What Is the Maryland Online Data Privacy Act?
MODPA applies to controllers processing data of 35,000+ Maryland consumers or 10,000+ while selling data — lower thresholds than peer laws. It prohibits the sale of sensitive personal data outright, caps data collection to what is "reasonably necessary and proportionate", and adds heightened protections for consumers under 18. No cure period. AG enforcement with civil penalties up to $10,000 per violation, $25,000 per subsequent violation.
At a glance
- Full name: Maryland Online Data Privacy Act
- Short code: MODPA
- Effective date: October 1, 2025
- Response deadline: 45 days
- Cure period: None (sunset)
- Private right of action: No
- Enforcement: Maryland Office of the Attorney General — Division of Consumer Protection
- Maximum penalty: Up to $10,000 per violation; up to $25,000 for repeat violations under the Maryland Consumer Protection Act
- Statutory citation: Md. Code, Com. Law § 14-4601 et seq.
Who MODPA applies to
A business is covered if it meets the applicability thresholds set out in Md. Code, Com. Law § 14-4601 et seq. Most state laws use an “or” framework — any one of the thresholds triggers coverage unless otherwise noted.
- Conducts business in Maryland or targets Maryland residents, AND
- Controlled or processed personal data of 35,000+ Maryland consumers during the prior calendar year (excluding data processed solely for payment), OR
- Controlled or processed personal data of 10,000+ Maryland consumers AND derived more than 20% of gross revenue from the sale of personal data
Consumer rights under MODPA
- Outright ban on sale of sensitive personal data
- Strict data-minimization requirement
- Heightened protections for minors
- Low thresholds — more brokers are in scope
- No cure period
Notable features (vs. CCPA)
MODPA is the strictest comprehensive state privacy law in the US. It outright bans the sale of sensitive personal data (including precise geolocation, racial or ethnic origin, genetic or biometric data, and health data — no opt-out option). It imposes mandatory data minimization — collection is limited to what is 'reasonably necessary and proportionate' to the specific product or service. It has no cure period. Maryland also protects consumers under 18 with opt-in requirements for targeted advertising and sale.
Enforcement & penalties
Enforcing agency: Maryland Office of the Attorney General — Division of Consumer Protection
Maximum penalty: Up to $10,000 per violation; up to $25,000 for repeat violations under the Maryland Consumer Protection Act
Cure period: MODPA has no cure period. Violations are directly enforceable from day one.
Private right of action: MODPA has no private right of action. Enforcement is through Maryland's Division of Consumer Protection (office of the Attorney General).
Where to file a complaint: Maryland Office of the Attorney General
How to exercise your MODPA rights
1. Identify the business that holds your data (or use OfflistMe, which pre-targets 300+ known brokers and applies MODPA citations automatically).
2. Submit a verifiable consumer request to the business's designated contact. Include enough identifying data that the business can verify you as a Maryland resident (e.g., ZIP code, email associated with your record).
3. Under MODPA, businesses have 45 days to respond. Extensions are permitted with written notice under most state laws.
4. If the business fails to respond or denies the request without legal basis, file a complaint with the Maryland Office of the Attorney General at https://www.marylandattorneygeneral.gov/Pages/CPD/Complaint.aspx.
FAQ
Why is Maryland's MODPA considered the strictest state law?
Three features: (1) outright ban on selling sensitive personal data, no exceptions; (2) data minimization must be "reasonably necessary and proportionate" — not just disclosed; (3) low consumer thresholds mean MODPA applies to smaller brokers that escape other state laws. Combined, it narrows the gap between state and EU GDPR protections.
Compare with sibling state laws
MODPA is one of 18 comprehensive US state privacy laws. Its closest peers by effective date — useful when tracking how this law influenced or was influenced by neighbouring legislation: