Maryland Privacy Law

Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.

Maryland Governor Wes Moore signed the Maryland Consumer Data Privacy Act (HF 4757 / SF 4782), (the “Maryland Online Data Privacy Act” or “MODPA”) into law on May 9, 2024. The MODPA’s main provisions become effective on October 1, 2025.

The Maryland law creates obligations on “controllers” and “processors” of personal data; defined as a person that, alone or jointly with others, determines the purposes and means of processing personal data, and the person that processes personal data on behalf of a controller, respectively.

Controllers and processors subject to the MODPA are any persons who conduct business in Maryland, or who produce a product or offer a service to Maryland residents, and satisfies one or more of the following: (1) controls or processes personal data of 35,000 or more “consumers” (defined as Maryland residents, but does not include an individual acting in a commercial or employment context) in a calendar year, excluding personal data processed solely for the purpose of completing a payment transaction; or (2) derives over 20% of gross revenue from the sale of personal data and processed or controlled the personal data of 10,000 or more consumers.

Information and data exempt from the MODPA include, among other types, personal data subject to regulation under the FCRA, HIPAA, and GLBA.  

Controllers have the following obligations under the MODPA:

  • Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice which specifies: (i) the categories of personal data processed; (ii) the purposes for which the personal data is processed; (iii) the categories of personal data that the controller shares with third parties; (iv) how consumers may exercise their rights, including how a consumer may appeal a controller’s decision on his/her request; (v) an active email address or other online mechanism the consumer may use to contact the controller; and (vi) a disclosure if the controller sells personal data to third parties or processes personal data for targeted advertising or profiling.
  • Restraint: controllers shall limit the controller’s collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.
  • Security: take reasonable measures to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of the personal data appropriate to the volume and nature of the personal data at issue.
  • Rights Request Mechanism: controllers must provide an effective means by which a consumer may exercise the consumer’s rights and establish a process for the consumer to appeal the controller’s decision on the consumer’s request.

Consumer rights under the MODPA include the right to:

  • Confirm whether a controller processes personal data concerning the consumer and accesses the consumer’s personal data and allow the consumer to obtain a copy of the consumer’s personal data that the controller has processed or is processing;
  • Require a controller to correct inaccuracies in personal data about the consumer;
  • Require a controller to delete personal data concerning the consumer;
  • Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer in furtherance of decisions made by the controller that produce legal effects or effects of similar significance for the consumer, through a universal opt-out mechanism.

Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.

Like the privacy laws in Utah and Iowa, the MODPA does not provide a private right of action, with violations exclusively enforceable by the Maryland Attorney General’s office. Controllers are allowed a 60-day period to cure alleged violations before an enforcement action may proceed, the outcome of which may result in civil penalties of up to $10,000 per violation and $25,000 per violation for repeated violations.

Have more Questions?