Does the Maryland Online Data Privacy Act apply to your business?
It turns mostly on consumer volume, and the bar is low. MODPA applies to persons that do business in Maryland or target its residents and that, in the prior calendar year, controlled or processed the personal data of at least 35,000 consumers, or at least 10,000 consumers while deriving more than 20% of gross revenue from selling personal data.
The 35,000-consumer trigger is far lower than the 100,000-consumer floor in many peer states, so MODPA reaches a much wider band of mid-market businesses; data processed solely to complete a payment transaction is excluded from the count. There is no general dollar-revenue floor. Maryland's exemptions are also narrower than the norm: it carves out state agencies and GLBA-regulated financial institutions, but the nonprofit exemption is limited to nonprofits that process data solely to assist law-enforcement insurance-fraud investigations or first responders in catastrophic events, so an ordinary charity that hits the threshold is covered. A consumer is a Maryland resident acting in an individual or household context, not an employee or business contact.
Sources for this answer
Primary law
A.1 Md. Code Ann., Com. Law § 14-4702
MODPA applies to persons doing business in Maryland or targeting its residents that, in the preceding calendar year, controlled or processed the data of at least 35,000 consumers, or at least 10,000 consumers while deriving more than 20% of gross revenue from the sale of personal data.
(1) Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.
See Md. Code Ann., Com. Law § 14-4702.
What must your Maryland privacy policy contain?
A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed (including sensitive data), the purpose for processing, how consumers exercise and appeal their rights and revoke consent, the categories of third parties data is shared with and the categories of data shared, and a contact mechanism.
Section 14-4707(d) is the content checklist, and one item is more demanding than in most states: the third-party disclosure must be detailed enough to let a consumer understand the type of, business model of, or processing conducted by each third party — generic labels like "service providers" or "marketing partners" will not satisfy it. A controller that sells personal data or processes it for targeted advertising must also clearly and conspicuously disclose that fact and how to opt out, and MODPA pairs the notice with data minimization and an easy consent-revocation path. The practices the notice describes should match the data practices the controller actually carries out.
Sources for this answer
Primary law
B.1 Md. Code Ann., Com. Law § 14-4707
A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed (including sensitive data), the purpose for processing, and the categories of third parties with which data is shared, among other required disclosures.
A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller, including sensitive data; (2) The controller’s purpose for processing personal data;
See Md. Code Ann., Com. Law § 14-4707(d).
What must your contracts with processors say?
A controller that uses a processor must enter into a binding contract governing the processor's data processing on the controller's behalf — so a data processing agreement is a statutory requirement, not a best practice.
Section 14-4708 then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and the duration, and the rights and obligations of both parties — plus mandatory covenants that the processor keep staff under a duty of confidentiality, maintain reasonable security, delete or return data at the controller's direction, provide the information needed to demonstrate compliance, bind subcontractors by written contract to the same obligations, and cooperate with assessments. A compliant template DPA tracks each of these.
Sources for this answer
Primary law
C.1 Md. Code Ann., Com. Law § 14-4708
If a controller uses a processor, the controller and processor must enter into a binding contract that governs the processor's data processing procedures and clearly sets forth processing instructions, the nature and purpose, the type of data, the duration, and the parties' rights and obligations.
If a controller uses a processor to process the personal data of consumers, the controller and the processor shall enter into a contract that governs the processor’s data processing procedures with respect to processing performed on behalf of the controller.
See Md. Code Ann., Com. Law § 14-4708(a)(1).
What are the rules for sensitive data?
Maryland is stricter than the opt-in model used elsewhere. A controller may not collect, process, or share sensitive data unless doing so is strictly necessary to provide or maintain a specific product or service the consumer requested, and it may not sell sensitive data at all. Consent does not unlock either limit. Sensitive data is defined broadly to include data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, transgender or nonbinary status, national origin, or citizenship or immigration status; genetic or biometric data; a known child's data; and precise geolocation.
This "strictly necessary" ceiling is the headline difference from the consent-based approach in most states: a consumer clicking "I agree" cannot authorize collecting sensitive data that is not needed to deliver the requested service, nor can it authorize a sale. The sale ban is categorical rather than an opt-out. MODPA layers on a parallel ban for minors — a controller may not sell the personal data of a consumer it knew or should have known is under 18, nor target advertising to them. For a multi-state program, a Maryland-compliant posture generally means turning off sensitive-data sales and most secondary uses of sensitive data for Maryland residents, not relying on a consent banner.
Sources for this answer
Primary law
D.1 Md. Code Ann., Com. Law § 14-4707
A controller may not collect, process, or share sensitive data except where strictly necessary to provide or maintain a product or service the consumer requested, and may not sell sensitive data at all.
A controller may not: (1) Except where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains, collect, process, or share sensitive data concerning a consumer; (2) Sell sensitive data;
See Md. Code Ann., Com. Law § 14-4707(a).
Can a consumer sue your business under MODPA?
No. A MODPA violation is treated as an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act, enforced by the Attorney General's Consumer Protection Division — and the statute routes enforcement to that machinery while excluding the Consumer Protection Act's private-action section. For an alleged violation occurring on or before April 1, 2027, the Division may issue a notice of violation if a cure is possible, after which the business gets at least 60 days to cure.
There is no standalone private right of action — consumers cannot sue controllers or processors directly for MODPA violations, though the statute preserves any other remedy provided by law. The cure window is discretionary, not automatic, and it is time-limited: it applies only to violations on or before April 1, 2027, after which the Division can act without a notice-and-cure step. Because penalties run under the Consumer Protection Act and can be assessed per violation, the practical posture is to build the notice, minimization, sensitive-data, and contracting controls up front rather than relying on the cure period.
Sources for this answer
Primary law
E.1 Md. Code Ann., Com. Law § 14-4713
A MODPA violation is an unfair, abusive, or deceptive trade practice subject to the Consumer Protection Act's enforcement and penalty provisions, except for its private-action section — so enforcement runs through the Attorney General, not a consumer lawsuit.
a violation of this subtitle is: (1) An unfair, abusive, or deceptive trade practice within the meaning of Title 13 of this article; and (2) Subject to the enforcement and penalty provisions contained in Title 13 of this article, except for § 13–408 of this article.
See Md. Code Ann., Com. Law § 14-4713(a).
Primary law
E.2 Md. Code Ann., Com. Law § 14-4714
For violations occurring on or before April 1, 2027, the Division may issue a notice of violation if a cure is possible, and the controller or processor then has at least 60 days to cure before the Division may bring an enforcement action.
If the Division issues a notice of violation under subsection (b) of this section, the controller or processor shall have at least 60 days to cure the violation after receipt of the notice.
See Md. Code Ann., Com. Law § 14-4714(c)(1).