An Overview of Maryland’s Online Data Privacy Act of 2024

I. Introduction

The Maryland Legislature approved the Maryland Online Data Privacy Act (MODPA) on April 6, 2024, and the governor signed it into law on May 9, 2024. The landmark law imposes stringent regulations on how organizations collect, use, and share personal data. Organizations subject to MODPA will likely be required to update their state law compliance programs in accordance with the legislation, which goes into effect on October 1, 2025.

Despite its enactment on 1 October 2025, the MODPA will not impact or apply to any personal data processing activities prior to 1 April 2026. In addition, the MODPA bans the sale of sensitive personal data without exception, taking a unique and unprecedented approach compared to previously enacted state privacy laws across the United States.

Although MODPA draws inspiration from other state data privacy laws being introduced and enacted across the United States, the law also stands out due to its robust consumer rights and obligations for controllers and processors.

II. Who Needs to Comply with the MODPA

A. Material Scope

The MODPA applies to organizations that conduct business in Maryland or provide products and services targeted to Maryland residents and, that during the immediately preceding calendar year:

• controlled or processed the personal information of at least 35,000 customers, excluding information handled or processed only to fulfill a payment transaction; or
• controlled or processed the personal data of at least 10,000 customers and derived more than 20% of gross revenue from the sale of personal data.

B. Exemptions

The MODPA exempts certain entities from the application of its provisions, including the following:

• A regulatory, administrative, advisory, executive, appointive, legislative, or judicial body or a state entity, including a board, bureau, commission, unit, or a political subdivision;
• A National Securities Association which is registered under Section 15 of the Federal Securities Exchange Act of 1934 or a Registered Futures Association designated in accordance with Section 17 of the Federal Commodity Exchange Act;
• A financial institution or an affiliate of a financial institution governed by the federal Gramm-Leach-Bliley Act (GLBA) and the regulations made in accordance with it; or
• A nonprofit controller that processes or shares personal data solely for the purposes of assisting (a) law enforcement agencies in investigating criminal or fraudulent acts related to insurance or (b) first responders in responding to catastrophic events.

Notably, there are certain types of data which are exempted from the application of MODPA:

• Protected health information under HIPAA;
• Patient–identifying data for the purposes of 42 U.S.C § 290DD-2;
• Identifiable private data that is used for purposes of the federal policy for the protection of human subjects in accordance with 45 C.F.R. § 46;
• Identifiable private data to the extent that it is collected and used as part of human subjects research in accordance with the ICH 36 Good Clinical Practice Guidelines;
• Work products for patient safety which are created and used to promote patient safety;
• Personal data that is collected, maintained, disclosed, sold, communicated, or used in compliance with the federal Fair Credit Reporting Act;
• Personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act;
• Personal data regulated by the federal Family Educational Rights and Privacy Act;
• Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act;
• Personal data collected, processed, sold, or disclosed in relation to price, route, or service by an air carrier subject to the Federal Airline Deregulation Act;
• Employment-related data;
• Data processed or maintained as the emergency contact information of a consumer if the data is used for emergency contact purposes; and
• Personal data to the extent it is collected for, provided to, or used by a person regulated under the Insurance Article or an affiliate of such a person, in furtherance of the business of insurance.

III. Definitions of Key Terms

A. Biometric Data

Data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer’s identity. It includes a fingerprint, a voice print, an eye retina or iris image, and any other unique biological characteristics that can be used to uniquely authenticate a consumer’s identity. Biometric data does not include a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph or an audio or video recording, unless the data is generated to identify a specific consumer.

B. Consent

A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose. It includes a written statement, a written statement by electronic means, or any other unambiguous affirmative action. Consent does not include: (a) the acceptance of a general or broad terms of use or similar document which contains descriptions of personal data processing along with other unrelated information; (b) hovering over, muting, pausing, or closing a piece of content; or (c) agreement obtained through the use of dark patterns.

C. Personal Data

Any information that is linked or can be reasonably linked to an identified or identifiable consumer. Personal data does not include de-identified data or publicly available information.

D. Sensitive Data

Any personal data that includes data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, citizenship or immigration status, genetic data or biometric data, personal data of a consumer that the controller knows or has reason to know is a child or precise geolocation data (within a 1,750-feet radius).

