TL;DR: Starting today, April 1, 2026, Maryland’s Online Data Privacy Act (MODPA) gets teeth. The law flat-out bans selling sensitive data: no consent workaround, no opt-out checkbox. It demands companies only collect data they actually need. It protects everyone under 18, the highest age threshold of any US state privacy law. Penalties hit $10,000 per violation, $25,000 for repeat offenders. If you live in Maryland or do business with Maryland residents, the rules just changed.
What Just Happened
Maryland Governor Wes Moore signed the Online Data Privacy Act in May 2024. The law technically took effect October 1, 2025, but enforcement was delayed to give companies time to comply [1].
That grace period is over.
As of today, the Consumer Protection Division of the Maryland Attorney General’s office can investigate and penalize companies that violate MODPA. Any data collection or processing that happens from this point forward is fair game [2].
And this isn’t another California-lite. MODPA does things no other state privacy law has done.
Why MODPA Matters More Than Other State Laws
Twenty states have passed comprehensive privacy laws. Most of them follow the same playbook: give people opt-out rights, require consent for “sensitive” data, and let companies keep collecting everything as long as they disclose it.
Maryland rewrote the playbook. Three things set MODPA apart:
1. Sensitive Data Cannot Be Sold. Period.
Every other state privacy law lets companies sell your sensitive data if you consent. Tick a box, and your biometric data, health records, or precise location goes on the market.
MODPA says no. Sensitive data (which includes racial or ethnic origin, religious beliefs, health information, sexual orientation, transgender or nonbinary status, genetic data, biometric data, children’s data, and precise geolocation) cannot be sold under any circumstances [3]. Not with consent. Not with an opt-out. Not at all.
It can only be collected and processed when “strictly necessary” to deliver a product or service a consumer specifically requested [4]. That “strictly necessary” standard is the tightest restriction on sensitive data in any US state.
2. Real Data Minimization
Most state laws say companies should only collect “reasonably necessary” data. That sounds good until you realize companies define “necessary” broadly enough to include everything.
MODPA limits collection to what is “reasonably necessary and proportionate” to provide or maintain a specific product or service the consumer asked for [4]. The shift matters: the focus is on what the consumer wants, not what the company can justify collecting.
Maryland’s approach forces companies to answer a simple question: does this user need to give us this data to get what they asked for? If not, don’t collect it.
3. Everyone Under 18 Is Protected
The federal Children’s Online Privacy Protection Act (COPPA) protects kids under 13. Most state laws draw the line at 16. Maryland protects everyone under 18, the highest age threshold in the country [5].
Targeted advertising to minors is banned. Companies processing data from consumers they know are under 18 face the same strict-necessity requirements as sensitive data [5].
Who Has to Comply
MODPA casts a wider net than most state privacy laws. It applies to any business that:
- Processes personal data of 35,000 or more Maryland consumers in a year (excluding payment-only data), OR
- Processes data of 10,000 or more Maryland consumers AND derives over 20% of revenue from data sales [3]
That 35,000 threshold covers just 0.56% of Maryland’s population. Compare that to Colorado (1.72%), Oregon (2.35%), or Delaware (3.43%) [3]. More companies fall under MODPA than under most state laws.
Exempt: state and local government agencies, certain GLBA-regulated financial institutions, and data already covered by HIPAA, FERPA, or other sector-specific federal laws. Employee data, de-identified data, and B2B data are also carved out [5].
What Maryland Residents Can Do Now
If you live in Maryland, you now have the right to:
- Know what’s collected: Request confirmation of whether a company processes your data, and get access to it
- Fix mistakes: Correct inaccurate personal data
- Delete it: Request deletion of your personal data
- Take it with you: Get a portable copy of your data
- See who has it: Obtain a list of third parties your data was shared with
- Opt out: Stop targeted advertising, data sales, and certain profiling activities [2]
Companies have 45 to 60 days to respond to these requests. They can’t punish you for making them: no degraded service, no price hikes, no account restrictions [5].
MODPA also requires companies to honor Universal Opt-Out Mechanisms like the Global Privacy Control browser signal. If you’ve enabled GPC in your browser, Maryland companies must respect it [6].
The Enforcement Math
The Maryland Attorney General has exclusive enforcement authority. There’s no private right of action: you can’t sue a company yourself under MODPA [2].
Penalties:
- $10,000 per violation (first offense)
- $25,000 per violation (repeat offenders)
There’s a 60-day cure period: companies get a chance to fix violations before penalties kick in. But that cure period expires on April 1, 2027. After that, the Attorney General decides whether to offer one [2].
The “per violation” language matters. A company that improperly collects sensitive data from 100,000 Maryland users isn’t looking at one $10,000 fine. It’s looking at potential exposure in the billions. Whether the AG pursues penalties at that scale remains to be seen.
What Companies Need to Change
If you run a business that touches Maryland consumer data, here’s what MODPA requires starting today:
- Audit your data flows: Map what personal data you collect from Maryland residents and whether each data point is strictly necessary
- Stop selling sensitive data: If you sell biometric, health, geolocation, or other sensitive data from Maryland consumers, stop. Today.
- Update privacy notices: Disclose what data you collect, why, who gets it, and how consumers can exercise their rights
- Implement opt-out signals: Recognize Global Privacy Control and other universal opt-out mechanisms
- Conduct data protection assessments: Any processing that presents heightened risk (including algorithmic decision-making) requires a formal impact assessment [4]
- Protect minors: No targeted advertising to anyone under 18. Apply strict-necessity standards to their data
- Set up request infrastructure: Build systems to handle access, deletion, correction, and portability requests within 45-60 days
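The sale ban, the under-18 rules, and the opt-out signal from the checklist above can be enforced as a single gate in front of any processing job. This is an added example, not code from the article or its sources: the function names, category labels, and reason strings are hypothetical, and the `Sec-GPC: 1` request header comes from the Global Privacy Control specification rather than from this page. It does not model the "reasonably necessary and proportionate" test for non-sensitive data.

```javascript
// Added example: hypothetical gate that encodes the rules the article states.
// Sensitive categories as listed in the article (label strings are assumptions).
const SENSITIVE = new Set([
  "racial_ethnic_origin", "religious_beliefs", "health", "sexual_orientation",
  "transgender_nonbinary_status", "genetic", "biometric", "child_data",
  "precise_geolocation",
]);

// The GPC specification defines the request header "Sec-GPC: 1".
// Header names are case-insensitive; any other value means "no signal".
function hasGpcSignal(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
  return key !== undefined && String(headers[key]).trim() === "1";
}

// purpose: "sale" | "targeted_ads" | "service"
// subject: { categories: string[], knownUnder18: boolean }
// strictlyNecessary: outcome of the data-flow audit for this field and service
function decide(purpose, subject, headers, strictlyNecessary) {
  const sensitive = subject.categories.some((c) => SENSITIVE.has(c));
  // Sensitive data cannot be sold, with or without consent.
  if (purpose === "sale" && sensitive) {
    return { allowed: false, reason: "sensitive-data-sale-banned" };
  }
  // No targeted advertising to consumers known to be under 18.
  if (purpose === "targeted_ads" && subject.knownUnder18) {
    return { allowed: false, reason: "minor-targeted-ads-banned" };
  }
  // Sensitive data and known minors' data require strict necessity.
  if ((sensitive || subject.knownUnder18) && !strictlyNecessary) {
    return { allowed: false, reason: "not-strictly-necessary" };
  }
  // A universal opt-out signal blocks sale and targeted advertising.
  if ((purpose === "sale" || purpose === "targeted_ads") && hasGpcSignal(headers)) {
    return { allowed: false, reason: "gpc-opt-out" };
  }
  return { allowed: true, reason: "permitted" };
}

// Constructed sample requests, not real traffic.
const samples = [
  ["sale", { categories: ["biometric"], knownUnder18: false }, {}, true],
  ["targeted_ads", { categories: ["email"], knownUnder18: true }, {}, true],
  ["service", { categories: ["precise_geolocation"], knownUnder18: false }, {}, false],
  ["targeted_ads", { categories: ["email"], knownUnder18: false }, { "Sec-GPC": "1" }, true],
  ["service", { categories: ["health"], knownUnder18: false }, { "sec-gpc": "1" }, true],
];
for (const s of samples) console.log(s[0], decide(...s).reason);
```

Logging the returned reason alongside each decision gives the data-flow audit a record of why a job was blocked.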
The Bigger Picture
Maryland is now the template. While Congress debates a federal privacy law that never arrives, states keep writing their own. And MODPA sets a new floor.
The ban on selling sensitive data is the headline. Other states let data brokers sell your health conditions, sexual orientation, and religious beliefs as long as you “consented” (usually by not finding a buried opt-out link). Maryland killed that loophole.
This matters especially right now. The FTC just settled with OkCupid for sharing 3 million user photos with a facial recognition company, with zero penalty. If that happened in Maryland after today, the same behavior would violate MODPA’s ban on selling or sharing sensitive biometric data without strict necessity.
The question is enforcement. Maryland’s AG has the tools. Whether Attorney General Anthony Brown uses them aggressively will determine if MODPA is a real shield or another paper promise.
What You Should Do
- Maryland residents: Enable Global Privacy Control in your browser. Companies in Maryland now have to respect it
- Everyone else: Check if your state has a privacy law. Twenty states do. Use your rights. Our state tracker shows where things stand
- Exercise your rights: Send data access and deletion requests to companies you do business with. Make the system work
- Watch enforcement: The first MODPA enforcement action will signal how seriously Maryland takes this. We’ll cover it when it happens
References
[1] EPIC: Maryland Online Data Privacy Act Comes Into Effect
[2] Verified Credentials: MODPA Enforcement Begins on April 1, 2026
[3] Osano: What Makes the Maryland Online Data Privacy Act (MODPA) Different?
[4] Corporate Compliance Insights: What You Need to Know About Maryland’s New Data Privacy Law
[5] Potomac Law: Maryland’s Online Data Privacy Act (MODPA): What Business Owners Need to Know
[6] OneTrust: Maryland’s MODPA Key Rules and Requirements
Published: April 1, 2026