MODPA is Maryland’s comprehensive data privacy law, effective from October 1, 2025, and enforceable for data processing after April 1, 2026. It grants Maryland residents enhanced rights over their personal and sensitive data and places strict obligations on controllers and processors.
MODPA compliance measures include:
Update privacy policy:
Updating privacy policies.
Implement consent management:
Implement cookie consent banners and opt-out flows to obtain clear, affirmative consent.
Data subject handling:
Establishing processes for handling data subject requests.
Data security:
Ensuring data security measures are in place.
Review and disclose data and cookie practices:
Disclose data handling practices, including collection, storage and sharing of cookie types, purposes, etc.
Data management:
Practice data minimization (collect only what is needed) and conduct data protection assessments.
Compliance with MODPA is required of any entity that:
Does business in Maryland or targets its residents; and
In the prior calendar year, processed:
Personal data of ≥ 35,000 Maryland consumers, or
Personal data of ≥ 10,000 Maryland consumers, plus > 20% of gross revenue from data sales.
Exemptions include:
Maryland state and local government bodies
Entities under GLBA or securities laws
Certain nonprofits and first responders
Data regulated by HIPAA, FCRA, FERPA, Driver’s Privacy Protection Act, Farm Credit, etc.
Under MODPA, consumers have the following rights:
Consumers can access and confirm processing of personal data
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers have a right to port/download/transmit their information in a usable format
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect
Consumers can obtain a list of specific third parties who received their data
Controllers must honor opt-out requests within 30 days and offer consent withdrawal mechanisms as accessible as consent itself.
Under MODPA, any cookies used for targeted advertising, profiling, or sale of personal data are subject to consumer rights. Cookies must be restricted to what is “reasonably necessary and proportionate” for the service requested. Non-essential cookies require opt-out options, and sensitive data cookies are banned unless strictly necessary.
Clear, conspicuous notices must inform users about cookie use and provide a user-friendly mechanism to decline non-essential cookies. Required cookie banners must include an opt-out option for non-essential cookies (i.e., not strictly necessary for product/service delivery).
Cookies used for targeted ads or profiling must be minimized, with explicit user consent and easy withdrawal mechanisms.
Maryland’s Consumer Protection Act classifies violations of data privacy as unfair or deceptive trade practices. The Attorney General may issue a 60-day cure period (until April 1, 2027) before enforcement. Penalties can include up to 10,000 USD per violation and up to 25,000 USD for repeated violations.
Compliance with MODPA requires a number of specific actions. In addition, organizations should work toward the following data privacy best practices:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Check third-party contracts:
Review third-party data-sharing practices
It applies to organizations doing business in Maryland or targeting its residents and meeting thresholds (data volume or revenue from selling data). Data processing after April 1, 2026, falls under enforcement.
Any information linked or reasonably linkable to an identifiable consumer (excluding deidentified or public data).
Personal data revealing race, religion, health, sex life, sexual orientation, gender identity, citizenship, genetic/biometric data, child data, or precise geolocation (within 1,750 ft).
Enforcement is done by the Maryland Attorney General’s Consumer Protection Division.
Exemptions cover state bodies, GLBA-regulated financial entities, certain nonprofits/first responders, and data already regulated by HIPAA, FCRA, FERPA, etc.
Visit the Maryland General Assembly website (SB 541) for guidance.
©2018-2025 CookieHub ehf.