IV. Obligations for Organizations Under MODPA

Under the law, organizations have multiple obligations, such as:

A. Consent Requirements

Controllers are responsible for ensuring that consumers withdraw their consent using an effective mechanism that is no more difficult to use than the one they used to provide their consent. In the event that a consumer chooses to opt-out, the controller must cease using their personal data as soon as practicable but no later than 30 days after the request is received.

B. Data Minimization Requirements and Purpose Limitation

Controllers must ensure that personal data collection is limited to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer and must limit its collection, processing, and sharing of sensitive data to what is "strictly necessary" to provide or maintain a specific product or service.

The law restricts controllers from processing personal data that is neither reasonably necessary nor compatible with the disclosed purpose communicated initially unless the controllers obtain the consumer’s consent before processing personal data.

C. Prohibition on Selling Sensitive Data

MODPA prohibits the collection, processing, and sharing of sensitive data concerning a consumer, except when necessary to provide or maintain a specific product or service requested by the consumer. In addition, the MODPA heightens protections for minors' data. Controllers cannot process a consumer's personal data for purposes of targeted advertising or sell it if the controller “knew or should have known that the consumer is under the age of 18.”

D. Privacy Notice and Disclosure Requirements

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that contains the following details:

• the categories of personal data, including sensitive data, that the controller processes;
• the controller’s purpose for processing personal data;
• the methods by which a consumer may exercise their consumer rights, including appeals and revoking consent.
• the categories of third parties with which the controller shares personal data in sufficient detail for a consumer to comprehend the nature, business model, or processing method employed by each third party;
• the categories of personal data, particularly sensitive data, that the controller provides to other parties, and
• a working email account or other online method by which a consumer may contact the controller.

A controller must clearly and conspicuously disclose the sale or processing of personal data and how a consumer may exercise their right to opt-out of the sale or processing if the data is sold to third parties, processed for targeted advertising, or used to profile the consumer against decisions that have legal or similarly significant effects. The disclosure must be prominently displayed, using clear, easy-to-understand, and unambiguous language, stating whether personal data will be sold or shared with third parties.

The privacy notice must establish one or more secure and reliable methods for consumers to submit requests to exercise their rights. These methods must take into account:

• How consumers normally interact with the controller.
• The need for secure and reliable communication of consumer requests.
• The controller’s ability to verify the identity of the requesting consumer.

E. Requirement for Opt-out Mechanism

The controller should provide:

• A clear and conspicuous link on their website to a webpage where consumers or their authorized agents can opt-out of targeted advertising or the sale of personal data.
• By 1 October 2025, controllers must allow consumers to opt-out of data processing for targeted advertising or any sale of personal data via an opt-out preference signal sent by a platform, technology, or mechanism, with the consumer's consent, indicating their intent to opt-out.

The law specifies standards for the opt-out mechanism:

• The platform, technology, or mechanism must be easy for the average consumer to use.
• Must use clear, easy-to-understand, and unambiguous language.
• It should be as consistent as possible with other similar platforms, technologies, or mechanisms required by federal or state law or regulation.
• It must enable the controller to reasonably determine if the consumer is a state resident and if the opt-out request is legitimate.
• It must require consumers to make an affirmative, unambiguous, and voluntary choice to opt-out of data processing.

Furthermore, the controller should ensure that:

• The platform, technology, or mechanism used must not unfairly disadvantage another controller.
• It should not use a default setting to opt consumers out of data processing.

If a consumer opts out of data processing for targeted advertising or the sale of personal data via an opt-out preference signal, and this conflicts with the consumer's existing controller-specific privacy settings or their participation in certain programs, the controller must notify the consumer of the conflict. After notifying the consumer of the conflict, the controller must provide the consumer with the choice to either:

• Confirm their existing controller-specific privacy settings, or
• Continue participating in programs such as bona fide loyalty, rewards, premium features, discounts, or club card programs.

A controller that recognizes and adheres to opt-out signals approved by other states will be considered compliant with this law.

F. Non-Discrimination

Controllers must not collect, process, or transfer personal data or publicly available data in a manner that unlawfully discriminates or makes unavailable the equal enjoyment of goods or services based on race, color, religion, national origin, sex, sexual orientation, gender identity, or disability This prohibition does not apply if the data collection, processing, or transfer is for:

• Self-testing to prevent or mitigate unlawful discrimination.
• Diversifying an applicant, participant, or customer pool.
• Private clubs or groups not open to the public, as defined by the Civil Rights Act of 1964.

