Strictest of any comprehensive state privacy law: data minimization required, sale of sensitive data prohibited even with consent, no cure period. Effective October 1, 2025.
Effective: 2025-10-01
Penalty max: $10,000
Cure period: None
Honor GPC: Required
Overview
The Maryland Online Data Privacy Act (MODPA) took effect October 1, 2025, and is the strictest comprehensive state privacy law in the country today. MODPA introduces three obligations not found in most other state laws. First, true data minimization: you can only collect personal data 'reasonably necessary and proportionate' to the specific product or service the consumer requests, not whatever you disclose in a privacy policy. Second, MODPA outright prohibits the sale of sensitive personal data (precise geolocation, health, race, ethnicity, religion, sexual orientation, citizenship status, biometric data), even with the consumer's consent. Third, MODPA has no cure period at all from the date of effectiveness, so the AG can bring enforcement actions immediately. The applicability threshold is also low: 35,000 residents (or 10,000 residents plus 20% or more of revenue from selling personal data).
Who it applies to
Businesses processing personal data of 35,000+ Maryland residents annually.
Businesses processing personal data of 10,000+ Maryland residents AND deriving 20%+ of revenue from selling personal data.
Consumer rights
Right to access: Consumers can request a copy of the personal data you hold about them.
Right to correction: Consumers can request you correct inaccurate personal data.
Right to deletion: Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability: Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale: Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising: Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling: Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
What this means for e-commerce
MODPA is the strictest comprehensive state privacy law in the country today. Three things make it stand out: (1) data minimization: you can only collect personal data 'reasonably necessary' for the requested service, not for any business purpose you disclose; (2) an outright prohibition on the sale of sensitive personal data, even with consent; (3) no cure period from day one. Maryland also has a low 35K-resident threshold. Treat Maryland as a top compliance priority.
Penalties & enforcement
Enforced by the Maryland Attorney General. Penalties range from $0 to $10,000 per violation.
The cure period sunset on 2025-10-01 — the AG can bring enforcement actions immediately upon finding a violation, without first giving you time to fix the problem.
Compliance checklist
Audit data collection practices to ensure you only collect what's 'reasonably necessary' for the requested service (Maryland-specific data minimization)
Stop selling any sensitive personal data — even with consent (Maryland-specific prohibition)
Add a 'Your Privacy Choices' link in the site footer
Configure your site to detect and honor Global Privacy Control (GPC) signals
Update privacy policy with MODPA-required disclosures
Implement a 45-day consumer request response process
Conduct data protection assessments for high-risk processing
Treat Maryland as a top compliance priority — no cure period means no warning before enforcement
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.