
Maryland Online Data Privacy Act (MODPA): What to know for 2025

Last updated
January 19, 2025

The Maryland Online Data Privacy Act (MODPA), effective October 1, 2025, is a groundbreaking piece of legislation designed to enhance data privacy protections for Maryland residents. Known as Senate Bill 541 (SB 541), it was signed into law by Maryland governor Wes Moore on May 9, 2024. With an emphasis on transparency, accountability, and consumer rights, MODPA places strict requirements on businesses handling personal data.



Key definitions in MODPA

To fully grasp this Maryland data privacy law, it’s essential to understand the core definitions as outlined in Section 14-4601 of the Commercial Law Article:

  1. Personal data: Information that identifies or could reasonably be linked to an identified or identifiable consumer, excluding de-identified data and publicly available information.
  2. Controller: An entity that determines the purposes and means of processing personal data, either alone or jointly with others.
  3. Processor: An entity that processes personal data on behalf of a controller.
  4. Sensitive data: Includes information such as racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation data.

These definitions establish the framework for businesses to determine their roles and responsibilities under the law.

Who must comply with MODPA?

MODPA applies to entities conducting business in Maryland or targeting products or services to Maryland residents and that meet one of the following criteria:

  1. Control or process the personal data of at least 35,000 Maryland consumers during a calendar year (personal data processed solely to complete a payment transaction does not count toward this number).
  2. Control or process the personal data of at least 10,000 Maryland consumers during a calendar year and derive more than 20% of gross revenue from the sale of personal data.

“‘Consumer’ means an individual who is a resident of the State acting only in an individual or household context. It does not include an individual acting in a commercial or employment context.”

Section 14-4601 of MODPA

MODPA exemptions

The Maryland Online Data Privacy Act (MODPA) includes specific exemptions where its provisions do not apply. Key exemptions include:

  1. Government agencies: Public entities and government agencies are exempt from MODPA requirements.
  2. Personal, non-commercial activities: Data processed for purely personal or household purposes is exempt.
  3. Health data: Data governed by laws like HIPAA (Health Insurance Portability and Accountability Act) is exempt.
  4. Financial institutions: Entities covered by the Gramm-Leach-Bliley Act (GLBA) are excluded.
  5. Education data: Information processed under FERPA (Family Educational Rights and Privacy Act) is not subject to MODPA.
  6. De-identified or aggregated data: Properly de-identified data that cannot be reasonably linked to individuals is exempt.

Unlike some other state privacy laws, MODPA does not categorically exempt nonprofits or institutions of higher education. Only nonprofit organizations that process or share personal data to assist law enforcement or first responders are exempt.

Key provisions of MODPA

1. Consumer rights

Maryland residents have the right to:

  • Access their data: Consumers can confirm whether a business is processing their personal data and request a copy of that data in a portable format.
  • Correct inaccuracies: Individuals can request corrections to inaccurate or incomplete personal data.
  • Delete their data: Consumers can ask businesses to delete their personal data, subject to certain exceptions.
  • Opt out: Residents can opt out of the processing of their data for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Is MODPA opt-in or opt-out?

The Maryland Online Data Privacy Act (MODPA) is a hybrid model, combining opt-in and opt-out mechanisms:

  1. Opt-in for sensitive data
    Businesses must obtain explicit consent (opt-in) before processing sensitive personal data, such as health information, religious beliefs, or precise geolocation.
  2. Opt-out for other data practices
    Consumers have the right to opt out of:
    • Targeted advertising
    • Sale of personal data
    • Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects

This approach ensures stronger protections for sensitive data while giving consumers control over other types of data processing.

Read further: opt-in vs opt-out: what’s the difference?

2. Data minimization

Businesses are required to:

  • Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain the specific product or service the consumer requested.
  • Avoid excessive or unnecessary data collection; consumer consent does not expand what may be collected.

3. Transparency requirements

Companies must:

  • Provide clear and accessible privacy notices.
  • Outline the categories of personal data collected, the purposes of collection, and the third parties with whom the data is shared.
  • Include instructions on how consumers can exercise their rights under MODPA.