Controllers are not required to provide a product or service that requires personal data they do not collect or maintain. Controllers are allowed to offer different prices, rates, levels, quality, or selections of goods or services if this is part of a voluntary bona fide loyalty, rewards, premium features, discounts, or club card program.

G. Security Requirements

Controllers are required to establish, implement, and maintain reasonable administrative, technological, and physical data security protocols to safeguard the privacy, integrity, and accessibility of personal data. Data security procedures must be appropriate to the volume and kind of personal data being processed by the controller.

H. Data Protection Impact Assessment

Controllers must conduct data protection impact assessments (DPIAs) on a regular basis for each of the controller’s processing activities, which present a heightened risk of harm to a consumer. A data protection assessment must identify and balance the potential benefits to the controller, the consumer, other interested parties, and the public that may arise from the processing, both directly and indirectly, against any potential risks to the consumer's rights that may be mitigated by the controller using safeguards to reduce these risks, as well as the necessity and proportionality of the processing in relation to the processing's stated purpose.

The controller shall factor into a data protection assessment:

• the use of de-identified data;
• the reasonable expectations of consumers;
• the context of the processing; and
• the relationship between the controller and the consumer whose personal data will be processed.

Data protection assessments must be kept confidential and are exempted from disclosure under the federal Freedom of Information Act or the Public Information Act. Moreover, a single assessment can cover comparable processing operations with similar activities. Assessments conducted for other laws may suffice if reasonably similar in scope and effect.

This requirement applies to processing activities on or after October 1, 2025.

V. Processing Deidentified Data

The law does not require a controller or processor to re-identify de-identified data or obtain, maintain, or access data in identifiable form for the purpose of allowing the controller or processor to associate a consumer request with personal data. The controller is also not required to comply with an authenticated consumer request to exercise a right under the law, if:

• Either the controller does not have the reasonable capacity to associate the request with the personal data, or it would be unreasonably burdensome for it to associate the request with the personal data;
• personal data is not being used by the controller to recognize or respond to the consumer who is the subject of the personal data; and
• personal data is not being sold or disclosed to any third party other than a processor.

A controller that discloses de-identified data should:

• Reasonably monitor compliance with any contractual commitments related to the de-identified data that it has disclosed.
• If there are any breaches of these contractual commitments, the controller is required to take appropriate steps to address them.

Moreover, data subject rights do not apply to pseudonymous data.

VI. Processor Agreements

When a controller engages the help of a processor to handle consumer personal data processing, the controller and processor must enter a contract that specifies the processor's data processing procedures for processing done on the controller's behalf. The contract shall be binding and must specify the instructions for processing data, the nature and purpose of processing, the categories of data subject processing, the duration of processing, and each party's rights and responsibilities. Also, these contracts should also bind the processor to a duty of confidentiality pertaining to the processing of personal data.

Moreover, any subcontractor engaged by a processor pursuant to a written contract is also bound by the same obligations. Processors must follow the controller's instructions and assist the controller in fulfilling his or her obligations, including those relating to the security of personal data processing and security breach notifications.

In addition, a processor shall assist the controller in meeting its obligations under MODPA, including, as much as reasonably practicable, fulfilling the controller’s obligation to respond to consumer rights requests and meeting the controller’s obligations in relation to the notification of a breach of the system's security.

VII. Data Subject Rights

A. Right to Confirm and Access

Consumers have the right to confirm whether a controller is processing their personal data and accessing their personal data.

B. Right to Correction

Consumers have the right to correct inaccuracies in their personal data.

C. Right to Delete

Consumers have the right to require a controller to delete their personal data unless retention of the personal data is required by law. If a controller obtained personal data from another source, they can comply with deletion requests by retaining a record of the deletion request and the minimum data necessary to ensure the data remains deleted and is not used for any other purpose.

D. Right to Portability

Consumers have the right to obtain a copy of their personal data (if personal data processing is done by automatic means) in a portable and, to the extent technically feasible, readily usable format that enables the consumer to transmit the data to another controller without hindrance.

E. Right to Transparency

Consumers have the right to obtain a list of the categories of third parties to which the controller has disclosed their personal data.

