Maryland

Comprehensive Privacy Law

Maryland has enacted the Maryland Online Data Privacy Act (MODPA), making it the 17th state to pass comprehensive consumer data privacy legislation[1][2]. Governor Wes Moore signed Senate Bill 541 into law on May 9, 2024, establishing some of the strongest data protection requirements in the United States[3][4]. The law creates extensive consumer rights and places strict obligations on businesses that collect and process personal data from Maryland residents.

Legislative Activity

The Maryland Legislature passed Senate Bill 541 on April 6, 2024, followed by companion House Bill 567 on April 8, 2024[5]. The legislation received bipartisan support and was designed to address growing concerns about big tech data exploitation and provide Maryland consumers with meaningful control over their personal information[3]. The law includes unique provisions that set Maryland apart from other state privacy laws, particularly regarding data minimization and sensitive data protection.

Implementation Timeline

MODPA will take effect on October 1, 2025, giving businesses over a year to prepare for compliance[1][6]. However, the law specifically states it will not apply to any personal data processing activities that occurred before April 1, 2026[1][7]. Until April 1, 2027, the Maryland Attorney General may offer businesses a 60-day cure period to fix violations before pursuing enforcement action[8][9].

Your Rights as a Maryland Resident

Starting October 1, 2025, Maryland residents will have comprehensive rights regarding their personal data held by businesses operating in the state.

Right to know what data is collected: You can confirm whether a company is processing your personal data and request access to see exactly what information they have about you[4][6]
Right to delete personal information: You can require companies to delete personal data they have collected about you, unless they are legally required to retain it[4][7]
Right to opt out of data sales: You can prevent companies from selling your personal information to third parties, and they must honor universal opt-out signals like Global Privacy Control[2][10]
Right to correct inaccurate data: You can request that companies fix errors in your personal information, considering the nature of the data and how it’s being used[4][7]
Right to data portability: When data processing is automated, you can obtain a copy of your personal data in a portable format[4][6]
Right to non-discrimination: Companies cannot discriminate against you for exercising any of these privacy rights[2][10]

Maryland’s law provides stronger protections for sensitive data than most other states, requiring companies to obtain explicit consent before processing information about your health, race, religion, sexual orientation, or precise location within 1,750 feet[10][7].

Business Requirements

Companies that must comply: Businesses conducting business in Maryland or targeting Maryland residents that process personal data of at least 35,000 consumers, or 10,000+ consumers while deriving over 20% revenue from data sales[1][8]
Data minimization obligations: Companies can only collect personal data that is “reasonably necessary and proportionate” to provide a specific product or service requested by the consumer[11][12]
Sensitive data restrictions: Businesses cannot sell sensitive personal data under any circumstances and can only process it when “strictly necessary” for requested services[10][11]
Consumer request procedures: Companies must establish secure and reliable methods for consumers to exercise their rights and respond within specified timeframes[4][10]
Universal opt-out mechanisms: Businesses must recognize and honor universal opt-out signals, including those approved by other states[2][10]
Data protection assessments: Companies must conduct impact assessments for data processing that presents heightened risk of consumer harm[2][8]

Practical Impact

Daily life protections: The law limits how companies can collect your data when you shop online, use apps, or browse websites, requiring they only gather information truly necessary for the service you requested[3][11]
Enhanced sensitive data security: Your health information, location data, and other sensitive details receive extra protection, with companies prohibited from selling this information regardless of consent[10][7]
Violation reporting process: If you believe a company has violated your privacy rights, you can file a complaint with the Maryland Attorney General’s Consumer Protection Division, which has exclusive enforcement authority[8][13]
Legal limitations: You cannot sue companies directly under this law, though you may pursue other legal remedies available under different laws[8][14]
Enforcement uncertainty: Since the law contains no rulemaking provision, the practical application of some requirements may remain unclear until enforcement actions begin[14]

Comparison Context

Stricter than most states: Maryland’s data minimization requirements are more restrictive than other state privacy laws, potentially setting a new national standard for consumer protection[11][12]
Lower business thresholds: With a 35,000 consumer threshold, Maryland’s law applies to more businesses than most other state privacy laws, which typically require processing 100,000+ consumers[4][14]
Unique sensitive data approach: Unlike other states that rely primarily on consent, Maryland prohibits the sale of sensitive data entirely and requires “strict necessity” for processing[7][11]
Missing elements: Maryland lacks some protections found in other states, such as full exemptions for nonprofits and educational institutions, and provides no private right of action for consumers[8][14]

