Managing third-party vendors under Maryland’s privacy law

September 17, 2025
Publications

In Part 4 of our series on the Maryland Online Data Privacy Act (MODPA), we turn to third-party vendors. MODPA sets strict requirements for data processing agreements and oversight of vendors who handle personal data on behalf of businesses.

Like many privacy laws, Maryland’s will govern the contractual relationship between data controllers and processors. The law requires that specific contracts be in place before personal data is exchanged between businesses and mandates that these contracts contain certain provisions designed to protect consumer privacy and ensure accountability throughout the data processing chain.

Many business relationships involve the processing and exchange of personal data. Whenever a service provider processes personal data on behalf of a business, the relationship must be documented in a written data processing agreement. These agreements limit the use of data by the service provider and impose data protections and other obligations on the service provider. Companies that hire external vendors to handle email campaigns and customer analytics, IT firms managing servers and databases, or healthcare providers using third-party platforms for patient records and telemedicine are all common relationships that would trigger the need for an agreement that meets Maryland’s requirements.

Contractual requirements

When controllers opt to outsource data processing to a third party, MODPA imposes contractual requirements that go beyond basic service agreements. Between the controller and processor, the parties must enter into a data processing agreement (DPA) that clearly gives instructions to the processor and establishes a framework for compliant data handling.

The DPA must detail:

  • Instructions for processing – Specific, clear directives on how data should be handled, including permitted and prohibited uses.
  • The nature and purpose of processing – A detailed explanation of why the data is being processed and the business objectives.
  • The type of data being processed – Categories and sensitivity levels of personal information involved.
  • The duration of processing – Specific timeframes, retention periods, and deletion schedules.
  • The rights and obligations of both parties – Clear delineation of responsibilities, liabilities, and performance expectations.

The contract must also include responsibilities for the processor, including:

  • A duty of confidentiality with regard to the data, extending to all personnel with access.
  • Reasonable security practices that meet or exceed industry standards and MODPA requirements.
  • Obligations to stop processing, delete, and return data at the controller’s request, with specific timelines and verification procedures.
  • Demonstrating compliance to the controller through regular reporting, audits, and documentation.
  • Providing an opportunity for the controller to object to subcontractor engagement for data processing, including advance notice and veto rights.
  • Allowing assessments by the controller to support their compliance efforts, including on-site inspections and third-party audits.

If your company is covered under the Maryland law and currently engages third parties to process data, reassessing your contracts and adding the required provisions is the first step in compliance. If your business is planning to engage third parties, even prior to the law’s effective date, setting these provisions in place now will ensure the least amount of disruption to your processing practices once the law goes into effect.

Strategic considerations for choosing and maintaining vendors

Under MODPA, the responsibility for compliance ultimately rests with the data controller. This means that when personal data is shared with third-party vendors, the controller must take proactive steps to manage the associated legal and operational risks.

Vendor selection should be guided not only by service capabilities but also by the vendor’s ability to meet strict data privacy and security requirements. Controllers should prioritize vendors with strong compliance track records, robust technical safeguards, and a willingness to adhere to MODPA’s contractual requirements. Beyond the initial agreement, controllers should also be vigilant in performing regular audits and assessments of vendor compliance.

Effective incident response planning is also essential to minimize the impact of data breaches. Data controllers should work closely with vendors to develop and maintain a coordinated incident response plan that clearly outlines roles, responsibilities, and communication protocols. This plan should specify how quickly vendors must report security incidents, the types of information they must provide, and how both parties will collaborate to investigate, contain, and remediate the issue. A well-defined and practiced response strategy reduces legal exposure and preserves trust with regulators and customers.

By implementing robust data processing agreements, conducting thorough due diligence, and maintaining vigilant oversight through audits and incident response planning, businesses can not only meet MODPA’s requirements but also foster a privacy-first culture across their entire supply chain.

This article was co-authored by Caroline Aiello.