October 1, 2025
The Maryland Online Data Protection Act (MODPA) is now in effect as of October 1, 2025, introducing stricter rules for how businesses handle personal data. It applies to companies processing data for at least 35,000 Maryland residents annually or earning 20% of revenue from selling data of 10,000 residents. This law emphasizes data minimization, bans the sale of sensitive data (even with consent), and prioritizes protections for minors. Key consumer rights include:
Access, delete, correct, and port data
Opt out of targeted ads and data sales
Stronger protections for sensitive and children’s data
Businesses face fines of up to $25,000 per violation and must comply with requirements such as Data Protection Assessments (DPAs) and detailed privacy notices. MODPA raises the bar for digital privacy, ensuring Maryland residents have more control over their personal information.
Maryland Online Data Privacy Act (MODPA): A Guide for Businesses
Consumer Rights Under MODPA
The Maryland Online and Digital Privacy Act (MODPA) gives Maryland residents greater control over their personal data, ensuring they can understand and manage how businesses handle their information.
Right to Access, Delete, Correct, and Port Data
Under MODPA, Maryland residents can access, correct, delete, or transfer their personal data. This means they have the right to know what information businesses collect and why it's being used. To make this process straightforward, companies are required to include clear instructions in their privacy notices. These must detail how consumers can exercise these rights, such as providing an email address or an online submission method. Beyond data management, residents also have control over how their information is used for advertising and sales purposes.
Opt-Out Options for Targeted Advertising and Data Sales
Maryland residents can opt out of having their personal data sold or used for targeted advertising. Businesses are required to provide accessible ways for consumers to opt out, ensuring the process is user-friendly. Starting October 25, 2025, companies must also honor global opt-out signals - referred to as universal opt-out mechanisms (UOOMs) - that automatically communicate privacy preferences across websites. Maryland will recognize opt-out mechanisms approved by other states, simplifying privacy management for consumers.
"It puts guardrails up on the amount of data that companies can collect on people online and also what they do with that data, and it gives consumers more control over their own data." – Delegate Sara Love
MODPA requires businesses to honor all valid opt-out requests and provide an appeals process. If an appeal is denied, consumers can escalate their complaints to the Maryland Attorney General's Consumer Protection Division.
The law also offers extra protections for sensitive data and minors. Businesses are strictly prohibited from selling sensitive data, even with consumer consent. Additionally, they cannot sell or use the personal data of individuals under 18 for targeted advertising if they know - or reasonably should know - the consumer's age.
Clear Data Collection and Sharing Disclosure
MODPA emphasizes transparency by requiring businesses to provide detailed and accessible privacy notices. These notices must go beyond vague language, specifying the categories of personal data collected and the exact reasons for processing it.
Companies are also obligated to disclose the categories of third parties with whom they share personal data. Upon request, businesses must provide either a detailed list of specific third parties that received the consumer's data or a general list if individual-level data isn't maintained in that format.
The law extends these disclosure requirements to practices like targeted advertising, data sales, and profiling. Businesses must clearly state if they engage in these activities and offer easy-to-use methods for opting out. With these measures in place, Maryland residents gain a clearer picture of how their data is used and shared, giving them the tools to better safeguard their privacy.
Business Compliance Requirements Under MODPA
MODPA introduces a set of compliance rules that impact any business handling the personal data of Maryland residents. For companies operating in the state, understanding these obligations is essential.
Low Threshold for Applicability
One of the standout features of MODPA is its low threshold for applicability. The law applies to businesses that process personal data for at least 35,000 Maryland consumers annually, or 10,000 consumers if 20% or more of their gross revenue comes from selling personal data.
"This deliberately low applicability threshold will result in broader applicability than consumer privacy laws that have taken effect over the last 5 years in other states." – McNees Law
This lower bar means that many small and mid-sized businesses, which might have previously been exempt under other states' privacy laws, now fall under MODPA's scope. As a result, even businesses that have never dealt with such regulations will need to develop comprehensive privacy programs to comply with Maryland's rules.
Data Protection Assessments and Privacy Notices
To meet MODPA's requirements, businesses must implement significant internal changes. One key obligation is conducting Data Protection Assessments (DPAs) for activities that pose heightened risks to consumers. These include practices like targeted advertising, selling personal data, handling sensitive information, and profiling that could lead to negative outcomes for individuals. Each DPA must evaluate the risks and benefits of the activity, consider consumer expectations, and document strategies to minimize potential harm. Businesses are required to perform these assessments regularly and keep them confidential, although they must provide them to the Maryland Attorney General upon request.
Another critical requirement is the publication of privacy notices. These notices must be clear, accessible, and meaningful - typically made available on company websites. They should include:
Categories of personal data processed
Purposes for processing the data
Categories of third parties receiving the data
Instructions for consumers to exercise their rights
Details about any data sales or targeted advertising activities
Additionally, businesses must provide an active email address or an online mechanism for consumers to contact them.
"The relatively low applicability thresholds mean many small and mid-sized businesses will be covered." – McNees Law
Limited Business Exemptions
MODPA's broad applicability is further emphasized by the limited exemptions it provides. Unlike some other privacy laws, it does not offer blanket exemptions for small businesses, higher education institutions, or most nonprofit organizations. The few exemptions that exist are narrowly defined and come with specific conditions, ensuring that most businesses handling Maryland residents' data will need to comply, regardless of their size or industry.
The penalties for non-compliance are steep, reflecting the law's strictness. Initial violations can result in fines of up to $10,000, while repeat offenses can lead to fines as high as $25,000 under Maryland's Consumer Protection Act. Businesses have until April 1, 2027, to take advantage of the discretionary 60-day cure period, after which the Attorney General can enforce penalties without prior notice.
For businesses unfamiliar with privacy compliance, these requirements mark a substantial operational shift. Companies will need to map out their data flows, create systems for handling consumer requests, update privacy policies, and revise contracts with processors to align with MODPA. With the law taking effect on October 1, 2025, businesses have limited time to prepare for these sweeping changes. These regulations highlight the increasing importance of adopting robust privacy practices in today's digital landscape.
How MODPA Improves Data Minimization and Sensitive Data Protections
MODPA builds on existing compliance requirements by tightening rules around how businesses collect, use, and retain personal data. This law sets some of the toughest data minimization standards in the country, reshaping how companies handle personal information. For Maryland residents, this means stronger safeguards for their digital privacy.
Limits on Data Collection and Retention
Under MODPA, businesses can only collect personal data that is absolutely necessary to deliver the specific service requested by the consumer. This restriction applies across all stages - collection, processing, and sharing - and remains in place even if the consumer provides consent. Unlike other state privacy laws that allow broader data collection as long as the purpose is disclosed, MODPA enforces stricter limits, focusing solely on what is essential for the service.
The rules are even stricter for sensitive personal data. Businesses can only process this type of data if it is essential for the requested service, regardless of consumer consent.
"MODPA's robust data minimization requirements represent a significant evolution in U.S. privacy legislation, potentially reshaping how organizations approach data collection and retention practices nationwide." – Richt Law Firm
Additionally, businesses must implement systematic policies for data retention and deletion. Unlike some other privacy laws, MODPA does not allow exceptions for internal data use, such as product development.
Protections for Sensitive and Children's Data
MODPA takes a broad approach to defining sensitive data. Categories include racial or ethnic origin, religious beliefs, health data, sexual orientation, transgender or nonbinary status, national origin, immigration status, genetic and biometric data, children's personal data, and precise geolocation information. The law outright bans the sale of sensitive data, even if the consumer consents.
Children's data receives even stricter protections. Any personal data belonging to a known child is automatically treated as sensitive. Moreover, businesses are prohibited from processing or selling the personal data of individuals under 18 for targeted advertising if they "knew or should have known" the person’s age.
To ensure these protections are carried out effectively, MODPA requires businesses to conduct regular Data Protection Impact Assessments (DPIAs) for any activities that pose a heightened risk to consumers. These assessments are designed to identify and address potential risks associated with sensitive data processing.
"Maryland's privacy act requires controllers to conduct privacy impact assessments on a regular basis for each data activity that presents a heightened risk of harm to a consumer, 'including an assessment for each algorithm that is used.'" – Osano
MODPA also includes measures to prevent unfair treatment, ensuring that data practices do not result in discrimination.
Civil Rights and Anti-Discrimination Provisions
MODPA goes beyond data minimization by addressing discriminatory practices tied to personal data. It prohibits businesses from using or transferring data in ways that unlawfully discriminate or limit access to goods and services. These protections cover discrimination based on race, color, religion, national origin, sex, sexual orientation, gender identity, or disability.
The law also protects consumers from retaliation for exercising their privacy rights. Businesses cannot deny services, raise prices, or reduce service quality as a form of retribution. While the law ensures compliance with existing anti-discrimination laws, it does allow certain exceptions for legitimate activities like conducting self-tests to address biases, expanding applicant diversity, or running loyalty programs.
How to Protect Your Digital Privacy
While Maryland's MODPA law offers strong legal protections, taking charge of your personal information goes beyond relying on legislation. By pairing these safeguards with privacy-conscious tools and smart browsing habits, you can better defend yourself against intrusive data collection and tracking.
Understanding and Exercising Your Rights
MODPA gives Maryland residents several rights over their personal data. These include the ability to confirm if a company is processing your data, access and correct inaccuracies, delete information, and receive a copy of your data in a usable format. You can also find out which third parties have received your information and opt out of targeted advertising, data sales, or profiling.
To make the most of these rights, review privacy notices to understand what data is being collected and how to act on your rights. When you submit a request, companies must provide secure methods without requiring you to create a new account. If your request is denied, you have 60 days to appeal, and if that fails, businesses must connect you to the Maryland Attorney General's Consumer Protection Division for further action.
You can also streamline your privacy efforts with universal opt-out tools. By using browser settings or extensions that support signals like Global Privacy Control (GPC), you can automatically opt out of data processing for targeted ads or data sales across multiple websites without manually visiting each site.
When combined with privacy-enhancing tools, these rights give you a strong foundation for protecting your data.
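As an added example (not code from this article or from any product it mentions), the sketch below shows what a GPC signal looks like to a website and how a site could honor it together with the limits on targeted advertising and data sales described earlier. The Sec-GPC request header comes from the Global Privacy Control specification; the function names and the profile fields are hypothetical.

```javascript
// Added illustration. A browser with Global Privacy Control enabled sends
// the request header "Sec-GPC: 1"; the only defined value is "1".

// True when the request carries a valid GPC signal.
// Header names are case-insensitive, so compare them lowercased.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === '1';
  }
  return false;
}

// Decide which processing purposes are permitted for one request.
// `profile` is a hypothetical per-user record kept by the site:
//   storedOptOut - user opted out earlier through the site's own form
//   knownMinor   - site knows, or should know, the user is under 18
//   sensitive    - the data involved falls in a sensitive category
function allowedPurposes(headers, profile = {}) {
  const gpc = hasGpcSignal(headers);
  const optedOut = gpc || profile.storedOptOut === true;
  const minor = profile.knownMinor === true;
  const sensitive = profile.sensitive === true;
  return {
    // An opt-out or a known minor both block targeted advertising.
    targetedAds: !optedOut && !minor,
    // Sensitive data is never sold, whatever the consent state.
    saleOfData: !optedOut && !minor && !sensitive,
    // Record where the opt-out came from, for audit and appeals handling.
    optOutSource: gpc ? 'gpc' : (profile.storedOptOut ? 'account' : null),
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { label: 'GPC on', headers: { 'Sec-GPC': '1' }, profile: {} },
  { label: 'no signal', headers: { 'user-agent': 'x' }, profile: {} },
  { label: 'invalid value', headers: { 'sec-gpc': 'true' }, profile: {} },
  { label: 'minor, no signal', headers: {}, profile: { knownMinor: true } },
  { label: 'sensitive data', headers: {}, profile: { sensitive: true } },
];

for (const s of samples) {
  console.log(s.label, JSON.stringify(allowedPurposes(s.headers, s.profile)));
}
```

Any header value other than "1" is treated as no signal, so a request without a valid GPC header falls back to whatever opt-out the site has already stored for that user.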
Leveraging Decentralized VPNs and Privacy Tools
Traditional VPNs often rely on centralized servers, which can store user logs and create vulnerabilities. Decentralized VPNs (dVPNs) take a different approach by using peer-to-peer networks and blockchain technology. This eliminates central points of failure and enhances user anonymity.
"Decentralized VPNs do not store user logs, eliminating the risk of data breaches or misuse. Traffic is routed through multiple nodes, masking users' IP addresses and locations."
– Metana Editorial
MASQ's decentralized VPN, for example, not only hides your IP address and location but also aligns with MODPA's data minimization principles. Pairing dVPNs with privacy-focused tools like tracker-blocking browsers can further reduce the personal data collected about you. MASQ's browser goes a step further with built-in ad and tracker blocking, Web3 wallet integration, and automatic history deletion.
Additionally, the end-to-end encryption provided by dVPNs ensures your data remains secure during transmission, protecting it from interception or unauthorized access. These tools complement the security measures that MODPA requires businesses to implement, such as administrative and technical safeguards.
Enhancing Browser Privacy and Exploring Web3
Your browser plays a central role in managing sensitive data, making it a key area to focus on for privacy. Browsers like Firefox and Tor offer advanced tracker-blocking and security features to help protect your information.
"Your browser is the interface through which you'll engage with most of the internet, and as such it handles a huge amount of sensitive personal data. And you need to make sure you're using a secure browser, because that data is extremely valuable."
– Paulius Ilevičius, NordVPN
To maximize browser privacy, tweak your settings: disable third-party cookies, clear history regularly, and block trackers. Adjust permissions for devices like your camera, microphone, and location, and disable telemetry functions to limit unnecessary data sharing.
Web3 technologies offer a fresh approach to online privacy by giving users control over their digital identities and data. Unlike centralized Web2 services that collect and store large volumes of information, Web3 allows for selective data sharing and ownership.
"Web3 empowers users with greater control over their digital identities, personal data, and online interactions. Through self-sovereign identity solutions and decentralized identity management, individuals can selectively share their information and maintain ownership of their data."
– BlockApps Inc.
Decentralized Identities (DIDs) and Self-Sovereign Identity solutions enable you to manage your digital identity without relying on centralized entities. These tools align with MODPA's goal of reducing unnecessary data collection.
MASQ's Web3 browser brings these privacy-centric principles to life with features like decentralized storage via IPFS, integrated Web3 wallets, and a decentralized app store. To secure your presence in the Web3 space, use strong passwords with a password manager, enable Two-Factor Authentication, and protect your private keys and seed phrases. For additional security, consider using hardware wallets to store significant crypto assets offline, keeping them safe from online threats.
Conclusion: Maryland's Leadership in Digital Privacy
Maryland has taken a bold step forward in digital privacy with the Maryland Online Data Privacy Act (MODPA), setting a high bar for protecting personal information. MODPA introduces strict limits on data collection and outright bans the sale of sensitive data, even with consumer consent - a move that reshapes the way businesses handle personal information.
The law's approach to data protection stands out for its low consumer threshold, ensuring more individuals benefit from its safeguards. By mandating that data collection occurs only when absolutely necessary, MODPA prioritizes privacy over profit. This philosophy is reinforced by its unique prohibition on selling sensitive data, which privacy experts see as a significant departure from other state laws.
"MODPA has a number of provisions that go far beyond the comprehensive consumer privacy laws currently enacted in other states, including the California Consumer Privacy Act (CCPA). Rarely have we ever seen a privacy law that so discounts a consumer's consent. This outright prohibition [on selling sensitive data] is very unique among the new state laws."
– Gary Kibel, Partner, AdExchanger
Privacy advocates view MODPA as a potential game-changer, with many wondering if its stricter standards will inspire similar measures in other states. Alongside the legal framework, Maryland residents benefit from privacy-enhancing tools like MASQ's decentralized VPN and Web3 browser, providing an extra layer of protection. Starting in April 2026, the law will also enforce universal opt-out mechanisms, making privacy choices even more seamless.
"Still, Maryland residents are now some of the best protected in the nation. Other states should take the cue."
– R.J. Cross, Director, Our Online Life Program; and Don't Sell My Data Campaign, U.S. PIRG Education Fund
Maryland's approach proves that strong consumer protections can coexist with practical business compliance. It offers a vision of what meaningful digital privacy reform could look like across the United States.
FAQs
How is the Maryland Online Data Protection Act different from the California Consumer Privacy Act?
The Maryland Online Data Protection Act (MODPA) differs from the California Consumer Privacy Act (CCPA) in both scope and compliance requirements. MODPA applies to businesses managing data for at least 35,000 consumers annually, setting a lower threshold compared to the CCPA. Additionally, it places a stronger focus on data minimization and enforces stricter guidelines for handling sensitive information.
While the CCPA prioritizes consumer rights - such as the ability to access, delete, or opt out of data sharing - MODPA goes further by introducing tighter restrictions on how businesses process and manage data. This approach underscores Maryland's commitment to protecting consumer privacy with stricter controls and clearer obligations for companies.
What should small and mid-sized businesses do to prepare for the Maryland Online Data Protection Act before October 1, 2025?
To gear up for the Maryland Online Data Protection Act, small and mid-sized businesses should focus on a few essential steps:
Review your data practices: Take a close look at the personal data your business collects, processes, and stores. Create a detailed inventory to map out where the data comes from and how it’s being used.
Set up consumer rights processes: Establish systems to handle requests like accessing, correcting, or deleting data. Make sure your policies are straightforward, allowing consumers to easily exercise their rights.
Enhance cybersecurity protocols: Safeguard sensitive information by implementing strong security measures to prevent breaches or unauthorized access.
Be transparent and secure consent: Clearly communicate your data collection and usage practices. Make sure to obtain explicit opt-in consent for processing sensitive information.
By tackling these areas now, businesses can ensure compliance and build customer trust well before the October 1, 2025, deadline.
How does the Maryland Online Data Protection Act provide stronger privacy protections for minors?
The Maryland Online Data Protection Act (MODPA) introduces stricter privacy measures for minors, prohibiting the sale of personal data of anyone under 18, and its use for targeted advertising, when businesses are aware - or should reasonably be aware - of their age. This regulation goes a step further than many earlier laws by specifically addressing how data related to teenagers is handled.
MODPA also expands protections for minors aged 13 and older, limiting targeted advertising and the sale of their personal information. These provisions build upon federal laws like the Children’s Online Privacy Protection Act (COPPA), offering a wider net of protection against data exploitation and intrusive marketing directed at young users. By doing so, MODPA helps ensure greater online privacy and security for minors.