Maryland Online Data Privacy Act (MODPA): What Businesses Need to Know Before 2026

SK
The Privacy Sarathi

Maryland has officially joined the growing list of U.S. states enacting strong privacy protections through the Maryland Online Data Privacy Act (MODPA). Enacted in 2024, this landmark law took effect on October 1, 2025, though it will not apply to processing activities that occurred before April 1, 2026. The gap provides a short transition window — but organizations are urged to prepare early.

Unlike many other state laws, MODPA introduces stricter standards for sensitive data, consumer rights, and automated decision-making, creating a higher compliance bar that reflects the evolution of U.S. privacy frameworks. For businesses and nonprofits alike, understanding and adapting to these rules is essential for operational readiness.

Scope and Applicability: Who Must Comply with MODPA

MODPA applies broadly to entities that operate in Maryland or handle data about Maryland residents. Two main thresholds determine compliance obligations:

1. Data Volume:

Organizations processing personal data of at least 35,000 consumers per year must comply. Notably, payment transaction data is excluded from this count, slightly narrowing the scope.

2. Revenue from Data Sales:

Organizations that earn revenue from selling personal data of at least 10,000 consumers, representing 20% or more of total gross revenue, also fall under the law.

A significant change is the inclusion of nonprofits. While other states often exempt nonprofit organizations, Maryland applies the law to them with narrow exceptions — such as first responder organizations or nonprofits assisting law enforcement with criminal or insurance fraud investigations.

MODPA also replaces “personal information” with “personal data” and defines “sale” broadly to include any exchange for monetary or valuable consideration. This expansion means more organizations and transactions are captured within the law’s scope, emphasizing Maryland’s message: privacy compliance is no longer limited to big tech.

Key Requirements: Sensitive Data, Consumer Rights, and Automated Decision-Making

One of MODPA’s defining features is its rigorous stance on sensitive data. This includes biometric, genetic, health, children’s, and precise geolocation data. Organizations may only collect or process sensitive data when strictly necessary to provide or maintain a service requested by the consumer. Importantly, the sale of sensitive data is prohibited entirely — even consumer consent cannot override this rule.

Consumers are granted robust rights under MODPA, including:

  • The right to know whether personal data is being processed

  • The right to access, correct, and delete personal data

  • The right to data portability

  • The right to opt out of data sales, targeted advertising, and profiling

Maryland also addresses algorithmic decision-making, focusing on profiling decisions made solely by automated means that have legal or significant effects (like employment or credit decisions). This reinforces the state’s commitment to algorithmic fairness and transparency.

Consent is another cornerstone of the law. Businesses must obtain opt-in consent for any processing beyond the original purpose or when handling sensitive data. Consumers must also be able to withdraw consent easily, and organizations are required to honor such withdrawals within 30 days.

Transparency is non-negotiable. Consumers can request details about third parties receiving their data and can designate a representative to act on their behalf.

Organizational Obligations and Enforcement

MODPA imposes direct obligations on both controllers (entities determining data use) and processors (entities processing data on behalf of controllers).

Controllers must:

  • Implement reasonable security measures

  • Conduct data protection assessments for high-risk activities such as profiling, data sales, and targeted advertising

  • Publish clear and accessible privacy notices disclosing data sales and consumer rights

A distinct feature is MODPA’s focus on algorithmic accountability — organizations must explicitly address automated decision-making systems in their assessments.

Processors, on the other hand, must follow controller instructions, support compliance efforts, and maintain robust security standards.

Enforcement authority rests with the Maryland Attorney General. Organizations receive a 60-day cure period to correct violations once notified. Penalties can reach up to $10,000 per initial violation and $25,000 for subsequent ones. While consumers cannot file lawsuits directly, state enforcement ensures accountability.

Preparing for MODPA Compliance

With MODPA effective from October 2025 and applicable from April 2026, organizations should act now to ensure readiness.

Start by mapping all personal and sensitive data, especially biometric, health, and location information. Review algorithms used for automated decisions and include them in data protection assessments. Update consent flows and privacy notices to be clear, transparent, and user-friendly. Strengthen risk assessments and security measures, ensuring data protection standards meet MODPA’s requirements.

Nonprofits should confirm whether they qualify for exemptions. Though there’s a brief transition window, early preparation is key to avoiding compliance gaps and operational disruptions.

Final Thoughts

The Maryland Online Data Privacy Act raises the bar for privacy protection across the United States. Its stringent standards for sensitive data handling, consumer rights, and automated decision-making demonstrate where state-level privacy laws are heading next.

As the compliance landscape continues to evolve, organizations that act early will not only reduce risk but also strengthen consumer trust and brand credibility.

Redacto supports businesses in navigating complex privacy frameworks like MODPA through AI-powered compliance monitoring, vendor risk assessments, and automated data governance tools — helping you stay compliant, efficient, and audit-ready in the era of evolving privacy regulations.

FAQs

1. How does MODPA treat sensitive data differently from other privacy laws?

MODPA strictly prohibits the sale of sensitive data, even with consumer consent. This makes Maryland’s framework tougher than most state laws, which typically allow such sales if users opt in.

2. What unique challenges does MODPA create for AI and automated systems?

Organizations must evaluate how automated decisions affect consumers, especially in areas like hiring or lending. MODPA requires clear documentation of algorithms’ fairness and accuracy through dedicated risk assessments.

3. Why are nonprofits significantly affected under MODPA?

Unlike many states that exempt nonprofits, Maryland includes most of them under MODPA. Only first responder and law enforcement-related nonprofits are exempt, meaning many nonprofits must now comply with commercial-grade privacy standards.

4. What is the purpose of the gap between October 2025 and April 2026?

The gap offers organizations a short transition period to prepare systems and policies. However, enforcement begins in October 2025, so compliance work should start well before April 2026.

5. How can businesses reduce compliance risks under MODPA?

Organizations should start by mapping sensitive data, updating consent mechanisms, and assessing algorithms for bias. Partnering with compliance platforms like Redacto can simplify automation, monitoring, and audit readiness.

SK
Product Designer