TL;DR: Maryland's Online Data Privacy Act (MODPA) took effect on October 1, 2025, establishing one of the strictest state-level privacy frameworks in the United States. The law introduces mandatory data minimization, universal opt-out mechanisms, and enhanced protections for sensitive data, setting a new benchmark that could influence privacy legislation nationwide.
What changed (June 28, 2026): MODPA enforcement began April 1, 2026, and Maryland has now layered a second privacy law on top of it: the Data Privacy Act (HB 711) passed both chambers in April 2026, banning state agencies and data brokers from handing Marylanders' records to federal immigration enforcement without a warrant. Governor Wes Moore has signed both, and a federal preemption fight is now active in Congress. See the HB 711 breakdown.
What is MODPA?
The Maryland Online Data Privacy Act (MODPA) represents a significant evolution in American privacy law. Signed into law in May 2024, MODPA went into effect on October 1, 2025, giving businesses 18 months to prepare for compliance. Unlike earlier state privacy laws like California's CCPA or Virginia's VCDPA, MODPA incorporates several provisions that privacy advocates have long championed but which other states have hesitated to implement.
The law applies to businesses that control or process the personal data of at least 35,000 Maryland consumers (excluding employee or B2B data) or derive over 20% of gross revenue from selling personal data while processing data of at least 10,000 consumers. This relatively low threshold means MODPA will affect many mid-sized companies, not just tech giants.
Key Provisions That Set MODPA Apart
1. Data Minimization Mandate
MODPA goes beyond the data minimization principles found in other state laws by making minimization a hard requirement, not just a guideline. Businesses must demonstrate that the personal data they collect is "adequate, relevant, and reasonably necessary" for the disclosed purpose. This shifts the burden of proof to companies and creates liability for over-collection, a significant departure from the permissive approach of other US privacy laws.
2. Universal Opt-Out Mechanism
The law requires businesses to honor universal opt-out preference signals, such as the Global Privacy Control (GPC). This means consumers can set a browser-level or device-level preference once, and companies must respect it across all services, eliminating the need to opt out of data sales site-by-site. This provision is modeled after California's regulations but is mandated from day one rather than being phased in.
3. Enhanced Sensitive Data Protections
MODPA expands the definition of "sensitive data" to include precise geolocation data, biometric identifiers, health data, genetic data, and data revealing racial or ethnic origin, religious beliefs, sexual orientation, citizenship status, and more. Processing such data requires affirmative consent (not just notice), and consumers have the right to opt out of its processing entirely. The inclusion of citizenship status is particularly noteworthy in the current immigration enforcement climate.
4. No Small Business Exemption Carve-Outs
While MODPA sets thresholds for applicability, it does not create a blanket exemption for small businesses the way some other state laws do. Any business meeting the volume thresholds, regardless of overall size or sector, must comply. This prevents the creation of a two-tiered privacy ecosystem where small data brokers and adtech firms operate without oversight.
5. Stronger Enforcement and Private Right of Action
MODPA grants the Maryland Attorney General enforcement authority with significant penalties: up to $10,000 per violation for general infractions and up to $25,000 per violation involving children or sensitive data. While MODPA does not include a full private right of action, it does allow consumers to bring claims related to data breaches caused by a controller's failure to implement reasonable security practices. This hybrid approach balances the risk of frivolous litigation against the need for meaningful accountability.
Why Maryland, and Why Now?
Maryland's move reflects both local political dynamics and broader national trends. The state has a politically active base of privacy advocates, civil liberties organizations, and consumer protection groups who have pushed for comprehensive privacy legislation for years. The passage of MODPA follows a pattern seen in states like California, Colorado, and Virginia: legislatures are stepping in to fill the vacuum left by federal inaction on privacy.
But Maryland's law is also a response to perceived weaknesses in earlier state laws. Privacy advocates have criticized the CCPA and its successors for creating loopholes, exemptions, and overly permissive frameworks that allow business-as-usual data practices with cosmetic changes. MODPA attempts to close many of those loopholes by imposing substantive limits on data collection and use, not just transparency requirements.
The timing is significant. As of October 2025, over a dozen states have passed comprehensive privacy laws, but there is still no federal privacy standard. This patchwork creates compliance challenges for businesses but also opens the door for states to experiment with more ambitious frameworks. Maryland's law is an attempt to raise the floor and influence the national conversation.
Implications for Consumers, Businesses, and Policy
For Consumers
Maryland residents now have some of the strongest digital privacy rights in the country. They can demand to know what data companies hold about them, request deletion, correct inaccuracies, and opt out of targeted advertising and data sales with a single browser setting. The enhanced protections for sensitive data, especially around biometrics, health information, and citizenship status, provide meaningful safeguards against surveillance and profiling.
However, the law's effectiveness depends on enforcement. Privacy laws are only as strong as the political will to enforce them. Maryland's Attorney General will need adequate resources and technical expertise to investigate violations, particularly among smaller data brokers and adtech companies that operate in the shadows.
For Businesses
Compliance with MODPA will require significant investment in data governance infrastructure. Companies will need to conduct data mapping exercises to understand what personal data they collect, where it comes from, how it's used, and where it's stored. They'll need to implement systems to honor universal opt-out signals, manage consent for sensitive data, and respond to consumer requests within statutory timelines.
For businesses operating in multiple states, MODPA adds another layer of complexity to an already fragmented regulatory landscape. Many companies are likely to adopt a "highest common denominator" approach, applying Maryland's stricter requirements nationwide to avoid maintaining separate compliance programs for each state. This could have the paradoxical effect of Maryland's law influencing privacy practices for consumers far beyond its borders.
