Privacy Guide · April 24, 2026 · 8 min read

Privacy Laws in Maryland: What You Need to Know

By Sarah Chen

Head of Privacy Research

Maryland now has one of the strongest consumer privacy laws in the United States. The Maryland Online Data Privacy Act (MODPA) took effect on October 1, 2025, with full enforcement beginning on April 1, 2026. What sets MODPA apart from most state privacy laws is its strict treatment of sensitive data — categories like health information, biometrics, and data related to gender-affirming care and reproductive health cannot be sold under any circumstances, even with consumer consent. Here is everything Maryland residents need to know about their privacy rights under this landmark law.

The Maryland Online Data Privacy Act (MODPA)

MODPA was signed into law in 2024 and represents Maryland's first comprehensive consumer data privacy statute. It joins a growing wave of state privacy legislation across the country, but goes significantly further than most in restricting how businesses collect and use personal data — particularly sensitive categories.

The law applies to organizations that conduct business in Maryland or target Maryland residents and meet at least one of the following thresholds during a calendar year:

  • Process the personal data of 35,000 or more consumers (excluding data processed solely for completing payment transactions), or
  • Derive 20% or more of gross revenue from selling personal data and process the data of 10,000 or more consumers

Data Minimization: A Higher Standard

One of MODPA's most significant provisions is its data minimization requirement. Unlike many state privacy laws that focus primarily on consumer rights after data is collected, Maryland requires businesses to limit collection at the front end.

Under MODPA, organizations may only collect personal data that is reasonably necessary and proportionate to the purpose for which it is being processed. This means companies cannot vacuum up every available data point and figure out how to use it later. They must have a defined, legitimate reason for each piece of data they collect — and the collection must be proportionate to that reason.

This approach shifts the burden from consumers (who must opt out) to businesses (who must justify what they collect in the first place). It is one of the features that make MODPA one of the strongest privacy frameworks at the state level.

Why Data Minimization Matters

Most data breaches expose information that companies never needed to collect in the first place. When a business stores your date of birth, Social Security number, or health conditions without a necessary purpose, it creates risk with no corresponding benefit to you. MODPA's minimization standard directly addresses this by requiring companies to collect only what they actually need.

Sensitive Data: The Strongest Protections in Any State

MODPA's treatment of sensitive data is where the law truly sets itself apart. Sensitive data under MODPA includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Health conditions and diagnoses
  • Gender-affirming care information
  • Reproductive and sexual health care data
  • Sexual orientation
  • Biometric data
  • Precise geolocation data
  • Data concerning children under 18
  • Immigration or citizenship status

Under MODPA, sensitive data may be processed only when strictly necessary to provide a product or service specifically requested by the consumer. This is a higher bar than most states, which typically allow processing of sensitive data with opt-in consent.

Most critically, sensitive data cannot be sold — period. Even if a consumer provides explicit consent, businesses are prohibited from selling sensitive data categories. This bright-line rule has no exceptions and represents a significant departure from the consent-based frameworks used in states like Virginia and Colorado.

No Targeted Advertising to Children Under 18

MODPA prohibits targeted advertising directed at consumers known to be under 18 years of age. This goes further than many state laws that set the threshold at 13 or 16. Businesses that collect data from minors must treat all of it as sensitive and cannot use it for advertising purposes under any circumstances.

Your Rights Under MODPA

As a Maryland resident, MODPA gives you the following rights over your personal data:

Right to Confirm Processing

You can ask any covered business whether they are processing your personal data. The business must provide a clear yes-or-no answer.

Right to Access

You have the right to access the specific personal data a business has collected about you in a clear and understandable format.

Right to Correct

If a business holds inaccurate personal data about you, you can request that they correct it. This is particularly important for information that could affect credit decisions, insurance pricing, or employment background checks.

Right to Delete

You can request that a business delete the personal data it has collected from you, with limited exceptions for data needed to complete a transaction or comply with a legal obligation.

Right to Data Portability

You can obtain a portable copy of your personal data in a format that allows you to transfer it to another service.

Right to Opt Out

You have the right to opt out of the processing of your personal data for purposes of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.

Security Requirements and Data Protection Assessments

MODPA requires businesses to implement reasonable administrative, technical, and physical security measures to protect personal data. While the law does not prescribe specific technical standards, it expects security practices that are appropriate to the volume and sensitivity of the data being processed.

Additionally, businesses must conduct data protection assessments for high-risk processing activities such as processing sensitive data, selling personal data, targeted advertising, and profiling. These assessments must weigh the benefits of processing against the potential risks to consumer privacy and be made available to the Attorney General upon request.

Enforcement: How MODPA Is Policed

MODPA is enforced exclusively by the Maryland Attorney General. There is no private right of action — individual consumers cannot file lawsuits against businesses for violations. If you believe a business has violated your rights, you file a complaint with the AG's office.

The enforcement framework includes a graduated penalty structure:

  • Notice and cure period: The AG can issue a notice of violation, giving the business a 60-day period to cure the issue
  • First violation: Penalties of up to $10,000 per violation
  • Subsequent violations: Penalties of up to $25,000 per violation

With enforcement now active as of April 1, 2026, businesses that have not yet come into compliance face real financial consequences.

How MODPA Compares to Other State Privacy Laws

MODPA stands out from the growing list of state privacy laws in several important ways:

  • Stricter data minimization: While most state laws focus on consumer opt-out rights, MODPA limits what businesses can collect in the first place
  • Absolute ban on selling sensitive data: Other states allow sensitive data sales with consent. Maryland bans it entirely
  • Broader definition of children: MODPA protects all minors under 18 from targeted advertising, while many states use a threshold of 13 or 16
  • Gender-affirming and reproductive care protections: MODPA explicitly includes these categories as sensitive data, reflecting concerns about the misuse of health data
  • Higher penalties: With fines of up to $25,000 for subsequent violations, MODPA's penalties exceed those in several other state frameworks

How to Protect Your Privacy in Maryland

MODPA gives Maryland residents powerful rights, but exercising them across every company that holds your data requires effort and persistence. Here is how to take full advantage of the law:

  1. Know what is out there. Search for your name on Google and popular people search sites to understand what personal data is publicly available. You may be surprised by how much is exposed.
  2. Submit opt-out and deletion requests. Use the privacy links on company websites to opt out of data sales and targeted advertising. Request deletion of data you do not want businesses to hold.
  3. Exercise your right to correct. If you find inaccurate information about yourself — common on data broker sites — use your correction rights under MODPA to demand it be fixed.
  4. File complaints when businesses do not comply. If a business ignores your request or fails to respond within the required timeframe, file a complaint with the Maryland Attorney General. The AG's office needs consumer reports to identify and pursue the worst offenders.
  5. Automate your data removal with PrivacyOn. Data brokers are persistent — they re-list your information from public records and commercial databases even after you submit removal requests. PrivacyOn removes your personal data from over 100 data broker sites, monitors for re-listings, and provides dark web monitoring to alert you if your information appears in places you cannot reach on your own. It is the most effective way to complement your MODPA rights with ongoing, automated protection.

Maryland's MODPA represents a significant step forward for consumer privacy in the United States — especially its refusal to allow any sale of sensitive data and its emphasis on data minimization. But even the strongest law cannot eliminate every data broker or prevent every re-listing. Combining your legal rights with a service like PrivacyOn ensures your personal information stays protected — not just on paper, but in practice.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
