Is your business covered by MODPA?

September 16, 2025
Publications

The Maryland Online Data Privacy Act (MODPA) will take effect on October 1, 2025. In this second part of our series, McNees explores which businesses the law applies to and the key mandates they will face. 

Who does MODPA apply to and what does it mandate? 

MODPA will apply to businesses operating in Maryland or targeting Maryland residents if, in the prior year, they processed personal data of at least 35,000 Maryland consumers (excluding payment transaction data), or processed data of at least 10,000 consumers and derived more than 20 percent of gross revenue from selling personal data. 

The law includes exemptions for certain organizations such as state and local governments, GLBA-regulated financial institutions, and specific nonprofits, as well as data already covered by HIPAA, FERPA, and other sector-specific laws. 

MODPA imposes strict rules on data collection, use, and disclosure. It requires that businesses collect only data “reasonably necessary and proportionate” to provide or maintain a requested product or service. Sensitive data, including race or ethnicity, religion, health, biometrics, precise geolocation, and data about known children, may be processed only when strictly necessary and may never be sold.  

Enforcement is handled solely by the Maryland Office of the Attorney General’s Consumer Protection Division, and private lawsuits are not allowed. Under Maryland law, violations are considered unfair or deceptive trade practices. 

If your business has never been covered by a privacy law 

For companies new to privacy compliance, MODPA will require significant changes. The relatively low applicability thresholds mean many small and mid-sized businesses will be covered. The operational work will be substantial, from drafting a compliant privacy notice to building systems for handling consumer requests. Data mapping will be a critical first step, enabling you to track where personal data is collected, stored, and shared. Businesses handling sensitive or teen data will need to review and possibly redesign their systems to meet strict limits on collection and use. 

Key legal requirements for new-to-privacy businesses: 

  • Determine if thresholds are met (greater than 35,000 consumers, or greater than 10,000 plus 20 percent revenue from data sales). 
  • Publish a clear and accessible privacy notice with all required disclosures. 
  • Implement internal processes for handling access, deletion, correction, and portability requests. 
  • Enable opt-outs and honor global privacy signals. 
  • Review and limit collection of sensitive data; remove any sales of that data. 
  • Put contracts in place with all processors that meet MODPA standards. 
  • Begin data protection assessments for any high-risk processing. 

Because the law takes effect on October 1, 2025, businesses without existing privacy programs should start now to allow for the necessary policy, technical, and cultural changes. 

If you are already compliant with another state privacy law 

Organizations already subject to laws such as California’s and Virginia’s will find familiar concepts, but they should note Maryland’s stricter elements. Maryland’s data minimization provisions are unique among state privacy laws. The outright ban on selling sensitive data also stands apart from other states, which may allow such sales with consent. Maryland extends protections to teenagers aged 13 to 17, whereas many states focus only on protections for children under 13. 

Maryland also requires data protection assessments for a wider range of processing activities, including any targeted advertising or profiling with significant effects. Although there is no private right of action, the law’s explicit requirement to honor global opt-out signals will require some businesses to upgrade systems and processes. 

Key legal requirements for already-compliant businesses: 

  • Update privacy policies and notices. 
  • Cease any sale of sensitive data, even if previously permitted in other states. 
  • Extend teen protections to ages 13–17 for ads, profiling, and data sales. 
  • Conduct broader data protection assessments than may be required elsewhere. 
  • Implement and test global opt-out signal recognition. 
  • Confirm contracts and internal procedures meet Maryland’s specific language requirements. 

In the upcoming series, we will examine more closely how these broad legal requirements affect specific business practices, including risk assessments, marketing, and managing third-party relationships.  

This article was co-authored by Caroline Aiello.