Maryland Privacy Law Overview

Maryland's privacy law took effect October 1, 2025 (applying to data processing from April 1, 2026) and goes further than any other state. Rather than letting consumers opt in to broad data uses, it caps collection at what is strictly necessary for the requested product or service, and it flatly prohibits selling sensitive data — a first among U.S. states.

The Maryland Online Data Privacy Act (MODPA)

Maryland's law is the strictest comprehensive state privacy law. It imposes hard data minimization — collection is limited to what is reasonably necessary to provide the specific product or service the consumer requested — and bans the sale of sensitive data outright, with no opt-in workaround. It also bars selling minors' data and targeted advertising to anyone under 18.

MODPA: Quick Overview

  • Effective Date: October 1, 2025
  • Citation: Md. Code, Com. Law § 14-4601 et seq.
  • Enforced By: Maryland Attorney General
  • Maximum Penalty: Up to $10,000 per violation; $25,000 for repeat violations
  • Private Right of Action: No (enforcement by the state only)
  • Right to Cure: 60 days (discretionary; expires April 1, 2027)

Who Must Comply

The MODPA applies to businesses that meet Maryland's applicability thresholds:

  • Controls or processes the personal data of 35,000+ Maryland consumers per year, or
  • Processes data of 10,000+ consumers and derives more than 20% of gross revenue from selling personal data

What makes Maryland different: it has the strictest state privacy law, combining hard data minimization with an outright ban on selling sensitive data, with no opt-in workaround.

Consumer Rights Under the MODPA

Maryland residents can exercise the following rights over their personal data:

  • Right to access / confirm what data is held
  • Right to correct inaccurate data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of targeted advertising
  • Right to opt out of the sale of personal data
  • Right to opt out of profiling for significant decisions

Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).

Data Breach Notification in Maryland

Maryland requires notice to the Attorney General before affected residents are notified, and to residents within 45 days of discovery.

  • Deadline to notify residents: No later than 45 days after discovery of the breach
  • Attorney General notice: Notify the Maryland Attorney General before notifying individuals
  • Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)

Federal Privacy Laws That Apply in Maryland

Even where Maryland law is silent, residents and businesses are covered by federal privacy statutes:

  • HIPAA — health information held by providers, plans and their vendors
  • GLBA — privacy and safeguards rules for financial institutions
  • FERPA — student education records
  • FCRA — consumer reporting agencies and background screening
  • COPPA — online collection of data from children under 13
  • FTC Act §5 — unfair or deceptive privacy and data-security practices

Maryland Privacy Law FAQ

Why is Maryland's privacy law considered the strictest?
Maryland imposes true data minimization — businesses may collect only what is reasonably necessary to provide the specific product or service the consumer asked for — and bans the sale of sensitive data entirely, with no opt-in exception. It also prohibits targeted advertising to anyone under 18.

When do Maryland businesses actually have to comply?
Although the law's effective date is October 1, 2025, its obligations apply to personal-data processing occurring on or after April 1, 2026, giving businesses a short runway to align their data practices with Maryland's strict minimization rules.

How a Maryland Privacy Attorney Can Help

For Businesses

  • Build and audit a privacy compliance program
  • Draft privacy policies, notices and vendor contracts
  • Respond to consumer rights requests
  • Manage data-breach response and notification
  • Defend regulatory investigations and enforcement

For Consumers

  • Enforce your privacy rights against non-compliant businesses
  • Pursue or join data-breach litigation
  • File complaints with the Maryland Attorney General
  • Seek damages for identity theft and fraud
  • Stop unlawful data sales and unwanted marketing

Need a Maryland Privacy Attorney?

Whether you are a business working toward compliance or a Maryland resident whose privacy has been violated, our network of Maryland-licensed attorneys can help.
