Maryland’s New Online Data Privacy Law
Maryland’s General Assembly has officially rolled out House Bill 567, the new online data privacy protection act, also known as “MODPA.” This law went into effect October 1, 2025, and although the legislation was first proposed back in May 2024, enforcement on personal data processing activities won’t begin until April 1, 2026. This gives businesses some time to update and adjust any data practices that aren’t already aligned with the new expectations and legal standards, but it would be wise to begin strategizing and implementing the required functionality now to ensure a smooth transition to compliance.
MODPA represents forward progress for Maryland’s residents and online consumers as it gives them increased control over their personal data. With the implementation of the law’s requirements, users gain greater visibility into where their personal data resides and a better understanding of how organizations use it on a day-to-day basis.
Below you’ll find a breakdown of what MODPA is all about, how it’s already shaped business practices within the first few months of being in force, and what this significant new law means for everyday users.
What does Maryland’s New Privacy Law Actually Do?

Under MODPA, consumers have new rights that are meant to enhance privacy protections and hold organizations accountable for how they collect, use, and store personal data on a regular basis.
The key rights consumers may now exercise, as noted by Governor Moore, are:
- The right to access or request their personal data. Consumers may request access to any personal data collected by an organization once a year for free. “If a controller is processing a consumer’s personal data,” the user has the right to “access the consumer’s personal data” (page 17).
- This shift forces organizations to be more transparent about their intentions and helps consumers understand what sort of information is being stored.
- The right to correct or delete their personal data. Maryland residents may also “correct inaccuracies in the consumer’s personal data,” or “delete personal data provided by, obtained about, the consumer” (page 18).
- Unless the personal data is legally required, users may request to delete, update, or correct their sensitive information. This reinforces the importance of implementing and maintaining proper data retention periods to avoid keeping information longer than needed and supports timely fulfillment of any deletion request, while also keeping consumer consent as a top priority.
- The right to opt out of sale/sharing and profiling of their personal data. Consumers can opt out of “any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal sent, with the consumer’s consent” (page 26).
- This gives users more of a choice in how their information is used and the right to prevent having their personal data processed for targeted ads or sold to third parties. Organizations are required to offer a clear, easily accessible opt-out method for consumers to decide on and agree to.
- The right to understand why their personal data is being collected and how it’s being used. MODPA proposes data minimization requirements, suggesting businesses can only collect the “minimum data necessary for the purpose of ensuring that the consumer’s personal data: (I) remains deleted from the controller’s records; (II) is not being used for any other purpose” (pages 20-21).
- Organizations are required to limit the amount of data collected to only what is necessary for a specific purpose and must clearly explain why they may need it, how information is being used, who it’s being shared with, and proof of data deletion. Data must not be used for other purposes beyond what it is being collected for, and practices will need to be clarified and disclosed to customers about data usage on an ongoing basis.
These changes are crucial in today’s digital landscape, where personal data is often mishandled, overcollected, and/or used for profit without the consumer’s prior consent or knowledge. MODPA empowers Maryland residents to take back control of their information and holds organizations accountable for adopting and maintaining responsible data practices moving forward.
How MODPA Impacts Organizations & Shapes Compliance Requirements Now & in 2026
Maryland’s privacy law applies at lower thresholds than many other U.S. state privacy laws, broadening the range of organizations required to comply. Organizations that fall under MODPA are:
- Businesses operating within the state or that provide any services or products targeted at Maryland residents;
- Organizations that control or process the personal data of at least 35,000 consumers annually (excluding data used solely for payment transactions); and/or
- Organizations that control or process personal data from at least 10,000 consumers and derive more than 20% of their gross revenue from selling personal data (page 13).
Any business that falls under this set of criteria is responsible for abiding by and complying with MODPA to operate legally within the state of Maryland.
In addition to those who must follow the law, MODPA also highlights specific standards and responsibilities for how data handlers or “controllers” must manage their consumer data. Below are several compliance requirements, as highlighted by Governor Wes Moore (pages 22-23, 30-31):
- Organizations cannot collect, process, or share a consumer’s sensitive data unless it is “strictly necessary” to provide or maintain a product or service the consumer has requested.
- A controller must implement and maintain administrative, technical, and physical security practices to protect the confidentiality of personal data and ensure that consumers can decline or withdraw consent easily and clearly.
- Businesses cannot discriminate against consumers for exercising their privacy rights, nor can they collect, use, or share personal or publicly available data in a way that unlawfully discriminates or restricts equal access to goods or services based on:
- Race, color, religion, national origin, gender, or disability.
- Limited exceptions only apply to data that is collected specifically for the controller’s own lawful testing to prevent discrimination, efforts to diversify applicants or customer pools, and lastly data pertaining to a private club or group that is not open to the public defined under federal law.
- Controllers are not allowed to process personal data for the purposes of targeted advertising if the consumer is under the age of 18 years old.
- Controllers cannot sell sensitive personal data and are required to obtain consent before processing.
- If a consumer revokes consent and submits a request, the organization must stop processing personal data within 30 days or less.
- Businesses are expected to regularly conduct and document data protection assessments for each high-risk processing activity, such as targeted ads, data sales (if allowed), and the handling of sensitive information. This requirement also includes an assessment for every algorithm an organization uses in high-risk processing.
- This includes reviewing each system used to identify emerging risks and weigh them against potential benefits for consumers. This process helps to effectively inform and protect users while also making sure data is handled with care.
Organizations that are exempt from having to comply with MODPA are:
- State government agencies, courts, and other similar public institutions.
- National securities and registered futures associations designated in accordance with the Federal Commodity Exchange Act.
- Financial institutions that fall under the Gramm–Leach–Bliley Act (GLBA).
- Specific nonprofit groups that process and share data to support law enforcement with criminal or fraudulent investigations or assist emergency first responders in devastating events. This is a notably narrower exemption compared to many current U.S. state privacy laws.
- Information or data already covered by federal laws, including HIPAA, the federal Fair Credit Reporting Act (FCRA), the federal Driver’s Privacy Protection Act (DPPA), the federal Family Educational Rights and Privacy Act (FERPA), and other comparable regulations and laws.
Organizations that are subject to MODPA must follow and comply with the criteria carefully. These requirements are extensive, detailed, and not to be taken lightly: failing to comply can lead to tremendous fines and enforcement actions.