4. Consent for sensitive data

MODPA contains a blanket prohibition on selling sensitive data, which is the first of its kind under any state privacy law. It also permits the collection or processing of sensitive data only where strictly necessary to provide or maintain a specific product or service the consumer requested, so consent alone does not satisfy the law. Within that limit, controllers must:

  • Obtain explicit and affirmative consent from consumers before processing sensitive data, such as health, genetic, or biometric information.
  • Ensure that consent is specific, informed, and freely given, and give consumers a clear way to withdraw it.

MODPA requirements for businesses

To comply with MODPA, businesses must:

  1. Develop privacy policies: Publish privacy notices detailing data collection, usage, and sharing practices to meet MODPA requirements.
  2. Implement data security measures: Protect personal data through robust security practices and technologies in accordance with Maryland data privacy law.
  3. Respond to consumer requests: Establish mechanisms to process consumer requests for data access, correction, and deletion in compliance with Maryland consumer privacy rights.
  4. Conduct data protection assessments: Perform assessments for processing activities that present heightened risks, such as processing sensitive data or engaging in targeted advertising.
  5. Execute contracts with processors: Define responsibilities in contracts to ensure processors adhere to MODPA’s requirements.

Penalties for non-compliance

Non-compliance with MODPA can result in severe penalties:

  1. Civil penalties: Violations are considered unfair or deceptive trade practices under the Maryland Consumer Protection Act (MCPA). Civil penalties include fines of up to $10,000 for each violation and up to $25,000 for each subsequent violation.
  2. Enforcement actions: The Maryland Attorney General’s Office oversees compliance. If it determines that a cure is possible, it may issue a notice of violation and allow 60 days to cure before initiating legal action; this cure provision expires on April 1, 2027.
  3. Reputational damage: Public exposure of non-compliance can harm a business’s brand and consumer trust.

The impact of MODPA on businesses

MODPA presents both challenges and opportunities for businesses:

  1. Operational changes: Companies may need to update systems, processes, and policies to meet the privacy obligations MODPA places on businesses.
  2. Increased costs: Investments in legal counsel, technology, and staff training may be necessary to achieve MODPA compliance.
  3. Enhanced trust: Compliance can improve consumer trust and competitive advantage by aligning with Maryland consumer data protection standards.

The impact of MODPA on consumers

For Maryland residents, MODPA offers significant benefits:

  1. Greater control: Consumers have more power over how their personal data is collected, used, and shared.
  2. Increased transparency: Clearer privacy notices ensure individuals understand how their data is used.
  3. Stronger protections: Required data security measures and strict minimization rules reduce the risk and impact of data breaches.

How MODPA compares to other U.S. data privacy laws

MODPA shares similarities with laws like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA), but with distinct differences:

  1. Scope: MODPA’s applicability thresholds are lower than in most other states: 35,000 consumers (compared with 100,000 in Oregon, Virginia, Iowa, and Colorado), or 10,000 consumers combined with more than 20% of revenue from selling personal data.
  2. Sensitive data: MODPA defines biometric data, consumer health data, and sensitive data more broadly than most other states, and it flatly prohibits the sale of sensitive data, the first such prohibition in any state privacy law.
  3. Data minimization: MODPA limits collection to what is reasonably necessary and proportionate to the product or service the consumer requested, restricts the sale and processing of personal data regardless of consumer consent, and bars the sale of, and targeted advertising using, the personal data of consumers the controller knows or should know are under 18.

| Feature | MODPA (Maryland) | ICDPA (Iowa) | VCDPA (Virginia) | CPA (Colorado) | CCPA/CPRA (California) |
|---|---|---|---|---|---|
| Consumer rights | Access, correct, delete, portability, opt out of sale, targeted advertising, and profiling | Access, delete, portability, opt out of sale | Access, correct, delete, portability | Access, correct, delete, portability | Access, correct, delete, portability, opt out of automated decisions |
| Threshold for applicability | 35,000 consumers, or 10,000 consumers and more than 20% of revenue from sales | 100,000 consumers, or 25,000 consumers and 50%+ of revenue from sales | 100,000 consumers, or 25,000 consumers and 50%+ of revenue from sales | 100,000 consumers, or 25,000 consumers and revenue or discounts from sales | $25 million+ annual revenue, or data of 100,000+ consumers or households, or 50%+ of revenue from selling or sharing personal data |
| Data protection assessment required | Yes | No | Yes | Yes | Yes |
| Enforcement | Attorney General | Attorney General | Attorney General | Attorney General and district attorneys | California Privacy Protection Agency and Attorney General, plus a private right of action for data breaches |
| Private right of action | No | No | No | No | Yes (data breaches only) |

What makes MODPA stand out?

