MODPA risk assessments: How to evaluate and mitigate privacy risks
September 17, 2025
As part of our continuing series on the Maryland Online Data Privacy Act (MODPA), this installment focuses on risk assessments. MODPA requires businesses to perform data protection assessments when certain processing activities pose a heightened risk of harm to consumers.
Under the Maryland Online Data Privacy Act, risk assessments are required when the processing activity of a business presents a “heightened risk of harm to consumers.” By October 1st, 2025, companies must begin preparing to perform risk assessments for any such personal data processing they plan to continue. These risk assessments only need to be completed by controllers of personal data, but processors must cooperate to ensure thoroughness and accuracy of the process.
If your company has never performed DPAs
Complex risk assessment requirements may be new territory for your business. Maryland’s privacy law will regulate more entities than the privacy laws of most other states. This expanded scope means that companies previously exempt from state privacy obligations must now carefully evaluate how their data collection and processing activities may impact individuals’ privacy rights.
Activities that present a “heightened risk of harm to consumers” and trigger the need for a risk assessment include:
- Targeted advertising
- Selling personal data
- Processing sensitive data
- Processing personal data for profiling purposes that could result in disparate or unfair outcomes
The required frequency of re-assessment is undefined, but the law mandates that companies perform risk assessments “on a regular basis.” The appropriate timing also varies with changes to products or services. If your company is planning to begin a high-risk processing activity, the best practice is to perform a thorough risk assessment before taking action, so that risks are identified and mitigated before they occur. Routine, low-risk processing activities do not need to be assessed for their risk potential.
When performing an assessment, companies must identify the risks and benefits of the processing activity, taking into consideration the expectations of the consumer and the context of the processing. They must also document mitigation strategies that lower the probability that consumers will be harmed by that activity.
While assessments remain confidential, the Maryland attorney general can request them during enforcement proceedings. Well-documented risk assessments that demonstrate proactive risk mitigation and a thorough understanding of your data processing activities can significantly benefit your company during regulatory scrutiny, showing good faith compliance efforts and potentially influencing enforcement decisions. Beyond regulatory advantages, a comprehensive understanding of your company’s risk also signals to customers, partners, and stakeholders that your organization takes data protection seriously.
If your company already performs risk assessments to comply with other privacy laws
Your existing risk assessments provide a strong foundation for MODPA compliance, but will likely require updates to address Maryland’s unique requirements. If performed for laws like the CCPA, GDPR, or other state privacy frameworks, your assessments will likely follow similar methodologies and address similar MODPA-required risk factors.
However, Maryland’s law introduces several prohibitions and heightened protections that do not exist in other frameworks:
- Complete ban on selling sensitive personal data
- Stricter data minimization requirements
- Enhanced protections for minors’ data
Activities that may have been classified as “moderate risk” under other laws may now require “high risk” or “prohibited” classifications under Maryland’s framework.
Non-privacy risk assessments (such as cybersecurity, financial, or operational risk assessments) do not satisfy MODPA’s requirements for privacy-related risk assessments, regardless of their quality or comprehensiveness. The law specifically requires assessments that evaluate consumer harm, data processing necessity, and compliance with Maryland’s specific restrictions.
Whether your company is conducting its first privacy risk assessment or is updating existing frameworks, the key to successful compliance lies in early preparation and thorough documentation. With enforcement beginning in April 2026, businesses have a limited window to develop risk assessment processes that satisfy regulatory requirements and demonstrate commitment to consumer privacy protection.
This article was co-authored by Caroline Aiello.