Maryland Online Data Privacy Act (MODPA)

Overview

The Maryland Online Data Privacy Act (MODPA), enacted as House Bill 567, was signed by the Governor on May 9, 2024, and takes effect on October 1, 2025. MODPA is Maryland’s first comprehensive data privacy law and the eighteenth such law in the United States. It regulates how businesses handle personal data, grants Maryland residents rights over their information, and establishes enforcement mechanisms under the Maryland Consumer Protection Act.

Regulation Summary

  • May 9, 2024 – Signed into law by the Governor
  • October 1, 2025 – Law takes effect

MODPA applies to businesses that:

  • Conduct business in Maryland or target Maryland residents.
  • Annually process personal data of 35,000+ consumers (excluding data used solely for payment transactions).
  • Or process personal data of 10,000+ consumers while deriving over 20% of gross revenue from the sale of personal data.

MODPA exempts:

  • State agencies, courts, and other government bodies.
  • Financial institutions regulated under the Gramm–Leach–Bliley Act (GLBA).
  • National securities and registered futures associations.
  • Certain nonprofits processing data to assist law enforcement or first responders.
  • Data already regulated under HIPAA, FERPA, FCRA, DPPA, and other federal laws.

Businesses must:

  • Limit the collection of personal data to what is necessary.
  • Obtain consent before processing sensitive data.
  • Provide clear privacy notices detailing data practices.
  • Conduct risk assessments for high-risk activities like targeted ads, profiling, or selling personal data.
  • Implement administrative, technical, and physical security safeguards.
  • Stop processing within 15–30 days after consent is revoked.

Website operators must:

  • Display clear privacy policies.
  • Provide a prominent opt-out link for sales or targeted advertising.
  • By October 1, 2025, accept opt-out preference signals such as browser or device settings.
  • Ensure consumers are not required to create new accounts to exercise their rights.

  • Controllers must use contracts with processors containing detailed instructions.
  • Regular data protection assessments are required for risky processing.
  • Processors must maintain confidentiality and security.
  • At the end of service, processors must return or delete personal data unless retention is legally required.

Maryland residents gain the right to:

  • Access and correct their data.
  • Delete personal data.
  • Obtain portable copies of their data.
  • Opt out of sales, targeted advertising, or profiling.
  • Exercise opt-out rights through authorized agents or preference signals.

  • Authority: Maryland Division of Consumer Protection (Attorney General’s Office).
  • Penalties:
    • Up to $10,000 per violation.
    • Up to $25,000 per subsequent violation.
  • Cure period: Up to 60 days to correct violations, available until April 1, 2027, at the discretion of the Division.