Maryland MODPA Enforcement Starts April 1, 2026: What Businesses Must Know
The Maryland Online Data Privacy Act (MODPA), signed into law in May 2024, officially becomes enforceable on April 1, 2026. While the law took effect on October 1, 2025, the six-month delayed enforcement window was designed to give businesses time to adapt. That window closes in days.
MODPA is widely regarded as the strictest comprehensive state privacy law in the United States, surpassing even California's CCPA/CPRA in several key areas. If your business collects personal data from Maryland residents, you need to understand what makes this law unique and what enforcement looks like.
Who Must Comply with MODPA?
MODPA applies to businesses that conduct business in Maryland or target Maryland residents and meet either of these thresholds:
- Process personal data of 35,000+ Maryland consumers (excluding data processed solely for payment transactions), OR
- Process data of 10,000+ consumers AND derive more than 20% of gross revenue from selling personal data
The 35,000-consumer threshold is lower than many states (Virginia and Colorado use 100,000), which means more businesses are in scope. Use our Privacy Law Calculator to check if MODPA applies to your business.
Notably, MODPA exempts certain entities and data types, including government entities, nonprofits, higher education institutions, data subject to HIPAA, GLBA, FCRA, or FERPA, and employment-context data.
What Makes MODPA the Strictest State Privacy Law?
Several provisions set MODPA apart from the 20+ other state privacy laws:
1. True Data Minimization (Not Just Purpose Limitation)
Most state laws require that data collection be "reasonably necessary" for disclosed purposes — businesses define those purposes broadly. MODPA flips this: collection must be "reasonably necessary and proportionate" to provide the specific product or service the consumer requested. You cannot collect data for advertising, analytics, or other secondary purposes unless they are strictly necessary to deliver what the consumer asked for. Read our full guide on data minimization under state privacy laws.
2. Consent Cannot Override Minimization
Under most state laws, if a consumer consents, you can collect and use data beyond what is strictly necessary. MODPA does not allow this. Even with explicit consumer consent, you cannot collect data that is not reasonably necessary. This is a fundamental departure from the "notice and consent" framework used in most US privacy laws.
3. Sensitive Data Can Never Be Sold
MODPA categorically bans the sale of sensitive personal data, including racial or ethnic origin, religious beliefs, health data, sexual orientation, citizenship status, and genetic or biometric data. Other state laws generally allow the sale of sensitive data with opt-in consent — Maryland says no.
4. Strong Minor Protections
Businesses cannot process personal data of consumers they know or should know are under 18 for purposes of targeted advertising. This is broader than most state laws, which typically set the age threshold at 13 (matching COPPA) or 16.
5. No Private Right of Action — AG Enforcement Only
Only the Maryland Attorney General can enforce MODPA. There is no private right of action, which means individual consumers cannot sue businesses directly for violations. This is consistent with most state privacy laws except California.
