The Maryland Online Data Privacy Act
MODPA gives Marylanders certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers and service providers (or “processors”) that handle personal data. It protects consumers acting in an individual or household context. It does not protect an individual acting in an employment context.
Personal data is any information that is linked or can be reasonably linked to an identifiable consumer, excluding publicly available information and de-identified data.
MODPA applies to persons who conduct business in Maryland, or who produce products or services targeted at Maryland residents, and who, during the prior calendar year, controlled or processed the personal data of:
- At least 35,000 Marylanders; or
- At least 10,000 Marylanders, where the business also derived more than 20% of its gross revenue from the sale of personal data.
MODPA also applies to service providers (or “processors”) that maintain or provide services involving data on behalf of covered businesses.
MODPA does not apply to:
- State and local governments and other governmental subdivisions and agencies
- National securities associations registered under the Securities Exchange Act of 1934
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
- A nonprofit controller that processes personal data solely for the purpose of assisting law enforcement or first responders responding to catastrophic events
MODPA also does not apply to certain types of personal data maintained in compliance with other laws, such as the GLBA, the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act, as well as personal data processed for certain specified purposes set forth in § 14-4703(b) of MODPA.
Nonprofits are NOT exempt from MODPA. If a nonprofit meets the personal data collection threshold and is not otherwise exempt, it must comply with MODPA.
A controller is a person or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
Whether a person or entity is a controller or a processor depends on its decision-making authority over personal data. Under MODPA, a processor processes data at the request and under the direction of a controller, as outlined in the contract between them. A processor can become a controller if it begins to exercise decision-making authority with respect to the processing of personal data.
Sensitive data is a subset of personal data that includes:
- Genetic or biometric data
- Personal data of a child
- Precise geolocation data
- Data revealing racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizenship or immigration status
Under MODPA, a controller cannot sell sensitive data.
A violation of MODPA is a per se violation of Maryland’s Consumer Protection Act, meaning that any violation of MODPA is, by itself, a violation of the Consumer Protection Act.

A business can determine what is “reasonably necessary and proportionate to provide or maintain a specific product or service” based on the expectations of a reasonable consumer about how the data that is collected will be used.
A controller must conduct a data protection assessment for each of the controller’s processing activities that present a heightened risk of harm to a consumer, including an assessment of each algorithm that presents a heightened risk of harm.
A consumer can request information about their personal data from a controller free of charge once every 12 months. For requests made more than once in a 12-month period, a controller may be able to charge an administrative fee; however, the controller must first advise the consumer that the request will be subject to an administrative fee.
Among other obligations, a controller must:
- Provide notice regarding the types of personal data collected, the purpose(s) for processing data, whether and why the controller shares personal data with third parties, and information about how consumers can exercise their various rights over their personal data.
- Limit collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.
- Respond to requests to exercise consumers’ rights granted under MODPA.
- Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers. This includes processing personal data for the purposes of targeted advertising, selling personal data, processing sensitive data, or processing personal data for the purpose of profiling that presents certain reasonably foreseeable risks.
- Use reasonable safeguards to secure personal data.
- Not discriminate against consumers who exercise their rights under MODPA or process personal data in a manner that would otherwise result in unlawful discrimination.
A controller may not sell sensitive data, and only may collect, process, or share sensitive data where doing so is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains.
The Attorney General has the authority to enforce violations of MODPA.
No. The Office of the Attorney General cannot act as your attorney or give you legal advice.
For each violation, a merchant may face civil penalties up to $10,000. For repeated violations, a merchant may face civil penalties up to $25,000 for each subsequent violation. In addition to civil penalties, the Attorney General can seek injunctive relief, restitution, economic damages, and disgorgement.
The Consumer Protection Division cannot provide legal advice; however, you may ask questions of general applicability and, if appropriate, we may post the question and response on the Office of the Attorney General’s website.
Under MODPA, businesses are required to clearly and meaningfully inform Marylanders of their consumer rights and how to exercise them. MODPA’s consumer rights are similar to those of many other states that have enacted comprehensive data privacy laws. Thus, businesses may be able to inform residents of multiple states of these consumer rights in a single section. However, it must be unambiguously clear which rights apply to Maryland residents. While a Maryland-specific section is not required, the description must clearly indicate the rights available to Marylanders, especially if those rights differ in any way from rights available to residents of other states.