← Back to Blog

Maryland Online Data Privacy Act: The Strictest State Privacy Law

Maryland's privacy law bans selling sensitive data entirely and has strong data minimization requirements. Here's what makes it different.

2026-03-04

The Maryland Online Data Privacy Act (MODPA) took effect on October 1, 2025, and it's arguably the strictest state privacy law in the country. Maryland goes further than any other state on data minimization, sensitive data, and children's protections.

Who Does Maryland's Law Apply To?

MODPA applies to businesses that conduct business in Maryland or target Maryland residents and meet either threshold:

  • Control or process personal data of at least 35,000 Maryland consumers (excluding payment-only data), OR
  • Control or process personal data of at least 10,000 Maryland consumers and derive more than 20% of gross revenue from selling personal data

These thresholds match Rhode Island's — among the lowest of any state. Combined with Maryland's population (~6.2 million), many more businesses will be covered than under typical 100,000-consumer thresholds.

What Makes Maryland Different

No Selling Sensitive Data — Period

Most states say you need consent to process sensitive data. Maryland goes further: you cannot sell sensitive data at all, even with consumer consent. This includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Health data
  • Sexual orientation
  • Biometric and genetic data
  • Children's data (under 18 — not 13)
  • Precise geolocation

Data Minimization

Maryland requires actual data minimization — you can only collect personal data that is reasonably necessary and proportionate to the purpose disclosed to the consumer. This is stricter than the "purpose limitation" requirements in most other states.

Heightened Children's Protections

Maryland defines "children" as under 18, not under 13. This means:

  • No targeted advertising to anyone under 18
  • No selling data of anyone under 18
  • No profiling of anyone under 18 that presents a risk of harm
  • Data protection assessments required for any processing that could affect minors

Consumer Rights

Maryland consumers can:

  • Access their personal data
  • Correct inaccurate data
  • Delete their personal data
  • Data portability — obtain a copy
  • Opt out of sale, targeted advertising, and profiling

Response deadline: 45 days, with a possible 15-day extension.

Enforcement

Enforced by the Maryland Attorney General and the Division of Consumer Protection. No private right of action. There is no cure period — Maryland can pursue enforcement immediately upon discovering a violation.

Maryland Compliance Checklist

  • Privacy policy with all required disclosures
  • No selling sensitive data — full stop, even with consent
  • Data minimization — only collect what's reasonably necessary
  • Children's protections — under 18 threshold, no targeted ads to minors
  • Cookie consent banner with opt-out
  • Consumer request process — 45-day response window
  • Data protection assessments for high-risk processing and processing that affects minors

Why Maryland Matters

Maryland signals where privacy law is heading: stricter data minimization, broader definitions of sensitive data, and stronger protections for minors. If you build your compliance program around Maryland's requirements, you'll be covered for every other state too.

Check Your Compliance

ClearConsent scans your site against all 19 US state privacy laws including Maryland's strict requirements.

Scan your site free — no signup required.

Ready to check your site's compliance?

ClearConsent scans your website against 21 privacy laws in under 60 seconds.

Scan Your Site Free