The Maryland Online Data Privacy Act was signed in May 2024 and takes effect October 1, 2025.
Maryland Privacy & Accessibility Laws
Maryland enacted the Maryland Online Data Privacy Act (MODPA) in May 2024, becoming one of the states with comprehensive consumer privacy legislation. The law takes effect October 1, 2025. Maryland is also a leader in digital accessibility requirements for state government websites.
→
Privacy Law Status
MODPA Enacted
→
Accessibility Requirements
State Accessibility Standards
Maryland has strong accessibility requirements through its Nonvisual Access Act and state IT policies.
Maryland Online Data Privacy Act (MODPA)
The MODPA is one of the strongest state privacy laws, including unique provisions on data minimization and a ban on targeted advertising to minors.
Key Dates
- Enacted: May 9, 2024
- Effective Date: October 1, 2025
- Cure Period: 60 days (until April 1, 2027, then at AG discretion)
Who Must Comply?
The MODPA applies to entities that conduct business in Maryland or target Maryland residents AND:
| Threshold | Requirement |
|---|---|
| Data Volume | Control or process personal data of 35,000+ Maryland consumers |
| Revenue + Data | Derive more than 20% of gross revenue from selling personal data AND process data of 10,000+ consumers |
Consumer Rights Under MODPA
| Right | Description |
|---|---|
| Right to Know | Confirm whether personal data is being processed and access that data |
| Right to Correct | Correct inaccuracies in personal data |
| Right to Delete | Delete personal data provided by or obtained about the consumer |
| Right to Portability | Obtain personal data in a portable, readily usable format |
| Right to Opt-Out | Opt out of targeted advertising, sale of personal data, and profiling |
Unique MODPA Provisions
- Ban on Minor Targeting: Prohibits targeted advertising to consumers known to be under 18
- Strict Data Minimization: Must limit data collection to what is "reasonably necessary and proportionate"
- Sensitive Data Ban: Cannot sell sensitive data without explicit consent
- Global Opt-Out: Must honor universal opt-out mechanisms
Sensitive Data Categories
The MODPA defines sensitive data broadly, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health conditions
- Sexual orientation or sex life
- Citizenship or immigration status
- Genetic or biometric data
- Personal data of known children under 18
- Precise geolocation data
- National origin
- Gender identity
Accessibility Requirements
Maryland has strong accessibility requirements through multiple laws and policies:
Maryland Nonvisual Access Act
Maryland's Information Technology Nonvisual Access Act requires:
- State agencies must procure accessible information technology
- Software must include nonvisual access features
- Applies to all IT purchased, upgraded, or renewed by the state
- Strong enforcement through procurement requirements
State Government Obligations
- Maryland state agencies must comply with ADA Title II and state accessibility laws
- Department of Information Technology provides accessibility standards
- State websites must follow WCAG 2.1 Level AA guidelines
- Educational institutions must ensure accessible digital learning materials
- All new IT procurements must meet accessibility requirements
Private Sector Considerations
- Businesses with physical locations in Maryland are subject to ADA Title III
- Website accessibility claims can be brought under federal ADA
- Healthcare providers must ensure accessible patient portals
- Financial institutions must provide accessible online banking services
Enforcement
→
Privacy Enforcement
- Maryland Attorney General - Exclusive enforcement authority for MODPA
- 60-day cure period - Until April 1, 2027
- Division of Consumer Protection - Investigates complaints
- No private right of action - Only AG can enforce
Contact:
Office of the Attorney General
Consumer Protection Division
200 St. Paul Place
Baltimore, MD 21202
(410) 576-6300
→
Accessibility Enforcement
- U.S. Department of Justice - ADA Title II and III enforcement
- Maryland Commission on Civil Rights - State disability discrimination
- Private litigation - Federal ADA and state claims
Contact:
Disability Rights Maryland
1500 Union Avenue, Suite 2000
Baltimore, MD 21211
(410) 727-6352
MODPA Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Per violation (after cure period) | $10,000 per violation |
| Unfair trade practice | Additional penalties under Maryland Consumer Protection Act |
| Injunctive relief | Court may order business practices to cease |
Business Obligations
| Obligation | Description |
|---|---|
| Privacy Notice | Clear notice of data categories, purposes, rights, and third-party sharing |
| Strict Data Minimization | Limit collection to what is reasonably necessary AND proportionate |
| No Minor Targeting | Cannot engage in targeted advertising to consumers under 18 |
| Sensitive Data Consent | Obtain explicit consent before processing or selling sensitive data |
| Request Response | Respond to consumer requests within 45 days (may extend 45 days) |
| Global Opt-Out | Honor universal opt-out preference signals |
| Data Protection Assessments | Conduct assessments for high-risk processing activities |
Consumer Rights
Maryland residents have comprehensive privacy rights under the MODPA:
- Right to Access: Confirm processing and access personal data
- Right to Correct: Correct inaccurate personal data
- Right to Delete: Request deletion of personal data
- Right to Portability: Receive data in portable format
- Right to Opt-Out: Opt out of targeted advertising, sales, and profiling
- Protection for Minors: Cannot be targeted with advertising if under 18
- Right to Non-Discrimination: Cannot be penalized for exercising rights
- Right to Appeal: Appeal controller's decision on consumer requests
Important Exemptions
The MODPA exempts government entities, nonprofits, higher education institutions, HIPAA-covered entities, financial institutions under GLBA, and data regulated by FERPA, HIPAA, FCRA, or GLBA.
Related Resources
- US Privacy Laws Overview
- State Privacy Law Comparison
- ADA Title II Requirements
- All State Laws
- Privacy Compliance Guide
- Report a Violation
Need Help with Maryland Compliance?
The MODPA takes effect October 1, 2025 with some of the strongest privacy protections in the nation. Businesses should prepare now, especially regarding the ban on minor targeting. Contact our experts for guidance.