enactedUS-MDEffective October 1, 2025

Maryland Online Data Privacy Act (MODPA)

Complete compliance guide for companies with <200 employees. Everything you need to know about MODPA requirements, deadlines, and penalties.

DSAR Deadline

45 calendar days

+ 45 days extension

Max Penalty

$10,000/violation

Up to $10,000 per violation for first offense and $25,000 for repeat violations under the Maryland Consumer Protection Act. No cure period — the Attorney General may proceed directly with enforcement. One of the strictest US state privacy laws regarding data minimization.

Threshold

35,000 consumers

Est. Cost

$5,000 – $20,000

5-14 weeks

Mid-Market Compliance Guide

Maryland's MODPA is one of the most consumer-protective US state privacy laws. It imposes strict data minimization requirements — businesses may only collect data that is reasonably necessary and proportionate. It prohibits targeted advertising to known minors under 18 and bans the sale of sensitive data entirely. The low threshold (35,000 consumers or 10,000 with 20%+ revenue from data sales) and lack of a cure period make this particularly demanding for mid-market companies.

Key Requirements

Strict data minimization — collect only what is reasonably necessary
Provide a clear and accessible privacy notice
Obtain consent before processing sensitive data
Conduct data protection assessments for high-risk processing
Implement and maintain reasonable data security practices
Prohibit targeted advertising to consumers known to be under 18
Prohibit sale of sensitive data

Enforced by: Maryland Attorney GeneralOfficial site

Consumer Rights

Right to Access personal data

Right to Correct inaccurate data

Right to Delete personal data

Right to Data Portability

Right to Opt-Out of sale, targeted advertising, and profiling

Business Obligations

1.Provide privacy notice with required disclosures
2.Respond to consumer requests within 45 days
3.Strictly limit data collection to necessary purposes
4.Prohibit targeted advertising to known minors
5.Execute data processing agreements with processors
6.Implement reasonable data security measures

Exemptions

•HIPAA-covered entities and data
•GLBA-covered financial institutions
•Nonprofits
•Higher education institutions
•Government entities

Related Privacy Laws

CTDPA

US-CT

Connecticut Data Privacy Act

NJDPA

US-NJ

New Jersey Data Privacy Act

CCPA/CPRA

US-CA

California Consumer Privacy Act

Recommended Compliance Tools

No vendors have been reviewed for MODPA coverage yet.

Browse all compliance tools

Get a mid-market compliance checklist for MODPA

We'll send you a practical, step-by-step checklist tailored for companies with <200 employees. No spam, unsubscribe anytime.

See how DPAs enforce MODPA in practice

Real fines, real violations, real lessons. Browse our enforcement database to understand what gets penalized under MODPA.

Browse Enforcement Actions

Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/3/2026.

Read the official text of MODPA