Maryland’s new data privacy law, the Maryland Online Data Privacy Act (MODPA), signals a potential shift in nationwide compliance requirements. Signed into law on May 9, 2024, and taking effect on October 1, 2025 (it applies to processing activities from April 1, 2026), MODPA establishes stringent standards for how businesses collect, process, and protect the personal data of Maryland consumers. It aims to create robust consumer data protection, focusing on user privacy and accountability, and sets a high benchmark for state privacy legislation.
MODPA applies not only to businesses operating within Maryland but also to those that offer products or services targeted to Maryland residents, provided they meet its applicability thresholds. This creates a ripple effect that may influence legislative trends across the United States: as more states observe the framework MODPA establishes, similar laws are likely to follow, adding to the growing patchwork of state privacy laws.
For businesses, this makes rethinking data privacy strategy more urgent than ever. The evolving privacy landscape demands a scalable, proactive approach to compliance, and executives must stay ahead of these changes so their businesses can navigate the varying state regulations effectively.
MODPA refines and tightens existing state frameworks rather than merely copying them. While it shares a great deal with the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA), MODPA imposes stricter substantive requirements and lower applicability thresholds, placing it on the stricter end of the regulatory spectrum.
One notable feature of MODPA is its broad scope: it applies to businesses that control or process the personal data of at least 35,000 consumers (excluding data processed solely to complete payment transactions), or of at least 10,000 consumers where the business derives more than 20 percent of its gross revenue from selling personal data. The 35,000-consumer threshold is well below that of states such as Colorado (100,000), so MODPA reaches a larger number of businesses. MODPA’s data minimization standard also requires companies to collect only the personal data reasonably necessary and proportionate to provide or maintain a specific product or service the consumer has requested.
MODPA also stands out for its rigid directives on sensitive data, which includes health data, racial or ethnic origin, genetic and biometric data, and precise geolocation. It prohibits the sale of sensitive data outright, with no consent exception, and permits its collection and processing only when strictly necessary to provide or maintain a specific product or service the consumer has requested. The law also strengthens protections for minors, prohibiting the sale of personal data and targeted advertising where the controller knew or should have known the consumer is under 18. Together, these provisions impose robust obligations on controllers and processors and reinforce consumer rights and accountability.
Despite its unique features, MODPA shares a great deal with other state privacy laws. It grants consumers the right to access their personal data, correct inaccuracies, request deletion, and obtain a list of the categories of third parties to which their data has been disclosed. These rights promote transparency in data processing and give consumers greater control over their personal information.
Alongside these rights, MODPA requires data protection assessments for higher-risk processing. Businesses must regularly evaluate their data practices against these requirements to ensure that consumer data is processed responsibly and securely.
This alignment with other state laws underscores the trend across the United States toward stronger consumer consent rights and data protection under state law.
The introduction of MODPA presents significant challenges for multistate companies, which must navigate varying state regulations, each with its own requirements and enforcement mechanisms.
Aligning data practices with MODPA and other state privacy laws is difficult because the laws are inconsistent, and those inconsistencies raise compliance costs and administrative burdens. MODPA’s lower applicability thresholds, for example, bring businesses into scope that similar laws in other states leave out, so a company that is exempt elsewhere may still need a thorough review of its data practices to meet MODPA’s detailed requirements.
The heightened risks associated with non-compliance, including significant fines and reputational damage, further complicate the compliance landscape. Companies must ensure they have robust mechanisms in place to handle consumer requests and manage data practices effectively.
To address these challenges, multistate companies should implement scalable solutions that can adapt as privacy legislation changes across states. This includes supporting both consent-based (opt-in) and opt-out models: MODPA requires consent for processing beyond the purposes disclosed to the consumer, gives consumers the right to opt out of targeted advertising, the sale of their personal data, and certain profiling, and requires controllers to honor universal opt-out preference signals.
Regular training and updates for staff can significantly enhance a company’s ability to meet the compliance demands posed by different state laws. By keeping employees informed about the latest regulatory changes and compliance requirements, businesses can better navigate the evolving privacy landscape.
Companies should also maintain reasonable administrative, technical, and physical measures to safeguard personal data and comply with MODPA and other state laws. This proactive approach helps mitigate risks and ensures that businesses are well-prepared to handle the complexities of nationwide data privacy compliance.
Meeting MODPA’s requirements is crucial for businesses both to stay compliant and to protect consumer data.
MODPA’s data minimization principle requires businesses to collect and use only the personal data reasonably necessary and proportionate to provide or maintain the specific product or service the consumer has requested, and nothing more.
Processing sensitive data, such as health information, genetic or biometric data, racial or ethnic origin, or national origin, is permitted only when strictly necessary to provide or maintain the requested product or service. These safeguards ensure that data practices stay narrowly aligned with the consumer’s request. By enforcing strict data minimization, MODPA promotes responsible data use, reduces the exposure created by a breach, and strengthens consumer trust.
MODPA provides stronger consumer rights than many existing state laws, most notably through its prohibition on selling sensitive data. Maryland residents may access their personal data, correct inaccuracies in it, request its deletion, obtain a list of the categories of third parties to which it has been disclosed, and opt out of targeted advertising, the sale of their personal data, and certain profiling.
These rights empower consumers to take charge of their personal information and to ensure it is handled accurately and securely. They are backed by transparency obligations: controllers must provide a clear and conspicuous notice describing their data processing practices, which promotes accountability in how personal data is processed.
Beyond honoring these rights, companies must meet MODPA’s operational obligations, starting with data security and data protection assessments.
MODPA mandates that businesses implement robust security protocols to safeguard personal data, covering administrative, technical, and physical safeguards. These include limiting access to authorized individuals and verifying the identity of consumers who submit requests. The measures must be reasonable in light of the volume and nature of the personal data being processed.
MODPA also requires data protection assessments for processing activities that present a heightened risk of harm to consumers, such as processing sensitive data, selling personal data, and using personal data for targeted advertising or certain profiling. Each assessment weighs the benefits of the processing against the risks to the consumer and documents the safeguards that reduce those risks.
By conducting these assessments, businesses can identify and mitigate risks before processing begins and show that consumer data is handled responsibly and securely.
The penalties for non-compliance with MODPA are higher than those under many other state privacy laws. A violation is an unfair or deceptive trade practice under the Maryland Consumer Protection Act, and the Maryland Office of the Attorney General may seek civil penalties of up to $10,000 per violation, rising to up to $25,000 for each repeat violation. The Attorney General also has discretion to decide whether a violation may be cured before enforcement proceeds. These penalties underscore the importance of adhering to MODPA’s requirements.
Preparing for MODPA compliance is essential for businesses to meet their legal obligations and to strengthen consumer trust. A practical starting point is a compliance checklist that measures current practices against MODPA’s standards: review what personal data is collected and why, confirm that sensitive data is processed only when strictly necessary, implement reasonable administrative, technical, and physical security measures, establish mechanisms for receiving, verifying, and fulfilling consumer requests, including opt-out preference signals, and schedule data protection assessments for higher-risk processing.
Working through these steps leaves a business well prepared for MODPA compliance.
MODPA sets a new standard for data privacy laws in the United States. Its comprehensive requirements, including data minimization, consumer rights, and security protocols, provide robust protections for consumer data. Multistate businesses must navigate the complexities of varying state regulations and adopt scalable compliance strategies.
By preparing for MODPA compliance, companies can enhance consumer trust and ensure they meet legal obligations. Partnering with the cybersecurity experts at Hartman Executive Advisors can provide the necessary guidance and support to achieve compliance. Contact us today to learn more about how to become compliant by October 1, 2025.