Maryland
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
Maryland's MODPA gives you the right to opt out of data brokers.
What the MODPA does for you
Under the Maryland Online Data Privacy Act (MODPA), you have the right to know what personal data businesses collect about you, correct inaccuracies, request deletion, and opt out of the sale of your data or its use for targeted advertising. You can also get a portable copy of your data and opt out of automated profiling that produces significant decisions about your life. These rights apply to Maryland residents.
Your rights under the MODPA
Right to Know
You have the right to confirm whether a business is processing your personal data and, if so, to access that data. You can also obtain a list of the categories of third parties to whom your personal data has been disclosed.
Exceptions: Does not apply if access would require disclosure of a trade secret; Controller may decline if unable to authenticate the request using commercially reasonable efforts.
Source: Md. Code, Com. Law § 14–4605(B)(1), (2), (6)
Right to Delete
You have the right to require a business to delete personal data it has collected from you or about you.
Exceptions: Does not apply where retention of the personal data is required by law; For data obtained from a source other than the consumer, the controller may comply by retaining a record of the deletion request and minimum data necessary to ensure the data remains deleted.
Source: Md. Code, Com. Law § 14–4605(B)(4)
Right to Correct
You have the right to correct inaccuracies in your personal data, taking into account the nature of the data and the purposes for which it is being processed.
Source: Md. Code, Com. Law § 14–4605(B)(3)
Right to Opt Out of Sales
You have the right to opt out of the sale of your personal data to third parties for monetary or other valuable consideration.
Exceptions: Does not apply to disclosures to processors acting on behalf of a controller; Does not apply to transfers of personal data as part of a merger, acquisition, or similar business transaction; Does not apply where the consumer directs the disclosure.
Source: Md. Code, Com. Law § 14–4605(B)(7)(II)
Right to Opt Out of Processing
You have the right to opt out of the processing of your personal data for targeted advertising — ads selected based on your activities tracked across different websites and apps over time.
Exceptions: Does not apply to context-based advertising not targeted based on cross-site tracking; Does not apply to advertising based on activities within the controller's own websites or apps.
Source: Md. Code, Com. Law § 14–4605(B)(7)(I)
Right to Opt Out of Automated Decisions
You have the right to opt out of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning you, such as decisions about your access to financial services, housing, employment, health care, or other essential goods and services.
Exceptions: Only applies to profiling used for solely automated decisions that produce legal or similarly significant effects.
Source: Md. Code, Com. Law § 14–4605(B)(7)(III)
Right to Data Portability
If a business processes your personal data by automated means, you can request a copy of your data in a portable, readily usable format so you can easily transfer it to another business.
Exceptions: Only applies when processing is done by automatic means; Format must be technically feasible to be readily usable.
Source: Md. Code, Com. Law § 14–4605(B)(5)
Right to Non-Discrimination
A business cannot discriminate against you for exercising any of your privacy rights under this law — for example, by denying you goods or services, charging you different prices, or providing a lower quality of service.
Exceptions: A controller may offer different prices or benefits in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, or club card program, provided that selling personal data is not a condition of participation.
Source: Md. Code, Com. Law § 14–4607(A)(6)
Right to Limit Sensitive Data
You have the right to limit how businesses collect, process, or share your sensitive personal data. Sensitive data includes your racial or ethnic origin, religious beliefs, health data, sex life, sexual orientation, transgender or nonbinary status, national origin, citizenship or immigration status, genetic or biometric data, precise geolocation, and data about children. Businesses generally need your consent before collecting or sharing sensitive data, and they may not sell sensitive data at all.
Exceptions: A controller may collect or process sensitive data without consent where strictly necessary to provide a specific product or service you requested.
Source: Md. Code, Com. Law § 14–4607(A)(1), (2)
How to exercise your rights
- See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
- Submit a MODPA deletion or opt-out request. Covered businesses have 45 days to respond (Md. Code, Com. Law § 14–4605(E)), with up to 45 additional days if they invoke the extension provision.
- Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →
Authorized agents
The MODPA mentions authorized agents only in the context of opt-out requests (Maryland Online Data Privacy Act). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.
Enforcement and penalties
The MODPA is enforced by Maryland Attorney General, Consumer Protection Division. Violations of MODPA are treated as unfair, abusive, or deceptive trade practices under the Maryland Consumer Protection Act and are enforced by the Maryland Attorney General's Consumer Protection Division. The Division may bring enforcement actions and seek penalties under the Maryland Consumer Protection Act. For violations occurring on or before April 1, 2027, the Division may first issue a notice of violation giving the business at least 60 days to cure the problem before taking further action.
Who does the MODPA apply to?
This law applies to businesses that conduct business in Maryland or offer products and services to Maryland residents, AND during the prior calendar year either (1) processed the personal data of at least 35,000 Maryland consumers (excluding data processed solely for completing a payment transaction), or (2) processed data of at least 10,000 consumers and derived more than 20% of gross revenue from selling personal data. Certain entities are exempt, including government bodies, financial institutions subject to the Gramm-Leach-Bliley Act, and most HIPAA-covered health entities.
Frequently asked questions
Does this law apply to every business that has my data?
No. MODPA only covers businesses that conduct business in Maryland or target Maryland residents with their products or services, AND that during the prior year either processed personal data of at least 35,000 Maryland consumers or processed data of at least 10,000 consumers and made more than 20% of their gross revenue from selling personal data (Md. Code, Com. Law § 14–4602). Smaller businesses and many regulated entities like banks and health insurers are exempt.
How long does a business have to respond to my privacy request?
A business must respond to your request within 45 days of receiving it (Md. Code, Com. Law § 14–4605(E)(2)(I)). If your request is complex or you have made multiple requests, the business may extend the deadline by an additional 45 days, but it must notify you of the extension and the reason within the original 45-day window (Md. Code, Com. Law § 14–4605(E)(2)(II)).
Can I use a service like Optery to opt out of data sales on my behalf?
Yes, for opt-out requests you can designate an authorized agent — such as Optery — to act on your behalf (Md. Code, Com. Law § 14–4606(A)). The authorized agent can use browser settings, browser extensions, global device settings, or similar technology to signal your intent to opt out. Note that the authorized agent right under MODPA is specifically limited to opt-out requests; deletion and other rights must be exercised directly by the consumer or a parent/legal guardian.
What happens if a business violates my privacy rights?
Violations of MODPA are treated as unfair, abusive, or deceptive trade practices and can be enforced by the Maryland Attorney General's Consumer Protection Division (Md. Code, Com. Law § 14–4613). For violations occurring on or before April 1, 2027, the Division may first give the business at least 60 days to fix the problem before taking formal enforcement action (Md. Code, Com. Law § 14–4614). There is no private right of action allowing you to sue directly under this law, though other legal remedies may still be available.
Does MODPA protect my health data in special ways?
Yes. MODPA treats consumer health data — including data related to gender-affirming treatment and reproductive or sexual health care — as sensitive data that requires your consent before a business may collect, process, or share it (Md. Code, Com. Law § 14–4607(A)(1)). Businesses are also prohibited from using geofencing technology within 1,750 feet of a mental health facility or reproductive or sexual health facility to track or collect consumer health data (Md. Code, Com. Law § 14–4604(3)).