Maryland Online Data Privacy Act (MODPA) Compliance

Maryland Online Data Privacy Act (MODPA)

The Maryland Online Data Privacy Act (MODPA), which emphasizes strict data minimization and transparency, took effect on October 1, 2025. It places significant responsibilities on businesses handling personal data, including obtaining explicit consent for certain data processing activities, especially involving sensitive personal information. The law also mandates data protection assessments and enhances consumer rights, such as the right to access, delete, and restrict sharing of their data. These obligations are aligned with Maryland’s move towards a stricter, consumer-centric privacy framework.

Obligations & Consequences

The following are few key obligations & consequences flowing from the MODPA, on any organization to whom these provisions apply:

Applicability
If your business operates in Maryland or targets Maryland consumers from outside the state, the Maryland Online Data Privacy Act (MODPA) likely applies to you. There are two main criteria:

If your business processes the data of at least 35,000 Maryland consumers.

If your business processed the data of at least 10,000 Maryland consumers and earned at least 20% of its revenue from selling consumer data.

For example, even if you’re a small business using tools like Google Analytics or Meta Pixel and collect data from 35,000 Maryland residents, you’ll need to comply with this law.

However, if your company is already subject to specific privacy laws like HIPAA or GLBA, you may be exempt from certain aspects of other state privacy laws.
Bans on sales of personal data

The Act would ban the sale of “Sensitive Personal Data” without exception. “Sensitive Personal Data” would include data related to an individual’s race, religious beliefs, sex life or orientation, genetic or biometric data, Consumer Health Data, or precise (within 1,750 feet) geolocation. The Act would also ban the sale of any personal data about individuals who are under the age of 18.
Consumer health data

The Act would impose strict data access controls for personnel or subcontractors who access Consumer Health Data. “Consumer Health Data” would be personal data that identifies a consumer’s physical or mental health status, gender-related treatment, or reproductive or sexual health care.
Children’s data

The Act would prohibit businesses from selling Personal Data without consent if the business knows or “should have known” the individual at issue is under age 18. This language is similar to that found in the Children’s Online Privacy Protection Act, which requires businesses to more proactively monitor whether children under the age of 13 may be using a website. The Act’s requirement may prompt businesses to adopt similar monitoring or age-verification requirements in Maryland (or stop processing such data altogether).
Universal opt-out mechanisms

The Act’s language with respect to universal opt-out mechanisms, or “UOOMs,” is one area where the Act appears to be more lenient than many other state laws. A UOOM is a signal set at the user’s browser level that tells a site not to collect information like cookies. The Act would appear to make adoption of an UOOM Most state privacy laws make UOOMs mandatory after a certain date. Notably, the Act states that if a business recognizes UOOMs approved by other states, the UOOM will be deemed compliant with the Act.

Challenges

Following challenges, emanating from the UCPA requirements, are currently being encountered by various organizations:

To facilitate its smooth implementation of UCPA Organizations need to have knowledge of their entire “Data Footprint” to facilitate implementation of the CPA.
Lack of visibility for Organizations sharing the user data with various third parties, during the course of its business.
Manually managing data mapping and inventory to adhere to UCPA requirements is costly and time-consuming, but must be done within a 45 days period or the organization opens itself to sanctions.
Implementation of Data Minimization under UCPA.
Lack of provision or process to delete the data, despite the fact that the UCPA mandates data deletion when the lawful basis for processing expires.
Organizations lack the mechanism of validating the permanent deletion of the data.

Data Security

Requiring businesses to be transparent about what data they collect, how it’s used, and who it’s shared with.
User Consent
Data Access Rights
Enforcement Mechanisms
Cross-Border Data Transfers

Solutions

Compliance Automation

TurtleShield CA (Compliance Automation) automates and streamline privacy-related processes and tasks. Compliance assessments, risk assessments, PIAs and DPIAs aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.
Data Discovery and Intelligence

Our AI-based, patented solution, TurtleShield DD (Data Discovery and Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. It enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Often, organizational silos between business and IT teams make it difficult to get a complete view of data flowing in and out, especially when shared with third parties or partners. TurtleShield DD automatically maps your “data sharing” to provide clear visibility and actionable insights.
Data Minimization

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.
Right to Erasure with Assured Deletion
Enable Data subject rights with cost savings and compliance in totality

Search capability in large datasets to fulfill consumer requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.
TurtleShield Unified Consent Management

TurtleShield UCM (Unified Consent Management) is designed to help organizations ensure consent compliance by implementing processes, technologies, and policies that enable the proper user consent collection, storage, updating, revocation and management in alignment with applicable data protection regulations and industry best practices.