Maryland’s “New Gold Standard” Privacy Law: The Maryland Online Data Privacy Act (MODPA) and Its Implications for Tech Companies


By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering

Disclaimer: This article is for educational purposes only and does not constitute legal advice.

Introduction

On May 9, 2024, the Maryland Online Data Privacy Act (“MODPA” or the “Act”) was signed into law by Governor Wes Moore, making Maryland one more U.S. state with a comprehensive data-privacy statute. (White & Case) The law takes effect on October 1, 2025, although it does not apply to personal data processing activities that occur before April 1, 2026. (Lowenstein Sandler)

As tech companies, SaaS providers, and the counsel supporting them prepare for increasingly complex regulatory regimes, MODPA merits special attention. It mirrors key features of other state-level statutes but also introduces lower applicability thresholds, expanded definitions (especially around “sensitive data” and minors), and more demanding governance obligations. For organizations involved in M&A, venture funding, or platform monetization, MODPA is a significant compliance milestone.

Statutory text: Maryland General Assembly, 2024 Regular Session, House Bill 567 (cross-filed as Senate Bill 541).

This article provides a detailed breakdown of MODPA’s key provisions, examines how it differs from earlier state laws, and offers practical considerations for compliance and risk management.


Scope & Applicability

MODPA applies to any “controller” or “processor” that meets both of the following criteria:

  • The entity does business in Maryland, or offers products or services targeted to Maryland residents. (Clifford Chance)
  • During the preceding calendar year, the entity either:
    • Controlled or processed the personal data of at least 35,000 Maryland consumers, excluding personal data processed solely to complete a payment transaction; or (Lowenstein Sandler)
    • Controlled or processed the personal data of at least 10,000 Maryland consumers and derived more than 20% of its gross revenue from the sale of personal data. (White & Case)

These thresholds are among the lowest of any U.S. state privacy law. Small SaaS providers or niche platform businesses that fall below the 100,000-consumer threshold common in other states may find themselves in scope in Maryland.

Exemptions exist, but are narrower than many may anticipate. The Act exempts certain entities (state or local government agencies, national securities associations, financial institutions subject to the Gramm-Leach-Bliley Act), but it does not broadly exempt institutions of higher education or most non-profit organizations, and its HIPAA exemption covers protected health information rather than covered entities as a whole. (Clifford Chance)


Key Consumer Rights Under MODPA

Beginning October 1, 2025, Maryland consumers (Maryland residents acting in an individual or household capacity, not in an employment or business-to-business context) will have the following rights:

  • Right of access: to confirm whether a controller is processing their personal data, and if so, to obtain a copy in a readily usable format. (White & Case)
  • Right to correction: to request correction of inaccurate personal data. (White & Case)
  • Right to deletion: to request deletion of personal data provided by or obtained about them, unless retention is required by law. (Clifford Chance)
  • Right to data portability: to obtain personal data in a usable format for transfer to another controller. (White & Case)
  • Right to know third-party recipients: to obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data or, if the controller does not maintain that information in a consumer-specific format, the categories of third parties to which it has disclosed any consumer’s personal data. (White & Case)
  • Opt-out rights: to opt out of (a) the sale of their personal data, (b) processing of personal data for “targeted advertising,” and (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. (CookieYes)

Controllers must respond to a consumer request within 45 days of receipt. The period may be extended once by a further 45 days where reasonably necessary, provided the consumer is notified of the extension within the initial period. (White & Case)


Controller / Processor Obligations & Prohibitions

Obligations

Controllers must implement and maintain “reasonable administrative, technical, and physical data-security practices” appropriate to the risk. (White & Case)

Controllers must also provide a “reasonably accessible, clear and meaningful privacy notice” that includes the categories of personal data processed, the categories of third parties that receive it, the purposes of processing (including whether data is processed for targeted advertising or profiling), how consumers may exercise their rights and appeal a controller’s decision, and an active email address or other online contact mechanism. (Securiti)

If processing is based on the consumer’s consent, the controller must offer a mechanism to revoke that consent that is “at least as easy” to use as the mechanism used to give it. Upon revocation, the controller must stop the consented processing as soon as practicable and no later than 30 days after receiving the revocation. (White & Case)

For any processing that presents a “heightened risk of harm” to a consumer, the controller must conduct and document a data protection assessment (DPA) before beginning the processing, and must make it available to the Attorney General on request. MODPA is notably broad here: an assessment is required for processing sensitive data, selling personal data, processing for targeted advertising, profiling that presents specified risks, and for each algorithm used in such processing. (Baker Donelson)

Prohibitions

Several of MODPA’s provisions depart from typical state laws and impose stricter constraints:

  • Data minimization: Controllers may collect or process personal data only to the extent “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” This is more restrictive than the purpose-limitation standard (“adequate, relevant and reasonably necessary in relation to the disclosed purposes”) used in most other state laws. (Cooley)
  • Sensitive data: MODPA defines “sensitive data” broadly (including racial or ethnic origin; religious or philosophical beliefs; physical or mental health status; gender-affirming care; sex life or sexual orientation; biometric or genetic data; citizenship or immigration status; precise geolocation data; and data of a known child, among others). Controllers may not sell sensitive data under any circumstances, and may not collect, process, or share it unless doing so is strictly necessary to provide or maintain a specific product or service requested by the consumer. Consent does not substitute for strict necessity. (Clifford Chance)
  • Minors (under age 18): A controller may not sell the personal data of, or process it for targeted advertising to, a consumer the controller knew or should have known is under 18. The Act’s definition of “targeted advertising” is broad, so this reaches most cross-context behavioral advertising. (Cooley)
  • Non-discrimination: The controller must not discriminate against a consumer for exercising their rights (for example, by denying service or charging a different price) unless the difference is reasonably related to the value the controller derives from the personal data, as in a bona fide loyalty program. (Securiti)

Enforcement & Penalties

MODPA does not create a private right of action. A violation is treated as an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act, and enforcement rests with the Consumer Protection Division of the Office of the Attorney General of Maryland. (White & Case)

Until April 1, 2027, before bringing a civil action the Attorney General may (but is not required to) issue a notice of violation and allow the controller or processor 60 days to cure, if the Division determines that a cure is possible; after that date the cure opportunity lapses. If the violation is not cured, the A.G. may seek injunctive relief, civil penalties, and attorney’s fees. Civil penalties can reach $10,000 for each violation and $25,000 for each repeated violation. (White & Case)

Notably, although the Act takes effect on October 1, 2025, it states that it has no application to personal data processing activities before April 1, 2026. In practice, enforcement therefore begins on that date, and obligations such as honoring universal opt-out mechanisms are measured from it. (McNees Wallace & Nurick LLC)


Key Compliance Implications for Cybersecurity & Privacy Practitioners

For counsel and the privacy and security engineering teams supporting technology and SaaS companies (especially those operating in multi-state or cross-border contexts), MODPA introduces several important implications:

  1. Re-evaluate scope of coverage: Because the thresholds are relatively low (35,000 consumers or 10,000 + 20% revenue from data sales), organizations that previously assumed they were “below the threshold” may need to revisit applicability.
  2. Review business models around data monetization: MODPA’s definition of “sale” is broad (the exchange of personal data for monetary or other valuable consideration), and there is no consent pathway for selling sensitive data; such sales are prohibited outright. If your client sells or shares personal data, or analytics built on that data, the affected flows need to be identified now. (Clifford Chance)
  3. Audit third-party tracking / advertising practices: Given the strict limitations around targeted advertising, processing sensitive data, and universal opt-out mechanisms, companies that rely on ad-tech or third-party data may face compliance gaps.
  4. Tighten data-minimization and “strict necessity” standards: The requirement that data collection be “reasonably necessary and proportionate to a specific product/service requested by the consumer” is more rigorous than many existing state laws. Many legacy data-collection practices (broad analytics, profiling, cookie tracking) may not satisfy this test.
  5. Governance and documentation requirements: Controllers must undertake data-protection assessments for high-risk processing, update contracts with processors to align with MODPA, publish clear privacy notices and opt-out mechanisms, and maintain rights-request processes.
  6. Integration with cybersecurity risk management: Privacy and cybersecurity converge under MODPA’s requirements around security practices, data-protection assessments, and documentation. Organizations should integrate privacy risk into their broader security frameworks, vulnerability-assessment programs, and incident-response plans.
  7. M&A and funding diligence: For firms conducting M&A or funding in SaaS/tech, MODPA introduces new diligence questions: coverage of Maryland operations, past tracking/advertising practices, monetization of personal data, adequacy of third-party contracts, presence of data-impact assessments, and readiness of rights-request procedures.

For organizations within the scope (or likely to be), the following timeline is recommended:

  • Immediately (now to Q4 2025)
    • Perform a scoping exercise: quantify Maryland-resident data subject population, evaluate revenue from personal‐data sales, assess whether the company targets Maryland residents.
    • Inventory all data-collection practices, especially tracking, profiling, targeted advertising, sensitive data collection, minors’ data, third-party data sharing.
    • Map all data flows (particularly controllers vs. processors) and identify any existing gaps in contractual arrangements.
    • Review and update the privacy notice and rights-request procedures to align with MODPA (access, correction, deletion, portability, opt-out).
    • Develop a draft data-minimization strategy tied to products/services: identify data elements that are strictly necessary vs. optional.
    • Plan for systems changes: universal opt-out mechanism (UOOM) compliance by April 2026, updating consent/revocation workflows, data-impact assessment processes.
    • Engage cybersecurity & privacy functions together: ensure security controls, incident-response readiness, data-protection assessments are aligned with privacy obligations.
  • Short-Term (Effective date October 1, 2025 to early 2026)
    • Ensure all eligible consumer rights request mechanisms are operational and tested.
    • Start performing data-protection assessments for processing activities deemed “high risk.”
    • Monitor enforcement guidance from the Maryland Attorney General (response timelines, cure-period practice, which opt-out signals are treated as recognized, etc.).
    • Train internal stakeholders (product, marketing, legal, engineering) on the “strict necessity” standard and limitations around sensitive data.
  • Medium Term (April 1, 2026 onward)
    • Implement recognition of universal opt-out mechanisms (UOOM) and ensure the technology stack honors recognized browser signals such as Global Privacy Control for sale and targeted-advertising opt-outs. (PIRG)
    • Monitor any Maryland enforcement actions or Attorney General guidance for precedent and adjust compliance practices accordingly.
    • Include MODPA compliance as part of ongoing privacy governance programs: risk assessments, audits, vendor management, incident response.
    • Integrate MODPA-specific work into audit, SOC 2, ISO 27001, and ISO 27701 programs (especially for providers of services to Maryland residents).
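As an added illustration of the signal handling the medium-term step above calls for (this is example code written for this article, not part of the Act, of any cited commentary, or of any vendor's product): the Global Privacy Control specification defines the HTTP request header "Sec-GPC: 1" as the user's opt-out signal, and no other header value. The snippet below shows how a Python service can recognize that header strictly, merge it with opt-outs already on file, and produce an auditable decision on whether a request may be used for sale or targeted advertising. "ConsumerPrefs", "evaluate_request", "record_signal" and the sample header sets are hypothetical constructions for this example; whether GPC counts as a "recognized" signal under MODPA is a legal determination that sits outside the code.

```python
"""Honoring the Global Privacy Control (GPC) signal as a universal opt-out.

Added example, not part of the MODPA text or any vendor's code. The only
external fact relied on is the GPC specification's wire format: the browser
sends the request header "Sec-GPC: 1" when the user has turned the signal on.
Everything else (ConsumerPrefs, Decision, the sample requests) is hypothetical.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Set

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive
OPT_OUT_PURPOSES = frozenset({"sale", "targeted_advertising"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for the exact value "1"; the GPC spec defines no other value.

    "0", "true", "" and a missing header are all treated as "no signal", so
    an absent header is never read as consent and an odd value is never
    read as an opt-out that later has to be unwound.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPrefs:
    """Hypothetical per-consumer record of opt-outs already on file."""
    opted_out: Set[str]  # subset of OPT_OUT_PURPOSES


@dataclass(frozen=True)
class Decision:
    blocked: frozenset  # purposes this request must not be used for
    reason: str         # audit-trail text for the rights-request log


def evaluate_request(headers: Mapping[str, str],
                     prefs: Optional[ConsumerPrefs]) -> Decision:
    """Merge the browser signal with stored opt-outs.

    Opt-outs only accumulate here: a request arriving without the header
    does not undo an opt-out the consumer recorded earlier.
    """
    stored = set(prefs.opted_out) if prefs else set()
    if gpc_signal_present(headers):
        return Decision(frozenset(OPT_OUT_PURPOSES | stored),
                        "Sec-GPC: 1 received; opted out of sale and targeted advertising")
    if stored:
        return Decision(frozenset(stored), "no signal; applying stored opt-outs")
    return Decision(frozenset(), "no signal and no stored opt-out")


def record_signal(headers: Mapping[str, str], prefs: ConsumerPrefs) -> ConsumerPrefs:
    """Persist a received signal for a known (logged-in) consumer so the
    opt-out survives sessions and devices that do not send the header."""
    if gpc_signal_present(headers):
        prefs.opted_out |= OPT_OUT_PURPOSES
    return prefs


def may_use_for(decision: Decision, purpose: str) -> bool:
    """Gate an individual downstream use (ad-tech call, data-broker feed)."""
    return purpose not in decision.blocked


# Constructed sample requests for this example; not captured traffic.
SAMPLE_REQUESTS = {
    "gpc_on": {"Host": "example.test", "Sec-GPC": "1"},
    "lowercase_header": {"host": "example.test", "sec-gpc": "1"},
    "malformed_value": {"Host": "example.test", "Sec-GPC": "true"},
    "no_signal": {"Host": "example.test"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        d = evaluate_request(hdrs, None)
        print(f"{label:17} blocked={sorted(d.blocked)} ({d.reason})")
```

Two design points worth carrying into a real implementation: the strict "1" check keeps a malformed or spoofed value from silently flipping a consumer into or out of an opt-out, and the "reason" string gives the rights-request process the documentation trail the Act's assessment and response obligations call for. On the client side, the same signal is exposed to page scripts as navigator.globalPrivacyControl, which lets front-end tag managers suppress advertising calls before a request ever reaches the server.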

Conclusion

For technology and SaaS companies, and the legal and cybersecurity advisers supporting them, the Maryland Online Data Privacy Act represents a significant regulatory development with real operational and governance implications. While the law shares familiar features with other U.S. state privacy laws, its lower thresholds, stricter data-minimization standard, broad definition of sensitive data, and robust consumer rights establish it as a “next-generation” model.

From a compliance perspective, organizations must calibrate their privacy and security programs not only to meet current obligations but also to anticipate ongoing evolution of privacy laws across states and sectors. Incorporating MODPA readiness into due-diligence processes, product development, data monetization strategies, and vendor/third-party management will be critical to mitigating legal, financial, and reputational risk.

If you are advising clients in the SaaS, digital-platform, ad-tech, or B2C space, or if you are preparing your internal program for compliance, I encourage you to treat October 1, 2025, as a hard milestone and to begin the conceptual and operational work now.
