The data privacy ball keeps on rolling in the US of A. Nebraska and Maryland recently had a good ole’ Big Ten matchup, although this time the battle took place in the legislatures and not on the field. In April, Nebraska and Maryland became the 17th and 18th states (including Florida’s FDBR) to pass comprehensive data privacy laws, American Privacy Rights Act be damned.

The Maryland legislature passed its law, the Maryland Online Data Privacy Act (MODPA) before Nebraska passed its law, the Nebraska Data Privacy Act, but Nebraska’s governor quickly signed the bill into law, while we are still awaiting Maryland governor Wes Moore to do so. Regardless, we’re jumping the gun a bit because there is too much to ignore in MODPA.

While Kentucky’s data privacy law, passed in March, is a virtual carbon copy of Virginia’s VCDPA, and Nebraska’s law heavily resembles Texas’s TDPSA, Maryland has introduced several new aspects that could shake up the data privacy landscape.

Maryland Data Privacy Law at a Glance

One of the first things to jump out about the Maryland data privacy law is its extremely low applicability threshold. For less populated states like Montana and New Hampshire, lowering the typical 100,000-consumer mark makes sense, but in spite of its 6.20 million population, Maryland has opted to go with some of the lowest thresholds seen in the country.

Businesses that operate within Maryland and/or target products or services to state residents, must comply with MODPA if within a calendar year they:

• Control or process personal data of 35,000+ consumers, or
• Control or process the personal data of 10,000+ consumers while deriving more than 20% of gross revenue from the sale of personal data.

In addition to holding the lowest current applicability threshold in the country, the 35,000 figure flies in the face of the proposed APRA, which would set the threshold at 200,000+ consumers. This means MODPA would apply to more small businesses than most other state laws do, which makes its unique provisions even more noteworthy. 

Before we dive into the provisions themselves, once signed, the Maryland Online Data Privacy Act will enter into force on October 1, 2025, roughly 18 months from now. On the timeline of laws passed in 2024, MODPA becomes official before both Nebraska and Kentucky’s laws, but after New Jersey and New Hampshire’s laws.

Where Maryland’s Privacy Law Stands Out

The things to take note of in Maryland’s law? 

• Ban on the sale of sensitive data
• Data minimization requirements
• Expanded categories of sensitive data, particularly around health data
• Strict wording around children’s data
• Impact assessments for algorithms 

Maryland defines sensitive data most similarly to Oregon’s data privacy law, covering:

• Racial/ethnic origin
• National origin
• Religious beliefs
• Sexual orientation
• Sex life
• Status as transgender or nonbinary
• Citizenship/immigration status
• Biometric/genetic data
• Precise geolocation data
• Consumer health data

The main differences between Maryland’s sensitive data categories and Oregon’s is that Maryland does not include mental or physical health conditions or diagnoses, but covers “Sex life” and “consumer health data” while Oregon does not.

The inclusion of consumer health data is noteworthy as only two other states, California and Connecticut, also categorize it as sensitive data (and Connecticut’s initial bill did not even do so, as that was added a year later in an amendment). 

Much of state-level privacy law just ends up being states copying from one another and tweaking certain sections to fit that state’s specific economic factors, but Maryland eschewed that even when crafting definitions. 

MODPA defines consumer health data as a “consumer’s physical or mental health status,” which differs from Connecticut’s “physical or mental health condition or diagnosis” definition. 

All of this, including the minutiae of definitions, is vital here because MODPA bans the sale of sensitive data. That marks the first ever law to do so, which could end up being a seismic shift in American data privacy. 

However, the wording around sensitive data collection and processing within MODPA does complicate things a bit. 

This ties into the bill’s strict stance on data minimization, a topic other state bill’s have punted on or been content to copy and paste over from early adopters. 

Maryland’s data privacy law notes that controllers must limit their data collection to “reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer to whom the data pertains.”

The wording steps up a notch around sensitive data, as controllers may not collect, process or share sensitive personal data unless it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.”

The bill does not further define “strictly necessary” vs “reasonably necessary,” which will create a bit of a gray zone and leave it up to companies to interpret which is which. The ban on the sale of sensitive data, combined with this lack of a distinction, should lead to companies thinking twice about selling any data.

