Data privacy has been a recurring hot topic this year, with Utah, Minnesota, Montana, and several others passing or updating legislation regarding consumer data management and reporting regulations. Maryland has been on the list since the beginning of 2024 with Senate Bill 541 (SB0541), signed into law by Governor Wes Moore on May 9, 2024. The Maryland Online Data Privacy Act (MODPA), which took effect on October 1, 2025, will apply to personal data processing activities conducted after April 1, 2026.
What is the Maryland Online Data Privacy Act, who does it apply to, and what requirements and implementation parameters do employers need to know about? We’ll answer all these questions below, plus some insight into what SB0541 could mean for Maryland job seekers and employers.
Maryland Online Data Privacy Act explained
The MODPA is a consumer protection bill intended to provide comprehensive online data privacy protections for Maryland residents by enforcing substantial new compliance responsibilities for companies based in the state that handle consumer personal data. With SB0541 in effect, consumers will have the right to access their personal data, request the deletion of their data, correct inaccuracies, opt out of data processing for purposes like targeted advertising, and several other rights.
Who is affected?
SB0541 applies to organizations that (1) conduct business in Maryland, or (2) provide services or products that target Maryland residents, and meet one of the following thresholds in the preceding calendar year:
- Controlled or processed the personal data of at least 35,000 Maryland consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction
- Controlled or processed the personal data of at least 10,000 Maryland consumers and derived more than 20% of their gross revenue from the sale of personal data
The law implementation timeline provides companies with a grace period to prepare their processes for compliance.
Important dates to note
MODPA’s implementation calls for a few important dates that companies should keep in mind:
- October 1, 2025: The law goes into effect, and all covered businesses must implement MODPA’s requirements.
- April 1, 2026: Enforcement begins. Regulatory actions will only apply to collection and processing activities that happen after this date. The Attorney General may provide an opportunity to cure the infraction.
- April 1, 2027: The optional cure period. The law will be fully enforced under the Maryland Consumer Protection Act, which allows for statutory damages in civil enforcement actions by the Attorney General.
New requirements explained
As of October 1, 2025, organizations that are considered controllers of Marylanders’ consumer data are required to observe the following requirements:
Data protection assessments:
Controllers of consumer data are required to regularly complete a data protection assessment (DPA) for each activity that presents a heightened risk of harm to a consumer, including a calculation for each algorithm used. The DPA requires an analysis of potential risks to consumers and the safeguards in place to address those risks, as well as an evaluation of the necessity and proportionality of the processing relative to its stated purpose, among other requirements.
Data minimization:
Under MODPA, controllers of consumer data must “limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” Because this data minimization standard is different from the standards adopted in other states' online data privacy laws, it may present unique compliance challenges depending on how it is implemented.
Notice requirements:
Organizations controlling consumer data must also provide consumers with a reasonably accessible, clear, and meaningful privacy notice that explains what categories of personal data the controller is processing, plus their reason for processing that data.
Enforcement
The Maryland Office of the Attorney General and the Division of Consumer Protection have exclusive enforcement authority over MODPA. Although it does not provide for a new private right of action to be brought by a consumer, the law does not prevent a consumer from “pursuing any other remedy provided by law.”
If a data controller wishes to apply to cure a violation of the Act, MODPA allows 60 days after a notice of violation for an opportunity to do so before initiating an enforcement action. Ultimately, the Division of Consumer Protection holds the authority to determine whether a data controller should be given the option to cure a violation.
Looking ahead
With this recent legislation in place, employers can expect to ramp up their compliance practices to ensure they remain in line with requirements. Additionally, organizations should consider how these laws can impact their management of candidate information during the screening and onboarding processes. Sealed or redacted information could potentially lead to broader searches and delays in results.
Organizations, candidates, and consumers benefit from being aware of internal data management practices and staying informed on changing privacy regulations. Employers should consult with their legal counsel to ensure compliance before taking any action.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.
