Getting Ready for Maryland’s Online Data Privacy Act—A New Trendsetter?

Moore & Van Allen PLLC

We are about one month away from the effective date of Maryland’s version of a state comprehensive privacy law, the Maryland Online Data Privacy Act (MODPA). Effective October 1, 2025, MODPA contains the now familiar comprehensive privacy law provisions, including obligations for privacy notices, processor contracts, data security, risk assessments for high-risk processing, and consumer rights to know, access, correct and delete their personal data. But MODPA also strikes out on a different path. Its thresholds for coverage are lower than those of the original trendsetters in state comprehensive privacy laws: California, Virginia, and Colorado. MODPA also puts more teeth in the data minimization requirement by limiting collection of personal data to what is reasonably necessary and proportionate “to provide or maintain a specific product or service requested by the consumer,” instead of the more broadly phrased “in relation to the specified purposes for which the data are processed” found in other comprehensive privacy laws. MODPA also has significant protections for Consumer Health Data, which includes data regarding gender-affirming care or reproductive or sexual healthcare, both of which are broadly defined. Among other restrictions, a controller cannot provide Consumer Health Data to an employee or contractor unless the employee or contractor is subject to a contractual or statutory duty of confidentiality, or confidentiality is a condition of employment. A controller also cannot provide Consumer Health Data to a processor unless the processor has a contract with the controller and complies with the processor obligations under the Act. Geofencing (using technology to establish a virtual boundary) is prohibited within 1,750 feet of a mental health facility or a sexual or reproductive health facility for the purpose of tracking, identifying, collecting data from, or sending a notification to a consumer regarding the consumer’s Consumer Health Data.
Given MODPA’s novel requirements, the October effective date will arrive quickly. Read on for more detail.

Lower Thresholds for Coverage.

MODPA applies to persons conducting business in Maryland or that provide products or services that are targeted to Maryland residents, and in the preceding calendar year either:

  1. controlled or processed the personal data of at least 35,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or
  2. controlled or processed the personal data of at least 10,000 consumers and derived over 20% of gross revenue from the sale of personal data.

These thresholds are substantially lower than the thresholds set in most states. California, Colorado, Connecticut[1], Indiana, Iowa, Kentucky, Minnesota, New Jersey, Oregon, Tennessee, Utah and Virginia all have a 100,000-consumer processing threshold for prong 1 and, except for California, a 25,000-consumer threshold for prong 2. Nebraska’s and Texas’ thresholds are based on the business’ size, specifically not being a small business under SBA criteria. Only Delaware, New Hampshire and Rhode Island, states with much smaller populations, have the same 35,000 and 10,000 thresholds as Maryland. Maryland’s population is several times that of each of those states, so the lower thresholds for coverage signal Maryland’s position that more businesses should protect the privacy of Maryland residents’ data.

Familiar Exemptions, including Employees.

MODPA includes a familiar list of entity and information exemptions: financial institutions and affiliates of financial institutions, data subject to GLBA, protected health information under HIPAA, information covered under FCRA, FERPA, DPPA, and the Farm Credit Act, and personal data collected by or on behalf of persons regulated under Maryland’s insurance law (or an affiliate of such a person) in furtherance of the business of insurance. To the relief of employers, MODPA also does not cover data collected in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor or third party, leaving California as the only U.S. comprehensive privacy law that covers personal data collected in the employment context. There is no express exemption, however, for entities subject to HIPAA, so covered entities must implement measures to comply with MODPA with respect to data that does not qualify as protected health information. Nonprofits are exempt only if they are processing personal data solely to assist (i) law enforcement agencies in investigating criminal or fraudulent acts regarding insurance or (ii) first responders in responding to catastrophic events.

More Robust Data Minimization Requirements.

MODPA pushes the concept of data minimization beyond that required under other state comprehensive privacy laws and even GDPR. Specifically, MODPA mandates that controllers limit collection of personal data to that “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” Collection for any other purpose is therefore prohibited unless an exception applies. And this was no fluke. HB1365, introduced on February 7, 2025, sought to loosen this standard to limit collection to what is “adequate, relevant and necessary in relation to the purposes for which the data is processed, as disclosed to the consumer,” bringing MODPA’s data minimization more in line with other states and the GDPR definition of data minimization. The bill failed. This language does appear in Colorado proposed HB 1282 (2025), but in a much narrower context: limiting social media platforms to this collection standard with respect to minors.

MODPA requires even stricter data minimization for Sensitive Data. Sensitive Data includes Consumer Health Data, genetic and biometric data, personal data of a consumer that the controller knows or has reason to know is a child, precise geolocation data, and data revealing racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status. MODPA prohibits a controller from collecting Sensitive Data unless it is “strictly necessary to provide a specific product or service requested by the consumer to whom the personal data pertains.”

Despite the strict data minimization requirements, the exceptions in Section 14-4612 of MODPA should apply. These exceptions allow a controller to collect personal data for internal use to effectuate a product recall, identify and repair technical errors that impair existing or intended functionality, or perform internal operations that are (i) reasonably aligned with the expectations of the consumer or can be reasonably anticipated based on the consumer’s existing relationship with the controller or (ii) otherwise compatible with processing for the provision of a product or service requested by the consumer or the performance of the contract to which the consumer is a party. Exceptions for complying with law, cooperating with law enforcement or legal process, defending against legal claims, dealing with security incidents or other illegal activity, preserving the integrity and security of systems, and protecting the life and physical safety of individuals, also apply.

MODPA also permits a controller to process personal data for secondary purposes—specifically “a purpose that is neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed, as disclosed to the consumer” – if the consumer consents. However, the controller must provide an effective mechanism to allow the consumer to revoke consent and must stop the processing as soon as practicable and no later than 30 days after receiving the revocation request.

Other Protections for Sensitive Data.

Unlike many comprehensive state privacy laws, MODPA does not require that consumers opt-in to processing of their Sensitive Data. Although the opt-in requirement was in an earlier version of the bill, it was deleted in the final draft. Instead, MODPA prohibits controllers from processing or sharing Sensitive Data unless it meets the “strictly necessary” standard required for the collection of Sensitive Data. MODPA also has a blanket prohibition on the sale of Sensitive Data and requires the controller to conduct, on a regular basis, a data protection assessment for processing of Sensitive Data regardless of the risk of injury or unfair treatment to the consumer. 

Significant Protections for Consumer Health Data.

Broad definition.

MODPA contains targeted and robust protections for Consumer Health Data, defined broadly as personal data (any data that is linked or can be reasonably linked to an identified or identifiable consumer) “that a controller uses to identify a consumer’s physical or mental health status.” As written, a consumer’s purchase of a thermometer or Tylenol would be Consumer Health Data if the controller uses it to identify the consumer’s health status. By comparison, Washington’s My Health My Data Act is slightly broader, defining consumer health data as personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present or future physical or mental health status.

MODPA expressly states (perhaps unnecessarily) that data related to gender-affirming treatment or reproductive or sexual healthcare are included in Consumer Health Data. “Reproductive or sexual health care” is broadly defined as a “healthcare-related service or product rendered or provided concerning a consumer’s reproductive system or sexual well-being” and includes services and products, surgery, procedures, social, psychological, behavioral and medical intervention, the purchase or use of medication, a measurement of a bodily function, vital sign, or symptom, and abortion counseling. Gender-affirming treatment is defined by reference to Maryland’s Health-General Code and includes “treatments as prescribed to suppress the development of endogenous secondary sex characteristics, align the individual’s appearance or physical body with gender identity, and alleviate symptoms of clinically significant distress resulting from gender dysphoria.”

Because MODPA excludes from “personal data” de-identified data and publicly available information (both as defined by the Act), de-identified or “publicly available” information about a consumer’s health is not covered by MODPA.

Data Protection Assessments and Limits on Collection of Consumer Health Data

Data revealing Consumer Health Data is “Sensitive Data” under MODPA, and therefore controllers cannot collect it unless doing so is strictly necessary to provide the specific product or service requested by the consumer. In addition, controllers will need to conduct and document a data protection assessment regarding their processing of Consumer Health Data. That assessment must also cover any algorithm used to evaluate the data.

Additional Requirements to Provide Others Access to Consumer Health Data.

MODPA places specific obligations on any person (not just processors or controllers) who wants to provide others access to Consumer Health Data. Employees and contractors cannot be given access to Consumer Health Data unless they are under a contractual or statutory obligation of confidentiality or confidentiality is otherwise required as a condition of employment. Employers whose employees or independent contractors will have access to Consumer Health Data will want to include Consumer Health Data in their written nondisclosure agreements. Likewise, processors cannot be given access to Consumer Health Data unless both the processor and the person providing access comply with the specific processor contract requirements of MODPA, and the processor complies with MODPA’s requirements for assisting the controller with its obligations and providing certain information to the controller. Processor contracts also must require the processor to ensure that each person processing personal data is “subject to a duty of confidentiality” regarding the data.

Geofencing Restrictions.

Geofencing (using technology to establish a virtual boundary, such as a radius around a location) is prohibited within 1,750 feet of a mental health facility or a sexual or reproductive health facility for the purpose of tracking, identifying, collecting data from, or sending a notification to a consumer regarding the consumer’s Consumer Health Data. The restriction is measured from the facility, so a geofence whose edge (not merely its center) comes within the buffer is the practical concern.
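The following is an added example, written for this page and not taken from the article, the statute, or any regulator’s guidance: a pre-deployment check that flags a proposed circular geofence whose edge comes within 1,750 feet of a protected facility. It measures clearance from the fence edge rather than its center, which is the conservative reading. The facility list, fence coordinates, and the use of straight-line (great-circle) distance are assumptions constructed for illustration, not real locations or an interpretation of how the Attorney General would measure distance.

```python
"""Added example: flag geofences that come within MODPA's 1,750-foot buffer
around mental health and sexual/reproductive health facilities.
All coordinates below are constructed for illustration, not real sites."""
import math

EARTH_RADIUS_M = 6_371_000.0
FEET_PER_METER = 3.28084
MODPA_BUFFER_FT = 1_750.0  # statutory buffer from the article


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points (assumption:
    straight-line distance is the relevant measure)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def fence_clearance_ft(fence, facility):
    """Distance in feet from the EDGE of a circular geofence to a facility.
    Negative means the facility sits inside the fence."""
    centre_m = haversine_m(fence["lat"], fence["lon"],
                           facility["lat"], facility["lon"])
    return (centre_m - fence["radius_m"]) * FEET_PER_METER


def check_geofence(fence, facilities, buffer_ft=MODPA_BUFFER_FT):
    """Return [(facility name, clearance_ft)] for every protected facility
    within buffer_ft of the fence edge. An empty list means the fence clears
    the buffer for the facilities supplied (it says nothing about facilities
    missing from the list)."""
    hits = []
    for fac in facilities:
        clearance = fence_clearance_ft(fence, fac)
        if clearance <= buffer_ft:
            hits.append((fac["name"], round(clearance, 1)))
    return hits


# Constructed sample data (hypothetical coordinates, same longitude so the
# distances are easy to reason about: 0.001 deg latitude ~ 111 m).
FENCE = {"lat": 39.3000, "lon": -76.6000, "radius_m": 500.0}
FACILITIES = [
    {"name": "counseling_center", "lat": 39.3050, "lon": -76.6000},  # ~56 m past edge
    {"name": "pharmacy",          "lat": 39.3100, "lon": -76.6000},  # ~612 m past edge
    {"name": "clinic_inside",     "lat": 39.3010, "lon": -76.6000},  # inside the fence
]

if __name__ == "__main__":
    for name, clearance in check_geofence(FENCE, FACILITIES):
        print(f"BLOCK: {name} is {clearance} ft from fence edge "
              f"(limit {MODPA_BUFFER_FT} ft)")
```

Run it before a campaign geofence is published; a non-empty result is a blocker, not a warning. The check is only as good as the facility list, so the list should be maintained with the same care as any other control input, and a fence that clears the buffer for known facilities still needs the purpose-based analysis the statute requires.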

Other Protections.

Other provisions of MODPA that apply to personal data in general, including implementing reasonable administrative, technical and physical data security practices, will apply to Consumer Health Data. Controllers whose employees, independent contractors or processors will have access to Consumer Health Data will want to ensure that protections and processes for Consumer Health Data are in place before MODPA’s October 1st effective date.

Increased Protection of Minors.

MODPA also is in line with the trend to provide increased protections for the personal data of minors. A controller cannot process a consumer’s personal data for targeted advertising, or sell the consumer’s personal data, if the controller knew or should have known that the consumer was under 18 years old. MODPA’s definition of targeted advertising includes displaying an ad to a consumer, or to a device identified through a unique identifier, if the advertisement is selected based on the consumer’s activity over time across websites or online applications that are not affiliated with each other. Like other comprehensive privacy laws, ads based on the consumer’s activity on the controller’s own website are excluded. With families sharing devices, advertisers will need to be careful about targeted advertising to a device that the advertiser knows or should have known is used by someone under 18, even if the device is also used by an adult.

Consumer Rights.

Under MODPA, consumers have the standard rights typical in state comprehensive privacy laws, including:

  • the right to know whether a controller is processing the consumer’s personal data and to access, correct, and delete their personal data;
  • the right to obtain a list of the categories of third parties to whom the controller disclosed their personal data or a list of the categories of third parties to whom the controller disclosed any consumer’s personal data if the controller does not maintain information specific to the consumer;
  • the right to opt-out of targeted advertising, sale of personal data, and profiling for automated decisions that produce legal or similarly significant effects; and
  • the right to appeal if the controller denies the consumer’s request. If the controller denies an appeal, the controller must provide the consumer with an online mechanism, if available, through which the consumer can file a complaint with the Consumer Protection Division of the Maryland AG’s office. 

Like California and a number of other states, “sale” under MODPA includes the exchange of personal data to a third party for monetary or other valuable consideration. Familiar exceptions, as discussed above, apply.

Controller Obligations.

In addition to the requirements outlined above, controllers must:

  • provide a privacy notice outlining the categories of data (including Sensitive Data) processed by the controller, the purposes of the processing, the categories of third parties with which the controller shares personal data (with enough detail for the consumer to understand the type of, business model of, or processing conducted by each third party), the categories of data shared with third parties, whether the controller sells personal data to third parties or processes personal data for targeted advertising or for profiling the consumer in furtherance of decisions that produce legal or similarly significant effects, mechanisms for exercising consumer rights, and an active email address or online mechanism to contact the controller;
  • allow consumers to exercise opt-out rights through an authorized agent, including through Global Privacy Control (GPC) browser settings;
  • conduct data protection assessments for high-risk processing activities; and
  • establish contracts with processors detailing specific data processing and purposes, cooperation, audit, flow down and security requirements. 
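As an added example (written for this page, not code from the article or from any vendor), the snippet below shows how a web application can treat a Global Privacy Control signal as an opt-out of sale and targeted advertising, and how the under-18 rule discussed earlier overrides everything else. The GPC signal is the real `Sec-GPC: 1` request header defined by the GPC specification; the `Consumer` record, the header dictionaries, and the decision functions are constructed for illustration, and the mapping of one signal to both opt-outs is this example’s assumption about how to honor the statute, not statutory text.

```python
"""Added example: honour a Global Privacy Control (GPC) opt-out signal and the
under-18 targeted-advertising and sale prohibitions. Request headers and the
Consumer record are constructed for illustration."""
from dataclasses import dataclass

# Real header name from the GPC specification; the value "1" means opt out.
GPC_HEADER = "sec-gpc"


@dataclass
class Consumer:
    """Hypothetical controller-side record for one consumer."""
    consumer_id: str
    known_under_18: bool = False        # controller knew or should have known
    opted_out_sale: bool = False
    opted_out_targeted_ads: bool = False


def gpc_signal_present(headers):
    """True only for an exact 'Sec-GPC: 1' (header names are case-insensitive).
    Anything else ('0', 'true', missing) is NOT an opt-out, so it must not be
    treated as consent either; it simply leaves the stored preference alone."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def apply_request_signals(consumer, headers):
    """Record a GPC signal as an opt-out of both sale and targeted advertising.
    A signal can only ADD an opt-out; its absence never clears one."""
    if gpc_signal_present(headers):
        consumer.opted_out_sale = True
        consumer.opted_out_targeted_ads = True
    return consumer


def may_serve_targeted_ad(consumer):
    """Under-18 status is an absolute bar; otherwise honour the opt-out."""
    if consumer.known_under_18:
        return False
    return not consumer.opted_out_targeted_ads


def may_sell_personal_data(consumer):
    if consumer.known_under_18:
        return False
    return not consumer.opted_out_sale


if __name__ == "__main__":
    # Constructed request: a browser with GPC enabled.
    c = apply_request_signals(Consumer("c1"), {"Sec-GPC": "1", "User-Agent": "x"})
    print("targeted ad allowed:", may_serve_targeted_ad(c))   # False
    print("sale allowed:", may_sell_personal_data(c))          # False
```

The two points worth carrying into a real implementation are that the signal must be persisted against the consumer record (the header only travels with the browser that sent it, and the opt-out must survive a later request without it), and that a stored opt-out is never cleared by the absence of the header; clearing it should require an affirmative action by the consumer through the mechanism the privacy notice describes.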

Processor Obligations.

Processors have the standard obligations set forth in their contract with the controller and must assist with the controller’s data protection assessments. Because the limitations on providing access to Consumer Health Data outlined above apply to “persons” under MODPA, these requirements (such as not sharing Consumer Health Data with employees not subject to confidentiality obligations) presumably apply to processors as well.

Third Party Obligations.

Third parties under MODPA are persons other than the consumer, the controller, processors, or affiliates of the controller or processor. MODPA expressly requires third parties to give prior notice to the consumer before using or sharing the consumer’s personal data in a manner inconsistent with the promises made to the consumer at the time of collection.

Security and Nondiscrimination.

MODPA mandates reasonable administrative, technical, and physical security measures to protect personal data. MODPA prohibits discrimination against consumers for exercising their rights under MODPA. It also prohibits processing in an unlawful discriminatory manner, with certain exceptions for diversifying applicant pools, loyalty programs, and self-testing to prevent or mitigate unlawful discrimination.

Enforcement.

MODPA is enforced by the Maryland Attorney General. There is no private right of action for consumers. However, a violation of MODPA is a violation of Maryland’s unfair and deceptive trade practice law (Title 13 of Maryland’s Commercial Law Article). The AG can, but is not required to, allow a violator 60 days to cure a violation that occurs on or before April 1, 2027.

Maryland’s comprehensive privacy law is poised to set a new standard in consumer privacy. Expect other states to view MODPA as a model when drafting or amending their own comprehensive privacy laws.

[1] Recent amendments will lower Connecticut’s prong 1 threshold to 35,000 consumers, effective July 1, 2026.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Moore & Van Allen PLLC
