What makes Maryland's privacy law one of the strictest?

The MODPA has no cure period, strict data minimization requirements, low applicability thresholds, strong minor protections (no sale or targeted ads for under 18), and requires GPC recognition from day one.

Is there a cure period under the MODPA?

No. The MODPA does not include a cure period, meaning the Maryland AG can pursue enforcement immediately without giving businesses an opportunity to fix violations first.

Who does the MODPA apply to?

The MODPA applies to entities conducting business in Maryland or targeting MD consumers that process data of 35,000+ consumers, or 10,000+ consumers while deriving 20%+ of revenue from data sales.

Maryland Privacy Law

Q: What are the data minimization requirements?

The MODPA requires businesses to only collect and process personal data that is reasonably necessary and proportionate to the disclosed purpose. This is stricter than most state privacy laws.

Maryland Online Data Privacy Act

Effective: October 1, 2025Active

Overview

The Maryland Online Data Privacy Act (MODPA) was signed into law on May 9, 2024, and becomes effective on October 1, 2025. Maryland's law is considered one of the strongest state privacy laws, with no cure period, low applicability thresholds, a requirement to honor universal opt-out mechanisms, and robust data minimization requirements. The MODPA provides Maryland consumers with comprehensive privacy rights, including the right to access, correct, delete, and port personal data, as well as opt-out rights for data sales, targeted advertising, and profiling. Notably, the MODPA goes beyond most other state privacy laws by imposing strict data minimization requirements — businesses may only collect and process personal data that is reasonably necessary and proportionate to the purpose for which it is collected. The law applies to entities conducting business in Maryland or targeting Maryland consumers that control or process personal data of 35,000 or more consumers (excluding payment transaction data), or control or process personal data of 10,000 or more consumers while deriving more than 20% of gross revenue from the sale of personal data. The MODPA does not include a cure period, making it one of the strictest state privacy laws from an enforcement perspective. Penalties can reach $10,000 per violation, enforced by the Maryland Attorney General.

Applicability Thresholds

Conditions are joined by OR — meeting ANY one triggers applicability.

35,000+

Maryland consumers' data processed

10,000+ consumers

AND 20%+ revenue from data sales

Consumer Rights

Right to Access

Right to Delete

Right to Correct

Data Portability

Opt-Out of Sale

Opt-Out of Targeted Ads

Opt-Out of Profiling

Limit Sensitive Data Use

Right to Appeal

Private Right of Action

Key Changes in 2025-2026

Law becomes effective October 1, 2025 — no cure period from day one
Strict data minimization requirements in full effect
Universal opt-out mechanism requirement in effect from the law's effective date
Maryland AG expected to be active in enforcement given the no-cure-period approach

Enforcement Details

Enforced By

Maryland Attorney General

Penalty Per Violation

$10,000

Cure Period

None — immediate enforcement

Private Right of Action

No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

Businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) for opt-out of data sales and targeted advertising from the law's effective date.

Effective: October 1, 2025

Minor / Child Protections

The MODPA includes strong minor protections. It prohibits the sale of personal data of consumers under 18 and bars targeted advertising directed at minors. The law also restricts the collection and processing of minor data beyond what is strictly necessary.

Compliance Checklist

1Assess applicability — note the lower thresholds of 35,000 consumers or 10,000+ with 20% data sale revenue
2Implement strict data minimization practices — only collect data reasonably necessary for the disclosed purpose
3Implement universal opt-out signal recognition (GPC and similar mechanisms)
4Update privacy notices with all MODPA-required disclosures
5Implement consumer rights request mechanisms with 45-day response period
6Obtain opt-in consent for processing sensitive personal data
7Review and restrict processing of minor data — no sale or targeted advertising for consumers under 18

Maryland Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.