Maryland’s Online Data Privacy Act (MODPA) is a groundbreaking Consumer Privacy Act that adds new complexities to the constantly evolving privacy landscape. We will explore the key points of the law, highlighting the unique requirements that distinguish it from other state laws.
Whether you’re a savvy business owner, a mindful consumer, or a curious observer, our goal is to equip you with the knowledge needed to understand Maryland’s online data privacy laws and help you navigate this digital privacy era.
The law will come into effect on October 1, 2025, providing businesses and consumers with a clear timeline to prepare for the changes.
The basics of Maryland’s Online Data Privacy Act
Scope
MODPA applies to businesses operating in the state or offering products or services to residents of the state. It pertains to those that, in the previous year, controlled or processed the personal data of at least 35,000 consumers (excluding pure payment transactions) or at least 10,000 consumers while deriving more than 20% of their gross revenue from the sale of personal data.
These thresholds are relatively low compared to Maryland’s population, covering businesses processing personal data from a lower percentage of the population than other states’ Consumer Privacy Acts.
This Act has exemptions similar to those in other Consumer Privacy State Acts, including entity-level and data-level exemptions for organizations covered by the GLBA and data covered by HIPAA. Some notable exemptions-related details include:
- There is no entity level exemption for organizations covered by HIPAA or higher education.
- The entity-level exception for non-profit organizations only applies to non-profits exclusively helping law enforcement to investigate insurance fraud or assist first responders during major incidents.
- MODPA exempts personal data collected by a regulated organization in the insurance sector or its affiliate to further the insurance business.
Consumer’s Rights
MODPA provides various individual rights for consumers in U.S. states with similar data privacy laws. These rights include:
- Right to know: Consumers can confirm whether a company is processing their personal data.
- Access: Consumers have the right to obtain a copy of their personal data.
- Rectification: Consumers can request the correction of any inaccurate personal data.
- Deletion: Consumers can request the deletion of their personal data unless data retention is required by law.
- Data portability: If the data processing is done by automatic means, consumers can obtain their personal data in a commonly used format.
- Third-party disclosure: Consumers can request a list of the categories of third parties to which the company has disclosed their data.
- Opt-out: Consumers can opt out of processing for targeted advertising, the sale of personal data, or profiling that involves automated decisions that significantly affect the consumer.
General requirements
MODPA shares a structure similar to other U.S. State Consumer Privacy Acts and includes essential consumer rights, procedures for responding to consumer requests (with a 45-day timeframe, extendable by an additional 45 days), authentication processes, and more. Additionally, MODPA requires organizations to provide consumers with a privacy notice and imposes vendor management requirements.
Novel requirements
Data minimization and purpose limitation
In several states with similar laws, organizations are required to minimize the collection of personal information to what is necessary, relevant, and reasonably needed to accomplish specific collection purposes, as communicated to the consumer. Maryland sets itself apart by mandating that organizations limit the collection and processing of personal information to what is reasonably necessary to provide or maintain a specific product or service requested by the consumer.
Additionally, it imposes a stricter requirement for minimizing the collection and processing of sensitive information to only what is strictly necessary to provide or maintain a specific product or service requested by the consumer. This emphasis on data minimization protects consumers and ensures responsible handling of their personal information.
The principle of purpose limitation under this law is consistent with other US State Consumer Privacy Acts. Organizations are prohibited from processing information for a purpose that is not reasonably necessary or compatible with the processing purposes disclosed to the consumer unless the consumer provides consent.
The relationship between data minimization and purpose limitation principles can be confusing because collecting is considered part of processing, which could imply that consumers can consent to less stringent data minimization standards.
Health data
Consumer Health Data under MODPA refers to personal data that controllers use to identify a consumer’s physical or mental health status, including gender-affirming treatment, reproductive, or sexual healthcare. This type of data is considered sensitive under MODPA, which means it has enhanced protections and specific processing requirements.
The Act prohibits the sale of Sensitive Data, including Consumer Health Data, without any exceptions such as opt-in consent. Additionally, there are specific prohibitions related to Consumer Health Data, some of which have exceptions. These prohibitions include:
- Providing access to Consumer Health Data to an employee or contractor unless there is a contractual or statutory duty of confidentiality, or confidentiality is required as a condition of employment.
- Providing access to a processor (vendor) without complying with vendor management requirements under MODPA, such as contract requirements.
- Using geofencing within 1,750 feet of any mental health facility or reproductive or sexual health facility to identify, track, collect data, or send notifications to a consumer regarding their health data.
Sensitive and children information
As stated earlier, under MODPA, the sale of sensitive data is strictly prohibited in all circumstances and without exceptions. The law also imposes a strict requirement to minimize the collection and processing of sensitive information to only what is absolutely necessary to provide or maintain a specific product or service requested by the consumer. Sensitive information, as defined by the Act, includes children’s data, and the processing of this type of data is further restricted under MODPA.
The Act generally prohibits the sale of personal data and the processing of personal data for targeted advertising purposes for consumers who are known or should have been known to be under 18, with no exceptions.
Notice of inconsistent data
MODPA includes new requirements for third parties that use or share consumers’ personal data in a way that doesn’t align with the promises made to the consumers when their personal information is collected. Before implementing, third parties must inform affected consumers about any new or changed practices. This notice should be provided within a reasonable timeframe to allow consumers to exercise their rights if they choose to do so.
Data Protection Assessments
Under the requirement to perform Data Protection Assessments (DPAs), MODPA includes an exhaustive list of the activities that present a heightened risk of harm to consumers. These activities are the sale of personal data, the processing of sensitive data, the processing of personal data for targeted advertisement, and the use of profiling when it presents the reasonably foreseeable risks listed in the Act.
This differs from the approach taken by the U.S. state Consumer Privacy Acts enacted so far with DPA requirements, which include non-exhaustive lists encompassing these activities.
In line with the data minimization principle, controllers must weigh the necessity and proportionality of processing in relation to its purpose. Additionally, the Act requires performing and documenting, on a regular basis, a DPA for each algorithm used during processing activities that pose a heightened risk of harm to consumers.
Other requirements
The Act incorporates several additional details that strengthen the consumer protections established by laws in other US states. These details include:
- Maryland is the only state with an established deadline (30 days) for organizations to stop processing personal information after a consumer has withdrawn consent.
- Prohibition to collect, process, or transfer publicly available data to unlawfully discriminate unavailable the equal enjoyment of goods or services based on discriminatory biases, unless exceptions apply.
Additionally, the Act does not include private rights of action. However, it states that consumers can pursue any other remedy provided by law.
Adapting to MODPA: Key considerations for businesses and consumers in the evolving privacy landscape
The Maryland Online Data Privacy Act represents a significant advancement in safeguarding consumer privacy in today’s rapidly changing digital landscape. Its unique requirements enable businesses to proactively adapt to evolving privacy laws. By gaining an understanding and grasping the key elements of MODPA, all stakeholders can effectively navigate the complexities of online data privacy, thereby promoting a more secure and empowered digital environment for all.
One crucial consideration when preparing for MODPA is to determine whether your organization processes personal data with specific requirements or processing limitations under this Act, such as consumer health data, children’s information, or other sensitive data. This will help ascertain if your organization needs to cease processing activities prohibited by this act or if it must limit them.
Lastly, data minimization will be a significant issue in this state with its innovative and restrictive approach, as well as in other states like California, where regulators have already emphasized the importance of complying with this principle.
Nymity Research
Get detailed insights, tools, and templates to help you manage the MODPA and other regulations.
Start today
Maximize customer trust
Easily orchestrate consents, preferences, opt-ins/outs, and empower your customers.
Learn more
