Senior Content Marketing Manager II
May 16, 2024
Maryland’s privacy law applies to businesses that conduct operations in Maryland or target their goods or services to Maryland residents. Notably, the threshold for compliance is lower than most other state privacy laws.
To fall under the MODPA’s scope, businesses must:
This lower threshold broadens the scope of entities subject to the law and means that businesses that could sidestep the law in other states may end up needing to comply.
Maryland's privacy law establishes comprehensive compliance requirements aimed at protecting consumer data and ensuring transparency in data practices. Here's a breakdown of the key obligations for controllers and processors under the law:
Use of Universal Opt-Out Mechanisms (UOOMs)
Revoking consent
Access to consumer health data
Data security practices
Disclosure and opt-out mechanisms
Data protection impact assessments
Maryland's privacy law outlines stringent compliance obligations for entities handling consumer data. Businesses falling under the scope of this law should start working towards compliance now.
Maryland's Online Data Privacy Act (MODPA) distinguishes itself from other state privacy laws through several notable provisions:
MODPA imposes a strict standard on data minimization, requiring controllers to limit the collection of personal data to what is "reasonably necessary and proportionate" for providing or maintaining a specific product or service requested by the consumer. This surpasses the typical standard found in other laws, which often focus on collection for disclosed purposes outlined in privacy notices.
For sensitive data, MODPA prohibits collection or processing unless it is "strictly necessary" for fulfilling a consumer's product or service request, with no exceptions for consumer consent, setting a higher bar for data protection.
While many laws mandate opt-in consent for processing sensitive data, MODPA takes a more stringent approach by restricting such processing unless strictly necessary for fulfilling a consumer's request.
MODPA includes specific provisions safeguarding children's data privacy, prohibiting the processing of children's data for targeted advertising purposes without parental consent.
MODPA introduces a novel provision prohibiting the processing of personal data in a manner that unlawfully discriminates based on protected characteristics, a feature not commonly found in other state privacy laws.
MODPA applies to companies handling data of at least 35,000 consumers, setting a lower threshold compared to laws in Colorado, Connecticut, Virginia, and other states. This may necessitate compliance efforts from smaller businesses.
While MODPA draws inspiration from the Washington Privacy Act model, it also introduces novel consumer protection concepts related to data minimization, sensitive data handling, children's privacy, and anti-discrimination measures, setting a new standard in state privacy legislation.
Begin with a thorough review of your company's data practices to determine if the law applies. Assess whether you meet the thresholds outlined in the legislation—if you do, start laying the groundwork for compliance measures.
Create a comprehensive map of the personal data your business collects, processes, and stores. Make sure to identify types of data collected, processed, and stored, along with purposes and legal basis for each activity. With a comprehensive data inventory, you can then conduct a thorough gap analysis and compliance risk assessment.
Set up processes for consumers to exercise their rights under the law, such as access, correction, deletion, and data portability requests. Establish procedures for verifying consumer identity and responding in a timely manner. Next-generation tools like Transcend DSR Automation can help your teams automate this process end-to-end.
Compliant consent management requires collecting and enforcing consent preferences across all your digital interfaces, including websites, web apps, mobile apps, backend data stores, and more. Full-stack Transcend Consent Management helps ensure consumer consent preferences are honored from client-side UI to backend opt-outs, and covers browser-based signals like GPC, LDU, and other Do Not Sell signals across all domains, apps, and regions.
Maryland's law mandates assessments before high-risk processing activities like selling personal data or targeted advertising. Document assessment results, including risk analysis and mitigation measures, with tools like Transcend Assessments.
Develop clear, concise privacy notices informing consumers about data practices, including collection purposes, data categories, and consumer rights. Ensure transparency and accessibility to build trust and compliance.
Prepare to recognize and respect universal opt-out signals for targeted advertising, data sales, and profiling. Update systems and processes to accommodate opt-out preferences, ensuring seamless implementation by the enforcement deadline.
Maryland's Online Data Privacy Act introduces several unique provisions that significantly impact businesses' data processing practices. Compliance with MODPA requires careful consideration and planning to navigate its operational and legal challenges effectively. As the October 1, 2025, effective date approaches, businesses operating in or targeting Maryland should prioritize understanding and implementing measures to ensure compliance with MODPA's requirements.
Transcend is a next-generation platform for privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing, including getting you ready for new legislation like Maryland's data privacy law.
From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.