer requests for data access, correction, and deletion in compliance with Maryland consumer privacy rights.
Conduct data protection assessments: Perform assessments for processing activities that present heightened risks, such as processing sensitive data or engaging in targeted advertising.
Execute contracts with processors: Define responsibilities in contracts to ensure processors adhere to MODPA’s requirements.
Penalties for non-compliance
Non-compliance with MODPA can result in severe penalties:
Civil penalties: Violations are considered unfair or deceptive trade practices under the Maryland Consumer Protection Act (MCPA). Civil penalties include fines of up to $10,000 for a first violation and up to $25,000 for subsequent violations.
Enforcement actions: The Maryland Attorney General’s Office oversees compliance and may issue notices of violation, providing 60 days to cure violations before initiating legal actions as part of MODPA enforcement.
Reputational damage: Public exposure of non-compliance can harm a business’s brand and consumer trust.
The impact of MODPA on businesses
MODPA presents both challenges and opportunities for businesses:
Operational changes: Companies may need to update systems, processes, and policies to meet compliance standards, including Maryland businesses’ privacy obligations.
Increased costs: Investments in legal counsel, technology, and staff training may be necessary to achieve MODPA compliance.
Enhanced trust: Compliance can improve consumer trust and competitive advantage by aligning with Maryland consumer data protection standards.
The impact of MODPA on consumers
For Maryland residents, MODPA offers significant benefits:
Greater control: Consumers have more power over their personal data, aligning with online privacy rights for Maryland residents.
Increased transparency: Clearer privacy notices ensure individuals understand how their data is used.
Stronger protections: Enhanced security measures reduce risks of data breaches, reflecting Maryland internet privacy laws.
How MODPA compares to other U.S. data privacy laws
MODPA shares similarities with laws like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA), but with distinct differences:
Scope: MODPA has lower thresholds for the businesses subject to it. The minimum consumer processing number is 35,000 (as compared to Oregon’s 100,000).
Sensitive data: Compared to other U.S. states, MODPA has stricter definitions of Biometric Data, Consumer Health Data, and Sensitive Personal Data. MODPA contains a blanket prohibition on selling sensitive data, which is the first of its kind under any state privacy law.
Data minimization: MODPA has very strict data minimization requirements: strict limits on personal data processing, sale of data, and collection, regardless of consumer consent. MODPA does not allow processing of minors’ (under 18) personal data for sales or targeted advertising.
| Feature | ICDPA | VCDPA (Virginia) | CPA (Colorado) | CCPA/CPRA (California) |
| --- | --- | --- | --- | --- |
| Consumer Rights | Access, Correct, Delete, Portability | Access, Correct, Delete, Portability | Access, Correct, Delete, Portability | Access, Correct, Delete, Portability, Opt-out of automated decisions |
| Threshold for Applicability | 100,000 consumers or 50% revenue from sales | 100,000 consumers or 50% revenue from sales | 100,000 consumers or 25,000 with sales | $25 million revenue or data of 100,000+ consumers |
| Data Protection Assessment Required | No | Yes | Yes | Yes |
| Enforcement | Attorney General | Attorney General | Attorney General | Attorney General + Private Right of Action |
| Private Right of Action | No | No | No | Yes |
What makes MODPA stand out?
The Maryland Online Data Privacy Act (MODPA) differs from other state privacy laws with its strong focus on data minimization, requiring businesses to collect only necessary data.
It mandates opt-in consent for sensitive data, phased enforcement (effective October 2025, enforceable April 2026), and a sunset on its cure period by 2027.
How Ketch can simplify MODPA compliance
Complying with MODPA and other state privacy laws can be simpler than you think. The Ketch data permissioning platform helps businesses stay compliant by:
MODPA policy template: Ketch Consent Management includes a pre-built policy template for the MODPA, with ability to customize rights as desired, no coding required to make changes.
Location-aware consent banners: MODPA is a very strict regulation, and Ketch can help businesses ensure that complying with MODPA requirements does not limit data practices in other locations with different laws. Ketch automatically serves jurisdiction-aware consent language to individuals based on their location.
Data subject rights: MODPA provides consumers with the right to access, correct, delete, and obtain a copy of their personal data. Ketch enables end-to-end DSR fulfillment with capabilities like drag-and-drop workflow builder, smart routing, and task-level automation.
Opt-out right for sales, targeted advertising, and profiling: Ketch consent management makes it easy for businesses to offer customers a transparent option for opt-outs, and use our pre-built APIs to connect those opt-out signals to your business data systems and apps, ensuring you honor consumer choices.
Final thoughts: Preparing your business for MODPA
Compliance with MODPA is not just a legal obligation but a strategic opportunity to enhance consumer trust. Businesses should:
Assess their data practices using a MODPA compliance checklist.
Update privacy policies and systems to meet Maryland online privacy law standards.
Invest in tools like Ketch to ensure smooth compliance.
By taking proactive steps, companies can turn compliance challenges into opportunities for growth and innovation, especially for small businesses adapting to MODPA requirements.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.
Ketch supports compliance with major privacy laws, including GDPR, CCPA, CPRA, and various emerging US state laws, ensuring businesses meet global and local data privacy requirements.
Does MODPA require data protection officers? While not explicitly required, businesses may benefit from appointing a data protection officer to manage compliance efforts.
What is a data protection assessment under MODPA? Businesses must conduct assessments for high-risk activities, such as processing sensitive data or targeted advertising, to evaluate potential impacts on consumer privacy.
How does MODPA define targeted advertising? MODPA defines targeted advertising as delivering ads based on personal data collected across different websites or apps, excluding context-based advertising.
Are businesses outside Maryland required to comply? Yes, businesses located outside Maryland must comply if they target Maryland residents or process their data and meet the law’s thresholds.
What are the timelines for responding to consumer requests? Businesses must respond to consumer requests, such as access or deletion requests, within 45 days, with an option for a 45-day extension if needed.
Does MODPA apply to employee data? MODPA primarily targets consumer data, but businesses should evaluate if certain employee data collection activities fall under its scope.
How does MODPA handle children’s data? Businesses must comply with COPPA (Children’s Online Privacy Protection Act) for users under 13 and ensure MODPA compliance for data of minors under applicable Maryland laws. MODPA dictates no processing of minors’ (under 18) personal data for sales or targeted advertising.
Does MODPA apply to small businesses? The Maryland Online Data Privacy Act (MODPA) applies to small businesses only if they meet specific thresholds:
Applicability Criteria:
Process personal data of 35,000 or more Maryland residents annually.
Process personal data of 10,000 or more Maryland residents and derive 20% or more of gross revenue from selling personal data.
Exemptions:
Small businesses below these thresholds are generally exempt from compliance.
This approach avoids overburdening smaller entities that handle limited or non-sensitive data.
Matt George is the Data Protection Officer at Ketch. A seasoned privacy attorney with a strong IT and data management background, he is also CIPP/US and CIPP/A certified from IAPP.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat; regulators across Europe and now the United States are charging brands with irresponsible handling of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.