Maryland's Data Privacy Law: What Businesses Need to Know

Maryland’s privacy law at a glance

  • Maryland’s Governor signed the Maryland Online Data Privacy Act (MODPA) on May 9, 2024; it takes effect October 1, 2025.

  • This act introduces several unique provisions and has a much broader scope than most other state privacy laws, with the National Law Review calling it “unique and operationally challenging.”

  • Keep reading to learn who’s subject to Maryland’s privacy law, what’s required of businesses under its scope, and how the MODPA is different from other state privacy laws in the US.

  • At the end, you’ll find a 7-step Maryland privacy law compliance checklist.

Who’s subject to Maryland’s privacy law?

Maryland’s privacy law applies to businesses that conduct operations in Maryland or target their goods or services to Maryland residents. Notably, the threshold for compliance is lower than that of most other state privacy laws.

To fall under the MODPA’s scope, businesses must:

  • Control or process the personal data of at least 35,000 Maryland residents OR 

  • Control or process the personal data of 10,000 Maryland residents, while deriving more than 20% of their gross revenue from the sale of personal data.

This lower threshold broadens the scope of entities subject to the law and means that businesses that could sidestep the law in other states may end up needing to comply.

Compliance requirements under Maryland’s privacy law

Maryland's privacy law establishes comprehensive compliance requirements aimed at protecting consumer data and ensuring transparency in data practices. Here's a breakdown of the key obligations for controllers and processors under the law:

Use of Universal Opt-Out Mechanisms (UOOMs)

  • Controllers must allow consumers to communicate their privacy preferences through online UOOMs.

  • Maryland permits the use of UOOMs approved by other states to satisfy this requirement, streamlining compliance efforts for businesses operating across multiple jurisdictions.

Revoking consent

  • Controllers must give consumers a mechanism to revoke consent for the processing of their personal data.

  • If consent is revoked, controllers must stop processing the data as soon as possible, within a maximum time frame of 30 days.

Access to consumer health data

  • Controllers and processors must ensure employees and contractors are bound by a duty of confidentiality before accessing consumer health data.

  • Data collection must be limited to what is reasonably necessary and proportionate to provide or maintain specific products or services, unless explicit consent is obtained from the consumer.

Data security practices

  • Controllers and processors are required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices.

  • These practices aim to protect the confidentiality, integrity, and accessibility of personal data, safeguarding it from unauthorized access.

Disclosure and opt-out mechanisms

  • Controllers must clearly disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising or profiling.

  • Consumers must be provided with a clear method to opt out of such processing activities, ensuring transparency and consumer choice.

Data protection impact assessments

  • Controllers must conduct a data protection impact assessment for processing activities presenting a heightened risk of harm to the consumer.

  • This requirement applies to processing activities occurring on or after October 1, 2025, promoting proactive risk assessment and mitigation measures.

Maryland's privacy law outlines stringent compliance obligations for entities handling consumer data. Businesses falling under the scope of this law should start working towards compliance now.

How Maryland’s privacy law compares to other state privacy laws
Maryland's Online Data Privacy Act (MODPA) distinguishes itself from other state privacy laws through several notable provisions:

Data minimization

MODPA imposes a strict standard on data minimization, requiring controllers to limit the collection of personal data to what is "reasonably necessary and proportionate" for providing or maintaining a specific product or service requested by the consumer. This surpasses the typical standard found in other laws, which often focus on collection for disclosed purposes outlined in privacy notices.

For sensitive data, MODPA prohibits collection or processing unless it is "strictly necessary" for fulfilling a consumer's product or service request, with no exceptions for consumer consent, setting a higher bar for data protection.

Sensitive data processing

While many laws mandate opt-in consent for processing sensitive data, MODPA takes a more stringent approach by restricting such processing unless strictly necessary for fulfilling a consumer's request.

Children's data privacy

MODPA includes specific provisions safeguarding children's data privacy, prohibiting the processing of children's data for targeted advertising purposes without parental consent.

Unlawful discrimination

MODPA introduces a novel provision prohibiting the processing of personal data in a manner that unlawfully discriminates based on protected characteristics, a feature not commonly found in other state privacy laws.

Low applicability threshold

MODPA applies to companies handling data of at least 35,000 consumers, setting a lower threshold compared to laws in Colorado, Connecticut, Virginia, and other states. This may necessitate compliance efforts from smaller businesses.

While MODPA draws inspiration from the Washington Privacy Act model, it also introduces novel consumer protection concepts related to data minimization, sensitive data handling, children's privacy, and anti-discrimination measures, setting a new standard in state privacy legislation.

Maryland privacy law compliance checklist

1) Conduct a compliance assessment

Begin with a thorough review of your company's data practices to determine if the law applies. Assess whether you meet the thresholds outlined in the legislation—if you do, start laying the groundwork for compliance measures.

2) Complete a data inventory

Create a comprehensive map of the personal data your business collects, processes, and stores. Identify the types of data involved in each activity, along with the purpose and legal basis for each. With a comprehensive data inventory in place, you can then conduct a thorough gap analysis and compliance risk assessment.

3) Establish mechanisms for DSR fulfillment

Set up processes for consumers to exercise their rights under the law, such as access, correction, deletion, and data portability requests. Ensure procedures for verifying consumer identity and timely response. Next-generation tools like Transcend DSR Automation can help your teams automate this process end-to-end.

4) Implement a consent management solution

Compliant consent management requires collecting and enforcing consent preferences across all your digital interfaces, including websites, web apps, mobile apps, backend data stores, and more. Transcend’s full-stack Consent Management helps ensure consumer consent preferences are honored from client-side UI to backend opt-outs, and also covers browser-based signals like GPC, LDU, and other Do Not Sell signals—across all domains, apps, and regions.

5) Conduct data protection assessments

Maryland's law mandates assessments before high-risk processing activities like selling personal data or targeted advertising. Document assessment results, including risk analysis and mitigation measures, with tools like Transcend Assessments.

6) Implement privacy notices

Develop clear, concise privacy notices informing consumers about data practices, including collection purposes, data categories, and consumer rights. Ensure transparency and accessibility to build trust and compliance.

7) Honor universal opt-out mechanisms

Prepare to recognize and respect universal opt-out signals for targeted advertising, data sales, and profiling. Update systems and processes to accommodate opt-out preferences, ensuring seamless implementation by the enforcement deadline.

Conclusion

Maryland's Online Data Privacy Act introduces several unique provisions that significantly impact businesses' data processing practices. Compliance with MODPA requires careful consideration and planning to navigate its operational and legal challenges effectively. As the October 1, 2025, effective date approaches, businesses operating in or targeting Maryland should prioritize understanding and implementing measures to ensure compliance with MODPA's requirements.
About Transcend

Transcend is a next-generation platform for privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing—including getting you ready for new legislation like Maryland's data privacy law.

From Consent Management, to automated DSR Fulfillment, to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.
