On October 1, 2025, the Maryland Online Data Privacy Act (MODPA) became effective, joining the growing list of states with comprehensive consumer data privacy laws. With enforcement beginning April 1, 2026, now is the time for businesses to get their house in order, especially because MODPA introduces some of the most stringent data minimization requirements in the country.
What Makes MODPA Different?
MODPA shares many familiar features with other state privacy laws: consumer rights to access, correct, delete, and opt out of sales and targeted advertising; requirements for privacy notices and security measures; and obligations around high-risk data processing. But Maryland’s law diverges in several key areas that businesses should not overlook.
Data Minimization: Maryland’s Elevated Standard
MODPA’s approach to data minimization is one of its most distinctive—and operationally challenging—features.
Most state laws require that personal data collection be “reasonably necessary” for the purposes disclosed to the consumer. Maryland goes further. Under MODPA:
- General personal data must be reasonably necessary and proportionate to provide or maintain the specific product or service requested by the consumer.
- Sensitive personal data—including biometric, health, precise geolocation, and data revealing race, ethnicity, or sexual orientation—must be strictly necessary for that product or service.
“Strictly necessary” is a significant shift for sensitive consumer data. Not “useful,” not “nice to have,” not “we disclosed it in our privacy policy.” Even if a consumer consents to the collection of sensitive data, MODPA prohibits it unless it is strictly necessary to deliver the requested service.
Businesses will need to carefully evaluate their data collection practices and ensure they can justify each data point under this necessity-based framework.
Additional Highlights of MODPA
While data minimization is the headline, MODPA has plenty of other features that set it apart:
- No sale of sensitive data – period: MODPA prohibits the sale of sensitive personal data outright, regardless of consent.
- Minors under 18 get special protection: The law bans targeted advertising and data sales if the business “knew or should have known” the consumer is under 18, a broader standard than most states.
- Algorithmic assessments are required: Businesses must conduct documented risk assessments for each algorithm used that presents a heightened risk of harm to a consumer.
Preparing for Compliance
If your business has already taken steps to comply with other state privacy laws, you’re on the right track. But MODPA’s unique provisions mean additional work may be needed:
- Revisit your data inventory. Pay close attention to what qualifies as sensitive under Maryland’s definitions.
- Audit data collection and ad-targeting flows to determine if that data is strictly or even reasonably necessary for the product or service being offered
- Update privacy notices and consent mechanisms to reflect MODPA’s rights and obligations
- Embed risk assessments into product development and ongoing operations, especially for profiling tools and other processing that poses heightened risk of harm
- Don’t forget nonprofits. MODPA doesn’t categorically exempt them, so check your coverage.
MODPA reflects broader trends in privacy legislation: stronger protections for children’s data, restrictions on the collection and use of sensitive data, and growing emphasis on risk assessment.
But Maryland’s law also sets a new bar for data minimization – one that may influence future legislation in other states. Businesses should treat MODPA not just as another compliance obligation, but as a signal of where privacy governance is headed.
To help businesses keep track of all of the comprehensive consumer data privacy laws, we’ve developed a state privacy law map to guide your compliance efforts. With enforcement beginning April 1, 2026, now is the time to evaluate your data practices and ensure they align with Maryland’s elevated standards. If you have questions or need support navigating these complex requirements, contact us.
