Last month, Maryland joined the growing list of states that have passed comprehensive privacy legislation. If the governor signs the state’s Online Data Privacy Act of 2024 (MODPA), the new law would require companies to fulfill requirements related to data minimization, protection of sensitive data, and the processing and sale of data of minors under the age of 18.

MODPA applies to a person who “conducts business” in Maryland or provides products or services targeted to Maryland residents and, during the preceding calendar year, either controlled or processed the personal data of at least (1) 35,000 consumers (excluding personal data controlled or processed solely to complete a payment transaction); or (2) 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data. MODPA does not apply to individuals acting in a commercial or employment context. It includes certain exemptions for financial institutions and data subject to the Gramm-Leach-Bliley Act. It also exempts information governed by the Health Information Portability and Accountability Act. While it exempts personal health information governed by HIPAA, it does not exempt HIPAA-covered organizations. It does not exempt non-profits or institutions of higher learning.

MODPA imposes certain obligations on organizations that must comply with the law. The Law:

• Imposes heightened data minimization requirements based on whether the data at issue is personal or sensitive. Controllers must limit their collection of personal data to what is necessary to provide a product or service the consumer requests. Controllers may not collect, process, or share sensitive consumer data unless it is required to provide a specific product or service the consumer requests.
• It prohibits the sale of sensitive data. Sensitive data would include information revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, gender status as transgender or nonbinary, national origin, and citizenship or immigration status. Sensitive data would also include genetic and biometric data, personal data of a consumer the controller knows or has reason to know is a child, and precise geolocation data.
• The legislation requires that organizations regularly conduct and document a data protection assessment for each of their “processing activities that present a heightened risk of harm to a consumer,” including an assessment for each algorithm. The legislation sets our instances in which processing presents a heightened risk of harm.
• Establishes guardrails regarding the processing and sale of minors’ personal data. Controllers cannot sell a consumer’s data or use that data for targeted advertising if the controller knows or should have known that the consumer is under 18. This prohibition is stricter than other laws that require actual knowledge of consumers’ age or allow consumers to opt in for the processing and sale of minors’ data.
• Provide consumers with a reasonably accessible, transparent, and meaningful privacy notice with specified elements. They must also honor certain enumerated consumer rights. Controllers have 45 days to respond to consumer rights requests, with the possibility of a 45-day extension.

Maryland’s Division of Consumer Protection Will Enforce MODPA

The bill does not explicitly give consumers a private right of action, but it does not prevent them from pursuing remedies provided by other laws.

If enacted, MODPA will take effect on October 1, 2025, but it does not affect or apply to any personal data processing activities before April 1, 2026.

Ensure your business is fully compliant and prepared with expert guidance from Achieved Compliance Solutions; contact us today.