
Maryland’s New Privacy Law Explained: Your Rights, Their Responsibility

By Virginia Grimm


By Gia Grimm and Karan Manohar

In an era where technology is woven into nearly every part of daily life, consumers often share personal information without realizing the full scope of what is being collected. In fact, a recent 2023 Pew Study confirmed that a staggering 67% of consumers have little to no understanding about what companies are doing with their personal data. Therefore, in an effort to protect consumers and hold businesses accountable, the Maryland General Assembly passed, and Governor Moore signed, the Maryland Online Data Privacy Act (“MODPA”) in May 2024. MODPA puts the power back into the consumers’ hands by establishing meaningful protections over personal data and holding businesses accountable for responsibly maintaining consumer data.

MODPA goes into effect October 1, 2025, but only applies to companies’ personal data processing activities occurring after April 2026. The six-month delay between MODPA going into effect and its application to businesses gives businesses a grace period to review and adjust their data practices, thereby ensuring a smoother transition to compliance with MODPA. MODPA applies to businesses that either operate within Maryland or target Maryland residents and that either process the personal data of at least 35,000 Maryland residents annually, or process the data of at least 10,000 Maryland residents and derive more than 20% of their gross revenue from the sale of personal data. Businesses engaging in e-commerce and retailers that collect names, addresses, and payment information are among the types that would need to comply with MODPA. Subscription service businesses, like streaming platforms, that keep consumer login, billing, or preference details must also comply with MODPA.

MODPA establishes affirmative rights for consumers. Consumers will now have more control over how their personal data is used, processed, and maintained. For example, MODPA now requires businesses to provide consumers with access to copies of their retained personal data, if the consumer requests it. Consumers also now have the right to correct inaccuracies within their personal data and can opt out of having their personal data processed and used for targeted advertising. This means that consumers can now refuse to permit companies to use their personal information to show them targeted ads based on their browsing history, interests, or other personal data.

It is critical that businesses prepare now. Businesses should first determine if they are governed by MODPA, and if so, establish an implementation plan to comply with MODPA’s requirements before enforcement occurs on April 1, 2026. As a result of MODPA going into effect:

  1. Businesses are now limited to collecting only data that is “strictly necessary.” Although “strictly necessary” is not defined, MODPA states that data collected must be proportional to what is needed to maintain a specific product or service requested by the consumer.
  2. Businesses are required to notify consumers if the usage or sharing of their consumer data changes. The notification must be in a manner that enables consumers to access, correct, delete, or opt out of the new use of their personal data.
  3. Businesses must update their privacy risk assessments regarding sensitive protected information processes to comply with MODPA. In other words, businesses should be prepared to document all of their current uses of sensitive protected information and also train teams on how to handle this information in a way that complies with MODPA.
  4. Businesses will now be banned from selling sensitive data related to a consumer’s racial or ethnic background, religious beliefs, sexual orientation, citizenship or immigration status. In fact, businesses are only permitted to collect and process sensitive data when it is strictly necessary to provide a product or service requested by the consumer.
  5. Businesses must identify third-party risks when dealing with sensitive protected information. In other words, businesses should review contracts with third parties to ensure that the sale of sensitive protected information aligns with MODPA’s requirements.

As a result of these new protections, businesses will likely need to adjust or update their policies to ensure compliance. Failure to comply could result in fines up to $10,000 per violation and $25,000 for repeated violations. Businesses are given some leeway and have up to sixty (60) days to rectify violations at the Maryland Office of the Attorney General’s discretion, but only until April 1, 2027.

MODPA represents a landmark step in consumer data protection and gives Maryland residents clear, enforceable rights while imposing stringent obligations on businesses. As this law takes effect on October 1, 2025, businesses should act now to review practices, assess risks, and implement systems that safeguard consumer information. By prioritizing transparency and accountability, MODPA transforms the collection of personal data from a largely unregulated commodity into a protected consumer asset. At Joseph Greenwald & Laake, we handle consumer law and data litigation matters of all kinds. If you have any questions about your rights as a consumer or obligations as a business owner, you should contact our experienced legal counsel to discuss your rights and available options.
