March Privacy Forecast: Maryland’s Strict New Privacy Law Takes Effect October 1

March 14, 2025

This week in our March Privacy Forecast, we are discussing a significant outlier amongst U.S. state privacy laws: the Maryland Online Data Privacy Act (MODPA), which is set to take effect on October 1, 2025. 

With 13 comprehensive state privacy laws already in effect, the state privacy law landscape is complex. While there are several common threads throughout many of these frameworks that can allow companies to implement a universal compliance strategy, each state comprehensive privacy law in effect has unique nuances that companies must account for. The new Maryland law compounds these complexities, and companies subject to MODPA will face additional operational challenges in implementing several of the new law’s provisions, which significantly depart from other privacy laws.        

Below, we outline several of MODPA’s unique provisions, including those pertaining to scope, data minimization, sensitive data, and minors’ data.

  • Scope: The new law’s low thresholds and narrow exemptions may lead to broad applicability. Specifically, MODPA will apply to entities that conduct business in Maryland or provide products or services that are targeted to residents of the state and who, during the preceding year, controlled or processed the data of at least 35,000 Maryland consumers or at least 10,000 Maryland consumers while deriving more than 20% of gross revenue from the sale of personal data. These thresholds are significantly lower than many other states’ comprehensive privacy laws. Further, the Act does not have a broad exemption for nonprofit organizations, and instead only provides a narrow exemption for certain nonprofits that process or share personal data to assist law enforcement agencies in investigating criminal or fraudulent acts relating to insurance or first responders in responding to catastrophic events.
  • Minimization: MODPA creates strict data minimization requirements as compared to many other comprehensive privacy laws. Specifically, controllers will be required to limit the collection of personal data “to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer to whom the data pertains.”
  • Sensitive Data. MODPA defines sensitive data as personal data that reveals racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as transgender or nonbinary, citizenship or immigration status, national origin, consumer health data, genetic data, geolocation data, or biometric data. Under the new law, controllers will not be able to collect, process, or share such sensitive data except when it is “strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.” And there is broad restriction on “selling” sensitive data, which is defined as disclosure to a third party for monetary of other valuable consideration. Because precise geolocation data and consumer health data are included under the definition of sensitive health data, these types of data will be governed by these requirements and restrictions for sensitive health data, and transactions with any of this sensitive data should be reviewed carefully under Maryland’s new approach.
  • Minors’ Data. MODPA also prohibits the sale, or processing for purposes of targeted advertising, of personal data of consumers under 18 years of age.

As companies are working to build these requirements and restrictions into their compliance approaches, they should also monitor for potential changes in the Maryland law before it takes effect. In particular, some changes may be on the horizon due to the recently introduced HB1365, which proposes to modify the contentious data minimization provisions.

Regardless of whether the law is amended prior to its effective date, it is clear that MODPA will raise significant questions and hurdles for organizations working to operationalize it, given its broad scope and distinctive requirements.

Please stay tuned for our next article in this March Privacy Forecast series, which will be published on Friday, March 21.

***

Wiley’s Privacy, Cyber & Data Governance team assists a broad range of clients in implementing the ever-growing patchwork of state privacy laws. Contact one of the authors if your organization needs assistance in assessing the applicability of the new Maryland law or implementing its outlier requirements.    

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek