Nearly two years after Governor Wes Moore signed the Maryland Online Data Privacy Act (or MODPA), the next milestone some organizations have been anticipating since 2024 is right around the corner.
We covered some details of MODPA in October 2025, mostly regarding who the law affects and which organizations the law applies to. As the enforcement date quickly approaches, we would like to recap and include some additional details to help applicable organizations address remaining questions.
A quick recap of MODPA
MODPA strengthens online data privacy protections for Maryland residents, both by imposing new compliance requirements on applicable organizations that handle personal consumer data and by granting consumers new rights. The law aims to curb exploitation and expand consumer control over personal data by granting new rights to access, delete, correct, and opt out of certain uses of their data, and by regulating how organizations (“controllers” and “processors”) collect, use, and share the personal data of Maryland residents. Maryland is one of many states with a data privacy law; however, MODPA establishes one of the strictest state-level consumer data privacy frameworks in the United States.
Applicable organizations were required to have a compliance program in place as of the first stage of MODPA, which took effect on October 1, 2025. Starting on April 1, 2026, organizations subject to MODPA’s regulations will be required to comply with the new guidelines for handling personal data.
Rights granted to consumers
As part of the April 1 enforcement date, Maryland residents will gain several actionable rights regarding their personal data that organizations will need to keep top of mind. This includes the right to:
- Access personal data collected
- Correct inaccuracies in their personal data
- Delete personal data
- Obtain a copy of their personal data
Consumers are also granted the right to opt out of:
- Targeted advertising
- The sale of personal data
- Certain profiling activities
Enforcement and penalties
MODPA is enforced exclusively by the Consumer Protection Division of the Maryland Attorney General’s Office, and violations will be treated as unfair or deceptive trade practices. Civil penalties for violations are as follows:
- Up to $10,000 per violation
- Up to $25,000 for repeat violations
Privacy notice checklist for applicable organizations
To help organizations prepare for regulatory enforcement, below is a quick checklist. According to MODPA, organizations need to ensure they have the following in place where a privacy notice applies.
Applicable organizations are required to provide a clear, accessible, and meaningful privacy notice that includes:
- The categories of data being processed and collected
- The purpose of processing the data
- Consumer rights under MODPA
- Categories of parties that data is being shared with, and how the data is being used by each party.
- An active email or online opt-out mechanism that can be used to easily contact the controller, without requiring the consumer to create a new account to exercise their rights.
- Consideration of how consumers normally interact with the controller, a secure means of communication as needed with the controller, and the ability for the controller to verify the identity of the consumer making the request.
A quick overview of other responsibilities
In addition to privacy notice guidelines, MODPA also requires applicable organizations to:
- Maintain reasonable data security safeguards
- Avoid discrimination against consumers who exercise their rights
- Refrain from selling sensitive personal data
- Limit data collection to what is reasonably necessary and proportionate
- Implement and honor Universal Opt‑Out Mechanisms (UOOMs), and
- Conduct data protection assessments for high‑risk processing, including:
- Targeted advertising
- Sale of personal data
- Sensitive data processing
- Profiling activities
For more details on consumer rights, definitions such as “controller” and “processor,” and more detailed information regarding regulations applicable to businesses and consumer rights, see the full text of the law here.
***DISCLAIMER: The checklists above are intended as a quick reference to assist organizations with review and preparation. They are not intended as an authoritative and/or complete and comprehensive list of all responsibilities in all scenarios. Controllers should work with their legal counsel and review the original and full text of the law to determine when and how a privacy notice should be implemented to ensure compliance.
Mandatory cure period until April 1, 2027
Many states have been adopting comprehensive privacy laws, with more states expected to adopt similar laws in 2026, including Kentucky and Rhode Island. However, Maryland’s law stands out with its combination of lower applicability thresholds and particularly strong protections for sensitive data compared to some other state-level data privacy laws.
While regulations for MODPA are strict, it does allow a 60-day cure period for organizations to acclimate. Employers that do not correct violations within this period may be subject to penalties. It is important for organizations to note that this provided cure period ends on April 1, 2027. After this date, cure periods become discretionary, meaning that the Consumer Protection Division of the Maryland Attorney General’s Office will be able to take immediate action with no cure period.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.
