Nearly two years after Governor Wes Moore signed the Maryland Online Data Privacy Act (or MODPA), the next milestone some organizations have been anticipating since 2024 is right around the corner.
We covered some details of MODPA in October 2025, mostly regarding who the law affects and which organizations the law applies to. As the enforcement date quickly approaches, we would like to recap and include some additional details to help applicable organizations address remaining questions.
MODPA strengthens online data privacy protections for Maryland residents, both by imposing new compliance requirements on applicable organizations that handle personal consumer data and by granting consumers new rights. The law aims to curb exploitation and expand consumer control over personal data by granting new rights to access, delete, correct, and opt out of certain uses of their data, and by regulating how organizations (“controllers” and “processors”) collect, use, and share the personal data of Maryland residents. Maryland is one of many states with a data privacy law; however, MODPA establishes one of the strictest state-level consumer data privacy frameworks in the United States.
Applicable organizations were required to have a compliance program in place as of the first stage of MODPA, which took effect on October 1, 2025. Starting on April 1, 2026, organizations subject to MODPA’s regulations will be required to comply with the new guidelines for handling personal data.
As part of the April 1 enforcement date, Maryland residents will gain several actionable rights regarding their personal data that organizations will need to keep top of mind. This includes the right to:
Consumers are also granted the right to opt out of:
MODPA is enforced exclusively by the Consumer Protection Division of the Maryland Attorney General’s Office, and violations will be treated as unfair or deceptive trade practices. Civil penalties for violations are as follows:
To help organizations prepare for regulatory enforcement, below is a quick checklist. According to MODPA, organizations need to ensure they have the following in place where a privacy notice applies.
Applicable organizations are required to provide a clear, accessible, and meaningful privacy notice that includes:
In addition to privacy notice guidelines, MODPA also requires applicable organizations to:
For more details on consumer rights, definitions such as “controller” and “processor,” and more detailed information regarding regulations applicable to businesses and consumer rights, see the full text of the law here.
***DISCLAIMER: The checklists above are intended as a quick reference to assist organizations with review and preparation. They are not intended as an authoritative and/or complete and comprehensive list of all responsibilities in all scenarios. Controllers should work with their legal counsel and review the original and full text of the law to determine when and how a privacy notice should be implemented to ensure compliance.
Many states have been adopting comprehensive privacy laws, with more states expected to adopt similar laws in 2026, including Kentucky and Rhode Island. However, Maryland’s law stands out with its combination of lower applicability thresholds and particularly strong protections for sensitive data compared to some other state-level data privacy laws.
While regulations for MODPA are strict, it does allow a 60-day cure period for organizations to acclimate. Employers that do not correct violations within this period may be subject to penalties. It is important for organizations to note that this provided cure period ends on April 1, 2027. After this date, cure periods become discretionary, meaning that the Consumer Protection Division of the Maryland Attorney General’s Office will be able to take immediate action with no cure period.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.