May 29th, 2025
Maryland Online Data Privacy Act
Author: Nidhi P. Patel

The Maryland Online Data Privacy Act of 2024 (MODPA) will significantly impact many Maryland businesses when it goes into effect on October 1, 2025. Here’s what businesses need to understand:
What is MODPA
MODPA gives consumers the right to protect their personal data, including, among other things, the right to require the deletion of personal data provided by (or obtained about) the consumer (unless retention of the personal data is required by law) and the right to opt out of the processing of personal data (e.g., for targeted advertising). Additionally, the bill gives consumers the right to obtain a list of the categories of third parties to which the controller has disclosed their data or to which the controller has disclosed data generally.
Who Will Be Affected
MODPA establishes new requirements for individuals or business entities that, alone or in conjunction with others, determine the purpose and strategies for processing personal data (“Controllers”) and that:
- Conduct business in Maryland, or provide products or services targeted to Maryland residents, and
- During the calendar year:
  - Controlled or processed personal data of 35,000 or more Maryland consumers (except for processing data solely for the purpose of completing a payment transaction), or
  - Controlled or processed personal data of 10,000 or more Maryland consumers and derived 20% of their gross revenue from the sale of personal data
While MODPA covers a wide array of entities, there are several which are exempt from this law, including:
- State and local agencies
- Courts
- Nonprofit agencies that process or share personal data to assist law enforcement in investigating insurance fraud and first responders responding to catastrophic events
- Financial institutions and data regulated by the Gramm-Leach-Bliley Act
- Registered national securities and futures associations subject to related federal laws
Additionally, certain data is also exempt from the bill’s requirements, including protected health data under HIPAA, financial data protected under the Fair Credit Reporting Act, and data collected under the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, and the Farm Credit Act.
Privacy Policy Requirements
MODPA requires regulated entities to, among other things, provide consumers with a privacy notice that includes:
- The types of personal and sensitive data being processed;
- The purposes for processing the data;
- Instructions on how consumers can exercise their rights, appeal decisions, or revoke consent;
- Details about third parties with whom data is shared, including the nature of those entities and how they may use the data;
- The categories of personal and sensitive data shared with third parties; and
- A valid email address or other online method for consumers to contact the controller.
Other Requirements
Covered organizations must also:
- Limit personal data collection to what is reasonably necessary and proportionate to providing or maintaining a specific product or service for the consumer
- Establish and maintain appropriate administrative, technical, and physical data security safeguards to protect the confidentiality, integrity, and accessibility of personal data
- Provide an effective system for consumers to revoke consent that is at least as easy as the system used by the consumer to provide consent
- If a consumer revokes consent, stop processing personal data as soon as possible but no later than thirty (30) days after receiving the request
Additionally, if a regulated entity sells personal data to third parties or processes personal data for targeted advertisements or to profile customers, it must clearly disclose the sale or processing and the steps consumers can take to opt out of the selling and processing of their data.
Finally, MODPA prohibits applicable businesses, individuals or entities from the following:
- Selling sensitive data (e.g., race, religion, citizenship, etc.)
- Collecting, processing, or sharing personal data except when strictly necessary
- Processing personal data that violates laws prohibiting unlawful discrimination
- Processing or selling personal data belonging to individuals under 18 for targeted advertisements
- Providing its employees or contractors access to Consumer Health Data
- Creating a geofence to establish a virtual boundary within 1,750 feet of any mental health facility or reproductive or sexual health facility to identify, track, or collect data from, or send notifications to consumers regarding their health data
How to Comply with Maryland’s New Law
Between now and October 1, 2025, businesses should reach out to their legal counsel for guidance on privacy practices, particularly concerning the implementation and enforcement of MODPA. If you have any questions or need assistance, please contact Stein Sperling’s Business Department.