Maryland Online Data Privacy Act (MODPA): Complete 2026 Compliance Guide
MODPA Enforcement Begins April 1, 2026 — What You Need to Know
The Maryland Online Data Privacy Act (MODPA) was signed into law on May 9, 2024, and became effective on October 1, 2025. However, the critical date businesses need to focus on is April 1, 2026 — when the Maryland Attorney General begins enforcement. Regulatory actions apply only to collection and processing activities occurring after this date.
The MODPA is widely regarded as one of the strictest state privacy laws in the country, thanks to its combination of no cure period, rigorous data minimization requirements, strong minor protections, and low applicability thresholds. Use our Privacy Law Calculator to determine if the MODPA applies to your business.
Who Must Comply with the MODPA?
The MODPA applies to entities that conduct business in Maryland or provide products or services targeted to Maryland consumers, AND meet either of these thresholds:
- Control or process personal data of 35,000 or more Maryland consumers annually (excluding data processed solely for completing payment transactions), OR
- Control or process personal data of 10,000 or more Maryland consumers AND derive more than 20% of gross revenue from the sale of personal data
The lower threshold of 35,000 consumers (compared to the 100,000 threshold used by many other states) means the MODPA captures a broader range of businesses, especially those with significant Maryland-focused operations.
Exemptions
The MODPA exempts certain entities and data types:
- Entity exemptions: Government bodies, nonprofits, institutions of higher education, entities covered by HIPAA (entity-level), GLBA-regulated financial institutions
- Data exemptions: Data governed by HIPAA, GLBA, FCRA, FERPA, DPPA, and certain employment and B2B contact data
- Payment data: Data processed solely for completing payment transactions is excluded from the consumer count threshold
What Makes the MODPA One of the Strictest State Privacy Laws
Three features set the MODPA apart from other state privacy laws:
1. Strict Data Minimization Requirements
The MODPA goes further than almost any other state law on data minimization. Businesses may only collect and process personal data that is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer. This means:
- You cannot collect data “just in case” or for general analytics purposes that are not tied to a specific service
- Every data field must be justified against a specific consumer-requested purpose
- Data retained beyond the original purpose must be deleted or anonymized
Most other state privacy laws allow broader data collection as long as it aligns with a disclosed purpose. Maryland’s approach is closer to the EU’s GDPR standard of data minimization.
2. No Cure Period
The MODPA does not include a cure period. This means the Maryland Attorney General can pursue enforcement action immediately upon discovering a violation, without first offering the business an opportunity to fix the problem. This is one of the strictest enforcement approaches among state privacy laws — joining California and Colorado, which also lack cure periods.
However, during the initial enforcement period beginning April 1, 2026, businesses will receive a 60-day notice before formal enforcement action, providing a window to address identified issues.
3. Strong Minor Protections
The MODPA includes robust protections for minors (under 18):
- No sale of minor data: Businesses cannot sell personal data of consumers known to be under 18
- No targeted advertising for minors: Targeted advertising directed at known minors is prohibited
- Data minimization for minors: Collection and processing of minor data is restricted to what is strictly necessary to deliver a requested service
Consumer Rights Under the MODPA
The MODPA provides Maryland consumers with a comprehensive set of privacy rights:
- Right to access — Confirm whether a controller is processing their personal data and access that data
- Right to correction — Request correction of inaccurate personal data
- Right to deletion — Request deletion of personal data provided by or obtained about the consumer
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out of data sale — Opt out of the sale of personal data
- Right to opt out of targeted advertising — Opt out of processing for targeted advertising
- Right to opt out of profiling — Opt out of profiling in furtherance of decisions that produce legal or similarly significant effects
- Right to limit sensitive data processing — Restrict the processing of sensitive personal data
- Right to appeal — Appeal a controller’s denial of a consumer rights request
Controllers must respond to consumer requests within 45 days, with one 45-day extension if reasonably necessary. Responses must be provided free of charge.
Universal Opt-Out Mechanism (GPC) Requirement
The MODPA requires businesses to recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) for opting consumers out of data sales and targeted advertising. This requirement has been in effect since the law’s effective date of October 1, 2025.
Check your GPC compliance obligations across all states with our GPC Compliance Checker.
Sensitive Data Requirements
Processing sensitive personal data requires prior opt-in consent. Sensitive data categories under the MODPA include:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Biometric data used for identification purposes
Notably, the MODPA’s data minimization principle applies with extra force to sensitive data — businesses may not collect sensitive data beyond what is strictly necessary, and the sale of sensitive data is prohibited even with consumer consent.
Data Broker Provisions
Maryland has separate data broker registration requirements under the Maryland Personal Information Protection Act. The MODPA adds obligations for businesses that buy and sell consumer data, including enhanced transparency about data collection and sale practices. Businesses operating as data brokers in Maryland should also review the requirements covered in our data broker registration guide.
Enforcement and Penalties
The Maryland Attorney General has exclusive enforcement authority. There is no private right of action.
- First violation: Up to $10,000 per violation
- Subsequent violations: Up to $25,000 per violation
- Enforcement begins: April 1, 2026
- Cure period: None (but 60-day notice provided during initial enforcement period)
The escalating penalty structure and the absence of a cure period signal that Maryland intends to take enforcement seriously. View past enforcement actions across all states on our Enforcement Tracker.
How Maryland Compares to Other State Privacy Laws
The MODPA stands out in several key areas:
- Strictest data minimization: Maryland’s “reasonably necessary and proportionate” standard is the most restrictive among US state laws, closer to the GDPR approach than any other state
- Low thresholds: The 35,000-consumer threshold (with payment data excluded) is among the lowest, similar to Connecticut’s post-amendment threshold
- No cure period: Joining California, Colorado, and Oregon in not providing businesses an automatic cure period
- Escalating penalties: The $10,000/$25,000 penalty structure is unique — most states have a flat penalty rate
- No sale of sensitive data: Even with consent, sensitive data cannot be sold — stricter than most states that allow sale with opt-in consent
- Strong minor protections: No sale of minor data under 18, no targeted advertising for minors
- GPC required from day one: Unlike some states that phase in universal opt-out requirements
Use our State Comparison Tool for a detailed side-by-side analysis.
7-Step MODPA Compliance Plan
1. Assess applicability — Determine if your business processes data of 35,000+ Maryland consumers (excluding payment-only data) or 10,000+ consumers with 20%+ data sale revenue. Use the Privacy Law Calculator.
2. Audit your data practices for minimization — This is the most critical MODPA-specific step. Map every data field you collect to a specific consumer-requested product or service. Eliminate any data collection that cannot be justified as “reasonably necessary and proportionate.”
3. Implement GPC recognition — Ensure your website and apps recognize and honor Global Privacy Control and other universal opt-out signals for data sale and targeted advertising opt-outs.
4. Update privacy notices — Include all MODPA-required disclosures: categories of data processed, purposes, consumer rights, third-party sharing, and how to exercise rights.
5. Review minor data practices — Implement age-gating or age detection where appropriate. Ensure no sale of data for known minors under 18 and no targeted advertising directed at minors.
6. Build consumer rights infrastructure — Create intake, verification, fulfillment, and appeals workflows for all consumer rights requests. Configure 45-day response timelines.
7. Obtain opt-in consent for sensitive data — Implement clear, affirmative consent flows for processing sensitive data. Remember: sensitive data cannot be sold even with consent.
For a detailed compliance walkthrough, visit our Maryland Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.