MODPA

Maryland Online Data Privacy Act

Key Facts

Effective Date: October 1, 2025
Enacted: May 9, 2024
Enforcing Authority: Maryland Attorney General (Division of Consumer Protection)
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Entities in MD or targeting MD residents: 35,000+ consumers OR 10,000+ consumers and 20%+ revenue from selling PI

Overview

Maryland's MODPA is the most restrictive US state privacy law. It completely prohibits the sale of sensitive data — not even consent can authorize it. Sensitive data may only be processed when "strictly necessary" to deliver a service requested by the consumer. Under-18 data sale and targeted advertising are prohibited regardless of consent.

What This Means for Your Website

  • GPC/UOOM signals must be honored
  • Sensitive data sale is completely prohibited — consent cannot authorize it
  • Sensitive data processing is limited to what is "strictly necessary" for requested services
  • Under 18: sale and targeted advertising prohibited regardless of consent
  • The strictest data minimization requirements among all US state privacy laws
  • Biometric data is covered even if not used for identification purposes
  • Consumer health data includes gender-affirming care and reproductive health

Key Requirements

The Maryland AG enforces the MODPA with penalties of $10,000 per first violation and $25,000 per subsequent violation. There is no cure period. Consumer requests must be fulfilled within 45 days. The sensitive data definition is the broadest among US states, covering biometric data even without identification use, consumer health data including gender-affirming care, and precise geolocation.

How ConsentStack Handles This

ConsentStack detects Maryland visitors and applies the strictest consent model among US states — blocking sensitive data sale entirely and limiting processing to strictly necessary purposes.

Penalties

$10,000 per first violation; $25,000 per subsequent violation.

Maximum Fine: $25,000 per violation

Key Requirements

  • Honor GPC/universal opt-out signals
  • Sensitive data: processing only when strictly necessary
  • Sale of sensitive data completely prohibited even with consent
  • Under 18: sale and targeted advertising prohibited regardless of consent
  • Strict data minimization — most restrictive among US states
  • Data protection assessments for high-risk processing

Notable Provisions

  • Most restrictive US state privacy law
  • Sensitive data sale completely prohibited — consent cannot authorize it
  • Strictest data minimization requirements
  • Under 18 sale/advertising prohibited regardless of consent
  • Biometric data covered even without identification use

US State Specifics

Private Right of Action: No
Global Opt-out Required: Yes
Sensitive Data Opt-in: Yes
Children Provisions: Under 18: sale and targeted advertising PROHIBITED regardless of consent.

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
CCPA (California, United States)
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
TDPSA (Texas, United States)
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.

Frequently Asked Questions

What makes Maryland the most restrictive US privacy law?

Maryland completely prohibits sensitive data sales (even with consent), has the strictest data minimization requirements, and prohibits under-18 data sale and advertising regardless of consent.

Can sensitive data be sold with consent in Maryland?

No. Maryland is the only US state that completely prohibits sensitive data sales — consent cannot authorize it.

What are Maryland's penalties?

$10,000 per first violation, $25,000 per subsequent violation, with no cure period.

How does Maryland define sensitive data?

The broadest definition among US states: includes biometric data even without identification use, consumer health data including gender-affirming and reproductive care, and precise geolocation.