The Maryland Online Data Privacy Act (MODPA) differs from other state privacy laws with its strong focus on data minimization, requiring businesses to collect only the data reasonably necessary and proportionate to the product or service a consumer requested.

It mandates consent and strict necessity for sensitive data and prohibits selling it outright, and it phases in enforcement: the Act takes effect October 1, 2025 but does not apply to processing activities before April 1, 2026, and its 60-day cure period sunsets on April 1, 2027.

How Ketch can simplify MODPA compliance

Complying with MODPA and other state privacy laws can be simpler than you think. The Ketch data permissioning platform helps businesses stay compliant by:

  • MODPA policy template: Ketch Consent Management includes a pre-built policy template for the MODPA, with ability to customize rights as desired, no coding required to make changes. 
  • Location-aware consent banners: MODPA is a very strict regulation, and Ketch can help businesses ensure that complying with MODPA requirements does not limit data practices in other locations with different laws. Ketch automatically serves jurisdiction-aware consent language to individuals based on their location. 
  • Data subject rights: MODPA provides consumers with the right to access, correct, delete, and obtain a copy of their personal data. Ketch enables end-to-end DSR fulfillment with capabilities like drag-and-drop workflow builder, smart routing, and task-level automation. 
  • Opt-out right for sales, targeted advertising, and profiling: Ketch consent management makes it easy for businesses to offer customers a transparent option for opt-outs, and use our pre-built APIs to connect those opt-out signals to your business data systems and apps, ensuring you honor consumer choices. 

Final thoughts: Preparing your business for MODPA

Compliance with MODPA is not just a legal obligation but a strategic opportunity to enhance consumer trust. Businesses should:

  1. Assess their data practices using a MODPA compliance checklist.
  2. Update privacy policies and systems to meet the standards of Maryland’s online privacy law.
  3. Invest in tools like Ketch to ensure smooth compliance.

By taking proactive steps, companies can turn compliance challenges into opportunities for growth and innovation, especially for small businesses adapting to MODPA requirements.

Contact Ketch today to streamline your compliance and future-proof your privacy strategy. 

Read further: 2025 U.S. State Privacy Laws: what you need to know

FAQ


  1. Does MODPA require data protection officers?
    While not explicitly required, businesses may benefit from appointing a data protection officer to manage compliance efforts.
  2. What is a data protection assessment under MODPA?
    Businesses must conduct assessments for high-risk activities, such as processing sensitive data or targeted advertising, to evaluate potential impacts on consumer privacy.
  3. How does MODPA define targeted advertising?
    MODPA defines targeted advertising as delivering ads based on personal data collected across different websites or apps, excluding context-based advertising.
  4. Are businesses outside Maryland required to comply?
    Yes, businesses located outside Maryland must comply if they target Maryland residents or process their data and meet the law’s thresholds.
  5. What are the timelines for responding to consumer requests?
    Businesses must respond to consumer requests, such as access or deletion requests, within 45 days, with an option for a 45-day extension if needed.
  6. Does MODPA apply to employee data?
    MODPA primarily targets consumer data, but businesses should evaluate if certain employee data collection activities fall under its scope.
  7. How does MODPA handle children’s data?
    Businesses must comply with COPPA (Children’s Online Privacy Protection Act) for users under 13 and ensure MODPA compliance for data of minors under applicable Maryland laws. MODPA dictates no processing of minors’ (under 18) personal data for sales or targeted advertising. 
  8. Does MODPA apply to small businesses?
    The Maryland Online Data Privacy Act (MODPA) applies to small businesses only if they meet one of its applicability thresholds:
    • Applicability criteria:
      • Control or process the personal data of 35,000 or more Maryland consumers annually (excluding data processed solely to complete a payment transaction).
      • Control or process the personal data of 10,000 or more Maryland consumers annually and derive more than 20% of gross revenue from selling personal data.
    • Below the thresholds:
      • Businesses that do not meet either threshold are not subject to MODPA.
    The thresholds are based on the number of consumers and the share of revenue from data sales, not on company size, so a small company with a large user base can still be covered.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat: regulators across Europe and now the United States are charging brands with irresponsible handling of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.