Action Steps for Residents

Prepare for October 2025: Stay informed about the law’s implementation and begin identifying which companies may be subject to MODPA requirements based on your interactions with them
Enable privacy controls: Configure your browsers and devices to send universal opt-out signals like Global Privacy Control, which Maryland businesses will be required to honor[2][10]
Document privacy violations: Keep records of any suspected violations of your privacy rights to support potential complaints with the Attorney General’s office
Contact legislators: Engage with your state representatives about privacy issues and potential improvements to the law as implementation approaches
Monitor enforcement: Watch for guidance from the Maryland Attorney General’s Consumer Protection Division as they develop enforcement practices for the new law

Official Resources and Contact Information

Maryland Legislature

Contact your state legislators to provide input on privacy legislation or express concerns about data protection issues. You can find your specific representatives using the Maryland Association of Counties interactive map at https://www.mdcounties.org/69/Contact-Your-Legislator. All legislators can be reached toll-free from anywhere in Maryland at 1-800-492-7122, or from Baltimore Metro at 410-841-XXXX, or Washington Metro at 301-858-XXXX[15].

Consumer Protection and Privacy Violations

The Maryland Attorney General’s Consumer Protection Division has exclusive authority to enforce MODPA. To file complaints about privacy violations or unfair business practices, contact:

Consumer Protection Division Hotlines:

Consumer Hotline: 410-528-8662 or toll-free 1-888-743-0023
Health-related complaints: 410-528-1840 or toll-free 1-877-261-8807
Spanish language assistance: 410-230-1712
Online complaint form: www.marylandattorneygeneral.gov [13][16]

Legislative Information

For information about current and proposed privacy legislation, contact the Maryland General Assembly at 410-841-3000 or 301-858-3000. General Assembly information is available online, and you can track bill status and committee activities through official legislative resources[15].

The Consumer Protection Division provides mediation services and can investigate companies for violations of Maryland consumer protection laws. Hotlines operate Monday through Friday, 10:00 AM to 2:00 PM, except holidays[16][17].

Sources and Citations

[1] consumerfsblog.com/2024/05/maryland-enacts-expansive-comprehensive-consumer-data-privacy-law/

[2] www.whitecase.com/insight-alert/maryland-enacts-comprehensive-data-privacy-law

[3] www.ketch.com/regulatory-compliance/maryland-online-data-privacy-act-modpa

[4] www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240521-maryland-and-nebraska-adopt-comprehensive-privacy-laws

[5] www.mcdonaldhopkins.com/insights/news/maryland-legislature-passes-comprehensive-data-privacy-law

[6] www.smwpa.com/maryland-online-data-privacy-act-goes-into-effect-this-october/

[7] www.mwe.com/insights/maryland-joins-growing-ranks-and-passes-its-own-consumer-data-privacy-law/

[8] www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2024/08/maryland-online-data-privacy-act–an-overview.html

[9] www.dlapiper.com/en/insights/publications/2024/07/us-maryland-online-data-privacy-act-summary-and-comparative-analysis

[10] www.cookieyes.com/blog/maryland-online-data-privacy-act-modpa/

[11] www.datagrail.io/blog/data-privacy/why-marylands-new-privacy-law-could-be-the-strictest-in-the-us/

[12] calawyers.org/privacy-law/differing-data-minimization-standards-comparing-californias-ccpa-and-marylands-modpa/

[13] www.marylandattorneygeneral.gov/CPD%20Documents/Tips-Publications/Consumer_Guide_to_Protecting_Privacy.pdf

[14] www.blankrome.com/publications/maryland-passes-unique-and-operationally-challenging-privacy-law

[15] www.mdcounties.org/69/Contact-Your-Legislator

[16] www.peoples-law.org/filing-consumer-complaint

[17] insurance.maryland.gov/Consumer/Documents/agencyhearings/Virtual-Government-Agency-Day-slides.pdf

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.