Maryland Passes the Online Data Privacy Act of 2024: What You Need to Know About MODPA

Written by

Achieved Compliance

Last month, Maryland joined the growing list of states that have passed comprehensive privacy legislation with the Online Data Privacy Act of 2024 (MODPA). If the governor signs the bill, the new law will require companies to comply with data protection requirements covering data minimization, safeguarding sensitive data, and the processing and sale of data of minors under the age of 18.

MODPA applies to individuals or entities that "conduct business" in Maryland or offer products or services to Maryland residents. To be subject to MODPA, an entity must have, in the preceding year, controlled or processed the personal data of at least 35,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or of at least 10,000 consumers while deriving over 20% of its gross revenue from the sale of personal data. Exclusions apply to individuals acting in commercial or employment contexts, and there are exemptions for financial institutions and for data governed by specific statutes such as Gramm-Leach-Bliley and HIPAA. Notably, MODPA does not exempt HIPAA-covered organizations, non-profits, or higher education institutions.

MODPA Imposes Certain Obligations on Organizations That Must Comply With the Law:

  • Imposes heightened data minimization requirements that differ depending on whether the data at issue is personal or sensitive. Controllers must limit their collection of personal data to what is reasonably necessary and proportionate to provide a product or service requested by the consumer to whom the data pertains. Controllers may not collect, process, or share sensitive consumer data unless doing so is strictly necessary to provide a specific product or service requested by the consumer to whom the personal data pertains.
  • Prohibits the sale of sensitive data. Sensitive data encompasses categories such as racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, and citizenship or immigration status. It also includes genetic and biometric data, information about minors, and precise geolocation data.
  • Requires organizations to regularly conduct and document data protection assessments for "processing activities posing a heightened risk of harm to a consumer". This includes assessing each algorithm used. The legislation outlines the instances in which processing is considered to present a heightened risk of harm.
  • Establishes guardrails on the processing and sale of minors' personal data. Controllers are prohibited from selling a consumer's personal data or using that data for targeted advertising if they knew or should have known that the consumer is under 18. This prohibition is stricter than other state laws, which require actual knowledge of a consumer's age or offer opt-in opportunities for processing and selling minors' data.
  • Requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes specified elements. Controllers must also honor certain enumerated consumer rights and have 45 days to respond to consumer rights requests, with an option for a 45-day extension.

Key Details and Timeline

Maryland's Division of Consumer Protection will enforce MODPA. While the bill does not grant consumers a private right of action, it does not prohibit them from seeking remedies under other laws. If signed into law, MODPA will come into effect on October 1, 2025, but it will not apply retroactively to any personal data processing activities that take place before April 1, 2026.

Navigating the new requirements of Maryland's Online Data Privacy Act of 2024 (MODPA) can be challenging. Ensure your business is fully compliant and prepared with expert guidance from Achieved Compliance Solutions; contact us today.
