Maryland Passes Privacy Law

The Maryland Legislature passed the Maryland Online Data Privacy Act of 2024 (MODPA), joining other states like New Jersey, New Hampshire, Kentucky, and Nebraska in passing privacy laws in 2024.

The Maryland law is unique because it bans the sale of sensitive data and has more stringent restrictions on the sale or use of data for targeted advertising to consumers under 18. Here are the key elements of the Maryland privacy law that will go into effect on October 1, 2025.

Applicability

The law will apply to organizations that conduct business in the state or sell services and products to Maryland residents and met one of the following criteria in the previous year:

  • Controlled or processed the data of at least 35,000 consumers, excluding data for the sole purpose of completing payment transactions
  • Controlled or processed the data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data

The Maryland privacy law exempts organizations and data subject to HIPAA and the GLBA. Further, the law does not apply to non-profit organizations that are assisting law enforcement agencies investigating insurance crimes or first responders responding to catastrophic events.

Consumer Rights

Maryland’s privacy law grants consumers the following rights:

  • Confirm whether a controller processes the consumer’s personal data and access that personal data
  • Correct inaccuracies in their data
  • Delete personal data
  • Obtain a copy of the personal data held by the controller if the processing of the data is done by automatic means
  • Opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or certain types of profiling
  • Obtain a list of third parties or categories of third parties the controller has shared personal data with

Business Obligations

The Maryland privacy law places the following requirements and restrictions on businesses:

  • Businesses must limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains
  • Selling sensitive data is prohibited. Sensitive data includes data that reveals racial and ethnic origins, religious beliefs, health information, sex life and sexual orientation, gender status, immigration status, genetic or biometric data, the data of a child, and precise geolocation data.
  • Processing data for targeted advertising is prohibited if the business knows or should have known that the consumer is under 18
  • Selling the personal data of a consumer known to be under 18 is prohibited without consent
  • Implement and maintain reasonable safeguards to protect the personal data within their control
  • Do not discriminate against a consumer for exercising any of the consumer rights
  • Establish a secure and reliable method to enable a consumer to submit a request to exercise consumer rights
  • Provide a mechanism to consumers to revoke consent
  • Gain the consumer’s consent before processing sensitive data

Businesses must respond to consumer requests within 45 days. A 45-day extension is available when reasonably necessary.

Privacy Notice

The Maryland privacy law requires businesses to provide a “reasonably accessible, clear, and meaningful” privacy notice that includes the following:

  • The categories of personal data the controller processes
  • The purpose for processing personal data
  • How consumers may exercise their rights, including how a consumer may appeal a controller’s decision concerning the consumer’s request
  • The categories of personal data that the controller shares with third parties
  • An active e-mail address or other online mechanism a consumer may use to contact the controller
  • How consumers can opt out of the selling of their data for targeted advertising

Data Protection Impact Assessments

The Maryland Online Data Privacy Act requires businesses to conduct and document a data protection assessment of each of the following processing activities:

  • Processing personal data for targeted advertising
  • The sale of personal data
  • Processing data for profiling
  • Processing sensitive data
  • Processing data that presents a heightened risk of consumer harm

Enforcement

Enforcement is the responsibility of the Maryland Attorney General. There is no private right of action. If the AG believes a violation can be cured, there is a 60-day right-to-cure period; this provision expires on April 1, 2027.

Learn how the MODPA compares with other state laws that were previously passed here.

CompliancePoint can help your organization comply with GDPR, CCPA, and all other state privacy laws. Reach out to us at connect@compliancepoint.com to learn more about our privacy services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.