Last updated: January 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Maryland Online Data Privacy Act (MODPA)
Effective Date: October 1, 2025.
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, the MODPA applies to persons who conduct business in the State of Maryland, or provide products or services targeted to Maryland residents (consumers), and who, during the preceding calendar year, controlled or processed either:
- 35,000+ Maryland consumers' personal data, excluding payment transaction data; or
- 10,000+ Maryland consumers' personal data and derived more than 20 percent of its gross revenue from the sale of personal data.
2. Key Definitions:
Sales of Personal Data: Similar to California, "sale of personal data" is broadly defined to include the exchange of personal data for not only monetary compensation but also "other valuable consideration," subject to certain exemptions.
Sensitive Data: Sensitive data is defined very broadly to include:
- data revealing racial or ethnic origin, religious belief, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status;
- biometric data or genetic data;
- personal data of a known child under the age of 13; or
- precise geolocation data (i.e., within a radius of 1,750 feet).
One thing to note regarding sensitive data is that the MODPA expressly prohibits: (1) the collection, processing, or sharing of sensitive data "except where it is strictly necessary to provide or maintain a specific product or service requested by the consumer"; and (2) the sale of sensitive data.
3. Business Obligations:
The MODPA imposes additional obligations on persons who, alone or jointly with others, determine the purpose and means of processing personal data (Controller):
- Heightened Protection for Minors Under the Age of 18: The MODPA expressly prohibits certain processing activities by a Controller involving consumers under the age of 18.
- Enhanced Protection for Consumer Health Data: Similar to Connecticut, the MODPA uniquely regulates "consumer health data."
- Data Processing Agreement (DPA): Processing activities by a supplier (Processor) shall be governed by a DPA between the Controller and Processor.
- Data Protection Assessment: Effective October 1, 2025, an MD Controller must conduct and document a data protection assessment for certain processing activities that present a higher risk of harm to consumers. Notably, the MODPA requires a Controller to conduct and document an assessment for each algorithm that is used in these processing activities that present a heightened risk of harm.
- Privacy Notice: Yes, a Controller shall provide the consumer with a "reasonably accessible, clear, and meaningful privacy notice."
- Universal Opt-out Mechanism: On or before October 1, 2025, Controllers must allow consumers to opt out of any processing of consumer personal data for the purposes of targeted advertising and/or sale of personal data.
4. Consumer Rights:
Subject to certain exceptions, a Maryland consumer has the right to:
- Confirm whether a Controller is processing their personal data and access their personal data;
- Correct inaccuracies in their personal data;
- Delete personal data subject to certain exceptions;
- Obtain a copy of certain categories of personal data processed by the Controller in a readily usable format;
- Obtain a list of categories of third parties to which the Controller has disclosed personal data; and
- Opt out of data processing for targeted advertising, sales of personal data, and profiling for solely automated decisions producing legal or similarly significant effects.
Finally, the MODPA prohibits Controllers from collecting, processing, or transferring personal data or publicly available data (a unique requirement) in a manner that "unlawfully discriminates" "on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability," subject to limited exceptions.
5. Enforcement and Penalties:
Private Right of Action: None.
Penalties: Not more than $10,000 per violation, with increasing penalties of up to $25,000 per violation for each subsequent violation as described in the Maryland Consumer Protection Act.
Cure Period: A 60-day cure period. Such a cure period may sunset after April 1, 2027.