The Maryland Online Data Privacy Act (MODPA) went into effect on October 1, 2025, making Maryland the eighth state this year to adopt a comprehensive privacy law and bringing the total number of states with their own comprehensive privacy laws to 20. For businesses operating in Maryland — or handling Maryland residents’ data — the bar for compliance just got even higher.

Here’s what you need to know:

1. Expands Definition of Minors

MODPA expands the definition of a child to anyone under 18, compared with the Children’s Online Privacy Protection Act (COPPA) under-13 standard. Maryland also applies a broader standard than COPPA’s “actual knowledge” requirement: companies are now responsible if they “should have known” a user is under 18.

2. Stricter Protections for Minors

The law outright bans the use of minors’ personal data for advertising (regardless of parental consent!).

3. Limits on Sensitive Data

Under MODPA, sensitive data includes personal information that reveals racial or ethnic origin, religious beliefs, health status, gender-affirming or reproductive care, sexual orientation, transgender or non-binary status, citizenship or immigration details, genetic or biometric data, geolocation, and data from children. This covers two main categories: information about minors, which is automatically considered sensitive, and other personal data that requires careful protection.

Selling sensitive data is prohibited altogether. Collecting, processing, or sharing sensitive data is only allowed when strictly necessary to provide a service the consumer requested. MODPA also expands the definition of biometric data to include any information that can be used to uniquely authenticate a consumer’s identity, not just data intended for that purpose. This broader scope means more types of data — like avatars or smart glasses data — fall under the law’s sensitive data protections.

The law includes strict data minimization requirements, directing businesses to collect only the personal data that is reasonably necessary and proportionate to provide the specific product or service requested by the consumer. This is a tighter standard than in most other U.S. state privacy laws, underscoring the importance of evaluating whether each piece of data collected is truly necessary.

4. Consumer Rights Under Maryland’s Privacy Law

In addition to the protections for sensitive data, Maryland’s law also grants consumers a set of rights common to many U.S. privacy laws. Consumers can:

  • Request a copy of the personal information a company holds about them.
  • Correct any inaccuracies in their data.
  • Request deletion of their data.
  • Obtain a list of third parties with whom their data has been shared.
  • Opt out of the sale of their personal information.

These rights align Maryland with other state privacy laws and emphasize transparency and control for individuals over how their data is collected and used (White & Case US Data Privacy Guide).

5. Tougher Penalties

Non-compliance comes with serious consequences. MODPA imposes penalties of up to $10,000 for initial violations and $25,000 for repeat offenses. These penalties are higher than those under other state laws. Notably, each user affected counts as a separate violation! This makes compliance absolutely essential for any company handling personal data.

6. Mandatory Privacy Impact Assessments

Businesses must now conduct privacy risk assessments for activities that could pose heightened risks to individuals. This specifically includes the use of algorithms, which MODPA calls out directly. What’s been “best practice” elsewhere is now a legal requirement here.

The Bottom Line

This new law signals a trend toward rising expectations nationwide. Not only does this legislation strengthen existing data requirements, it also adds new ones. Complying with MODPA isn’t just about avoiding penalties — it’s about protecting your users and doing the right thing. This law sets a standard to ensure that minors and sensitive personal data are treated with care. By following these rules, your organization adheres to best practices, builds trust with customers, and positions itself ahead of future privacy regulations.

At Common Sense Privacy, we’re passionate about helping organizations stay current with evolving privacy regulations and helping companies implement best practices. Schedule a consultation today to learn how our software can help protect your business and your users.