[co-author: Caroline Aiello]
The Maryland Online Data Privacy Act (MODPA) will take effect on October 1, 2025. Businesses marketing goods or services to consumers in Maryland will need to implement legal and technical measures to comply with the new law. In this series, McNees provides guidance on the general requirements of the law and how MODPA will affect core business practices.
Introduction
The Maryland Online Data Privacy Act (MODPA) takes effect on October 1, 2025, imposing comprehensive data protection requirements on businesses that market goods and services to Maryland consumers. With low applicability thresholds and strict protections for personal data, it represents one of the most restrictive state privacy frameworks to date. The upcoming series will examine how certain provisions of the law affect ordinary business practices and introduce new compliance obligations for covered companies.
Applicability
MODPA applies to any business that collects personal data from at least 35,000 Maryland consumers in any year. This deliberately low threshold will make the law apply more broadly than the consumer privacy laws that have taken effect in other states over the last 5 years. While the laws in states like California and Virginia apply only to businesses processing personal information of populations representing between 1% and 4% of those states’ total population, Maryland’s 35,000-consumer threshold means the law applies to businesses that collect data from as little as 0.5% of the state’s population. This small difference has enormous practical implications, pulling thousands of additional businesses into the regulatory framework.
Companies meeting this threshold must evaluate how to implement extensive privacy programs or risk thousands of dollars in enforcement penalties. Understanding MODPA’s enforcement timeline and penalty structure will help guide businesses in making these strategic decisions.
Timeline
Implementation of the law follows a structured timeline designed to allow companies a grace period to come into compliance. Critical dates for covered businesses to note are:
- October 1, 2025: The law goes into effect, and all covered businesses must implement MODPA’s requirements.
- April 1, 2026: Enforcement begins. Regulatory actions will only apply to collection and processing activities that happen after this date. The Attorney General may provide an opportunity to cure the infraction.
- April 1, 2027: The optional cure period ends. The law will be fully enforced under the Maryland Consumer Protection Act, which allows for statutory damages in civil enforcement actions by the Attorney General.
Enforcement
MODPA violations carry substantial financial penalties under Maryland’s Consumer Protection Act: up to $10,000 for initial violations and $25,000 for repeat offenses. To avoid these fines, MODPA requires businesses to embed data protection considerations into core workflows. The upcoming series will describe how Maryland’s new privacy law affects, in particular:
- Risk and Privacy Assessments: Including required assessments and strategies for integrating them into your company’s workflow.
- Marketing and Advertising: Navigating consent requirements, targeted advertising limitations, and customer communication rules.
- Cybersecurity: Aligning incident response, data breach notifications, and security measures with MODPA obligations and guidance from other jurisdictions.
- Third-party vendors and information sales/sharing: Restructuring vendor relationships, data processing agreements, and information sales under enhanced restrictions.
This series provides actionable strategies for navigating MODPA’s requirements and preparing your business for one of the nation’s most restrictive state privacy frameworks. With less than a year until enforcement begins, companies must proactively plan for compliance to avoid significant penalties and operational disruption.