F. Right to Opt-Out

Consumers have the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Consumers can designate an authorized agent to opt out of data processing on their behalf. Controllers are not required to authenticate opt-out requests.

VIII. DSR Request

• Means to submit DSR request: A consumer may exercise a right by submitting an authenticated request to a controller, by means prescribed by the controller, specifying the right the consumer intends to exercise. In the instance of processing personal data concerning a child, the parent or legal guardian of the child can exercise a right on the child's behalf. In the case of processing personal data concerning a consumer subject to guardianship, conservatorship, or other protective arrangements, the guardian or the conservator of the consumer shall exercise a right on the consumer's behalf. If a controller cannot authenticate a request using commercially reasonable efforts, they are not required to comply but must inform the consumer and request additional information for authentication.
• Time period to fulfill DSR request: A controller shall comply with a consumer's request to exercise a right within 45 days after the day on which a controller has received that particular request. The controller then shall take action on the consumer's request and inform the consumer of any action taken on the consumer's request.
• Extension in the time period: An additional 45 days can be granted if it is reasonably necessary to comply with the request, considering the complexity of the request or the volume of requests received by the controller. In such cases, the controller is to inform the consumer of the extension and provide reasons for the extension.
• Declining Requests: If a request is declined, the controller must inform the consumer within 45 days, providing justification and instructions on how to appeal the decision
• Appeal Process: Controllers must establish a process for consumers to appeal a decision within a reasonable period after receiving a decision. The appeal process must be clearly available and similar to the process for submitting initial requests. Controllers must respond to appeals within 60 days, providing a written explanation of any action taken or reasons for not taking action. If an appeal is denied, controllers must provide an online mechanism (if available) for consumers to contact the relevant division to submit a complaint.
• Charges: Controllers must provide information to consumers free of charge once per year. If the request is a consumer's second or subsequent request within the same 12-month period, a controller may charge a reasonable fee. A controller may also charge a reasonable fee to cover the administrative costs of complying with a request or refuse to act on a request if:
• the request is excessive, repetitive, technically infeasible as per the law; or
• the controller considers that the primary goal for the submitted request was something other than exercising a right; or
• the request disrupts or imposes an undue burden on the resources of the controller’s business.

IX. Limitations

The law contains important substantive exemptions, including:

• Data processed for legal obligations: This law does not prevent a controller or processor from complying with other applicable laws, asserting or defending legal claims, or cooperating with government authorities or investigations.
• Data processed to perform contractual obligations: Nothing in this law restricts a controller or processor from complying with contractual obligations with the consumer.
• Data processed to protect life and physical safety: Nothing in this legislation prevents a controller or processor from taking prompt action to defend an interest that is vital to the consumer's or another natural person's life or physical safety, and if another legal basis cannot justify the processing.
• Data processed for security purposes: Nothing in this law prevents a controller or processor from processing data to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; maintain the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
• Data processed for internal purposes: Nothing in this law restricts a controller or processor from processing personal data to conduct internal research to identify, improve, or repair products, services, or technology, including technical errors that impair existing or intended functionality, or undertake internal operations reasonably aligned with the consumer’s expectations for the performance of a service or provision of a product.

X. Regulatory Authority

Maryland’s attorney general has exclusive enforcement power. With respect to an alleged violation on or before April 1, 2027, the attorney general may issue a notice of violation and a 60-day opportunity to cure it.

XI. Penalties for Non-Compliance

If the controller or processor fails to remedy the issue within those 60 days, the attorney general can initiate an enforcement action. Penalties can be up to $10,000 per violation, but if the fine is in connection with a repeat violation, it may cost up to $25,000 for each violation.

XII. How an Organization Can Operationalize the MODPA

Organizations can operationalize Maryland’s Online Data Privacy Act (MODPA) by:

• Establishing clearly defined policies and procedures for processing data in compliance with  MODPA’s provisions;
• Developing clear and accessible understandable privacy notices that comply with MODPA’s requirements;
• Obtaining explicit consent from users before processing their personal data;
• Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
• Train employees who handle the consumers’ data on the organization's policies and procedures, as well as the requirements of the MODPA.

XIII. How Securiti Can Help

Securiti’s Data Command Center enables organizations to comply with Maryland’s Online Data Privacy Act (MODPA) by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.