Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Contextualizing Maryland’s New Data Privacy Act: A Conversation with Ezra Church and Rimsha Syeda

Spotlight

The Maryland Online Data Privacy Act (MODPA or the Act) took effect on October 1, 2025, making Maryland the latest state to enact legislation protecting consumer data privacy. As part of our Spotlight series, Ezra Church, the leader of our privacy and cybersecurity litigation practice, and Rimsha Syeda, an associate in the cybersecurity, incident response, and privacy practice, share their insights into the MODPA requirements and nuances that companies should know.

Which Entities Must Comply with the MODPA, and When Does It Take Effect?

The MODPA applies to persons or entities doing business in Maryland or targeting Maryland residents that, in the prior calendar year, either

  • control or process the data of at least 35,000 Maryland consumers, or
  • control or process the personal data of at least 10,000 Maryland residents and derive more than 20% of their gross revenue from the sale of personal data (this latter group consisting primarily of “data brokers”).

Notably, MODPA does not categorically exempt nonprofits or institutions of higher education, except for narrow carve-outs, so many entities that believe themselves outside state privacy regimes should reexamine coverage.

While the Act is effective as of October 1, it will not apply to any activities involving the processing of personal data before April 1, 2026.

How Does the MODPA Compare with Other State Privacy Laws?

At a baseline level, MODPA shares many of the same guardrails as peer state laws. For example, controllers must publish robust privacy notices; limit collection and use of personal data to what is “reasonably necessary and proportionate”; implement reasonable security measures; enter into processor contracts; conduct data protection assessments for high-risk activities, such as targeted advertising, profiling, sales, or sensitive data processing; and offer the familiar bundle of data subject rights, such as access, correction, deletion, portability, and opt-out of sale, targeted advertising, or certain profiling.

Like Delaware and Oregon, MODPA also requires controllers to provide consumers with a list of the specific third parties to which that particular consumer’s personal data has been disclosed or, if that is not possible, a list of categories of third parties to which the controller has disclosed any consumer’s personal data.

Although Maryland’s law builds on the framework pioneered by other states, it diverges in important respects:

Broader Definitions of Biometric Data, Consumer Health Data, and Sensitive Data

  • Biometric data: Most state privacy laws (e.g., Virginia) define biometric data as measurements of biological characteristics that are “used or intended to be used to identify a specific individual.” MODPA, by contrast, defines biometric data as “data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity” (emphasis added). This expansion means that even if a controller never deploys the data for identification, the data may still qualify as “biometric data” under the Act.
  • Consumer health data (CHD): MODPA defines CHD as “personal data that a controller uses to identify a consumer’s physical or mental health status,” expressly including gender-affirming care and reproductive or sexual health. By comparison, some states have adopted a narrower definition. For example, Connecticut limits its definition of CHD to a consumer’s “condition or diagnosis,” and Washington’s My Health My Data Act applies to data “reasonably linkable” to health. Maryland’s “status-based” framing may arguably broaden the scope of CHD applicability.
  • Sensitive personal data: Under MODPA, sensitive personal data comprises biometric and genetic data (even if not used for identification), consumer health data, precise geolocation, data revealing race/ethnicity, religious beliefs, sex life/sexual orientation, citizenship or immigration status, and national origin. Many states omit categories like national origin or citizenship (most commonly found in California’s California Consumer Protection Act) or restrict biometric data only when used for identity purposes, as discussed above. MODPA’s expansive definition means more datasets may be subject to the Act.

Unique Data Minimization Rules

Maryland has arguably adopted one of the most restrictive data minimization requirements of any US state to date, which include the following key features:

  • Limit on personal data collection: Controllers must limit collection to what is “reasonably necessary and proportionate” to provide or maintain a specific product or service requested by the consumer, even if a consumer has provided consent. Other states typically allow broader collection tied to disclosed or compatible purposes, with consumer consent as a fallback. Note, the statute does not define “reasonably necessary and proportionate,” and, as of now, the Maryland state attorney general has not issued any guidance on the Act.
  • Strict necessity for sensitive data: MODPA permits collection, processing, or sharing of sensitive data only when “strictly necessary” for the requested product or service, regardless of consent. This is a departure from state laws that allow consent-based processing of sensitive data. Sensitive data as defined under MODPA includes genetic, biometric, health, precise geolocation, and children’s information.
  • Flat prohibition on sales of sensitive data: Whereas other states allow the sale of personal or sensitive data with consumer consent, MODPA prohibits the sale of sensitive personal data outright.

Heightened Protections for Minors

MODPA prohibits the sale of personal data or use for targeted advertising if the controller “knew or should have known” (emphasis added) that the consumer is a minor under 18 years of age. This “should have known” standard is more expansive than most state laws, which typically limit protections to under 13 or under 16 years of age and often require actual knowledge rather than “should have known.” Companies may consider adopting technical controls to detect under-18 users or exclude them proactively.

Comparative Risk Assessments and Algorithm Reviews

MODPA requires controllers to conduct documented data protection assessments for processing activities that present heightened risk, including targeted advertising, sales, sensitive data processing, and certain profiling. Importantly, it uniquely mandates assessment of each algorithm used in those activities. Other state privacy laws require broader assessments for certain categories of data processing, but not specifically for every algorithm.

What Should Entities Consider About MODPA in Relation to Privacy Policies and Contracts?

With the evolving landscape of state privacy laws, it is typically preferable to avoid overly narrow or prescriptive language in privacy policies, data processing agreements, and other commercial contract documents. While companies may insert Maryland-specific clauses, a more sustainable approach may be to frame privacy and data protection obligations in contracts and privacy policies broadly as “U.S. state privacy law requirements,” supplemented with non-exhaustive examples.

This allows companies to accommodate evolving state laws without repeated revisions while still carving out state-specific obligations—such as Oregon and Maryland’s right to a list of third parties—where they cannot be addressed generically. Even under this approach, it remains critical for organizations to conduct impact assessments of each new privacy law to determine if additional changes are appropriate or necessary in order to achieve compliance.

What Practical Steps Can Companies Consider to Comply with MODPA?

Work already done to comply with other state privacy laws will likely be the first step toward MODPA compliance. But because MODPA has certain unique requirements, organizations should consider taking the following steps:

  • Inventory and classify data, paying close attention to categories likely deemed sensitive.
  • Reevaluate automated decision systems, profiling features, or ad-targeting flows (even those consented to) through the lens of “strict necessity.”
  • Update consent mechanisms and notices to clearly reflect MODPA’s rights and obligations, including withdrawal mechanisms and third-party disclosures.
  • Enhance risk assessment governance, embedding assessments in product development, documenting necessity tradeoffs, and revisiting assessments over time.
  • Review nonprofit operations, as many nonprofit organizations previously outside state privacy regimes may now need compliance under MODPA’s narrow carve-outs.

What Potential Strategies Can Help Entities Seeking to Comply with MODPA’s Data Assessment Requirements?

As discussed above, one of the most operationally significant elements of MODPA is its requirement that controllers conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm, including each algorithm used for targeted advertising, profiling, or sensitive data processing. While many organizations already perform risk assessments under other state laws, MODPA is arguably narrower in scope but more intensive in its documentation expectations.

Covered businesses should consider taking the following strategic steps:

  • Leverage existing impact assessments completed under other state privacy jurisdictions if they are “reasonably comparable in scope,” but tailor them to ensure they cover MODPA’s specific triggers, such as algorithmic use.
  • Document necessity and proportionality, including explaining the rationale for decisions, the alternatives considered, and the mitigation steps taken.
  • Maintain assessments as living documents as processing activities evolve; establish a cadence for revisiting assessments when systems are retrained, new features are added, or risk levels shift.
  • Ensure processor cooperation, including confirming that data processing agreements obligate processors to provide the information needed to complete and maintain these assessments, particularly with respect to algorithms and data flows they control.

What State Privacy Law Trends or Changes Stand Out Right Now?

There are a number of trends that are emerging in the patchwork of state privacy laws:

  • Opt-out requirements: Almost all recently enacted state privacy laws require businesses to either implement or honor universal opt-out mechanisms. The idea is that a universal opt-out mechanism lets the consumer express their privacy preferences automatically instead of clicking through individual cookie banners. The most common tool we are seeing is the Global Privacy Control (GPC), a protocol available as a browser extension or as an option built into some browsers. Once a consumer has enabled GPC in their browser, it automatically sends a signal with each website request asking to opt the consumer out in line with their preference. Given recent enforcement activity in California and AG guidance in other states, we suspect the right to opt out will continue to be a key focus.
  • Increased protections for children’s data: Most of the recently enacted state privacy laws introduce amendments or provisions for increased protection of children’s data. Several states have also introduced stand-alone age-appropriate design codes or social media addiction laws, reflecting a broader trend to protect children’s data.
  • Transparency around third-party sharing: In recent years, there has been a notable trend among states to mandate greater transparency regarding the sharing of data with third parties. Minnesota, Oregon, Delaware, and Maryland state privacy laws introduce the concept of providing either categories of or specific lists of third parties with whom a consumer’s data is shared.
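To make the GPC mechanism described above concrete, here is an added example (not code from this post or from Morgan Lewis) showing how a website can detect the signal on both sides and honor it as an opt-out of sale and targeted advertising. It assumes the GPC specification's `Sec-GPC: 1` request header and `navigator.globalPrivacyControl` property; the function and preference field names are this example's own.

```javascript
// Added example, not code from the Morgan Lewis post: detecting and honoring a
// Global Privacy Control (GPC) signal. Per the GPC specification, an enabled
// browser sends the request header "Sec-GPC: 1" and exposes
// navigator.globalPrivacyControl to page scripts. Function names and the
// preference field names below are this example's own assumptions.

// Server side: true only when the request carries a valid GPC opt-out signal.
function hasGpcSignal(headers) {
  // HTTP header names are case-insensitive (Node lowercases them), so compare
  // case-insensitively rather than trusting the object's key spelling.
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      // Only the exact value "1" is defined as the opt-out signal.
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: true when the browser exposes an enabled GPC preference.
// Takes a navigator-like object so it can also run outside a browser.
function clientHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Derives the processing flags to apply for this request. The signal can only
// turn sale and targeted advertising off; it never re-enables a prior opt-out.
function applyGpc(headers, storedPrefs) {
  const effective = { saleOfData: true, targetedAds: true, ...storedPrefs };
  if (hasGpcSignal(headers)) {
    effective.saleOfData = false;
    effective.targetedAds = false;
    effective.optOutSource = "gpc"; // record why, for the compliance audit trail
  }
  return effective;
}

// Constructed sample requests (not captured traffic).
const gpcRequest = { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
const plainRequest = { "user-agent": "ExampleBrowser/1.0" };

console.log(applyGpc(gpcRequest, {}));                     // both flags false
console.log(applyGpc(plainRequest, { saleOfData: false })); // prior opt-out kept
```

A real deployment would also log the decision alongside the request so the assessment records discussed later can show that the signal was honored.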

And because Maryland has introduced a few unique obligations under MODPA, organizations should view Maryland’s law as a signal of where state privacy legislation is heading and adapt their governance programs accordingly.