Penalties for Not Complying with MODPA
According to Maryland Attorney General Anthony G. Brown, an organization that fails to comply with MODPA may face a penalty of up to $10,000 for each violation, as well as a hefty civil penalty of up to $25,000 for any repeat offenses.
The Attorney General may also “seek injunctive relief, restitution, economic damages, and disgorgement,” ordering businesses to stop their unlawful practices, compensate consumers harmed by misconduct, and forfeit any profit gained through non-compliance with MODPA. In other words, the Attorney General has latitude to pursue further enforcement penalties that can have real and serious economic and brand reputation consequences for non-compliant organizations.
Conclusion & Takeaways
As enforcement approaches in 2026, online users and Maryland residents will likely be taking advantage of their newly granted rights and the increased transparency the law provides. Throughout the early drafting stages of this regulation, MODPA increased expectations and set new standards which businesses must now meet to accurately achieve compliance, maintain accountability with consumers, and uphold responsible data practices moving forward.
With MODPA comes the potential for even more states to adopt similar measures and refine their laws for the betterment of their consumers. The map below illustrates U.S. states with comprehensive state privacy laws in place.

This image underscores the uneven landscape of state consumer data protection laws across the country and the likely trend for more states to enact privacy rights for their consumers in the coming months and years. Maryland’s approach now serves as one of the most recent examples of how states have been prioritizing, and will likely continue to prioritize, robust privacy standards to protect their residents.
Next Steps:
To comply with Maryland’s new requirements, organizations should review their privacy notices, evaluate current privacy risk assessment practices, and assess their overall data management. Stay tuned for updates on future developments as more and more U.S. states work to pass similar legislation.
Need more guidance?
Reach out to our privacy experts at Myna for any questions or concerns. We’re happy to help guide you through these new regulations, assess your current data practices, and support your business as you prepare for 2026.
References
Image 1: Google Images
Image 2 & Penalties: Data Privacy in Maryland – Resources & Info – Office of the Attorney General of Maryland
Image 3: US State Privacy Legislation Tracker
Maryland’s New Online Data Privacy Act: 2024 Regular Session – House Bill 567 Chapter