We’ll need to see how this actually unfolds, but it’s a vast difference as much of the current landscape operates on simple opt-outs for personal data collection and opt-ins for sensitive data collection. By taking that burden off consumers’ shoulders and forcing businesses to interpret it, privacy programs are going to have to be much more premeditated about data collection and processing going forward.

Maryland Data Privacy Law Exemptions

Another area where the Maryland Online Data Privacy Act stands out is on exemptions. Slowly, as the country has expanded from 2 to 5 to 13 to 18 states with privacy laws, we’ve seen exemption lists slowly whittled away. 

Maryland carries that further, as the law does not feature exemptions for 

• Nonprofit organizations
• Institutions of higher education
• Pseudonymous data
• HIPAA-covered entities

It does exempt:

• Government and political entities within Maryland
• Health-related data
• GLBA-covered entities
• Insurance-related data

Given the list of exemptions in privacy laws out of Texas and Indiana are nearly a page long, bucking the trend and not including carve outs for typically protected areas like nonprofits and HIPAA further solidifies Maryland as meaning business.

Maryland Consumer Data Rights

One section where Maryland’s regulation does not greatly differ from recent laws like Delaware’s and Oregon’s is the list of rights it provides to residents. 

The list of data rights individuals within Maryland have are:

• Confirm
• Delete
• Correct inaccuracies
• Access
• Revoke consent
• Portability
• Appeal 
• Opt-out of the sale of data or processing for targeted advertising
• To see which third parties a controller has shared the specific consumer’s data with 

The last right was not seen until the end of 2023 when Delaware and Oregon adopted it, and its inclusion here hopefully indicates that the right is picking up steam.

An oddity around MODAP is its either/or language around universal opt-out mechanisms. Users have the right to opt-out of the sale of personal data (while the sale of sensitive data is banned across the board) or processing for profiling or targeted advertising, but where most states allow this through privacy policies and UOOM, Maryland allows companies to choose one to handle consent management.

Data subject rights are exercised on the normal 45-day timeline.

Maryland Data Privacy Law Requirements

Maryland’s data privacy law has these explicit requirements in place:

• Data protection impact assessments (for processing activities)
• Impact assessments for each algorithm in use (a la ADPPA & APRA requirements)
• The aforementioned data minimization principles (which are stricter than the looser definition of data minimization other states use)
• Clear and transparent privacy policies, with clear and easy methods to revoke consent
• A baseline of data security measures
• Data processing agreements
• Extra limitations around children’s data

MODPA takes an extra step to protect children’s data with some interesting wording. It states that a data controller cannot process the personal data for targeted advertising or sell any personal data of a minor, but where other states only cover “known minors,” Maryland takes it further, covering when organizations: “knew or should have known that the consumer is under the age of 18 years.”

The idea that organizations “should have known” someone was a minor adds increased complexity to providing products and services, particularly with the fact that consent does not override these prohibitions. Many have postulated that this could lead to age verification on more websites, which from everyone’s experience hardly solves the problem.

The one-two punch of the explicit requirements and the behind-the-scenes changes that MODPA’s data minimization, sensitive data rules, and expanded limitations around minors’ data could lead to drastic changes within privacy programs across the U.S.

Maryland Data Privacy Law Enforcement

The Maryland Online Data Privacy Acts will enter into force on October 1, 2025, although a 60-day cure period will last until April 1, 2027. The cure period however, is discretionary and not guaranteed, and will sunset in 2027 regardless.

The Attorney General will enforce the law through its Division of Consumer Protection. 

There are no rulemaking abilities within the law and noncompliance carries the typical $7500 fine per violation.

Maryland Data Privacy Law Preparation

As one of the strictest and most unique state privacy laws to pass in the U.S., organizations–including nonprofits–need to make sure they are running a mature privacy program. 

That means continuous, comprehensive data mapping to identify risk, help flag systems that hold sensitive data, and facilitate impact assessments.

Not sure where to start? Get a free, in-depth demo of MineOS’s data mapping and AI asset discovery capabilities to see how we’re boosting privacy programs around the world.