
Maryland Set To Join The Ranks Of States With Comprehensive Data Privacy Laws

On April 6, 2024, Maryland passed the Maryland Online Data Privacy Act of 2024 (MODPA). Once Governor Wes Moore signs it, the state will join 15 others with comprehensive consumer privacy laws on the books. Here are the highlights:





When does it take effect?

The law would take effect on October 1, 2025, but will not have any effect on or application to any personal data processing activities before April 1, 2026.


Who does it apply to?

MODPA will apply to any person who conducts business in Maryland and to anyone who provides services or products that are targeted to Maryland residents. The following conditions also must be met for the law to apply to an entity:

  • During the immediately preceding calendar year, the entity must have either:

      • Processed or controlled the personal data of at least 35,000 Maryland consumers (excluding data processed or controlled solely for completing payment transactions); or

      • Processed or controlled personal data of at least 10,000 Maryland consumers and derived more than 20% of their gross revenue from the sale of that personal data.

These thresholds are lower than the majority of other state-level consumer privacy laws.

(Note: A consumer is defined by this bill as an individual who is a resident of Maryland and who acts only in the individual context.)


What constitutes “personal data”?

As in other data privacy laws, consumer data is defined as information that is linked or can be reasonably linked to an identified or identifiable individual. De-identified data and data that is publicly available are excluded from this definition.


What will enforcement look like?

Maryland’s attorney general will have exclusive enforcement power. If a violation occurs on or before April 1, 2027, there will be a 60-day cure period. If the processor fails to comply within the cure period, an enforcement action can be initiated with a penalty of up to $10,000 per violation. Repeat violations may cost up to $25,000 per violation.


Are there exemptions?

Yes, MODPA includes a short list of exempt entities. There are exemptions for:

  • Judicial, administrative, advisory, legislative, appointive, and regulatory bodies of the state of Maryland.

  • Nonprofits that process data only to assist law enforcement investigations regarding insurance-related criminal or fraudulent acts or first responders to catastrophic events.

  • National securities associations under the Securities Exchange Act of 1934 or registered futures associations under the Commodity Exchange Act.

  • Financial institutions or affiliates subject to the Gramm-Leach-Bliley Act.


What are the obligations?

Under MODPA, Controllers are required to:

  • Limit the collection of data to what is reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer.

  • Avoid processing personal data for secondary reasons (any purpose that is not reasonably necessary or compatible with the disclosed purpose) without the consumer’s consent.

  • Not sell sensitive data.

  • Not process personal data for targeted advertising, or sell personal data, if the controller knew or should have known that the personal data related to a consumer who is under 18 years old.

  • Provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the disclosures now common under state consumer privacy laws.


What are the consumers’ rights under MODPA?

Consumer rights under MODPA resemble those of most other privacy bills and include:

  • The right to confirm if the consumer’s data is being processed and the right to access said data.

  • The right to correct and/or delete personal data.

  • The right to data portability.

  • The right to opt out of targeted advertising, sale of personal data, and profiling.

  • Appellate rights for requests that have not been fulfilled.


Sensitive Data

MODPA handles sensitive data similarly to other state privacy laws, but differs in its treatment of consumer health data. The bill covers consumer health data that a controller uses to identify a consumer’s physical or mental health status, including data related to gender-affirming treatment and reproductive or sexual healthcare. There is no definition in the bill for “physical or mental health status”. The controller must be using this data to identify a consumer’s health status for this part of the bill to be triggered.


This is not an exhaustive list of coverages in MODPA, though the bulk of the bill is very similar to other existing state-level privacy laws.


