Who does MODPA apply to?
MODPA applies to anyone doing business in Maryland or providing products or services to Maryland residents who, during the immediately preceding calendar year, met one of the following thresholds:
- Controlled or processed the personal data of at least 35,000 Maryland consumers (excluding personal data maintained or processed solely for the purpose of completing payment transactions)
- Controlled or processed the personal data of at least 10,000 Maryland consumers and derived more than 20% of total revenue from the sale of personal data
Both triggering scenarios are significantly lower than most other similar state consumer privacy laws, with the exception of the recently passed New Hampshire Privacy Act.
Who is a “consumer”?
MODPA follows the consumer privacy laws of most other states and defines a consumer as an individual who is a resident of Maryland and acts only in an individual or household context (in other words, excluding individuals acting in an employment or commercial context).
What is “personal data”?
Another familiar definition is that of “personal data.” MODPA defines it as information that is linked, or can reasonably be linked, to an identified or identifiable individual; de-identified data and publicly available information are excluded.
Who can enforce it?
Maryland's Attorney General has exclusive enforcement authority. For alleged violations occurring before April 1, 2027, the Attorney General may issue a notice of violation and a 60-day opportunity to cure. If the controller or processor fails to cure the violation within those 60 days, the Attorney General may initiate an enforcement action. Fines can be up to $10,000 per violation, and fines for repeat violations can be assessed up to $25,000 per violation.
Who is exempt?
MODPA includes a short list of entity-level exemptions, including:
- Any regulatory, administrative, advisory, appointive, legislative, or judicial agency or instrumentality of the State of Maryland.
- Non-profit organizations that process data for the sole purpose of assisting law enforcement agencies in investigating insurance-related criminal activity or fraud, or assisting first responders in responding to catastrophic events.
- A national securities association under the Securities Exchange Act of 1934 or a registered futures association under the Commodity Exchange Act.
- Financial institutions or affiliates subject to the Gramm-Leach-Bliley Act.
MODPA's list of data-level exemptions is fairly standard and includes data covered by the Health Insurance Portability and Accountability Act (HIPAA), federal research laws and regulations (such as the Common Rule), the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act of 1971, the Airline Deregulation Act, and the Children's Online Privacy Protection Act.
What obligations are imposed?
Controllers have several obligations under MODPA, including the following requirements:
- Limit the collection of personal data to what is reasonably necessary and appropriate to provide or maintain the specific product or service requested by the consumer.
- Not process personal data for secondary purposes (purposes that are not reasonably necessary for, and are incompatible with, the purpose for which it was originally disclosed) without the consumer's prior consent.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, appropriate to the volume and nature of the personal data at issue, to protect the confidentiality, integrity, and accessibility of personal data.
- Not collect, process, or share sensitive data unless strictly necessary to provide or maintain the specific product or service requested by the consumer.
- Not sell sensitive data.
- Not process personal data in violation of laws prohibiting unlawful discrimination against consumers, and not discriminate against consumers who exercise their rights.
- Not process personal data for the purposes of targeted advertising or the sale of personal data if the controller knows or should have known that the personal data relates to a consumer under 18 years of age.
- Provide consumers with a reasonably accessible, clear, and meaningful privacy notice, including the disclosures that are now common under state consumer privacy laws.
One of the more unique and restrictive aspects of MODPA is its complete prohibition on the sale of sensitive data and on the collection, processing, and sharing of sensitive data about consumers, unless the collection or processing is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
To date, no other state privacy law prohibits the sale of sensitive data. Depending on what counts as a sale, this prohibition may have a significant effect on companies in certain sectors (for example, the non-HIPAA-regulated healthcare sector) that deploy website tracking technologies.
What consumer rights does MODPA create?
MODPA provides Maryland consumers with the following rights:
- The right to confirm whether the controller is processing the consumer's personal data and, if so, to access that data
- The right to correct inaccuracies in personal data, taking into account the nature of the personal data and the purposes for which it is processed
- The right to have the controller delete personal data provided by or obtained about the consumer, unless retention is required by law
- The right to data portability where the processing is carried out by automated means
- The right to obtain from the controller a list of the categories of third parties that have received the consumer's personal data
- The right to opt out of targeted advertising, the sale of personal data, and profiling (where the profiling is used to produce legal or similarly significant effects)
- The right to appeal a controller's refusal to act on a rights request
Sensitive data
MODPA has a list of sensitive data that generally tracks consumer privacy laws in other states, but with the following twist when it comes to consumer health data:
- racial or ethnic origin, religious beliefs, consumer health data, sex life, sexual orientation, transgender or non-binary status, national origin, or citizenship or immigration status;
- Genetic or biometric data
- Personal data collected from a consumer the controller knows or has reason to know is a child (under 13 years of age)
- Precise geolocation data (within a 1,750-foot radius)
Consumer health data under MODPA means personal data that a controller uses to identify a consumer's physical or mental health condition, and it expressly includes data related to gender-affirming treatment or reproductive or sexual health care. “Physical or mental health condition” is not defined. Importantly, to trigger the defined term, the controller must actually use the data to identify a consumer's health condition.
Additionally, companies should be aware that the law treats genetic or biometric data as sensitive data regardless of whether the data is used to uniquely identify a consumer. This differs from the approach taken by other states.
Responding to consumer requests
Under MODPA, following the same framework as most states, controllers must respond within 45 days of receiving a consumer's request, and may take a 45-day extension where reasonably necessary. If a request is denied, the controller must provide a process for appealing the denial and make that process conspicuously available. A decision on the appeal must be issued within 60 days of receiving the consumer's appeal. If the appeal is denied, the decision must include a way for the consumer to submit a complaint to the Attorney General.
Data protection assessment
As expected, MODPA requires controllers to conduct a “data protection assessment” for each processing activity that presents a heightened risk of harm, including an assessment of each algorithm used. These activities include:
- Processing of personal data for targeted advertising
- Selling personal data
- Handling sensitive data
- Processing of personal data for profiling purposes, where the profiling presents a reasonably foreseeable risk of unfair, abusive, or deceptive treatment of consumers, or of significant harm to consumers
The assessment must identify and weigh the benefits that may flow from the processing to all parties against the potential risks to consumer rights. Like other state privacy laws, MODPA permits an assessment conducted to comply with another state's privacy law to be used to satisfy its own assessment requirement. The data protection assessment requirements apply to processing activities that occur after October 1, 2025.
When does MODPA become effective?
MODPA goes into effect on October 1, 2025. However, the law does not apply to processing activities that occur before April 1, 2026.
***
The patchwork of state-specific privacy laws becomes harder to navigate with each new law enacted. In addition to implementing a comprehensive privacy program, organizations should review whether MODPA applies to them and update internal policies and procedures as necessary to maintain compliance.