Maryland’s New Data Privacy Benchmark
The enactment of the Maryland Online Data Privacy Act (MODPA) on May 9, 2024, marks a significant moment in the evolving landscape of U.S. consumer data protection. While Maryland is the seventeenth state to pass a comprehensive privacy law, its legislation is far from a mere repetition of existing frameworks. With an effective date of October 1, 2025, and enforcement beginning on April 1, 2026, MODPA is poised to establish a new, more stringent benchmark for data privacy standards across the nation. This law will force a fundamental re-evaluation of data collection and processing practices, particularly for businesses in highly data-sensitive sectors like healthcare and fintech.
This report provides a comprehensive, expert analysis of MODPA’s unique provisions, with a targeted focus on its specific implications for the healthcare and financial technology industries. The aim is to translate complex legal concepts into actionable business intelligence, offering a clear and detailed guide for compliance professionals seeking to prepare their organizations for this new regulatory reality.
MODPA at a Glance: Foundational Provisions and Enforcement
MODPA’s scope is deliberately broad, designed to capture a wider range of businesses than many of its predecessors. The law applies to any entity that conducts business in Maryland or targets its products and services to state residents and, in the preceding calendar year, meets one of two criteria:
- Controlling or processing the personal data of at least 35,000 Maryland consumers, excluding data processed solely for payment transactions.
- Controlling or processing the personal data of at least 10,000 Maryland consumers and deriving 20% or more of gross revenue from the sale of personal data.
These thresholds are significantly lower than those found in many other state privacy laws, such as California or Virginia, which typically set a 100,000-consumer benchmark. For a state with a population of over 6 million, the 35,000-consumer threshold applies to businesses that process data from just over 0.5% of its residents, signaling a legislative intent to hold a greater number of organizations accountable. The law also lacks full entity-level exemptions for nonprofit organizations or HIPAA-covered entities, further broadening its reach beyond traditional privacy laws. As a result, many small to medium-sized businesses and organizations that were previously exempt from similar state laws may now find themselves subject to MODPA’s comprehensive requirements.
Core Consumer Rights: The Familiar, with an Edge
In line with other state privacy laws, MODPA grants Maryland residents a suite of rights regarding their personal data. These rights empower consumers to exert greater control over their information and include the ability to:
- Confirm whether a business is processing their personal data (Right to Access).
- Correct inaccuracies in their personal data.
- Request the deletion of their personal data, with limited exceptions.
- Obtain a copy of their personal data in a portable and usable format.
- Opt out of the processing of their data for targeted advertising, data sales, or profiling in connection with solely automated decisions.
Controllers are obligated to respond to consumer requests within 45 days of receipt, with a possible one-time extension of an additional 45 days if reasonably necessary. Businesses must also provide a clear mechanism for consumers to appeal a controller’s decision regarding a privacy request.
Enforcement and Penalties: A Discretionary Hammer
Enforcement of MODPA falls under the exclusive authority of the Maryland Attorney General (AG), operating under the Maryland Consumer Protection Act. The law does not provide a private right of action, meaning individual consumers cannot sue for violations.
Violations are considered “unfair, abusive, or deceptive trade practices” and are subject to civil penalties of up to $10,000 for a first offense, escalating to $25,000 for repeated violations. Since a single non-compliant data practice can affect thousands of individuals, these fines have the potential to accumulate rapidly, creating significant financial exposure for businesses.
A critical, and often overlooked, aspect of the enforcement framework is the discretionary “cure period”. For alleged violations occurring on or before April 1, 2027, the AG has the discretion to provide a notice of violation and a grace period of at least 60 days to remedy the issue. This cure period, however, sunsets after April 1, 2027, after which the AG can move directly to enforcement without providing an opportunity to cure. This structured timeline creates a powerful incentive for businesses to prioritize compliance readiness now, rather than waiting for enforcement to begin. Waiting until the last minute could mean losing the chance to rectify a violation and facing immediate, substantial financial penalties.
The New Standard: Unpacking MODPA’s Strictest Provisions
MODPA introduces a series of provisions that set it apart from the existing U.S. state privacy laws, establishing a far more rigorous compliance standard.
Substantive Data Minimization: The “Strictly Necessary” Rule
A core principle of MODPA is its strict data minimization mandate. The law requires controllers to limit the collection of personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer”. This requirement goes a step further for sensitive data, which can only be collected, processed, or shared when it is “strictly necessary” to provide or maintain a requested service.
This represents a significant departure from the traditional “notice and choice” model that dominates many other privacy frameworks. Under the old model, a business could collect a wide array of data for various purposes as long as it disclosed these practices in a privacy policy and offered a consumer a way to opt-out. MODPA, by contrast, adopts a “substantive minimization” approach, placing a default restriction on the very collection of data itself. The law challenges business models that rely on collecting extensive, ancillary data for secondary uses like analytics, targeted advertising, or future product development. For example, a website that uses cookies or tracking pixels to collect information about user behavior for purposes of interest-based advertising or analytics may find it difficult to justify this practice if the data is not integral to providing the core service requested by the consumer.
The statute does not explicitly define what constitutes “reasonably necessary and proportionate” or “strictly necessary,” leaving a degree of legal ambiguity. This lack of definitive guidance from the AG means businesses must proactively make their own documented determinations for what data they collect. This uncertainty will likely compel a major overhaul of data collection practices, moving companies from a model of permissive data collection to one of restrictive necessity.
The Unprecedented Sensitive Data Ban
MODPA’s definition of “sensitive data” is expansive, encompassing consumer health data, genetic and biometric data, precise geolocation information (within 1,750 feet), and personal data revealing racial or ethnic origin, religious beliefs, sex life, or sexual orientation. The law then takes a groundbreaking step by imposing a blanket prohibition on the sale of this data.
Unlike other state laws that might permit the sale of sensitive data with explicit consumer consent, MODPA prohibits it outright, with no exceptions for consent. This blanket ban forces a complete reconsideration of data monetization strategies. Any business that exchanges sensitive data for “monetary or other valuable consideration” must cease this practice in Maryland. This will significantly impact a wide range of companies, from ad-tech firms and data brokers to developers of health and wellness apps that might previously have profited from this data.
Stronger Protections for Minors
The law imposes a strict prohibition on the sale of personal data and its use for targeted advertising for individuals under the age of 18. What makes this provision particularly stringent is its use of the “knew or should have known” standard. This is a more aggressive threshold than the “known child” standard in other laws, as it places a proactive burden on companies to assess whether their users are minors. Businesses can no longer simply rely on a user’s stated age; they must implement reasonable measures to determine a consumer’s age if contextual cues suggest they might be a minor.
This heightened standard presents a significant compliance challenge for businesses with teenage user bases. The risk of violating the law may lead some companies to implement robust age-gating mechanisms or to simply cease processing the data of any user they suspect to be a minor. The potential legal and reputational consequences for being wrong are simply too high.
The Geofencing Ban for Health Data
MODPA includes a specific and notable prohibition against using a geofence (a virtual boundary) within 1,750 feet of a mental health facility or a reproductive or sexual health facility. The ban prevents businesses from identifying, tracking, collecting data from, or sending notifications to a consumer within this zone for purposes related to their health data. This provision directly addresses the privacy risks associated with location data that can reveal highly sensitive information about an individual’s physical or mental health. Businesses that use location-based services or apps will need to review and adjust their geofencing practices to ensure they do not create these prohibited zones in Maryland.
This targeted ban, alongside the broader prohibitions on sensitive data, illustrates the law’s underlying objective: to protect consumer privacy by limiting the inference and monetization of sensitive information, particularly in a manner that could be discriminatory or harmful.
| Provision | MODPA | CCPA/CPRA (California) | VCDPA (Virginia) |
|---|---|---|---|
| Applicability Thresholds | 35,000 consumers OR 10,000 consumers + 20% revenue from data sales | 100,000 consumers OR $25M gross revenue | 100,000 consumers OR 25,000 consumers + 50% revenue from data sales |
| Data Minimization Standard | Substantive: “Reasonably necessary and proportionate to provide… a specific product or service” | Procedural: “Adequate, relevant, and reasonably necessary… in relation to the purposes for which such data is processed” | Procedural: “Adequate, relevant, and reasonably necessary… in relation to the purposes for which such data is processed” |
| Sensitive Data Sales | Blanket Prohibition: Prohibited without exception, even with consent | Opt-Out: Consumers can opt out of the sale or sharing of sensitive data | Opt-In: Requires opt-in consent to process sensitive data |
| Minor Protection Threshold | Strict: No targeted advertising/sale for those under 18 if controller “knew or should have known” their age | Moderate: No targeted advertising/sale for those under 16 without consent | Standard: Applies to data of a “known child” (under 13) |
| Cure Period | Discretionary & Sunsetting: AG has discretion to provide 60 days to cure until April 1, 2027 | Mandatory: Provides a mandatory 30-day cure period | Mandatory: Provides a mandatory 30-day cure period |
For the Healthcare Sector: Beyond HIPAA’s Familiarity
A critical point of confusion for healthcare organizations is MODPA’s relationship with HIPAA. While MODPA includes a data-level exemption for Protected Health Information (PHI) covered by HIPAA, it does not provide an entity-level exemption for HIPAA-covered entities or their business associates. This is a crucial distinction that forces a new compliance paradigm.
The lack of a full entity exemption means a healthcare organization can be a HIPAA-covered entity but still be subject to MODPA for any data it collects that does not qualify as PHI. For instance, while data from a patient’s electronic health record is protected under HIPAA, data collected by a hospital’s general-purpose website, a fitness app not directly integrated with medical care, or a wellness blog is often not considered PHI. MODPA’s broad definition of “consumer health data,” which includes personal data used to identify a consumer’s physical or mental health status, captures precisely this type of information and subjects it to MODPA’s more rigorous standards.
To comply, healthcare organizations must implement a dual compliance strategy. They must continue to adhere to HIPAA for all PHI while simultaneously implementing MODPA-specific protocols for all other consumer data. This includes reviewing data collection practices, updating privacy policies, and implementing enhanced access controls for all consumer health data to ensure it is handled according to MODPA’s requirements.
| Characteristic | HIPAA-PHI | MODPA Consumer Health Data |
|---|---|---|
| Governing Law/Rule | Health Insurance Portability and Accountability Act (HIPAA) | Maryland Online Data Privacy Act (MODPA) |
| Data Definition | Individually identifiable health information related to a person’s past, present, or future physical or mental health, healthcare provision, or payment for care. | Personal data used to identify a consumer’s physical or mental health status, including gender-affirming treatments and reproductive or sexual healthcare. |
| Applicability | Applies to specific entities (covered entities and business associates) and the PHI they hold. | Applies to all data that meets the definition, regardless of the entity type (unless a data-level exemption applies). |
| Consent Requirement | Use/disclosure generally requires patient authorization, with exceptions for treatment, payment, and healthcare operations (TPO). | Processing requires consumer consent unless “strictly necessary” for a requested service. |
| Data Minimization Standard | “Minimum necessary” standard for use and disclosure. | “Strictly necessary” standard for collection, processing, and sharing. |
| Data Sale/Sharing Rules | Disclosure requires authorization, with exceptions. | Blanket prohibition on sale without exception. |
For the Fintech Sector: The GLBA Exemption and Its Limits
MODPA’s relationship with the Gramm-Leach-Bliley Act (GLBA) is similarly complex. The law provides an exemption for financial institutions and data subject to GLBA. However, this exemption is narrow, untested, and does not provide a blanket shield for all data processed by fintech companies.
Many modern fintech business models extend beyond traditional financial services and handle a mix of data types, some of which may fall outside of GLBA’s protection. For example, a payment app might collect not only transactional data (which is GLBA-exempt) but also precise geolocation for fraud detection, biometric data for authentication, or app usage data for marketing purposes.
The issue arises when this non-GLBA data is processed in a manner that conflicts with MODPA’s core provisions. The law’s strict data minimization mandate requires that data collection be “reasonably necessary and proportionate” to providing a specific service. A company using location data for targeted advertising, for example, may struggle to justify that practice as “reasonably necessary” for providing its core financial service.
Furthermore, if this ancillary data meets MODPA’s broad definition of “sensitive data” (as is the case with biometric or precise geolocation data), it becomes subject to the law’s blanket ban on sales for any valuable consideration. The ambiguity around the GLBA exemption compels a prudent approach for all fintech companies operating in the state. Companies should audit their data practices to identify what falls outside GLBA’s protection and, for that data, implement MODPA’s stringent requirements.
| Data Type/Activity | Is it GLBA-Exempt? | Is it MODPA-Covered? |
|---|---|---|
| Credit card transaction data | Yes | No |
| User-provided financial info (e.g., bank account numbers) | Yes | No |
| Location data for fraud detection | Varies; often No | Yes; potentially “sensitive data” subject to minimization and sale bans |
| Biometric data for authentication | Varies; often No | Yes; “sensitive data” subject to minimization, consent requirements, and sale bans |
| App usage data for marketing | No | Yes; subject to consumer opt-out rights |
| Analytics data for product improvement | No | Yes; subject to strict data minimization requirements |
A Path to Readiness: Essential Compliance Best Practices
To navigate the complexities of MODPA, businesses must adopt a proactive, multi-layered approach to privacy compliance.
- Conduct a Comprehensive Data Inventory and Mapping. The foundational step is to gain a complete understanding of all personal data an organization collects, processes, and stores. This involves documenting the purpose for which each data element is collected, where it is stored, and with whom it is shared. This is particularly crucial for satisfying MODPA’s strict data minimization mandate and its transparency requirements regarding third-party data sharing.
- Update Privacy Notices and Policies for Transparency. Privacy notices must be revised to be “reasonably accessible, clear, and meaningful”. A key requirement of MODPA is the disclosure of specific third-party recipients of personal data, rather than just categories of third parties, providing consumers with a clearer understanding of where their information goes.
- Establish Robust Consumer Rights Request Workflows. Businesses must have efficient and well-documented procedures for handling consumer requests for access, correction, deletion, and data portability. These workflows must ensure a timely response within the 45-day window and provide a clear appeal mechanism for consumers to challenge a decision.
- Operationalize Opt-Out Mechanisms, Including Universal Signals. Companies must provide a clear and conspicuous web link for consumers to opt out of targeted advertising and data sales. Furthermore, by October 1, 2025, controllers are required to honor universal opt-out signals (UOOMs), such as Global Privacy Control, as a valid form of consumer consent.
- Address High-Risk Processing with Data Protection Assessments (DPAs). MODPA requires controllers to conduct and document DPAs for processing activities that present a “heightened risk of harm” to consumers. This includes processing for targeted advertising, data sales, handling sensitive data, and profiling that could result in unfair or discriminatory impacts. Notably, the law mandates a DPA for “each algorithm used” in such high-risk processing activities. This is a direct directive for companies that rely on AI and machine learning for consumer-facing services, as their models must be meticulously documented and assessed for potential consumer harm.
- Strengthen Third-Party Processor Contracts. A key obligation is the requirement for controllers to enter into new, written contracts with all data processors that handle consumer data on their behalf. These contracts must include specific provisions that govern the processing, outline security measures, and require confidentiality obligations.
- Prohibit Sensitive Data Sales and Reassess Collection Practices. Given the unprecedented ban on the sale of sensitive data, businesses must establish clear controls to ensure this data is not exchanged for any valuable consideration. Furthermore, a thorough review of all data collection practices is necessary to ensure sensitive data is only collected when it is “strictly necessary” for a requested service, regardless of whether a consumer has provided consent.
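The opt-out handling in the fourth item and the sensitive-data controls in the seventh, together with the minor and minimization rules from earlier sections, can be enforced at one point in an application as a purpose gate that every processing path must pass. The following is an added illustration, not code from this report or from any regulator; the data model (`DataElement`, `Consumer`, the `necessary_for_service` flag) is assumed, and the controller's own documented necessity determination is taken as an input rather than computed.

```python
"""Purpose gate encoding the MODPA processing rules described above.

Assumed data model (constructed for this example): the controller has already
recorded, per data element, whether it is "sensitive data" and whether its
documented necessity determination ("reasonably necessary and proportionate",
or "strictly necessary" for sensitive data) was met for the requested service.
"""
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    PROVIDE_SERVICE = "provide or maintain requested service"
    TARGETED_ADS = "targeted advertising"
    SALE = "sale for monetary or other valuable consideration"
    PROFILING = "profiling for solely automated decisions"


# Purposes a consumer may opt out of, by request or by universal opt-out signal.
OPT_OUT_PURPOSES = {Purpose.TARGETED_ADS, Purpose.SALE, Purpose.PROFILING}


@dataclass
class DataElement:
    name: str
    sensitive: bool               # health, biometric, precise geolocation, ...
    necessary_for_service: bool   # controller's documented determination


@dataclass
class Consumer:
    likely_minor: bool            # "knew or should have known" under 18
    opt_outs: set = field(default_factory=set)
    consents: set = field(default_factory=set)   # never unlocks rules 1-3 below


def gpc_signal_present(headers: dict) -> bool:
    """Global Privacy Control is sent as the request header 'Sec-GPC: 1'."""
    return any(k.lower() == "sec-gpc" and v.strip() == "1"
               for k, v in headers.items())


def permitted(purpose: Purpose, element: DataElement, consumer: Consumer,
              headers: dict) -> tuple[bool, str]:
    """Return (allowed, reason). Rules run from most to least absolute."""
    # 1. Blanket ban: sensitive data may not be sold, consent notwithstanding.
    if purpose is Purpose.SALE and element.sensitive:
        return False, "sale of sensitive data is prohibited without exception"
    # 2. Sensitive data: only when strictly necessary for the requested service.
    if element.sensitive and purpose is not Purpose.PROVIDE_SERVICE:
        return False, "sensitive data may only be processed when strictly necessary"
    # 3. Minors: no sale or targeted advertising when the controller knew or
    #    should have known the consumer is under 18.
    if consumer.likely_minor and purpose in {Purpose.SALE, Purpose.TARGETED_ADS}:
        return False, "no sale or targeted advertising for consumers under 18"
    # 4. Opt-outs: an explicit request or a universal opt-out signal (GPC).
    if purpose in OPT_OUT_PURPOSES and (
            purpose in consumer.opt_outs or gpc_signal_present(headers)):
        return False, f"consumer opted out of {purpose.value}"
    # 5. Minimization: collection must be necessary for the requested service.
    if purpose is Purpose.PROVIDE_SERVICE and not element.necessary_for_service:
        return False, f"{element.name} not documented as necessary for the service"
    return True, "permitted"
```

Each denial carries a reason string so the decision can be logged and produced as evidence during a data protection assessment or an AG inquiry.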
The Future of Privacy is Proactive
MODPA is not merely an addition to the U.S. privacy patchwork; it is a clear signal that the regulatory landscape is shifting toward more substantive and proactive data protection standards. With its low applicability thresholds, stringent data minimization mandate, and unprecedented ban on sensitive data sales, the law sets a new bar for compliance. For businesses in the healthcare and fintech sectors, in particular, the nuances of the HIPAA and GLBA exemptions underscore the need to move beyond outdated, entity-based compliance models. The law’s structured timeline, with a sunsetting cure period, adds a layer of urgency. Waiting to comply could result in immediate and significant penalties once the grace period expires. The time to act is now. A proactive, multi-layered approach to compliance is no longer a best practice; it is a business imperative.