For National Privacy Policy
MODPA raises the stakes in the debate over federal privacy legislation. Business groups have long argued that a single federal standard would reduce compliance costs and regulatory uncertainty. But Maryland's law demonstrates that states are willing to go much further than Congress has shown appetite for. If Maryland's approach proves popular with consumers and enforceable in practice, it could become a model for other states, or pressure Congress to act.
The law also highlights tensions within the privacy advocacy community. Some groups favor comprehensive federal legislation, even if it means accepting weaker protections in exchange for nationwide coverage and federal preemption of state laws. Others argue that state-level experimentation is valuable and that preemption would lock in industry-friendly compromises. MODPA represents the latter approach: a state-level laboratory testing aggressive privacy protections that might not be politically feasible at the federal level.
Challenges and Open Questions
Despite its strengths, MODPA faces several challenges and leaves some questions unanswered:
Compliance Complexity
The data minimization requirement, while laudable, is vague. What counts as "reasonably necessary" for a given purpose? Will Maryland issue guidance or leave it to case-by-case enforcement? The lack of safe harbors or technical specifications creates legal uncertainty, which could chill beneficial data uses or lead to over-compliance.
Cross-Border Data Flows
MODPA does not address international data transfers, leaving open questions about how Maryland residents' data is protected when sent abroad. In contrast, the EU's GDPR and UK's Data Protection Act impose strict rules on data exports. As state laws proliferate, this gap becomes more glaring.
Lack of Private Right of Action
While MODPA's limited private right of action for data breaches is a step forward, it still relies primarily on government enforcement. Privacy advocates argue that private enforcement through class actions is necessary to hold companies accountable at scale. Without it, MODPA may suffer from the same under-enforcement that plagues other state privacy laws.
Exemptions and Loopholes
MODPA includes several exemptions for regulated entities (e.g., HIPAA-covered entities, financial institutions under GLBA) and for certain types of processing (e.g., national security, public safety, research). These exemptions are standard in state privacy laws but can create significant gaps. For example, health insurers processing genetic data for underwriting might claim a HIPAA exemption, even though that processing raises serious privacy concerns not adequately addressed by HIPAA.
How MODPA Compares to Other State Privacy Laws
Recommendations
For Maryland Residents
For Businesses
For Policymakers in Other States
Conclusion: A Step Forward, But Not the End
Maryland's Online Data Privacy Act is a significant achievement for privacy advocates and a potential turning point in American privacy law. By mandating data minimization, requiring universal opt-out mechanisms, and enhancing protections for sensitive data, MODPA moves beyond the transparency-and-choice framework that has dominated US privacy policy for decades. It recognizes that individuals cannot meaningfully consent to complex data practices and that structural limits on data collection are necessary to protect privacy and prevent surveillance.
But MODPA is not a panacea. It leaves gaps, relies on under-resourced enforcement, and operates within a fragmented state-by-state regulatory landscape. The real test will come in the months and years ahead: Will Maryland's Attorney General vigorously enforce the law? Will businesses comply in good faith or seek workarounds? Will other states follow Maryland's lead or stick with weaker frameworks?
For now, MODPA represents what's possible when privacy advocates, policymakers, and the public demand more than cosmetic reforms. It's a reminder that surveillance capitalism is not inevitable: that we can choose a different path where personal data is treated as something to be protected, not commodified. Whether that path becomes a national standard depends on what happens next.
Update (June 28, 2026)
MODPA's substantive privacy rules went live on October 1, 2025, as planned; the Maryland Attorney General began full enforcement on April 1, 2026, after a six-month grace period, putting the data minimization, universal opt-out, and sensitive-data consent obligations described above on real legal footing. Maryland's privacy regime is now stronger than when this article was first written, but the federal counter-current is also stronger.
On April 13, 2026, the Maryland General Assembly passed the Data Privacy Act (HB 711, with companion SB 504) on a 94-35 House and 28-8 Senate vote. Governor Wes Moore signed the bill and the companion Community Trust Act (SB 791) on April 15. HB 711 prohibits state and local agencies from sharing MVA records, school enrollment data, or public benefit applications with ICE or CBP without a judicial warrant, and bars data brokers from knowingly selling personal data to any government entity engaged in civil immigration enforcement. Civil penalties of up to $1,000 per violation attach to non-compliant agencies, and individual state employees face disciplinary action. The two bills together take effect July 1, 2026.
Maryland is no longer operating alone. Virginia's SB 338 (signed March 2026, effective July 1, 2026) bans the sale of geolocation data without consent; Oregon passed similar protections in 2025; and Connecticut's SB 4 created a state data broker registry with a deletion mechanism. The federal picture, however, has tilted the other way. The Secure Data Act hearing on June 3, 2026 advanced a discussion of federal preemption that could nullify state-level protections like the MODPA sensitive-data consent requirement. Republican state-law preemption bills have also moved through committee, raising the prospect of Congress stripping states of the authority Maryland is now using.
For Maryland residents, the practical implication is that MODPA rights (data access, deletion, correction, opt-out via GPC) are now enforceable and that the state will not hand DMV, school, or benefit records to federal immigration enforcement without a warrant. For other states, the Maryland model is becoming the template for combining a comprehensive privacy law with explicit immigration-data protections. For Congress, it is becoming the test case for whether state privacy laws survive the Trump-era preemption push.
Sources for this update: Maryland General Assembly - HB 711 (Data Privacy Act of 2026); Maryland General Assembly - SB 504 (companion bill); Virginia General Assembly - SB 338 (Geolocation Data); Connecticut General Assembly - SB 4 (Data Broker Registry); IAPP. "Maryland Online Data Privacy Act Enforcement Begins." April 2026.