Enforcement Mechanics: What to Expect
Starting April 1, 2026, the Maryland Attorney General's office can investigate potential violations and take enforcement action. Here is how it works:
| Enforcement Element | Details |
|---|---|
| Enforcement authority | Maryland Attorney General (exclusive) |
| Cure period | 60 days to cure a violation after receiving notice from the AG |
| Cure period expiration | The 60-day cure period sunsets on April 1, 2027 — after that date, the AG is not required to offer a cure opportunity |
| First violation penalty | Up to $10,000 per violation |
| Subsequent violation penalty | Up to $25,000 per violation |
| Scope of enforcement | Applies only to data collection and processing activities occurring ON or AFTER April 1, 2026 |
| Private right of action | None — consumers cannot sue directly |
Last-Minute Compliance Checklist
If you have not yet prepared for MODPA enforcement, here are the critical steps to take immediately:
| Priority | Action | Why It Matters |
|---|---|---|
| Critical | Audit data collection points | Identify every form, cookie, SDK, API, and integration that collects personal data from Maryland consumers. Eliminate any collection that is not strictly necessary to provide your product or service. |
| Critical | Stop selling sensitive data | If you sell any sensitive data category (health, racial, biometric, genetic, etc.), you must stop immediately for Maryland consumers. There is no consent exception. |
| Critical | Disable targeted advertising for minors | Implement age-gating or age-estimation mechanisms. If you know or should know a consumer is under 18, do not serve them targeted ads based on their personal data. |
| High | Update your privacy policy | Disclose specific purposes for each data category collected. Generic language like "to improve services" is insufficient under MODPA's strict purpose limitation. |
| High | Implement consumer rights processes | MODPA grants consumers rights to access, correct, delete, and port their data, plus the right to opt out of targeted advertising and data sales. Ensure you have processes to handle these requests within the required timeframes. |
| High | Conduct a data protection assessment | MODPA requires DPIAs for high-risk processing: targeted advertising, data sales, profiling, sensitive data processing, and processing children's data. |
| Medium | Review vendor contracts | Ensure all data processor agreements include MODPA-compliant terms. You are responsible for downstream data use by processors. |
| Medium | Train your team | Customer support, marketing, and product teams need to understand the new restrictions, particularly around data minimization and sensitive data handling. |
MODPA vs. Other State Laws: Key Comparisons
How does MODPA stack up against other major state privacy laws? Use our comparison tool for a full side-by-side analysis.
| Feature | Maryland (MODPA) | California (CCPA/CPRA) | Virginia (VCDPA) |
|---|---|---|---|
| Consumer threshold | 35,000 | Applies based on revenue ($25M+) or data volume | 100,000 |
| Data minimization | Strictest — necessary for requested service only | Reasonably necessary for disclosed purposes | Adequate, relevant, and reasonably necessary |
| Consent overrides minimization? | No | Partially (consumer can authorize) | Yes (with opt-in for sensitive data) |
| Sensitive data sales | Banned entirely | Allowed with opt-in consent | Allowed with opt-in consent |
| Minor age threshold | Under 18 | Under 16 | Under 13 (COPPA only) |
| Cure period | 60 days (sunsets April 2027) | None (removed in CPRA) | 30 days |
| Private right of action | No | Yes (data breaches only) | No |
| DPIA required | Yes | Yes (risk assessments) | Yes |
Frequently Asked Questions
Does MODPA apply to businesses outside Maryland?
Yes. MODPA applies to any business that conducts business in Maryland or targets products or services to Maryland residents, regardless of where the business is physically located. If you have customers in Maryland and meet the consumer thresholds, the law applies to you.
What is the difference between the effective date and enforcement date?
MODPA took effect on October 1, 2025, establishing the legal requirements. However, the Maryland AG agreed not to begin enforcement until April 1, 2026, giving businesses a six-month grace period to come into compliance. Enforcement actions can only target data practices occurring on or after April 1, 2026.
Can I still collect data for analytics and advertising in Maryland?
Only if the analytics or advertising activity is strictly necessary to provide the specific product or service the consumer requested. General website analytics for improving user experience may qualify, but collecting data for behavioral advertising profiles almost certainly does not meet MODPA's strict necessity standard. Consult with legal counsel for your specific use case.
What should I do if I receive an enforcement notice?
During the first year of enforcement (April 1, 2026 to April 1, 2027), the AG must provide a 60-day cure period before pursuing penalties. If you receive a notice, immediately review the alleged violation, develop a remediation plan, implement fixes within the cure window, and document all corrective actions taken. After April 1, 2027, the cure period is no longer guaranteed.
Is Maryland going to be the model for future state laws?
Several privacy advocates and legal experts view MODPA as a potential model for future legislation. Its data minimization approach — limiting what companies can collect rather than just requiring disclosure — represents a philosophical shift from the "notice and choice" framework that has dominated US privacy law. Watch for similar language in proposed state amendments and potential new state bills in 2026-2027.
Last updated: March 29, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.